Posted to wss4j-dev@ws.apache.org by Sergio Patricio <se...@link.pt> on 2008/06/04 14:41:49 UTC

Error using derived key

Hello,

 

I'm trying to do signing and encryption using derived keys from a username token.

I looked into the test cases of wss4j and used the code in TestWSSecurityUTDK.java.

 

I removed the asserts and added the processSecurityHeader call; the code I'm testing is:

 

// imports for the wss4j 1.5 classes used below
import org.w3c.dom.Document;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecUsernameToken;
import org.apache.ws.security.message.WSSecDKSign;

Document doc = ...

WSSecHeader secHeader = new WSSecHeader();
secHeader.insertSecurityHeader(doc);

// UsernameToken that carries Salt/Iteration for key derivation instead of the password
WSSecUsernameToken builder = new WSSecUsernameToken();
builder.setUserInfo("bob", "security");
builder.addDerivedKey(true, null, 1000);
builder.prepare(doc);

byte[] derivedKey = builder.getDerivedKey();
String tokenIdentifier = builder.getId();

//
// Derived key signature (HMAC-SHA1 keyed with the derived key)
//
WSSecDKSign sigBuilder = new WSSecDKSign();
sigBuilder.setExternalKey(derivedKey, tokenIdentifier);
sigBuilder.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
Document signedDoc = sigBuilder.build(doc, secHeader);

builder.prependToHeader(secHeader);

// validation
WSSConfig config = WSSConfig.getDefaultWSConfig();
config.setHandleCustomPasswordTypes(true);

// PasswordCallbackHandler is the poster's own CallbackHandler implementation
WSSecurityEngine engine = new WSSecurityEngine();
engine.setWssConfig(config);
engine.processSecurityHeader(doc, null, new PasswordCallbackHandler(), null);

 

 

This code creates the following security header:

 

<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
    <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-14158819">
        <wsse:Username>user</wsse:Username>
        <wsse11:Salt xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">2zz+e8xDhqzB6hCb7bCbAQ==</wsse11:Salt>
        <wsse11:Iteration xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">1000</wsse11:Iteration>
    </wsse:UsernameToken>
    <wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="derivedKeyId-28910606">
        <wsse:SecurityTokenReference>
            <wsse:Reference URI="#UsernameToken-14158819"/>
        </wsse:SecurityTokenReference>
        <wsc:Offset>0</wsc:Offset>
        <wsc:Length>20</wsc:Length>
        <wsc:Nonce>pDfj84xuTHPCEXzUGPaQRg==</wsc:Nonce>
    </wsc:DerivedKeyToken>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-27940859">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
            <ds:Reference URI="#id-23268025">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>sqAea80cptqohi3v1Gnnir8hrsE=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>Zm6vGutgm2XFvBFBZjbmeo3KSog=</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-20590970">
            <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-25589390">
                <wsse:Reference URI="#derivedKeyId-28910606"/>
            </wsse:SecurityTokenReference>
        </ds:KeyInfo>
    </ds:Signature>
</wsse:Security>

 

When I run the code it gives the following error:

org.apache.ws.security.WSSecurityException: The signature or decryption was invalid (Unsupported key identification)
      at org.apache.ws.security.processor.DerivedKeyTokenProcessor.extractSecret(DerivedKeyTokenProcessor.java:156)
      at org.apache.ws.security.processor.DerivedKeyTokenProcessor.handleToken(DerivedKeyTokenProcessor.java:67)
      at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:311)
      at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:228)
      at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:181)

 

What is wrong?

I'm using wss4j 1.5.4 and used the code from the test case TestWSSecurityUTDK.java.

I have been looking into the wss4j source and my first idea is that the extractSecret method fails when it tries to get the processor corresponding to the element referred to in the security token reference.

In the test case the verification is commented out, maybe because of this error.

 

Can someone help me, thanks.

 

By the way, my objective is to develop some code that allows me to sign and encrypt the SOAP message without using certificates; I want to use a secret that both client and server know. The ideal is to use the UsernameToken (without sending the password). I know that WSE 3.0 does this, but I can't do it using wss4j, so I was trying to use derived keys from the UsernameToken.

 

Thanks.

_____________________

Sérgio Patrício

sergio.patricio@link.pt

Link Consulting
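As an added worked example (not code from the original post or from wss4j), the derivation chain the header above describes, re-implemented in Python from the UsernameToken Profile 1.1 and WS-SecureConversation specifications: Salt and Iteration turn the password into a secret, P_SHA1 with the Nonce, Offset and Length turns that secret into the HMAC-SHA1 signing key, and a receiver can only verify the signature by re-deriving the same key from its own copy of the password. The label string and the SignedInfo bytes are assumptions; the Salt, Iteration, Nonce, Offset and Length are taken from the posted header.

```python
import base64
import hashlib
import hmac

# Salt, Iteration, Nonce, Offset, Length come from the posted header and the password
# from the posted code; SIGNED_INFO is a constructed stand-in for the exc-c14n bytes
# of ds:SignedInfo; LABEL is assumed to be the WS-SecureConversation default.
PASSWORD = "security"
SALT = base64.b64decode("2zz+e8xDhqzB6hCb7bCbAQ==")
ITERATION = 1000
NONCE = base64.b64decode("pDfj84xuTHPCEXzUGPaQRg==")
OFFSET, LENGTH = 0, 20
SIGNED_INFO = b"<ds:SignedInfo>constructed canonical bytes</ds:SignedInfo>"
LABEL = ("WS-SecureConversation" * 2).encode("utf-8")  # client label + service label

def ut_derived_secret(password: str, salt: bytes, iteration: int) -> bytes:
    """UsernameToken Profile 1.1: K1 = SHA1(password || salt), Kn = SHA1(Kn-1)."""
    if iteration < 1:
        raise ValueError("Iteration must be >= 1")
    k = hashlib.sha1(password.encode("utf-8") + salt).digest()
    for _ in range(iteration - 1):
        k = hashlib.sha1(k).digest()
    return k

def p_sha1(secret: bytes, seed: bytes, offset: int, length: int) -> bytes:
    """TLS P_SHA1 PRF (RFC 2246 s.5) used by wsc:DerivedKeyToken: A(0) = seed,
    A(i) = HMAC(secret, A(i-1)), stream = HMAC(secret, A(i) || seed) concatenated;
    Offset/Length select the slice of that stream that becomes the key."""
    out, a = b"", seed
    while len(out) < offset + length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[offset:offset + length]

def derived_key(password: str, salt: bytes, iteration: int, nonce: bytes,
                offset: int, length: int) -> bytes:
    """The whole chain in the header: UsernameToken secret -> DerivedKeyToken key."""
    secret = ut_derived_secret(password, salt, iteration)
    return p_sha1(secret, LABEL + nonce, offset, length)

def sign(key: bytes, signed_info: bytes) -> str:
    """Producer side: ds:SignatureValue for hmac-sha1 over canonical SignedInfo."""
    return base64.b64encode(hmac.new(key, signed_info, hashlib.sha1).digest()).decode()

def verify(password: str, signed_info: bytes, signature_b64: str) -> bool:
    """Receiver side: re-derive the key from its own copy of the password plus the
    public header parameters, then compare the MAC in constant time."""
    key = derived_key(password, SALT, ITERATION, NONCE, OFFSET, LENGTH)
    expected = hmac.new(key, signed_info, hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(signature_b64))

def demo() -> dict:
    key = derived_key(PASSWORD, SALT, ITERATION, NONCE, OFFSET, LENGTH)
    sig = sign(key, SIGNED_INFO)
    return {"key_len": len(key), "ok": verify(PASSWORD, SIGNED_INFO, sig),
            "wrong_pw": verify("not-security", SIGNED_INFO, sig)}
```

The receiver never sees the password on the wire, which is why the DerivedKeyTokenProcessor must be able to resolve the UsernameToken referenced by the SecurityTokenReference and obtain the password through the callback handler before it can rebuild this key.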

 


RE: Error using derived key

Posted by Sergio Patricio <se...@link.pt>.
Thanks.

 

I found this JIRA https://issues.apache.org/jira/browse/WSS-111 that has the comment "The processing of a UsernameToken with derived keys is left for a future release."; this should be the reason why the verification is commented out in the test case.

 

Do you have any suggestion of a way I can do encryption using wss4j with only a secret key that both sides know (without using certificates or a Crypto instance)?

 

I have already successfully signed the message using a UsernameToken; I followed the action 'UsernameTokenSignedAction'. Here I noticed that if I don't want to send the password I should set the password type to null (a new feature in 1.5.4), but if I do this then the prepare method will not work.

 

_____________________

Sérgio Patrício

sergio.patricio@link.pt

Link Consulting

 

From: O hEigeartaigh, Colm [mailto:Colm.OhEigeartaigh@iona.com] 
Sent: quarta-feira, 4 de Junho de 2008 15:03
To: Sergio Patricio; wss4j-dev@ws.apache.org
Subject: RE: Error using derived key

 

Hi Sergio,

 

The reason you're seeing that error is that our support for derived keys on the processing side is patchy at best :-(

 

I suggest you add a JIRA for this with a test-case.

 

Colm.

 

 

 
----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland

RE: Error using derived key

Posted by "O hEigeartaigh, Colm" <Co...@iona.com>.
Hi Sergio,

 

The reason you're seeing that error is that our support for derived keys on the processing side is patchy at best :-(

 

I suggest you add a JIRA for this with a test-case.

 

Colm.

 

 
