What does your EncryptedData Element look like?

Colm.
On Wed, Mar 14, 2012 at 9:53 AM, Giovanni Bussu <bu...@link.it> wrote:
> Hi,
> I have an issue using symmetric key encryption in WSS4J. My problem is
> the following:
>
> My goal is to configure WSS4J to encrypt a (part of) message with a
> symmetric key (both client and server know in advance that key).
> I'm using CXF 2.5.1, and WSS4J 1.6.0
>
> I created a symmetricStore with keytool (JDK 1.6.0), and I configured
> the client:
>
> action: Encrypt
> embeddedKeyCallbackClass: org.openspcoop.wssecurity.SymmetricCallbackHandler
> encryptionKeyIdentifier: EmbeddedKeyName
> encryptionPropFile: symmetric-crypto.properties
> isBSPCompliant: false
> user: symmetric
>
> and the server:
>
> action: Encrypt
> decryptionPropFile: symmetric-crypto.properties
> encryptionKeyIdentifier: EmbeddedKeyName
> isBSPCompliant: false
> PasswordCallbackClass: org.openspcoop.wssecurity.SymmetricCallbackHandler
>
> The org.openspcoop.wssecurity.SymmetricCallbackHandler class is a custom
> CallbackHandler which does nothing but set the key in the
> WsPasswordCallback by calling the setKey(byte[]) method.
>
> With such a configuration the message is encrypted and decrypted correctly.
> My problem is that such a configuration is not Basic Security Profile
> compliant.
> If I set isBSPCompliant to true, I get the following
> exception on the receiver side:
>
> org.apache.ws.security.WSSecurityException: An error was discovered
> processing the <wsse:Security> header (WSSecurityEngine: EncryptedKey
> does not contain ds:KeyInfo/wsse:SecurityTokenReference)
>     at org.apache.ws.security.processor.ReferenceListProcessor.checkBSPCompliance(ReferenceListProcessor.java:197)
>     at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:137)
>     at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:96)
>     at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:63)
>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:248)
>
> In fact, monitoring the message which is passing, I saw that no
> SecurityTokenReference is included, and the wsse:Security header looks
> like:
>
> <wsse:Security
>     xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>   <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>     <xenc:DataReference URI="#ED-29"/>
>   </xenc:ReferenceList>
> </wsse:Security>
>
> I checked the Basic Profile specs about it:
> http://www.ws-i.org/Profiles/BasicSecurityProfile-1.1.html#Exactly_One_SecurityTokenReference_Child_Element
> and I'm not sure whether this SecurityTokenReference should be included:
> it seems to me that, IF a SecurityTokenReference is provided, it must
> have exactly one child.
>
> Am I getting this right? And if I'm wrong, does anybody know how I can
> achieve encrypting with a symmetric key in a BSP-compliant way?
>
> Thanks in advance!
>
> --
> Giovanni Bussu

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
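Colm asks for the EncryptedData element because, per the stack trace above, the failing check runs in ReferenceListProcessor.checkBSPCompliance while decryptDataRefEmbedded is resolving a DataReference from the ReferenceList, so what matters is the ds:KeyInfo of the referenced xenc:EncryptedData, not the wsse:Security header Giovanni pasted. The Python below is an added example, not code from this thread, from WSS4J or from CXF. It follows each xenc:DataReference in the header to its EncryptedData and applies the two rules visible on this page: the processor's demand for ds:KeyInfo/wsse:SecurityTokenReference, and the BSP rule Giovanni links, that an STR carries exactly one child. The SOAP envelopes and KeyInfo variants are constructed here for illustration; in particular the KeyName-only KeyInfo is an assumption standing in for a key referenced by embedded key name without an STR, not the exact markup WSS4J emits. Helper names (make_envelope, audit_reference_list, check_key_info) are the example's own.

```python
import xml.etree.ElementTree as ET

# Namespaces from the posted wsse:Security header, plus XML Signature for ds:KeyInfo.
NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def find_encrypted_data(root, data_ref_uri):
    """Resolve a same-document <xenc:DataReference URI="#id"/> to its <xenc:EncryptedData>."""
    if not data_ref_uri or not data_ref_uri.startswith("#"):
        return None  # external references are out of scope for this check
    wanted = data_ref_uri[1:]
    for ed in root.iter("{%s}EncryptedData" % NS["xenc"]):
        if ed.get("Id") == wanted:  # Id is an unqualified attribute on xenc:EncryptedData
            return ed
    return None


def check_key_info(encrypted_data):
    """Return the problems with the ds:KeyInfo of one EncryptedData element.

    Rule 1 (from the exception text): ds:KeyInfo must contain wsse:SecurityTokenReference.
    Rule 2 (from the linked BSP section): that STR must have exactly one child.
    An empty list means both rules hold.
    """
    problems = []
    key_info = encrypted_data.find("ds:KeyInfo", NS)
    if key_info is None:
        return ["EncryptedData has no ds:KeyInfo"]
    strs = key_info.findall("wsse:SecurityTokenReference", NS)
    if not strs:
        problems.append("ds:KeyInfo does not contain wsse:SecurityTokenReference")
    elif len(strs) > 1:
        problems.append("ds:KeyInfo contains %d wsse:SecurityTokenReference elements" % len(strs))
    else:
        children = list(strs[0])
        if len(children) != 1:
            problems.append("wsse:SecurityTokenReference has %d children, expected exactly one" % len(children))
    return problems


def audit_reference_list(envelope_xml):
    """Map every DataReference URI found in the envelope to the problems of its EncryptedData."""
    root = ET.fromstring(envelope_xml)
    report = {}
    for ref in root.iter("{%s}DataReference" % NS["xenc"]):
        uri = ref.get("URI")
        ed = find_encrypted_data(root, uri)
        if ed is None:
            report[uri] = ["no EncryptedData found for DataReference %s" % uri]
        else:
            report[uri] = check_key_info(ed)
    return report


def make_envelope(key_info_xml):
    """Constructed envelope: the posted ReferenceList (URI="#ED-29") in the header and
    one EncryptedData in the body, with the given ds:KeyInfo markup spliced in."""
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"'
        ' xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:xenc="%(xenc)s" xmlns:ds="%(ds)s">'
        "<soap:Header><wsse:Security>"
        '<xenc:ReferenceList><xenc:DataReference URI="#ED-29"/></xenc:ReferenceList>'
        "</wsse:Security></soap:Header>"
        "<soap:Body>"
        '<xenc:EncryptedData Id="ED-29" Type="http://www.w3.org/2001/04/xmlenc#Content">'
        '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>'
        "%(key_info)s"
        "<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>"
        "</xenc:EncryptedData>"
        "</soap:Body></soap:Envelope>"
    ) % dict(NS, key_info=key_info_xml)


# Constructed KeyInfo variants. ASSUMPTION: the KeyName-only form stands in for a key
# referenced by embedded key name with no STR; it is not the exact markup WSS4J emits.
KEYINFO_KEYNAME_ONLY = "<ds:KeyInfo><ds:KeyName>symmetric</ds:KeyName></ds:KeyInfo>"
KEY_ID = ('<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/'
          'oasis-200401-wss-soap-message-security-1.0#Base64Binary">c3ltbWV0cmlj</wsse:KeyIdentifier>')
KEYINFO_STR_KEYID = ("<ds:KeyInfo><wsse:SecurityTokenReference>" + KEY_ID
                     + "</wsse:SecurityTokenReference></ds:KeyInfo>")
KEYINFO_STR_TWO_CHILDREN = ("<ds:KeyInfo><wsse:SecurityTokenReference>" + KEY_ID + KEY_ID
                            + "</wsse:SecurityTokenReference></ds:KeyInfo>")

if __name__ == "__main__":
    for label, ki in [("KeyName only", KEYINFO_KEYNAME_ONLY), ("STR with one KeyIdentifier", KEYINFO_STR_KEYID),
                      ("STR with two children", KEYINFO_STR_TWO_CHILDREN), ("no KeyInfo", "")]:
        print("%-28s %s" % (label, audit_reference_list(make_envelope(ki))))
```

Run it against a captured envelope (replace the constructed one with the real message) to see which of the two rules the receiver is tripping on before touching isBSPCompliant; an empty list for every DataReference is the shape the processor accepts.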