Created on CXF 
https://issues.apache.org/jira/browse/CXF-3865

Thanks. 

Aman


On 19 Oct 2011, at 10:23, Colm O hEigeartaigh <[email protected]> wrote:

> Whatever I need to run the test-case.
> 
> Colm.
> 
> On Wed, Oct 19, 2011 at 10:08 AM, aman kohli <[email protected]> wrote:
>> Sure. You want the maven scripts and everything too?
>> 
>> Thanks
>> 
>> 
>> Aman
>> 
>> 
>> On 19 Oct 2011, at 09:35, Colm O hEigeartaigh <[email protected]> wrote:
>> 
>>> Hi Aman,
>>> 
>>> Could you create a test-case and attach it to a JIRA (in CXF?).
>>> 
>>> Colm.
>>> 
>>> On Tue, Oct 18, 2011 at 10:47 PM, aman kohli <[email protected]> wrote:
>>>> Hi All --
>>>> 
>>>> Running into a problem on the server implementation (a cxf soap server) of 
>>>> asymmetric encryption.  The intention is the soap body is to be encrypted 
>>>> with the server's public key. The client (also using cxf) seems to be 
>>>> encrypting the message body ok.
>>>> 
>>>> On receipt of the message, the server implementation raises an exception, 
>>>> with the reason the alias is null.  Here's the stack:
>>>> 
>>>> org.apache.ws.security.WSSecurityException: The signature or decryption 
>>>> was invalid; nested exception is:
>>>>       java.lang.Exception: alias is null
>>>>       at 
>>>> org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:330)
>>>>       at 
>>>> org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:104)
>>>>       at 
>>>> org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:84)
>>>>       at 
>>>> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
>>>>       at 
>>>> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
>>>>       at 
>>>> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:198)
>>>>       at 
>>>> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
>>>>       at 
>>>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
>>>>       at 
>>>> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:104)
>>>>       at 
>>>> org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:302)
>>>> …
>>>>  Caused by: java.lang.Exception: alias is null
>>>>       at 
>>>> org.apache.ws.security.components.crypto.CryptoBase.getPrivateKey(CryptoBase.java:207)
>>>>       at 
>>>> org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:328)
>>>>       ... 22 more
>>>> 
>>>> I added some println statements to the password callback on the server 
>>>> side to print out the type and id:
>>>>        *** password callback type 1 class 
>>>> org.apache.ws.security.WSPasswordCallback
>>>>        *** password callback id null
>>>> 
>>>> The API is used to configure CXF and WSS4j, not the XML configuration. 
>>>> The messages are not being signed, nor are timestamps being used, just 
>>>> encryption/decryption; ep is the EndpointImpl:
>>>> 
>>>>        Map<String,Object> inProps1 = new HashMap<String,Object>();
>>>>        inProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
>>>>        inProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordCallbackHandler.class.getName());
>>>>        inProps1.put(WSHandlerConstants.DEC_PROP_FILE, "server-security.properties");
>>>>        inProps1.put(WSHandlerConstants.USER, "clientkey");
>>>> 
>>>>        ep.getServer().getEndpoint().getInInterceptors().add(new WSS4JInInterceptor(inProps1));
>>>> 
>>>> And the properties file is:
>>>>        org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
>>>>        org.apache.ws.security.crypto.merlin.keystore.type=jks
>>>>        org.apache.ws.security.crypto.merlin.keystore.password=storepass
>>>>        org.apache.ws.security.crypto.merlin.keystore.alias=clientkey
>>>>        org.apache.ws.security.crypto.merlin.keystore.file=src/main/keystores/server-encypt.jks
>>>> 
>>>> The server cert is self signed:
>>>> 
>>>>        $ keytool -genkey -alias umpservice -keyalg RSA -sigalg SHA1withRSA -keypass ump-pass -storepass dummy-service -keystore server-encypt.jks -dname cn=localhost
>>>>        $ keytool -genkey -alias clientkey -keyalg RSA -sigalg SHA1withRSA -keypass client-pass -storepass dummy-service -keystore ump-stub-keystore.jks -dname cn=umpd
>>>> 
>>>> and the certificate was exported using the following:
>>>> 
>>>>        $ keytool -export -rfc -keystore ump-stub-keystore.jks -storepass dummy-service -keypass client-pass -alias clientkey -file client-cert.cer
>>>> 
>>>> This is the WSDL extract:
>>>> 
>>>>  <wsp:Policy wsu:Id="AsymEncryption"
>>>>              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>>              xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>>>>    <wsp:ExactlyOne>
>>>>      <wsp:All>
>>>>        <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>>>          <wsp:Policy>
>>>>            <sp:InitiatorToken>
>>>>              <wsp:Policy>
>>>>                <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>>>>                  <wsp:Policy>
>>>>                  <!-- <sp:RequireThumbprintReference/> -->
>>>>                  </wsp:Policy>
>>>>                </sp:X509Token>
>>>>              </wsp:Policy>
>>>>            </sp:InitiatorToken>
>>>> 
>>>>            <sp:RecipientToken>
>>>>              <wsp:Policy>
>>>>                <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>>>>                  <wsp:Policy>
>>>>                    <!-- <sp:RequireThumbprintReference/> -->
>>>>                  </wsp:Policy>
>>>>                </sp:X509Token>
>>>>              </wsp:Policy>
>>>>            </sp:RecipientToken>
>>>> 
>>>>            <sp:AlgorithmSuite>
>>>>              <wsp:Policy>
>>>>                <sp:TripleDesRsa15/>
>>>>              </wsp:Policy>
>>>>            </sp:AlgorithmSuite>
>>>> 
>>>>            <sp:Layout>
>>>>              <wsp:Policy>
>>>>                <sp:Strict/>
>>>>              </wsp:Policy>
>>>>            </sp:Layout>
>>>> 
>>>> <!--            <sp:IncludeTimestamp/>
>>>>            <sp:OnlySignEntireHeadersAndBody/>
>>>> -->
>>>>          </wsp:Policy>
>>>>        </sp:AsymmetricBinding>
>>>> 
>>>>        <sp:EncryptedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>>>          <sp:Body/>
>>>>        </sp:EncryptedParts>
>>>>      </wsp:All>
>>>>    </wsp:ExactlyOne>
>>>>  </wsp:Policy>
>>>> 
>>>> …
>>>>  <wsdl:binding name="CollectionImplServiceSoapBinding" type="tns:CollectionService">
>>>>      <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>>>                           URI="#AsymEncryption"/>
>>>> 
>>>> 
>>>> And this is the incoming message:
>>>> 
>>>> <output>
>>>> 
>>>>        INFO: Inbound Message
>>>>        ----------------------------
>>>>        ID: 1
>>>>        Address: /FooWS/services/Collection/
>>>>        Encoding: UTF-8
>>>>        Content-Type: text/xml; charset=UTF-8
>>>>        Headers: {content-type=[text/xml; charset=UTF-8], connection=[keep-alive], Host=[localhost:9198], Content-Length=[2549], SOAPAction=[""], User-Agent=[Apache CXF 2.2.3], Content-Type=[text/xml; charset=UTF-8], Accept=[*/*], Pragma=[no-cache], Cache-Control=[no-cache]}
>>>>        Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><soap:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1"><xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncKeyId-A77755F726FB2C832813189733820252"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" /><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><ds:X509Data>
>>>> <ds:X509IssuerSerial>
>>>> <ds:X509IssuerName>CN=umpd</ds:X509IssuerName>
>>>> <ds:X509SerialNumber>1316785867</ds:X509SerialNumber>
>>>> </ds:X509IssuerSerial>
>>>> </ds:X509Data></wsse:SecurityTokenReference>
>>>> </ds:KeyInfo><xenc:CipherData><xenc:CipherValue>FlnDsQHOdVw0AOZualC9D6HvNIl7Hr2zXqf6YTZV5c28QzhwsJnZHLrL49dVPeq0TGT5QeRylc5lSfkUnWqwLoRs/N7yspkktxshhz7CTu3zzqbo3f82nSAr6d7nLXaI+dsIlDAkmngV/4uOJk1TqavjZl
>>>> +7XW5XtxGHihzs5Zw=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference
>>>>  URI="#EncDataId-1" /></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soap:Header><soap:Body><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncDataId-1" Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" /><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#EncKeyId-A77755F726FB2C832813189733820252" /></wsse:SecurityTokenReference>
>>>> </ds:KeyInfo><xenc:CipherData><xenc:CipherValue>Gbc/CYA8k1XJhCRYO8lA7rdxoUB6X4n7ZxfFSpxg437HUUjlaIImZ9vbX+UxxOuDKgEyN8TayBQR
>>>> WIl+7npAm1BkzB88XJLf3EoVQI3eJhctspIuUgj/VIoHh090fCdw3bZGPSikqXlNPzPn5BsJKa/F
>>>> 7Q4MIXjgS7G7L4tBesgsNJEcBx7ftp6Slxw+iTSvudYcMQ5ZcQcl0a4o2NbohFUIc1HJhg4daq0c
>>>> LwvKit9owEQyMNkVXJV/vj6swU+gx9ltbFJJ4uqnx5zCA2obxOZzk61v+VX9ctotdP3/xLr/WHtz
>>>> dRPsTsM34zguG6vwRq+f1czBKtlkbaN4CxTZDvPkLgFSXX286ki452UWBIzqxaynCAL6tY1qgMYi
>>>> tDbQveW+suDbu4cwN4WtUUJdWmqGAOJOeXTXsmCqEcipN/eqod75QVbqzBrTBjpywNdhdxE2aBU/
>>>> wfXa1HMwhoKw9+Ul3st6I1tpuVbi+wK7amqGIwCo8URtdJEBzbu90g1uWfSgb/iIlrIyCk6vSIlB
>>>> XbLD3VZCx0nlqfaG5GZOaqz1mAxCAfnrYg5y9eGkxIMk</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope>
>>>> 
>>>> 
>>>> </output>
>>>> 
>>>> 
>>>> On the client side, the WSS4j is setup as:
>>>> 
>>>>        Map<String,Object> outProps1 = new HashMap<String,Object>();
>>>>        outProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
>>>>        outProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientCallbackHandler.class.getName());
>>>>        outProps1.put(WSHandlerConstants.ENC_PROP_FILE, "client-crypto.properties");
>>>>        outProps1.put(WSHandlerConstants.ENCRYPTION_USER, "servicekey");
>>>> 
>>>>        cxfEndpoint.getOutInterceptors().add(new WSS4JOutInterceptor(outProps1));
>>>> 
>>>> and the properties file is:
>>>> 
>>>> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
>>>> org.apache.ws.security.crypto.merlin.keystore.type=jks
>>>> org.apache.ws.security.crypto.merlin.keystore.alias=servicekey
>>>> org.apache.ws.security.crypto.merlin.keystore.password=clientpass
>>>> org.apache.ws.security.crypto.merlin.file=src/main/keystores/client-store.jks
>>>> 
>>>> and the cert was imported using the command:
>>>>        $ keytool -import -trustcacerts -keystore client-store.jks -storepass clientpass -alias servicekey -file client-cert.cer
>>>> 
>>>> Not sure what is going wrong, but there are a lot of steps, so maybe this 
>>>> is a simple error on my part.
>>>> 
>>>> The CXF version is 2.2.3. If I need to redirect this to the cxf-users 
>>>> list, please let me know.
>>>> 
>>>> Thanks for the help,
>>>> 
>>>> Aman
>>> 
>>> 
>>> 
>>> --
>>> Colm O hEigeartaigh
>>> 
>>> http://coheigea.blogspot.com/
>>> Talend - http://www.talend.com/apache
>> 
> 
> 
> 
> -- 
> Colm O hEigeartaigh
> 
> http://coheigea.blogspot.com/
> Talend - http://www.talend.com/apache
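An added diagnostic, not part of this thread nor of CXF or WSS4J: it loads a JKS keystore and repeats the lookup the stack trace above shows failing, matching the X509IssuerSerial carried in the request's EncryptedKey (CN=umpd, serial 1316785867 in the posted message, used here as defaults) against every certificate in the store, then checking that a private key is actually available under the matching alias. The class name, argument layout and output wording are my own assumptions; the keystore path and passwords are passed on the command line.

```java
import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.security.auth.x500.X500Principal;
/** Constructed diagnostic for "alias is null" on WS-Security decryption: the EncryptedKey names the
 *  recipient certificate by issuer DN + serial, so the decryption keystore must hold that cert and its key. */
public class DecryptAliasCheck {
    /** Alias whose certificate carries the given issuer and serial, or null if the store has none. */
    static String findAlias(KeyStore ks, String issuerDn, BigInteger serial) throws Exception {
        X500Principal wanted = new X500Principal(issuerDn); // canonical compare: "CN=umpd" equals "cn=umpd"
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            if (x.getIssuerX500Principal().equals(wanted) && x.getSerialNumber().equals(serial)) return alias;
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // usage: java DecryptAliasCheck <keystore.jks> <storepass> <keypass> [issuerDN] [serial]
        String file = args[0], storePass = args[1], keyPass = args[2];
        String issuerDn = args.length > 3 ? args[3] : "CN=umpd";                      // defaults taken from
        BigInteger serial = new BigInteger(args.length > 4 ? args[4] : "1316785867"); // the posted request
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(file)) {
            ks.load(in, storePass.toCharArray()); // a wrong storepass fails here, not with "alias is null"
        }
        String alias = findAlias(ks, issuerDn, serial);
        if (alias == null) {
            System.out.println("no certificate in " + file + " has issuer " + issuerDn + " and serial "
                + serial + ": WSS4J would pass alias=null to getPrivateKey");
            return;
        }
        try {
            Key key = ks.getKey(alias, keyPass.toCharArray()); // null for a trustedCertEntry
            System.out.println(key == null
                ? "alias " + alias + " matches but holds only a certificate; it cannot decrypt"
                : "alias " + alias + " has a " + key.getAlgorithm() + " private key; decryption can proceed");
        } catch (UnrecoverableKeyException e) {
            System.out.println("alias " + alias + " matches but the key password is wrong");
        }
    }
}
```

Run it once against the decryption keystore named in the DEC_PROP_FILE properties and once against the keystore the client imported the certificate into; the two results show on which side the issuer/serial reference and the private key disagree.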
