Whatever I need to run the test-case. Colm.
On Wed, Oct 19, 2011 at 10:08 AM, aman kohli <aman.ko...@gmail.com> wrote:
> Sure. You want the maven scripts and everything too?
>
> Thanks
>
> Aman
>
> On 19 Oct 2011, at 09:35, Colm O hEigeartaigh <cohei...@apache.org> wrote:
>
>> Hi Aman,
>>
>> Could you create a test-case and attach it to a JIRA (in CXF?).
>>
>> Colm.
>>
>> On Tue, Oct 18, 2011 at 10:47 PM, aman kohli <ako...@yahoo.com> wrote:
>>> Hi All --
>>>
>>> Running into a problem on the server implementation (a CXF SOAP server) of
>>> asymmetric encryption. The intention is that the SOAP body is encrypted
>>> with the server's public key. The client (also using CXF) seems to be
>>> encrypting the message body OK.
>>>
>>> On receipt of the message, the server implementation raises an exception,
>>> with the reason that the alias is null. Here's the stack:
>>>
>>> org.apache.ws.security.WSSecurityException: The signature or decryption was invalid; nested exception is:
>>> java.lang.Exception: alias is null
>>>     at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:330)
>>>     at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:104)
>>>     at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:84)
>>>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
>>>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
>>>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:198)
>>>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
>>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
>>>     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:104)
>>>     at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:302)
>>>     …
>>> Caused by: java.lang.Exception: alias is null
>>>     at org.apache.ws.security.components.crypto.CryptoBase.getPrivateKey(CryptoBase.java:207)
>>>     at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:328)
>>>     ... 22 more
>>>
>>> I added some println statements to the password callback on the server side
>>> to print out the type and id:
>>>
>>> *** password callback type 1 class org.apache.ws.security.WSPasswordCallback
>>> *** password callback id null
>>>
>>> The API is used to configure CXF and WSS4J, not the XML configuration.
>>> The messages are not being signed, nor are timestamps being used, just
>>> encryption/decryption. ep is the EndpointImpl:
>>>
>>> Map<String,Object> inProps1 = new HashMap<String,Object>();
>>> inProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
>>> inProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordCallbackHandler.class.getName());
>>> inProps1.put(WSHandlerConstants.DEC_PROP_FILE, "server-security.properties");
>>> inProps1.put(WSHandlerConstants.USER, "clientkey");
>>>
>>> ep.getServer().getEndpoint().getInInterceptors().add(new WSS4JInInterceptor(inProps1));
>>>
>>> And the properties file is:
>>>
>>> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
>>> org.apache.ws.security.crypto.merlin.keystore.type=jks
>>> org.apache.ws.security.crypto.merlin.keystore.password=storepass
>>> org.apache.ws.security.crypto.merlin.keystore.alias=clientkey
>>> org.apache.ws.security.crypto.merlin.keystore.file=src/main/keystores/server-encypt.jks
>>>
>>> The server cert is self-signed:
>>>
>>> $ keytool -genkey -alias umpservice -keyalg RSA -sigalg SHA1withRSA -keypass ump-pass -storepass dummy-service -keystore server-encypt.jks -dname cn=localhost
>>> $ keytool -genkey -alias clientkey -keyalg RSA -sigalg SHA1withRSA -keypass client-pass -storepass dummy-service -keystore ump-stub-keystore.jks -dname cn=umpd
>>>
>>> and the certificate was exported using the following:
>>>
>>> $ keytool -export -rfc -keystore ump-stub-keystore.jks -storepass dummy-service -keypass client-pass -alias clientkey -file client-cert.cer
>>>
>>> This is the WSDL extract:
>>>
>>> <wsp:Policy wsu:Id="AsymEncryption"
>>>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>>>   <wsp:ExactlyOne>
>>>     <wsp:All>
>>>       <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>>         <wsp:Policy>
>>>           <sp:InitiatorToken>
>>>             <wsp:Policy>
>>>               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>>>                 <wsp:Policy>
>>>                   <!-- <sp:RequireThumbprintReference/> -->
>>>                 </wsp:Policy>
>>>               </sp:X509Token>
>>>             </wsp:Policy>
>>>           </sp:InitiatorToken>
>>>
>>>           <sp:RecipientToken>
>>>             <wsp:Policy>
>>>               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>>>                 <wsp:Policy>
>>>                   <!-- <sp:RequireThumbprintReference/> -->
>>>                 </wsp:Policy>
>>>               </sp:X509Token>
>>>             </wsp:Policy>
>>>           </sp:RecipientToken>
>>>
>>>           <sp:AlgorithmSuite>
>>>             <wsp:Policy>
>>>               <sp:TripleDesRsa15/>
>>>             </wsp:Policy>
>>>           </sp:AlgorithmSuite>
>>>
>>>           <sp:Layout>
>>>             <wsp:Policy>
>>>               <sp:Strict/>
>>>             </wsp:Policy>
>>>           </sp:Layout>
>>>
>>>           <!-- <sp:IncludeTimestamp/>
>>>                <sp:OnlySignEntireHeadersAndBody/>
>>>           -->
>>>         </wsp:Policy>
>>>       </sp:AsymmetricBinding>
>>>
>>>       <sp:EncryptedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>>         <sp:Body/>
>>>       </sp:EncryptedParts>
>>>     </wsp:All>
>>>   </wsp:ExactlyOne>
>>> </wsp:Policy>
>>>
>>> …
>>> <wsdl:binding name="CollectionImplServiceSoapBinding" type="tns:CollectionService">
>>>   <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" URI="#AsymEncryption"/>
>>>
>>> And this is the incoming message:
>>>
>>> <output>
>>> INFO: Inbound Message
>>> ----------------------------
>>> ID: 1
>>> Address: /FooWS/services/Collection/
>>> Encoding: UTF-8
>>> Content-Type: text/xml; charset=UTF-8
>>> Headers: {content-type=[text/xml; charset=UTF-8], connection=[keep-alive], Host=[localhost:9198], Content-Length=[2549], SOAPAction=[""], User-Agent=[Apache CXF 2.2.3], Content-Type=[text/xml; charset=UTF-8], Accept=[*/*], Pragma=[no-cache], Cache-Control=[no-cache]}
>>> Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>>>   <soap:Header>
>>>     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
>>>       <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncKeyId-A77755F726FB2C832813189733820252">
>>>         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
>>>         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>           <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>>             <ds:X509Data>
>>>               <ds:X509IssuerSerial>
>>>                 <ds:X509IssuerName>CN=umpd</ds:X509IssuerName>
>>>                 <ds:X509SerialNumber>1316785867</ds:X509SerialNumber>
>>>               </ds:X509IssuerSerial>
>>>             </ds:X509Data>
>>>           </wsse:SecurityTokenReference>
>>>         </ds:KeyInfo>
>>>         <xenc:CipherData><xenc:CipherValue>FlnDsQHOdVw0AOZualC9D6HvNIl7Hr2zXqf6YTZV5c28QzhwsJnZHLrL49dVPeq0TGT5QeRylc5lSfkUnWqwLoRs/N7yspkktxshhz7CTu3zzqbo3f82nSAr6d7nLXaI+dsIlDAkmngV/4uOJk1TqavjZl
>>> +7XW5XtxGHihzs5Zw=</xenc:CipherValue></xenc:CipherData>
>>>         <xenc:ReferenceList><xenc:DataReference URI="#EncDataId-1" /></xenc:ReferenceList>
>>>       </xenc:EncryptedKey>
>>>     </wsse:Security>
>>>   </soap:Header>
>>>   <soap:Body>
>>>     <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncDataId-1" Type="http://www.w3.org/2001/04/xmlenc#Content">
>>>       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
>>>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>         <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>>           <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#EncKeyId-A77755F726FB2C832813189733820252" />
>>>         </wsse:SecurityTokenReference>
>>>       </ds:KeyInfo>
>>>       <xenc:CipherData><xenc:CipherValue>Gbc/CYA8k1XJhCRYO8lA7rdxoUB6X4n7ZxfFSpxg437HUUjlaIImZ9vbX+UxxOuDKgEyN8TayBQR
>>> WIl+7npAm1BkzB88XJLf3EoVQI3eJhctspIuUgj/VIoHh090fCdw3bZGPSikqXlNPzPn5BsJKa/F
>>> 7Q4MIXjgS7G7L4tBesgsNJEcBx7ftp6Slxw+iTSvudYcMQ5ZcQcl0a4o2NbohFUIc1HJhg4daq0c
>>> LwvKit9owEQyMNkVXJV/vj6swU+gx9ltbFJJ4uqnx5zCA2obxOZzk61v+VX9ctotdP3/xLr/WHtz
>>> dRPsTsM34zguG6vwRq+f1czBKtlkbaN4CxTZDvPkLgFSXX286ki452UWBIzqxaynCAL6tY1qgMYi
>>> tDbQveW+suDbu4cwN4WtUUJdWmqGAOJOeXTXsmCqEcipN/eqod75QVbqzBrTBjpywNdhdxE2aBU/
>>> wfXa1HMwhoKw9+Ul3st6I1tpuVbi+wK7amqGIwCo8URtdJEBzbu90g1uWfSgb/iIlrIyCk6vSIlB
>>> XbLD3VZCx0nlqfaG5GZOaqz1mAxCAfnrYg5y9eGkxIMk</xenc:CipherValue></xenc:CipherData>
>>>     </xenc:EncryptedData>
>>>   </soap:Body>
>>> </soap:Envelope>
>>> </output>
>>>
>>> On the client side, WSS4J is set up as:
>>>
>>> Map<String,Object> outProps1 = new HashMap<String,Object>();
>>> outProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
>>> outProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientCallbackHandler.class.getName());
>>> outProps1.put(WSHandlerConstants.ENC_PROP_FILE, "client-crypto.properties");
>>> outProps1.put(WSHandlerConstants.ENCRYPTION_USER, "servicekey");
>>>
>>> cxfEndpoint.getOutInterceptors().add(new WSS4JOutInterceptor(outProps1));
>>>
>>> and the properties file is:
>>>
>>> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
>>> org.apache.ws.security.crypto.merlin.keystore.type=jks
>>> org.apache.ws.security.crypto.merlin.keystore.alias=servicekey
>>> org.apache.ws.security.crypto.merlin.keystore.password=clientpass
>>> org.apache.ws.security.crypto.merlin.file=src/main/keystores/client-store.jks
>>>
>>> and the cert was imported using the command:
>>>
>>> $ keytool -import -trustcacerts -keystore client-store.jks -storepass clientpass -alias servicekey -file client-cert.cer
>>>
>>> Not sure what is going wrong, but there are a lot of steps, so maybe this
>>> is a simple error on my part.
>>>
>>> The CXF version is 2.2.3. If I need to redirect this to the cxf-users list,
>>> please let me know.
>>>
>>> Thanks for the help,
>>>
>>> Aman
>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> http://coheigea.blogspot.com/
>> Talend - http://www.talend.com/apache
>

--
Colm O hEigeartaigh

http://coheigea.blogspot.com/
Talend - http://www.talend.com/apache
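The failure in the stack above is reached when WSS4J resolves the X509IssuerSerial in the EncryptedKey's KeyInfo against the decryption keystore and finds no certificate with that issuer and serial, so it calls getPrivateKey() with a null alias. The following Java program is an added check, not code from the thread or from CXF/WSS4J: it runs that same issuer/serial lookup against a JKS keystore and also tells a certificate-only (trusted) entry apart from a real private-key entry; keystore path, store password, issuer DN and serial are command-line arguments, with the thread's posted values shown only as an illustration.

```java
import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.security.auth.x500.X500Principal;

/*
 * Added diagnostic (not from the thread or from CXF/WSS4J): find the
 * private-key alias in a decryption keystore whose certificate matches the
 * X509IssuerSerial carried in an inbound EncryptedKey. No match is the case
 * in which WSS4J ends up with a null alias and throws "alias is null".
 */
public class DecryptionAliasCheck {

    /** Returns the matching private-key alias, or null. Sets trustedOnly[0]
     *  when the only match is a certificate entry with no private key. */
    static String findPrivateKeyAlias(KeyStore ks, String issuerDn, BigInteger serial,
                                      boolean[] trustedOnly) throws Exception {
        X500Principal wanted = new X500Principal(issuerDn);
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            if (!x.getIssuerX500Principal().equals(wanted)
                    || !x.getSerialNumber().equals(serial)) continue;
            if (ks.isKeyEntry(alias)) return alias; // private key present: decryption can proceed
            trustedOnly[0] = true;                  // cert imported, but no private key behind it
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Usage: DecryptionAliasCheck <keystore.jks> <storepass> <issuerDN> <serial>
        // Illustrative values from the thread (assumed path/password, adjust to your setup):
        //   src/main/keystores/server-encypt.jks dummy-service CN=umpd 1316785867
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        boolean[] trustedOnly = { false };
        String alias = findPrivateKeyAlias(ks, args[2], new BigInteger(args[3]), trustedOnly);
        if (alias != null) {
            System.out.println("OK: private-key alias '" + alias + "' matches; this is the id"
                    + " the DECRYPT (type 1) password callback receives");
        } else if (trustedOnly[0]) {
            System.out.println("Certificate matches only as a trusted entry: no private key to decrypt with");
        } else {
            System.out.println("No certificate with issuer " + args[2] + " and serial " + args[3]
                    + " in " + args[0] + ": WSS4J will fail with 'alias is null'");
        }
    }
}
```

Run it against the keystore named by DEC_PROP_FILE on the server, using the X509IssuerName and X509SerialNumber taken from the inbound message; a null result means the client encrypted to a certificate whose private key the server keystore does not hold.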