Hi,
I have an issue using symmetric key encryption in WSS4J. My problem is
the following:

My goal is to configure WSS4J to encrypt a (part of) message with a
symmetric key (both client and server know in advance that key).
I'm using CXF 2.5.1, and WSS4J 1.6.0

I created a symmetricStore with keytool (JDK 1.6.0), and I configured
the client:

action: Encrypt
embeddedKeyCallbackClass: org.openspcoop.wssecurity.SymmetricCallbackHandler
encryptionKeyIdentifier: EmbeddedKeyName
encryptionPropFile: symmetric-crypto.properties
isBSPCompliant: false
user: symmetric

and the server:

action: Encrypt
decryptionPropFile: symmetric-crypto.properties
encryptionKeyIdentifier: EmbeddedKeyName
isBSPCompliant: false
PasswordCallbackClass: org.openspcoop.wssecurity.SymmetricCallbackHandler

org.openspcoop.wssecurity.SymmetricCallbackHandler class is a custom
CallbackHandler which does nothing but set the key in the
WsPasswordCallback by calling the setKey(byte[]) method.

With such a configuration the message is encrypted and decrypted correctly.
My problem is that such a configuration is not Basic Security Profile
compliant. If I set isBSPCompliant to true, I get the following
exception on receiver side:

org.apache.ws.security.WSSecurityException: An error was discovered
processing the <wsse:Security> header (WSSecurityEngine: EncryptedKey
does not contain ds:KeyInfo/wsse:SecurityTokenReference)
        at org.apache.ws.security.processor.ReferenceListProcessor.checkBSPCompliance(ReferenceListProcessor.java:197)
        at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:137)
        at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:96)
        at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:63)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:248)

In fact, monitoring the message which is passing, I saw that no
SecurityTokenReference is included, and the wsse:Security header looks
like:

<wsse:Security
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:DataReference URI="#ED-29"/>
    </xenc:ReferenceList>
</wsse:Security>

I checked the Basic Profile specs about it:
http://www.ws-i.org/Profiles/BasicSecurityProfile-1.1.html#Exactly_One_SecurityTokenReference_Child_Element
and I'm not sure whether this SecurityTokenReference should be included:
it seems to me that, IF a SecurityTokenReference is provided, it must
have exactly one child.

Am I getting this right? And if I'm wrong, does anybody know how I can
achieve encryption with a symmetric key in a BSPCompliant way?

Thanks in advance!
-- 
Giovanni Bussu
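The exception above names the shape the receiver checks for: each encrypted element's ds:KeyInfo must hold a wsse:SecurityTokenReference, and the linked BSP rule then requires that STR to have exactly one child. The following is an added example, not code from the post, WSS4J or CXF, that applies that shape check to a message: it follows each xenc:DataReference in the wsse:Security header to its xenc:EncryptedData and reports what is missing. The SOAP Body, the xmldsig namespace and the base64 placeholders are constructed for the example; the header is the one quoted above.

```python
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STR_TAG = "{%s}SecurityTokenReference" % NS["wsse"]

def check_encrypted_data_keyinfo(envelope_xml):
    """Follow each xenc:DataReference in wsse:Security to its xenc:EncryptedData and
    apply the shape the WSS4J exception describes: one ds:KeyInfo whose only child
    is a wsse:SecurityTokenReference with exactly one child. Empty list = pass."""
    root = ET.fromstring(envelope_xml)
    # Index every Id / wsu:Id so a "#ED-29" URI can be resolved to its element.
    by_id = {el.get(a): el for el in root.iter() for a in ("Id", "{%s}Id" % NS["wsu"]) if el.get(a)}
    findings = []
    for ref in root.iterfind(".//wsse:Security/xenc:ReferenceList/xenc:DataReference", NS):
        uri = ref.get("URI", "")
        target = by_id.get(uri.lstrip("#"))
        if target is None:
            findings.append(f"{uri}: DataReference resolves to no element")
            continue
        key_infos = target.findall("ds:KeyInfo", NS)
        if len(key_infos) != 1:
            findings.append(f"{uri}: expected one ds:KeyInfo, found {len(key_infos)}")
            continue
        kids = list(key_infos[0])
        if len(kids) != 1 or kids[0].tag != STR_TAG:
            names = [k.tag.rsplit("}", 1)[-1] for k in kids]
            findings.append(f"{uri}: KeyInfo must hold exactly one SecurityTokenReference, found {names}")
        elif len(list(kids[0])) != 1:
            findings.append(f"{uri}: SecurityTokenReference must have exactly one child")
    return findings

def make_envelope(key_info_inner):
    # Constructed sample: the header quoted in the post plus a minimal encrypted Body.
    return f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="{NS['wsse']}" xmlns:xenc="{NS['xenc']}" xmlns:ds="{NS['ds']}">
  <soap:Header><wsse:Security><xenc:ReferenceList><xenc:DataReference URI="#ED-29"/>
  </xenc:ReferenceList></wsse:Security></soap:Header>
  <soap:Body><xenc:EncryptedData Id="ED-29" Type="{NS['xenc']}Content"><ds:KeyInfo>
  {key_info_inner}</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>c2FtcGxl</xenc:CipherValue>
  </xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope>"""

# EmbeddedKeyName style as in the post: the key is named directly, no STR at all.
KEYNAME_MSG = make_envelope("<ds:KeyName>symmetric</ds:KeyName>")
# An STR with a single child, the shape the quoted BSP rule and the WSS4J check ask for.
STR_MSG = make_envelope("<wsse:SecurityTokenReference><wsse:KeyIdentifier>c2FtcGxl"
                        "</wsse:KeyIdentifier></wsse:SecurityTokenReference>")
```

Running the check on KEYNAME_MSG reproduces the receiver's complaint (a ds:KeyName where an STR is expected), while STR_MSG passes; it is a structural check only and says nothing about whether the named key can actually be resolved.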
