Hi All -- 

Running into a problem on the server implementation (a CXF SOAP server) of 
asymmetric encryption.  The intention is that the SOAP body is encrypted with 
the server's public key. The client (also using CXF) seems to be encrypting the 
message body OK.

On receipt of the message, the server implementation raises an exception, with 
the reason that the alias is null.  Here's the stack:

org.apache.ws.security.WSSecurityException: The signature or decryption was invalid; nested exception is: 
        java.lang.Exception: alias is null
        at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:330)
        at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:104)
        at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:84)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:198)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:104)
        at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:302)
…
Caused by: java.lang.Exception: alias is null
        at org.apache.ws.security.components.crypto.CryptoBase.getPrivateKey(CryptoBase.java:207)
        at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:328)
        ... 22 more

I added some println statements to the password callback on the server side to 
print out the type and id:

        *** password callback type 1 class org.apache.ws.security.WSPasswordCallback
        *** password callback id null

CXF and WSS4J are configured through the API rather than the XML configuration. The 
messages are not being signed, nor are timestamps being used, just 
encryption/decryption; ep is the EndpointImpl:

        // Inbound (server side) WSS4J setup: decryption only
        Map<String,Object> inProps1 = new HashMap<String,Object>();
        inProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
        inProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordCallbackHandler.class.getName());
        inProps1.put(WSHandlerConstants.DEC_PROP_FILE, "server-security.properties");
        inProps1.put(WSHandlerConstants.USER, "clientkey");

        ep.getServer().getEndpoint().getInInterceptors().add(new WSS4JInInterceptor(inProps1));

And the properties file is:

        org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
        org.apache.ws.security.crypto.merlin.keystore.type=jks
        org.apache.ws.security.crypto.merlin.keystore.password=storepass
        org.apache.ws.security.crypto.merlin.keystore.alias=clientkey
        org.apache.ws.security.crypto.merlin.keystore.file=src/main/keystores/server-encypt.jks

The server cert is self-signed: 

        $ keytool -genkey -alias umpservice -keyalg RSA -sigalg SHA1withRSA -keypass ump-pass -storepass dummy-service -keystore server-encypt.jks -dname cn=localhost
        $ keytool -genkey -alias clientkey -keyalg RSA -sigalg SHA1withRSA -keypass client-pass -storepass dummy-service -keystore ump-stub-keystore.jks -dname cn=umpd

and the certificate was exported using the following:

        $ keytool -export -rfc -keystore ump-stub-keystore.jks -storepass dummy-service -keypass client-pass -alias clientkey -file client-cert.cer

This is the WSDL extract:

  <wsp:Policy wsu:Id="AsymEncryption"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
              xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:InitiatorToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                  <wsp:Policy>
                  <!-- <sp:RequireThumbprintReference/> -->
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:InitiatorToken>

            <sp:RecipientToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                  <wsp:Policy>
                    <!-- <sp:RequireThumbprintReference/> -->
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:RecipientToken>

            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:TripleDesRsa15/>
              </wsp:Policy>
            </sp:AlgorithmSuite>

            <sp:Layout>
              <wsp:Policy>
                <sp:Strict/>
              </wsp:Policy>
            </sp:Layout>

<!--            <sp:IncludeTimestamp/>
            <sp:OnlySignEntireHeadersAndBody/>
-->
          </wsp:Policy>
        </sp:AsymmetricBinding>

        <sp:EncryptedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <sp:Body/>
        </sp:EncryptedParts>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>

…
  <wsdl:binding name="CollectionImplServiceSoapBinding" type="tns:CollectionService">
      <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                           URI="#AsymEncryption"/>


And this is the incoming message:

<output>

        INFO: Inbound Message
        ----------------------------
        ID: 1
        Address: /FooWS/services/Collection/
        Encoding: UTF-8
        Content-Type: text/xml; charset=UTF-8
        Headers: {content-type=[text/xml; charset=UTF-8], connection=[keep-alive], Host=[localhost:9198], Content-Length=[2549], SOAPAction=[""], User-Agent=[Apache CXF 2.2.3], Content-Type=[text/xml; charset=UTF-8], Accept=[*/*], Pragma=[no-cache], Cache-Control=[no-cache]}
        Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><soap:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1"><xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncKeyId-A77755F726FB2C832813189733820252"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" /><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=umpd</ds:X509IssuerName>
<ds:X509SerialNumber>1316785867</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data></wsse:SecurityTokenReference>
</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>FlnDsQHOdVw0AOZualC9D6HvNIl7Hr2zXqf6YTZV5c28QzhwsJnZHLrL49dVPeq0TGT5QeRylc5lSfkUnWqwLoRs/N7yspkktxshhz7CTu3zzqbo3f82nSAr6d7nLXaI+dsIlDAkmngV/4uOJk1TqavjZl
+7XW5XtxGHihzs5Zw=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#EncDataId-1" /></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soap:Header><soap:Body><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncDataId-1" Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" /><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#EncKeyId-A77755F726FB2C832813189733820252" /></wsse:SecurityTokenReference>
</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>Gbc/CYA8k1XJhCRYO8lA7rdxoUB6X4n7ZxfFSpxg437HUUjlaIImZ9vbX+UxxOuDKgEyN8TayBQR
WIl+7npAm1BkzB88XJLf3EoVQI3eJhctspIuUgj/VIoHh090fCdw3bZGPSikqXlNPzPn5BsJKa/F
7Q4MIXjgS7G7L4tBesgsNJEcBx7ftp6Slxw+iTSvudYcMQ5ZcQcl0a4o2NbohFUIc1HJhg4daq0c
LwvKit9owEQyMNkVXJV/vj6swU+gx9ltbFJJ4uqnx5zCA2obxOZzk61v+VX9ctotdP3/xLr/WHtz
dRPsTsM34zguG6vwRq+f1czBKtlkbaN4CxTZDvPkLgFSXX286ki452UWBIzqxaynCAL6tY1qgMYi
tDbQveW+suDbu4cwN4WtUUJdWmqGAOJOeXTXsmCqEcipN/eqod75QVbqzBrTBjpywNdhdxE2aBU/
wfXa1HMwhoKw9+Ul3st6I1tpuVbi+wK7amqGIwCo8URtdJEBzbu90g1uWfSgb/iIlrIyCk6vSIlB
XbLD3VZCx0nlqfaG5GZOaqz1mAxCAfnrYg5y9eGkxIMk</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope>


</output>


On the client side, WSS4J is set up as:

        // Outbound (client side) WSS4J setup: encrypt the body for the ENCRYPTION_USER's certificate
        Map<String,Object> outProps1 = new HashMap<String,Object>();
        outProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
        outProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientCallbackHandler.class.getName());
        outProps1.put(WSHandlerConstants.ENC_PROP_FILE, "client-crypto.properties");
        outProps1.put(WSHandlerConstants.ENCRYPTION_USER, "servicekey");

        cxfEndpoint.getOutInterceptors().add(new WSS4JOutInterceptor(outProps1));
        
and the properties file is:

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.alias=servicekey
org.apache.ws.security.crypto.merlin.keystore.password=clientpass
org.apache.ws.security.crypto.merlin.file=src/main/keystores/client-store.jks

and the cert was imported using the command:

        $ keytool -import -trustcacerts -keystore client-store.jks -storepass clientpass -alias servicekey -file client-cert.cer

Not sure what is going wrong, but there are a lot of steps, so maybe this is a 
simple error on my part.

The CXF version is 2.2.3. If I need to redirect this to the cxf-users list, 
please let me know.  

Thanks for the help,

Aman 
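An added diagnostic for the failure described in this post (editor's example; it is not code from the post, from CXF or from WSS4J). The stack trace shows EncryptedKeyProcessor asking CryptoBase.getPrivateKey for an alias it never found, and the captured message shows that the client identified the recipient key by X509IssuerSerial (CN=umpd, serial 1316785867). The class below repeats that resolution step outside the server: it parses the inbound envelope, takes the issuer and serial from the EncryptedKey's KeyInfo, opens the keystore named in the Merlin properties file, and reports which private-key entry (if any) carries a certificate with that issuer and serial. The class name, the REMOVED cipher-text placeholder in the constructed sample envelope and the command-line arguments are this example's own assumptions; the property names are the standard Merlin ones, and both spellings of the keystore-file property are read because WSS4J releases differ on which one they use.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Properties;
import javax.security.auth.x500.X500Principal;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added diagnostic, not CXF or WSS4J code. It repeats the lookup WSS4J does before
// decrypting: read the X509IssuerSerial from the inbound EncryptedKey and find the
// private-key entry in the Merlin keystore whose certificate carries that issuer and
// serial. If nothing matches there is no alias to hand to the password callback.
public class EncryptedKeyAliasCheck {
    static final String DSIG = "http://www.w3.org/2000/09/xmldsig#";
    static final String XENC = "http://www.w3.org/2001/04/xmlenc#";
    static final String MERLIN = "org.apache.ws.security.crypto.merlin.";

    // Constructed sample: the captured EncryptedKey header with the cipher text removed.
    static final String SAMPLE_ENVELOPE =
        "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Header>"
      + "<wsse:Security xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\">"
      + "<xenc:EncryptedKey xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\" Id=\"EncKeyId-1\">"
      + "<xenc:EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-1_5\"/>"
      + "<ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><wsse:SecurityTokenReference><ds:X509Data>"
      + "<ds:X509IssuerSerial><ds:X509IssuerName>CN=umpd</ds:X509IssuerName>"
      + "<ds:X509SerialNumber>1316785867</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data>"
      + "</wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>REMOVED"
      + "</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></wsse:Security></soap:Header>"
      + "<soap:Body/></soap:Envelope>";

    // Returns {issuerName, serialNumber} from the first xenc:EncryptedKey in the header.
    static String[] referencedKey(String soapXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The envelope came off the wire: refuse DTDs and external entities before parsing.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(soapXml.getBytes(StandardCharsets.UTF_8)));
        NodeList keys = doc.getElementsByTagNameNS(XENC, "EncryptedKey");
        if (keys.getLength() == 0) throw new IllegalStateException("no xenc:EncryptedKey in the header");
        Element encKey = (Element) keys.item(0);
        NodeList names = encKey.getElementsByTagNameNS(DSIG, "X509IssuerName");
        NodeList serials = encKey.getElementsByTagNameNS(DSIG, "X509SerialNumber");
        if (names.getLength() == 0 || serials.getLength() == 0)
            throw new IllegalStateException("EncryptedKey does not reference its key by IssuerSerial");
        return new String[] { names.item(0).getTextContent().trim(), serials.item(0).getTextContent().trim() };
    }

    // Opens the keystore the Merlin properties point at; both file property names are
    // accepted because different WSS4J releases read different ones.
    static KeyStore loadMerlinKeystore(Properties p) throws Exception {
        String file = p.getProperty(MERLIN + "keystore.file", p.getProperty(MERLIN + "file"));
        if (file == null) throw new IllegalStateException("no keystore file property set");
        String password = p.getProperty(MERLIN + "keystore.password");
        KeyStore ks = KeyStore.getInstance(p.getProperty(MERLIN + "keystore.type", "jks"));
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, password == null ? null : password.toCharArray());
        }
        return ks;
    }

    // Alias of the private-key entry whose certificate matches issuer and serial, or null.
    static String resolveAlias(KeyStore ks, String issuerName, String serialNumber) throws Exception {
        X500Principal issuer = new X500Principal(issuerName);
        BigInteger serial = new BigInteger(serialNumber);
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;   // trusted-cert entries carry no private key
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                if (x.getIssuerX500Principal().equals(issuer) && x.getSerialNumber().equals(serial)) return alias;
            }
        }
        return null;
    }

    // Usage: java EncryptedKeyAliasCheck server-security.properties [captured-envelope.xml]
    public static void main(String[] args) throws Exception {
        Properties p = new Properties();
        try (InputStream in = new FileInputStream(args[0])) { p.load(in); }
        String envelope = args.length > 1
            ? new String(Files.readAllBytes(Paths.get(args[1])), StandardCharsets.UTF_8) : SAMPLE_ENVELOPE;
        String[] ref = referencedKey(envelope);
        String alias = resolveAlias(loadMerlinKeystore(p), ref[0], ref[1]);
        System.out.println("EncryptedKey references issuer=" + ref[0] + " serial=" + ref[1]);
        System.out.println("keystore.alias in properties: " + p.getProperty(MERLIN + "keystore.alias"));
        System.out.println("private-key alias matching the reference: " + (alias == null ? "none" : alias));
    }
}
```

Point it at the decryption properties file (the one DEC_PROP_FILE names) and, optionally, a file holding the logged payload. The check only counts key entries, because a certificate imported with -import -trustcacerts can be used to encrypt for someone but never to decrypt, and it ignores the configured keystore.alias on purpose: with an IssuerSerial reference the decrypting side derives the alias from the certificate match, so the properties alias cannot substitute for a keystore that lacks the matching private key. Run it against each keystore the server could plausibly be loading; the one in which it prints an alias other than "none" is the one that has to be behind the server's Merlin configuration.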
