Posted to users@cxf.apache.org by Thundr <th...@gmail.com> on 2012/06/26 12:49:09 UTC

Encryption/Decryption using a shared symmetric key

Hi!

I am studying the various options for encryption and my first test case is
to use Encryption/Decryption with a shared symmetric key. I created the
keystore with this keytool command:
keytool -genseckey -alias symmetric -keyalg DESede -keystore symmetricStore.jks -storepass symmetricPassword -keypass keyPassword -storetype JCEKS

And the Spring client config file (only testing encryption/decryption):
####################
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans.xsd
          http://cxf.apache.org/jaxws
          http://cxf.apache.org/schemas/jaxws.xsd">

   <bean id="client" class="com.solnss.jaxws.PersonasService"
         factory-bean="clientFactory" factory-method="create"/>

   <bean id="clientFactory" class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean">
      <property name="serviceClass" value="com.solnss.jaxws.PersonasService"/>
      <property name="address"
                value="http://localhost:8090/JAX-WSService-ENC/services/PersonasService"/>
      <property name="inInterceptors">
         <list>
            <ref bean="TimestampSignEncrypt_Response"/>
         </list>
      </property>
      <property name="outInterceptors">
         <list>
            <ref bean="TimestampSignEncrypt_Request"/>
         </list>
      </property>
   </bean>

   <bean id="TimestampSignEncrypt_Request"
         class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
      <constructor-arg>
         <map>
            <entry key="action" value="Encrypt"/>
            <entry key="encryptionUser" value="symmetric"/>
            <entry key="encryptionPropFile" value="SymetricKeystore.properties"/>
            <entry key="passwordCallbackClass" value="com.solnss.jaxws.ClientKeystorePasswordCallback"/>
            <entry key="encryptionParts" value="{Element}{Null}apellidos"/>
            <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
         </map>
      </constructor-arg>
   </bean>

   <bean id="TimestampSignEncrypt_Response"
         class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
      <constructor-arg>
         <map>
            <entry key="action" value="Encrypt"/>
            <entry key="decryptionPropFile" value="SymetricKeystore.properties"/>
            <entry key="passwordCallbackClass" value="com.solnss.jaxws.ClientKeystorePasswordCallback"/>
         </map>
      </constructor-arg>
   </bean>

</beans>
##############

When I run the client I get the following error:

##############
Caused by: org.apache.ws.security.WSSecurityException: General security error (No certificates for user symmetric were found for encryption)
	at org.apache.ws.security.message.WSSecEncrypt.prepare(WSSecEncrypt.java:251)
	at org.apache.ws.security.message.WSSecEncrypt.build(WSSecEncrypt.java:293)
	at org.apache.ws.security.action.EncryptionAction.execute(EncryptionAction.java:75)
	... 13 more
##############

The certificate is in the keystore and the alias is correct, but I don't
understand why it doesn't work...

Can you help me with this case?

Thanks in advance!

Carlos

--
View this message in context: http://cxf.547215.n5.nabble.com/Encryption-Decryption-using-a-shared-symmetric-key-tp5710302.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Encryption/Decryption using a shared symmetric key

Posted by Thundr <th...@gmail.com>.
OK, anyway this scenario works with Spring Web Services.

Thanks :)

Carlos

--
View this message in context: http://cxf.547215.n5.nabble.com/Encryption-Decryption-using-a-shared-symmetric-key-tp5710302p5710370.html

Re: Encryption/Decryption using a shared symmetric key

Posted by Colm O hEigeartaigh <co...@apache.org>.
I've never tried it so I can't say for sure it'll work. I don't think there
is an easier way to do it.

Colm.

On Wed, Jun 27, 2012 at 11:47 AM, Thundr <th...@gmail.com> wrote:




-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Encryption/Decryption using a shared symmetric key

Posted by Thundr <th...@gmail.com>.
Thanks Colm,

I have implemented the scenario with two pairs of public/private keys and
it works.

In the original scenario with a shared symmetric key, I added the property
encryptSymmetricEncryptionKey=false to the client "out" interceptor, but in
the server "in" interceptor, I suppose that I have to rewrite this method in
the passwordCallbackClass:
####
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class ClientKeystorePasswordCallback implements CallbackHandler {
	// alias -> key password (the -keypass from the keytool command)
	private final Map<String, String> passwords = new HashMap<String, String>();
	{ passwords.put("symmetric", "keyPassword"); }

	public void handle(Callback[] callbacks) throws IOException,
			UnsupportedCallbackException {
		for (int i = 0; i < callbacks.length; i++) {
			WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
			// answer with the password for the alias WSS4J asks about
			String pass = passwords.get(pc.getIdentifier());
			if (pass != null) {
				pc.setPassword(pass);
				return;
			}
		}
	}
}
####
In that method, I have to implement the logic for reading
symmetricStore.jks and reading the entry for symmetric.

Is that correct?

Is there any API that would make it easier?

Thanks for everything

Carlos

--
View this message in context: http://cxf.547215.n5.nabble.com/Encryption-Decryption-using-a-shared-symmetric-key-tp5710302p5710357.html

Re: Encryption/Decryption using a shared symmetric key

Posted by Colm O hEigeartaigh <co...@apache.org>.
The scenario of using a secret key in a keystore for encryption is not
really supported. The more usual scenario for encryption is that CXF/WSS4J
will generate a secret key internally to use for encryption, which is
subsequently encrypted with the public key of the recipient.

If you really want to implement the other scenario, you can try setting the
property "encryptSymmetricEncryptionKey" to "false". This will try to get
the Symmetric key as an array of bytes from the WSPasswordCallback that is
processed by the CallbackHandler. So you will have to read in the keystore
there and set the byte array on the WSPasswordCallback object.

Colm.

On Tue, Jun 26, 2012 at 5:45 PM, Thundr <th...@gmail.com> wrote:




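
As an added example of the callback handler Colm describes (this is not code from the thread, from CXF or from WSS4J): for a SECRET_KEY request it loads the DESede entry from the JCEKS store created with the keytool command above and puts the raw key bytes on the WSPasswordCallback with setKey; for the ordinary password request it answers with the key password, as the handler Carlos posted does. The names WSPasswordCallback.SECRET_KEY, getUsage() and setKey(byte[]) are the WSS4J 1.6 API; the store path being resolved from the working directory and the class name SharedKeyCallbackHandler are assumptions. The handler also fails explicitly when the alias holds a certificate or private key rather than a SecretKeyEntry, which is the mirror image of the "No certificates for user symmetric" error in the first post: the default Encrypt action looks for an X.509 certificate under encryptionUser, while this scenario needs a secret key. Whether the server's inbound interceptor consumes the key the same way is not settled by this thread; Colm's answer is that the scenario is not really supported.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;

import javax.crypto.SecretKey;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * Callback handler for the encryptSymmetricEncryptionKey=false scenario.
 * SECRET_KEY requests get the raw bytes of the shared DESede key read from
 * the JCEKS store; every other request gets the key password.
 */
public class SharedKeyCallbackHandler implements CallbackHandler {

    // Values taken from the keytool command in the thread; the relative
    // path (resolved from the working directory) is an assumption.
    private static final String STORE_FILE = "symmetricStore.jks";
    private static final char[] STORE_PASS = "symmetricPassword".toCharArray();
    private static final Map<String, String> KEY_PASSWORDS = new HashMap<String, String>();
    static {
        KEY_PASSWORDS.put("symmetric", "keyPassword");
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is handled");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            String alias = pc.getIdentifier();
            String keyPass = KEY_PASSWORDS.get(alias);
            if (keyPass == null) {
                // Unknown alias: leave the callback unanswered so WSS4J fails closed.
                continue;
            }
            if (pc.getUsage() == WSPasswordCallback.SECRET_KEY) {
                // WSS4J wants the symmetric key itself, not a password.
                pc.setKey(loadSecretKey(alias, keyPass.toCharArray()));
            } else {
                pc.setPassword(keyPass);
            }
        }
    }

    /** Returns the raw bytes of the SecretKeyEntry stored under alias (24 bytes for DESede). */
    static byte[] loadSecretKey(String alias, char[] keyPass) throws IOException {
        try {
            KeyStore ks = KeyStore.getInstance("JCEKS");
            InputStream in = new FileInputStream(STORE_FILE);
            try {
                ks.load(in, STORE_PASS);
            } finally {
                in.close();
            }
            Key key = ks.getKey(alias, keyPass);
            if (key == null) {
                throw new IOException("no key entry for alias " + alias + " in " + STORE_FILE);
            }
            // The default Encrypt action needs an X.509 certificate under the
            // alias and reports "No certificates for user ..." for a secret key
            // entry. This scenario needs the opposite, so reject anything that
            // is not a SecretKey (e.g. a PrivateKeyEntry) with a clear message.
            if (!(key instanceof SecretKey)) {
                throw new IOException("alias " + alias + " is not a SecretKeyEntry but "
                        + key.getClass().getName());
            }
            return key.getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IOException("cannot read secret key " + alias + " from " + STORE_FILE, e);
        }
    }
}
```

Point passwordCallbackClass at this class in the WSS4JOutInterceptor map together with the encryptSymmetricEncryptionKey=false entry; the keystore is reopened on every callback here for simplicity, which a production handler would cache.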

Re: Encryption/Decryption using a shared symmetric key

Posted by Thundr <th...@gmail.com>.
The "SymetricKeystore.properties" contains:

####
org.apache.ws.security.crypto.merlin.keystore.file=symmetricStore.jks
org.apache.ws.security.crypto.merlin.keystore.password=symmetricPassword
org.apache.ws.security.crypto.merlin.keystore.type=jceks
org.apache.ws.security.crypto.merlin.keystore.alias=symmetric
####


And it contains:
  http://cxf.547215.n5.nabble.com/file/n5710333/symmetricStore.jks.png


"symmetric" is the key shared by client and server for *only* encrypting
messages.

Carlos



--
View this message in context: http://cxf.547215.n5.nabble.com/Encryption-Decryption-using-a-shared-symmetric-key-tp5710302p5710333.html

Re: Encryption/Decryption using a shared symmetric key

Posted by Colm O hEigeartaigh <co...@apache.org>.
What does "SymetricKeystore.properties" look like?

Colm.

On Tue, Jun 26, 2012 at 11:49 AM, Thundr <th...@gmail.com> wrote:



