Hello list, I'm not sure if this is the place to ask, but it's the only
mailing list in the wss4j project...

I'm using WSS4J 1.5.1 and Axis 1.4. I have a client and a server set up and
running, and I am trying to enable mutual authentication between them. My
goal is using certificates and encryption to protect the webservice call and
the corresponding response.

On the server side, I have server-config.wsdd as follows:

<globalConfiguration>
...
 <requestFlow>
  <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
   <parameter name="user" value="wsserver"/>
   <parameter name="signaturePropFile" value="cryptoReceiver.properties"/>
   <parameter name="passwordCallbackClass" value="org.eg.ws.client.DummyCallback"/>
   <parameter name="action" value="Signature Encrypt"/>
  </handler>
 </requestFlow>
 <responseFlow>
  <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
   <parameter name="user" value="wsserver"/>
   <parameter name="signatureKeyIdentifier" value="DirectReference"/>
   <parameter name="signaturePropFile" value="cryptoReceiver.properties"/>
   <parameter name="passwordCallbackClass" value="org.eg.ws.client.DummyCallback"/>
   <parameter name="action" value="Encrypt Signature"/>
  </handler>
 </responseFlow>
</globalConfiguration>
...

Both property files above have the keystore password to access the server's
keystore. On that keystore, I can list two keys: one (wsserver) has the
certificate and private key of the server, another (wsclient3) has the
client's public certificate.

On the client, I am not using a deployment descriptor, but rather an API
call (this is right before I invoke my service method):

 WSDoAllSender send = new WSDoAllSender();

 send.setOption( WSHandlerConstants.SIG_PROP_FILE, "cryptoSender.properties" );
 send.setOption( WSHandlerConstants.SIG_KEY_ID, "DirectReference" );
 send.setOption( WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT + " " + WSHandlerConstants.SIGNATURE );
 send.setOption( WSHandlerConstants.USER, "wsclient3" );
 send.setOption( WSHandlerConstants.PW_CALLBACK_CLASS, DummyCallback.class.getName() );

 WSDoAllReceiver recv = new WSDoAllReceiver();
 recv.setOption( WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT );
 recv.setOption( WSHandlerConstants.SIG_PROP_FILE, "cryptoSender.properties" );
 recv.setOption( WSHandlerConstants.SIG_KEY_ID, "DirectReference" );
 recv.setOption( WSHandlerConstants.PW_CALLBACK_CLASS, DummyCallback.class.getName() );

 _call.setClientHandlers( send, recv );

When I invoke my service method, an exception is raised on the server,
complaining it hasn't found the private key for alias 'wsclient3', which is
obvious, since the server only knows the client's public certificate.

The SOAP request being sent has this fragment:

<wsse:SecurityTokenReference>
<ds:X509Data>
 <ds:X509IssuerSerial>
  <ds:X509IssuerName>CN=lab1,OU=lab1,O=DAInc,L=Unicamp,ST=SP,C=BR</ds:X509IssuerName>
  <ds:X509SerialNumber>1165404488</ds:X509SerialNumber>
 </ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>

The name matches the key under alias 'wsclient3' on the server (though the
serial number does not). Where is the problem? Does the server really need
the client's private key? I figure it would need it only if the client
encrypted the request with his own public key... in this case is it a client
misconfiguration?

Here's the (partial) stacktrace. Any help would be greatly appreciated! TIA!

[]'s

2007-01-18 19:15:15,619 INFO org.apache.ws.security.message.token.SecurityTokenReference - X509IssuerSerial alias: wsclient3
2007-01-18 19:15:15,620 DEBUG org.apache.ws.security.processor.EncryptedKeyProcessor - X509IssuerSerial alias: wsclient3
2007-01-18 19:15:15,647 ERROR org.apache.ws.security.components.crypto.AbstractCrypto - Cannot find key for alias: wsclient3
org.apache.ws.security.WSSecurityException: Cannot encrypt/decrypt data; nested exception is:
       java.lang.Exception: Cannot find key for alias: wsclient3
       at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:287)
       at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:88)
       at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:77)
       at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:279)
       at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:201)
       at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:159)
       at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
 (snip...)
Caused by: java.lang.Exception: Cannot find key for alias: wsclient3
       at org.apache.ws.security.components.crypto.AbstractCrypto.getPrivateKey(AbstractCrypto.java:186)
       at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:285)
       ... 45 more
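
An added example, not part of the original post and not the poster's or the WSS4J project's code: a client handler setup that keeps the signing identity and the encryption recipient separate, so the EncryptedKey in the request references a certificate whose private key the server holds. Assumptions: the client keystore behind cryptoSender.properties stores the server's public certificate under the alias "wsserver", and the callback class name is the one shown in the post's server-config.wsdd; the class and method names are hypothetical.

```java
import org.apache.axis.client.Call;
import org.apache.ws.axis.security.WSDoAllReceiver;
import org.apache.ws.axis.security.WSDoAllSender;
import org.apache.ws.security.handler.WSHandlerConstants;

public class ClientSecuritySetup {

    // Assumption: alias of the server's public certificate in the client
    // keystore named by cryptoSender.properties.
    static final String SERVER_CERT_ALIAS = "wsserver";

    // Assumption: callback class name as it appears in the post's WSDD.
    static final String PW_CALLBACK = "org.eg.ws.client.DummyCallback";

    public static void configure(Call call) {
        WSDoAllSender send = new WSDoAllSender();
        send.setOption(WSHandlerConstants.ACTION,
                WSHandlerConstants.ENCRYPT + " " + WSHandlerConstants.SIGNATURE);

        // USER selects the private-key entry used to sign: the client's own.
        send.setOption(WSHandlerConstants.USER, "wsclient3");

        // ENCRYPTION_USER selects the certificate the session key is
        // encrypted to: the recipient's. When it is not set, WSS4J falls
        // back to USER, and the request is encrypted to the sender's own
        // certificate, which only the sender's private key can open.
        send.setOption(WSHandlerConstants.ENCRYPTION_USER, SERVER_CERT_ALIAS);

        // With no separate encryptionPropFile, the signature crypto
        // properties (and therefore the same keystore) are used for both.
        send.setOption(WSHandlerConstants.SIG_PROP_FILE, "cryptoSender.properties");
        send.setOption(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
        send.setOption(WSHandlerConstants.PW_CALLBACK_CLASS, PW_CALLBACK);

        // Inbound: verify the server's signature and decrypt with the
        // client's private key, whose password comes from the callback.
        WSDoAllReceiver recv = new WSDoAllReceiver();
        recv.setOption(WSHandlerConstants.ACTION,
                WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);
        recv.setOption(WSHandlerConstants.SIG_PROP_FILE, "cryptoSender.properties");
        recv.setOption(WSHandlerConstants.PW_CALLBACK_CLASS, PW_CALLBACK);

        call.setClientHandlers(send, recv);
    }
}
```

The server's responseFlow sender in the post has the same shape (user wsserver, no encryptionUser), so the same fallback applies to the response unless encryptionUser there names the client's certificate alias.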
