Hi Colm,
<<<
What error are you seeing? The default value is rsa-1_5 so it shouldn't
make any difference whether it's specified or not.
>>>
No doubt that rsa01_5 is default value. When I comment out
"encryptionProperties", client sends following SOAP request to WSP. I
abbreviated some part of request to save space. The other thing that I
noticed is encryption algorithm for Body is
"*aes256-cbc<http://www.w3.org/2001/04/xmlenc#aes256-cbc>
",* I think this is because I set SymmetricKey key size to* "256"* in WSP
wsdl file..
So, I tried following combinations, but I am getting same error message(*The
signature or decryption was invalid*) that I was getting at the
begging(detailed error message is at the end of this email).
<bean id="encProperties"
class="org.apache.cxf.sts.service.EncryptionProperties">
<property name="encryptionAlgorithm" value="
http://www.w3.org/2001/04/xmlenc#aes256-cbc"; />
<property name="keyWrapAlgorithm" value="
http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"; />
</bean>
or
<bean id="encProperties"
class="org.apache.cxf.sts.service.EncryptionProperties">
<property name="encryptionAlgorithm" value="
http://www.w3.org/2001/04/xmlenc#aes256-cbc"; />
<property name="keyWrapAlgorithm" value="
http://www.w3.org/2001/04/xmlenc#rsa-1_5"; />
</bean>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";>
<soap:Header>
<Action xmlns="http://www.w3.org/2005/08/addressing";
……………………………..
<Address>
http://www.w3.org/2005/08/addressing/anonymous</Address>
</ReplyTo>
<wsse:Security xmlns:wsse="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
"
xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
"
soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="TS-9">
<wsu:Created>2012-07-18T13:27:33.561Z</wsu:Created>
<wsu:Expires>2012-07-18T13:32:33.561Z</wsu:Expires>
</wsu:Timestamp>
<saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
AssertionID="_8FD304F766D8EC9F4913426180531752"
IssueInstant="2012-07-18T13:27:33.135Z"
Issuer="DoubleItSTSIssuer" MajorVersion="1" MinorVersion="1"
xsi:type="saml1:AssertionType">
<saml1:Conditions NotBefore="2012-07-18T13:27:33.192Z"
NotOnOrAfter="2012-07-18T13:57:33.192Z">
<saml1:AudienceRestrictionCondition>
<saml1:Audience>
https://wkengchoi.global.sdl.corp:8443/doubleit/services/doubleit</saml1:Audience
>
</saml1:AudienceRestrictionCondition>
</saml1:Conditions>
<saml1:AttributeStatement>
<saml1:Subject>
<saml1:NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="http://cxf.apache.org/sts";>
gchoi</saml1:NameIdentifier>
<saml1:SubjectConfirmation>
<saml1:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml1:ConfirmationMethod>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<xenc:EncryptedKey xmlns:xenc="
http://www.w3.org/2001/04/xmlenc#";
Id="EK-8FD304F766D8EC9F4913426180521881">
*<xenc:EncryptionMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#rsa-1_5"; />*
<ds:KeyInfo>
<wsse:SecurityTokenReference xmlns:wsse="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
">
<ds:X509Data>
…………………………………………..
</ds:Signature>
</wsse:Security>
</soap:Header>
<soap:Body xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
"
wsu:Id="Id-33117811">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";
Id="ED-11" Type="http://www.w3.org/2001/04/xmlenc#Content";>
*<xenc:EncryptionMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#aes256-cbc"; />*
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<ns3:SecurityTokenReference xmlns:ns3="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
"
xmlns:wsse11="
http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";
wsse11:TokenType="
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";>
<ns3:KeyIdentifier ValueType="
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
">
#_8FD304F766D8EC9F4913426180531752</ns3:KeyIdentifier>
</ns3:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>
N2Uccex7TOVh2BpffQu1e0KSyxSp3CAWh0iVkNeQ2FjB4GClOpd56C6zk6p39j5L8n/DoOqbBMmoufG848qQUACKfikmjqfmKQXBcaLZlFYk05BBr5myToUl7FnyJpChLlAJNNdERM2R5Z2eHz1GhYEIm3uS3Xz5UFzX/M0bE9KtaLkhP4CfQWTP/hskcDmg</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soap:Body>
</soap:Envelope>
Following is error message on WSP side.
Jul 18, 2012 9:24:55 AM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
handleMessage
WARNING:
*org.apache.ws.security.WSSecurityException: The signature or decryption
was invalid*
at
org.apache.ws.security.processor.ReferenceListProcessor.decryptEncryptedData(ReferenceListProcessor.java:314)
at
org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:172)
at
org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:100)
at
org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:60)
at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:97)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at
org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:211)
at
org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
at
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:193)
at
org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:130)
at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:221)
at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:141)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:197)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
*Caused by: org.apache.xml.security.encryption.XMLEncryptionException:
Given final block not properly padded*
Original Exception was javax.crypto.BadPaddingException: Given final block
not properly padded
at
org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1766)
at
org.apache.xml.security.encryption.XMLCipher.decryptElement(XMLCipher.java:1612)
at
org.apache.xml.security.encryption.XMLCipher.decryptElementContent(XMLCipher.java:1650)
at
org.apache.xml.security.encryption.XMLCipher.doFinal(XMLCipher.java:978)
at
org.apache.ws.security.processor.ReferenceListProcessor.decryptEncryptedData(ReferenceListProcessor.java:312)
... 32 more
Caused by: javax.crypto.BadPaddingException: Given final block not properly
padded
at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
at com.sun.crypto.provider.AESCipher.engineDoFinal(DashoA13*..)
at javax.crypto.Cipher.doFinal(DashoA13*..)
at
org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1762)
... 36 more
Jul 18, 2012 9:24:55 AM org.apache.cxf.phase.PhaseInterceptorChain
doDefaultLogging
WARNING: Interceptor for {
http://www.example.org/contract/DoubleIt}DoubleItService has thrown
exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: The signature or decryption was
invalid
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:780)
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:357)
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:97)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at
org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:211)
at
org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
at
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:193)
at
org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:130)
at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:221)
at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:141)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:197)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
Caused by: org.apache.ws.security.WSSecurityException: The signature or
decryption was invalid
at
org.apache.ws.security.processor.ReferenceListProcessor.decryptEncryptedData(ReferenceListProcessor.java:314)
at
org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:172)
at
org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:100)
at
org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:60)
at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
... 27 more
*Caused by: org.apache.xml.security.encryption.XMLEncryptionException:
Given final block not properly padded*
Original Exception was javax.crypto.BadPaddingException: Given final block
not properly padded
at
org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1766)
at
org.apache.xml.security.encryption.XMLCipher.decryptElement(XMLCipher.java:1612)
at
org.apache.xml.security.encryption.XMLCipher.decryptElementContent(XMLCipher.java:1650)
at
org.apache.xml.security.encryption.XMLCipher.doFinal(XMLCipher.java:978)
at
org.apache.ws.security.processor.ReferenceListProcessor.decryptEncryptedData(ReferenceListProcessor.java:312)
... 32 more
Caused by: javax.crypto.BadPaddingException: Given final block not properly
padded
at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
at com.sun.crypto.provider.AESCipher.engineDoFinal(DashoA13*..)
at javax.crypto.Cipher.doFinal(DashoA13*..)
at
org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1762)
... 36 more
Jul 18, 2012 9:24:55 AM
org.apache.cxf.services.DoubleItService.DoubleItPort.DoubleItPortType
INFO: Outbound Message
