Hi All -- Running into a problem on the server implementation (a cxf soap server) of asymmetric encryption. The intention is the soap body is to be encrypted with the server's public key. The client (also using cxf) seems to be encrypting the message body ok.
On receipt of the message, the server implementation raises an exception, with the reason the alias is null. Here's the stack: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid; nested exception is: java.lang.Exception: alias is null at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:330) at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:104) at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:84) at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326) at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243) at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:198) at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77) at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236) at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:104) at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:302) … Caused by: java.lang.Exception: alias is null at org.apache.ws.security.components.crypto.CryptoBase.getPrivateKey(CryptoBase.java:207) at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:328) ... 22 more I added some println statements to the password callback on the server side to print out the type and id: *** password callback type 1 class org.apache.ws.security.WSPasswordCallback *** password callback id null The API is used to configure CXF and WSS4j and not the xml configuration. The messages are not being signed, nor are timestamps being used, just encryption/decryption, ep is the endpointimpl : Map<String,Object> inProps1 = new HashMap<String,Object>(); inProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT); inProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordCallbackHandler.class.getName()); inProps1.put(WSHandlerConstants.DEC_PROP_FILE, "server-security.properties"); inProps1.put(WSHandlerConstants.USER, "clientkey"); ep.getServer().getEndpoint().getInInterceptors().add(new WSS4JInInterceptor(inProps1)); And the properties file is: org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin org.apache.ws.security.crypto.merlin.keystore.type=jks org.apache.ws.security.crypto.merlin.keystore.password=storepass org.apache.ws.security.crypto.merlin.keystore.alias=clientkey org.apache.ws.security.crypto.merlin.keystore.file=src/main/keystores/server-encypt.jks The server cert is self signed: $ keytool -genkey -alias umpservice -keyalg RSA -sigalg SHA1withRSA -keypass ump-pass -storepass dummy-service -keystore server-encypt.jks -dname cn=localhost $ keytool -genkey -alias clientkey -keyalg RSA -sigalg SHA1withRSA -keypass client-pass -storepass dummy-service -keystore ump-stub-keystore.jks -dname cn=umpd and the certificate was exported using the following: $ keytool -export -rfc -keystore ump-stub-keystore.jks -storepass dummy-service -keypass client-pass -alias clientkey -file client-cert.cer This is the WSDL extract: <wsp:Policy wsu:Id="AsymEncryption" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"> <wsp:ExactlyOne> <wsp:All> <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> <wsp:Policy> <sp:InitiatorToken> <wsp:Policy> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> <wsp:Policy> <!-- <sp:RequireThumbprintReference/> --> </wsp:Policy> </sp:X509Token> </wsp:Policy> </sp:InitiatorToken> <sp:RecipientToken> <wsp:Policy> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"> <wsp:Policy> <!-- <sp:RequireThumbprintReference/> --> </wsp:Policy> </sp:X509Token> </wsp:Policy> </sp:RecipientToken> <sp:AlgorithmSuite> <wsp:Policy> <sp:TripleDesRsa15/> </wsp:Policy> </sp:AlgorithmSuite> <sp:Layout> <wsp:Policy> <sp:Strict/> </wsp:Policy> </sp:Layout> <!