Posted to wss4j-dev@ws.apache.org by Martin Kuba <ma...@ics.muni.cz> on 2006/06/14 16:38:12 UTC
two password bug when signing
Hi,
I am trying to use WSS4J 1.5.0 for message signing, and I found the
following problem. I have to specify the keystore password twice,
first in a callback class, using client-config.wsdd:
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <transport name="http"
             pivot="java:org.apache.axis.transport.http.HTTPSender"/>
  <globalConfiguration>
    <requestFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
        <parameter name="user" value="michal"/>
        <parameter name="passwordCallbackClass"
                   value="cz.makub.PWCallback"/>
        <parameter name="action" value="Signature"/>
        <parameter name="signaturePropFile"
                   value="crypto.properties"/>
      </handler>
    </requestFlow>
  </globalConfiguration>
</deployment>
and then a second time in crypto.properties:
org.apache.ws.security.crypto.merlin.file=server1.p12
org.apache.ws.security.crypto.merlin.keystore.type=PKCS12
org.apache.ws.security.crypto.merlin.keystore.password=michal
Only the one from crypto.properties is used! But I also have
to provide the callback class; if I don't, I get
an exception:
Exception in thread "main" org.apache.ws.security.WSSecurityException:
WSHandler: application provided null or empty password
The callback class must be specified and it must provide a password,
but the password is not used then, as I can specify a wrong password
there and it still works.
Martin
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Supercomputing Center Brno Martin Kuba
Institute of Computer Science email: makub@ics.muni.cz
Masaryk University http://www.ics.muni.cz/~makub/
Botanicka 68a, 60200 Brno, CZ mobil: +420-603-533775
--------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
Re: two password bug when signing
Posted by Ruchith Fernando <ru...@gmail.com>.
Hi,
With Java keystores (JKS) WSS4J has the *correct* behaviour!
In both cases, whether the passwords are different or equal, the
callback handler is called requesting the password of the private key.
Also WSS4J correctly throws an exception when the key password
provided from the callback handler is different, even when the two
passwords are the same.
Thanks,
Ruchith
On 6/15/06, Werner Dittmann <We...@t-online.de> wrote:
> BTW, I forgot: the Java keystore implementation (maybe also the BC one)
> has the behavior as described by Martin: if key store password _and_
> key password are the same, the keystore implementation does not request
> the second password. This is a key store behavior, not WSS4J.
>
> Werner
>
>
> Martin Kuba wrote:
> > Ruchith Fernando wrote:
> >> Hi Martin,
> >>
> >> I just tried changing the password of my private key in one of my test
> >> cases that does signature only. Then I got this error:
> >>
> >> org.apache.ws.security.WSSecurityException: WSHandler: Signature:
> >> error during message
> >> procesingorg.apache.ws.security.WSSecurityException: Signature
> >> creation failed; nested exception is:
> >> java.security.UnrecoverableKeyException: Cannot recover key
> >> at
> >> org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:57)
> >>
> >> at
> >> org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:191)
> >>
> >>
> >> I also tried a keystore of which the private key used to sign had a
> >> different password.
> >>
> >> Seems like it's working as expected!
> >>
> >> Can you help reproduce this issue?
> >
> > Yes, I can reproduce it. I just created a PKCS12 file, which has
> > different MAC (KeyStore) password and export (PrivateKey) password.
> > The passwords are "first" and "second".
