> My question here is, if the STS endpoint needs to support more than one
> encryptionAlgorithm and keyWrapAlgorithm, how do we satisfy that?

The values specified as part of the "EncryptionProperties" bean are just
default values. The STS client can also specify other algorithms to use by
sending a "<wst:EncryptionAlgorithm>...</wst:EncryptionAlgorithm>" String
and/or a "<wst:KeyWrapAlgorithm>...</wst:KeyWrapAlgorithm>" String in the
request.

> Where do
> I find the correct values for encryptionAlgorithm and keyWrapAlgorithm for the
> UTEncrypted endpoint to uncomment the currently commented parts?

What JDK vendor and version are you using on the WSP side? Some JDKs have
a problem with the rsa-oaep key wrapping algorithm. Try just using the
following instead for the "keyWrapAlgorithm" property (this is the default,
which explains why it works when you comment it out):

"http://www.w3.org/2001/04/xmlenc#rsa-1_5"

Colm.

On Tue, Jul 17, 2012 at 10:12 PM, Gina Choi <[email protected]> wrote:

> I found the problem parts and commented them out of cxf-encrypted-ut.xml
> as below. I was able to run UTEncrypted_Port successfully. So, I guess
> that the WSP doesn't understand the algorithms listed on the UTEncrypted
> endpoint. My question here is, if the STS endpoint needs to support more than one
> encryptionAlgorithm and keyWrapAlgorithm, how do we satisfy that? Where do
> I find the correct values for encryptionAlgorithm and keyWrapAlgorithm for the
> UTEncrypted endpoint to uncomment the currently commented parts?
>
>     <!--bean id="encProperties" class="org.apache.cxf.sts.service.EncryptionProperties">
>         <property name="encryptionAlgorithm" value="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
>         <property name="keyWrapAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
>     </bean-->
>
>     <bean id="encryptedUtSTSProperties" class="org.apache.cxf.sts.StaticSTSProperties">
>         <property name="signaturePropertiesFile" value="stsKeystore.properties"/>
>         <property name="signatureUsername" value="mystskey"/>
>         <property name="callbackHandlerClass" value="org.apache.cxf.fediz.service.sts.PasswordCallbackHandler"/>
>         <property name="encryptionPropertiesFile" value="stsKeystore.properties"/>
>         <!--property name="encryptionProperties" ref="encProperties"/-->
>         <property name="issuer" value="DoubleItSTSIssuer"/>
>         <property name="encryptionUsername" value="myservicekey"/>
>     </bean>
>
>
> On Tue, Jul 17, 2012 at 3:59 PM, Gina Choi <[email protected]> wrote:
>
> > Hi All,
> >
> > I have the following environment.
> >
> > Tomcat 7.0.27, CXF 2.6.2-SNAPSHOT, WSS4J 1.6.7-SNAPSHOT, Spring 3.0.7
> >
> > 1. Fediz STS:
> >     - UT_Port and UTEncrypted_Port
> >     - Imported WSP certificate to STS keystore
> >
> > 2. WSP: SymmetricBinding, ProtectionToken, SymmetricKey
> >     - Imported STS certificate to WSP keystore
> >
> > 3. WSC
> >
> > If I use UT_Port, everything goes well. If I use UTEncrypted_Port, I am
> > getting the following error messages on the WSC and WSP side. So, I decided to
> > fully satisfy the certificate requirements - STS has both WSP and WSC certs, WSP has
> > both STS and WSC certs, WSC has both STS and WSP certs. But it didn't change
> > anything. Could someone tell me what the additional requirement is for
> > UTEncrypted_Port compared to UT_Port? This is my first time using
> > UTEncrypted_Port.
> >
> >
> > ------------------------- Start of WSC Error Message --------------------------
> > Jul 17, 2012 2:54:56 PM org.apache.cxf.ws.addressing.soap.MAPCodec restoreExchange
> > WARNING: Response message does not contain WS-Addressing properties.  Not correlating response.
> > Jul 17, 2012 2:54:56 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
> > WARNING: Request does not contain Security header, but it's a fault.
> > Jul 17, 2012 2:54:56 PM org.apache.cxf.ws.addressing.ContextUtils retrieveMAPs
> > WARNING: WS-Addressing - failed to retrieve Message Addressing Properties from context
> > Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: The signature or decryption was invalid
> >         at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:156)
> >         at $Proxy26.doubleIt(Unknown Source)
> >         at client.WSClient.doubleIt(WSClient.java:18)
> >         at client.WSClient.main(WSClient.java:11)
> > Caused by: org.apache.cxf.binding.soap.SoapFault: The signature or decryption was invalid
> >         at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:75)
> >         at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:46)
> >         at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:35)
> >         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
> >         at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:112)
> >         at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
> >         at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
> >         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
> >         at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:798)
> >         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1693)
> >         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1529)
> >         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1437)
> >         at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
> >         at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:660)
> >         at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
> >         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
> >         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:531)
> >         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
> >         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
> >         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
> >         at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89)
> >         at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
> >         ... 3 more
> > [INFO]
> > ------------------------------------------------------------------------
> > [INFO] BUILD FAILURE
> >
> > ------------------------- End of WSC Error ----------------------------
> >
> >
> >
> > ----------------------- Start of WSP Error -----------------------------
> >
> > WARNING:
> > org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
> >         at org.apache.ws.security.processor.ReferenceListProcessor.decryptEncryptedData(ReferenceListProcessor.java:314)
> >         at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:172)
> >         at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:100)
> >         at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:60)
> >         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
> >         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
> >         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:97)
> >         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
> >         at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
> >         at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:211)
> >         at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
> >         at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:193)
> >         at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:130)
> >         at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:221)
> >         at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:141)
> >         at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
> >         at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:197)
> >         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
> >         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
> >         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
> >         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
> >         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
> >         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
> >         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
> >         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
> >         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
> >         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
> >         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
> >         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
> >         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
> >         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
> >         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
> >         at java.lang.Thread.run(Thread.java:662)
> > Caused by: org.apache.xml.security.encryption.XMLEncryptionException: Given final block not properly padded
> > Original Exception was javax.crypto.BadPaddingException: Given final block not properly padded
> >         at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1766)
> >         at org.apache.xml.security.encryption.XMLCipher.decryptElement(XMLCipher.java:1612)
> >         at org.apache.xml.security.encryption.XMLCipher.decryptElementContent(XMLCipher.java:1650)
> >         at org.apache.xml.security.encryption.XMLCipher.doFinal(XMLCipher.java:978)
> >         at org.apache.ws.security.processor.ReferenceListProcessor.decryptEncryptedData(ReferenceListProcessor.java:312)
> >         ... 32 more
> > Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
> >         at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
> >         at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
> >         at com.sun.crypto.provider.AESCipher.engineDoFinal(DashoA13*..)
> >         at javax.crypto.Cipher.doFinal(DashoA13*..)
> >         at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1762)
> >         ... 36 more
> >
> > Jul 17, 2012 11:56:11 AM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
> > WARNING: Interceptor for {http://www.example.org/contract/DoubleIt}DoubleItService has thrown exception, unwinding now
> > org.apache.cxf.binding.soap.SoapFault: The signature or decryption was invalid
> >         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:780)
> >         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:357)
> >         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:97)
> >         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
> >         at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
> >         at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:211)
> >         at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
> >         at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:193)
> >         at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:130)
> >         at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:221)
> >         at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:141)
> >         at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
> >         at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:197)
> >         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
> >         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
> >         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
> >         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
> >         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
> >         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
> >         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
> >         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
> >         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
> >         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
> >         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
> >         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
> >         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
> >         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
> >         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
> >         at java.lang.Thread.run(Thread.java:662)
> > Caused by: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
> >         at org.apache.ws.security.processor.ReferenceListProcessor.decryptEncryptedData(ReferenceListProcessor.java:314)
> >         at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:172)
> >         at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:100)
> >         at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:60)
> >         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
> >         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
> >         ... 27 more
> > Caused by: org.apache.xml.security.encryption.XMLEncryptionException: Given final block not properly padded
> > Original Exception was javax.crypto.BadPaddingException: Given final block not properly padded
> >         at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1766)
> >         at org.apache.xml.security.encryption.XMLCipher.decryptElement(XMLCipher.java:1612)
> >         at org.apache.xml.security.encryption.XMLCipher.decryptElementContent(XMLCipher.java:1650)
> >         at org.apache.xml.security.encryption.XMLCipher.doFinal(XMLCipher.java:978)
> >         at org.apache.ws.security.processor.ReferenceListProcessor.decryptEncryptedData(ReferenceListProcessor.java:312)
> >         ... 32 more
> > Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
> >         at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
> >         at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
> >         at com.sun.crypto.provider.AESCipher.engineDoFinal(DashoA13*..)
> >         at javax.crypto.Cipher.doFinal(DashoA13*..)
> >         at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1762)
> >         ... 36 more
> >
> >
> >
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
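The request-side override Colm describes, as an added example that is not part of the original thread and is not CXF's own code: the client builds a WS-Trust 1.3 RequestSecurityToken that optionally carries <wst:EncryptionAlgorithm> and <wst:KeyWrapAlgorithm>, and the STS side resolves the algorithms it will actually use, taking a requested value over the configured default. The two defaults are the URIs from the encProperties bean in the thread; the accepted-algorithm sets, the element names used for the fallback, and the refuse-rather-than-downgrade behaviour are assumptions of this example, not a description of how CXF's STS resolves them. The allowlist is the check a practitioner would want here: rsa-1_5 is RSA PKCS#1 v1.5 key transport, the weaker of the two key-wrap choices and the one exposed to Bleichenbacher-style padding-oracle attacks, so an STS should honour it only where the OAEP problem on a particular JDK leaves no alternative, and should never let a client request steer it to an algorithm outside an explicit list.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# WS-Trust 1.3 namespace (the one the CXF STS speaks) and the XML Encryption
# algorithm URI prefix.
WST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
XMLENC = "http://www.w3.org/2001/04/xmlenc#"

# STS-side defaults, mirroring the values in the thread's "encProperties" bean.
DEFAULT_ENCRYPTION_ALGORITHM = XMLENC + "aes128-cbc"
DEFAULT_KEY_WRAP_ALGORITHM = XMLENC + "rsa-oaep-mgf1p"

# Assumed STS policy (not from the thread): the only algorithms the STS will
# honour when a client asks for something other than the default. rsa-1_5 is
# kept here purely as the JDK workaround the thread mentions.
ACCEPTED_ENCRYPTION_ALGORITHMS = frozenset({
    XMLENC + "aes128-cbc",
    XMLENC + "aes256-cbc",
})
ACCEPTED_KEY_WRAP_ALGORITHMS = frozenset({
    XMLENC + "rsa-oaep-mgf1p",
    XMLENC + "rsa-1_5",
})


def build_rst(encryption_algorithm: Optional[str] = None,
              key_wrap_algorithm: Optional[str] = None) -> str:
    """Client side: a minimal Issue RequestSecurityToken, constructed for this
    example. The two algorithm elements are emitted only when the client wants
    to override the STS defaults."""
    parts = [
        f'<wst:RequestSecurityToken xmlns:wst="{WST_NS}">',
        f"  <wst:RequestType>{WST_NS}/Issue</wst:RequestType>",
    ]
    if encryption_algorithm:
        parts.append(f"  <wst:EncryptionAlgorithm>{encryption_algorithm}"
                     "</wst:EncryptionAlgorithm>")
    if key_wrap_algorithm:
        parts.append(f"  <wst:KeyWrapAlgorithm>{key_wrap_algorithm}"
                     "</wst:KeyWrapAlgorithm>")
    parts.append("</wst:RequestSecurityToken>")
    return "\n".join(parts)


def select_algorithms(rst_xml: str) -> Tuple[str, str]:
    """STS side: decide which algorithms encrypt the issued token.
    A value carried in the request wins over the configured default, but only
    if it is on the accepted list; anything else is refused outright rather
    than silently replaced by the default, so a client cannot probe for
    whatever the STS happens to fall back to."""
    root = ET.fromstring(rst_xml)
    requested_enc = root.findtext(f"{{{WST_NS}}}EncryptionAlgorithm")
    requested_kw = root.findtext(f"{{{WST_NS}}}KeyWrapAlgorithm")

    # findtext() returns None for a missing element and "" for an empty one;
    # both mean "use the default".
    enc = (requested_enc or "").strip() or DEFAULT_ENCRYPTION_ALGORITHM
    kw = (requested_kw or "").strip() or DEFAULT_KEY_WRAP_ALGORITHM

    if enc not in ACCEPTED_ENCRYPTION_ALGORITHMS:
        raise ValueError(f"EncryptionAlgorithm not accepted: {enc}")
    if kw not in ACCEPTED_KEY_WRAP_ALGORITHMS:
        raise ValueError(f"KeyWrapAlgorithm not accepted: {kw}")
    return enc, kw


if __name__ == "__main__":
    # No override in the request: the bean defaults apply.
    print(select_algorithms(build_rst()))
    # Client asks for the rsa-1_5 key wrap that the thread suggests as a
    # workaround; the STS honours it because it is on the allowlist.
    print(select_algorithms(build_rst(key_wrap_algorithm=XMLENC + "rsa-1_5")))
    # Client asks for an algorithm outside the allowlist: refused.
    try:
        select_algorithms(build_rst(encryption_algorithm=XMLENC + "tripledes-cbc"))
    except ValueError as err:
        print("refused:", err)
```

Running the block prints the default pair, then the pair with rsa-1_5 substituted for the key wrap, then the refusal for tripledes-cbc. The same shape applies if the STS must serve several WSPs with different algorithm needs: keep one default per property and let each client's RST pick from the accepted set, rather than maintaining one endpoint per algorithm combination.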