-- <sp:IncludeTimestamp/> <sp:OnlySignEntireHeadersAndBody/> --> </wsp:Policy> </sp:AsymmetricBinding> <sp:EncryptedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> <sp:Body/> </sp:EncryptedParts> </wsp:All> </wsp:ExactlyOne> </wsp:Policy> … <wsdl:binding name="CollectionImplServiceSoapBinding" type="tns:CollectionService"> <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" URI="#AsymEncryption"/> And this is the incoming message: <output> INFO: Inbound Message ---------------------------- ID: 1 Address: /FooWS/services/Collection/ Encoding: UTF-8 Content-Type: text/xml; charset=UTF-8 Headers: {content-type=[text/xml; charset=UTF-8], connection=[keep-alive], Host=[localhost:9198], Content-Length=[2549], SOAPAction=[""], User-Agent=[Apache CXF 2.2.3], Content-Type=[text/xml; charset=U TF-8], Accept=[*/*], Pragma=[no-cache], Cache-Control=[no-cache]} Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><soap:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/ 01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1"><xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncKeyId-A77755F726FB2C832813189733820252"><xenc:EncryptionMe thod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" /><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><ds:X509Data> <ds:X509IssuerSerial> <ds:X509IssuerName>CN=umpd</ds:X509IssuerName> <ds:X509SerialNumber>1316785867</ds:X509SerialNumber> </ds:X509IssuerSerial> </ds:X509Data></wsse:SecurityTokenReference> </ds:KeyInfo><xenc:CipherData><xenc:CipherValue>FlnDsQHOdVw0AOZualC9D6HvNIl7Hr2zXqf6YTZV5c28QzhwsJnZHLrL49dVPeq0TGT5QeRylc5lSfkUnWqwLoRs/N7yspkktxshhz7CTu3zzqbo3f82nSAr6d7nLXaI+dsIlDAkmngV/4uOJk1TqavjZl +7XW5XtxGHihzs5Zw=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#EncDataId-1" /></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soap:Header><soap:Body><xen c:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncDataId-1" Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128- cbc" /><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-20040 1-wss-wssecurity-secext-1.0.xsd" URI="#EncKeyId-A77755F726FB2C832813189733820252" /></wsse:SecurityTokenReference> </ds:KeyInfo><xenc:CipherData><xenc:CipherValue>Gbc/CYA8k1XJhCRYO8lA7rdxoUB6X4n7ZxfFSpxg437HUUjlaIImZ9vbX+UxxOuDKgEyN8TayBQR WIl+7npAm1BkzB88XJLf3EoVQI3eJhctspIuUgj/VIoHh090fCdw3bZGPSikqXlNPzPn5BsJKa/F 7Q4MIXjgS7G7L4tBesgsNJEcBx7ftp6Slxw+iTSvudYcMQ5ZcQcl0a4o2NbohFUIc1HJhg4daq0c LwvKit9owEQyMNkVXJV/vj6swU+gx9ltbFJJ4uqnx5zCA2obxOZzk61v+VX9ctotdP3/xLr/WHtz dRPsTsM34zguG6vwRq+f1czBKtlkbaN4CxTZDvPkLgFSXX286ki452UWBIzqxaynCAL6tY1qgMYi tDbQveW+suDbu4cwN4WtUUJdWmqGAOJOeXTXsmCqEcipN/eqod75QVbqzBrTBjpywNdhdxE2aBU/ wfXa1HMwhoKw9+Ul3st6I1tpuVbi+wK7amqGIwCo8URtdJEBzbu90g1uWfSgb/iIlrIyCk6vSIlB XbLD3VZCx0nlqfaG5GZOaqz1mAxCAfnrYg5y9eGkxIMk</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope> </output> On the client side, the WSS4j is setup as: Map<String,Object> outProps1 = new HashMap<String,Object>(); outProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT); outProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientCallbackHandler.class.getName()); outProps1.put(WSHandlerConstants.ENC_PROP_FILE, "client-crypto.properties"); outProps1.put(WSHandlerConstants.ENCRYPTION_USER, "servicekey"); cxfEndpoint.getOutInterceptors().add(new WSS4JOutInterceptor(outProps1)); and the properties file is: org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin org.apache.ws.security.crypto.merlin.keystore.type=jks org.apache.ws.security.crypto.merlin.keystore.alias=servicekey org.apache.ws.security.crypto.merlin.keystore.password=clientpass org.apache.ws.security.crypto.merlin.file=src/main/keystores/client-store.jks and the cert was imported using the command: $ keytool -import -trustcacerts -keystore client-store.jks -storepass clientpass -alias servicekey -file client-cert.cer Not sure what is going wrong, but there are a lot of steps, so maybe this is a simple error on my part. The CXF version is 2.2.3, If I need to redirect this to the cxf-users list, please let me know. Thanks for the help, Aman