> > When I specify
> >
> > org.apache.ws.security.crypto.merlin.file=server2.p12
> > org.apache.ws.security.crypto.merlin.keystore.password=first
> >
> > in crypto.properties and in client-config.wsdd I have
> >
> > <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
> > <parameter name="user" value="michalUser"/>
> > <parameter name="passwordCallbackClass"
> > value="cz.makub.PWCallback"/>
> >
> > and the cz.makub.PWCallback class is:
> >
> > public class PWCallback implements CallbackHandler {
> >     static Logger log = Logger.getLogger(PWCallback.class);
> >
> >     public void handle(Callback[] callbacks) throws IOException,
> >             UnsupportedCallbackException {
> >         for (int i = 0; i < callbacks.length; i++) {
> >             if (callbacks[i] instanceof WSPasswordCallback) {
> >                 WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
> >                 // set the password given a username
> >                 log.debug("getIdentifier()=" + pc.getIdentifer());
> >                 if ("michalUser".equals(pc.getIdentifer())) {
> >                     pc.setPassword("second");
> >                     return;
> >                 }
> >             } else {
> >                 throw new UnsupportedCallbackException(callbacks[i],
> >                         "Unrecognized Callback");
> >             }
> >         }
> >     }
> > }
> >
> > then I get the following exception:
> >
> > java.io.IOException: exception decrypting data -
> > javax.crypto.BadPaddingException: pad block corrupted
> > at
> > org.bouncycastle.jce.provider.JDKPKCS12KeyStore.decryptData(Unknown Source)
> > at
> > org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineLoad(Unknown Source)
> > at java.security.KeyStore.load(KeyStore.java:1150)
> > at
> > org.apache.ws.security.components.crypto.AbstractCrypto.load(AbstractCrypto.java:525)
> >
> >
> >
> > The interesting point is that my callback handler is never called!
> > It is not even created! Otherwise I would see its debug output.
> >
> > So it looks like WSS4J just wants the callback class to be specified,
> > but it never uses it; it uses the keystore password for the
> > key.
> >
> > Martin
>
>
Re: two password bug when signing
Posted by Werner Dittmann <We...@t-online.de>.
BTW, I forgot: the Java keystore implementation (maybe also the BC one)
has the behavior as described by Martin: if key store password _and_
key password are the same, the keystore implementation does not request
the second password. This is a key store behavior, not WSS4J.
Werner
Martin Kuba wrote:
> Ruchith Fernando wrote:
>> Hi Martin,
>>
>> I just tried changing the password of my private key in one of my test
>> cases that does signature only. Then I got this error:
>>
>> org.apache.ws.security.WSSecurityException: WSHandler: Signature:
>> error during message
>> procesingorg.apache.ws.security.WSSecurityException: Signature
>> creation failed; nested exception is:
>> java.security.UnrecoverableKeyException: Cannot recover key
>> at
>> org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:57)
>>
>> at
>> org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:191)
>>
>>
>> I also tried a keystore of which the private key used to sign had a
>> different password.
>>
>> Seems like it's working as expected!
>>
>> Can you help reproduce this issue?
>
> Yes, I can reproduce it. I just created a PKCS12 file, which has
> different MAC (KeyStore) password and export (PrivateKey) password.
> The passwords are "first" and "second".
> When I specify
>
> org.apache.ws.security.crypto.merlin.file=server2.p12
> org.apache.ws.security.crypto.merlin.keystore.password=first
>
> in crypto.properties and in client-config.wsdd I have
>
> <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
> <parameter name="user" value="michalUser"/>
> <parameter name="passwordCallbackClass"
> value="cz.makub.PWCallback"/>
>
> and the cz.makub.PWCallback class is:
>
> public class PWCallback implements CallbackHandler {
>     static Logger log = Logger.getLogger(PWCallback.class);
>
>     public void handle(Callback[] callbacks) throws IOException,
>             UnsupportedCallbackException {
>         for (int i = 0; i < callbacks.length; i++) {
>             if (callbacks[i] instanceof WSPasswordCallback) {
>                 WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
>                 // set the password given a username
>                 log.debug("getIdentifier()=" + pc.getIdentifer());
>                 if ("michalUser".equals(pc.getIdentifer())) {
>                     pc.setPassword("second");
>                     return;
>                 }
>             } else {
>                 throw new UnsupportedCallbackException(callbacks[i],
>                         "Unrecognized Callback");
>             }
>         }
>     }
> }
>
> then I get the following exception:
>
> java.io.IOException: exception decrypting data -
> javax.crypto.BadPaddingException: pad block corrupted
> at
> org.bouncycastle.jce.provider.JDKPKCS12KeyStore.decryptData(Unknown Source)
> at
> org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineLoad(Unknown Source)
> at java.security.KeyStore.load(KeyStore.java:1150)
> at
> org.apache.ws.security.components.crypto.AbstractCrypto.load(AbstractCrypto.java:525)
>
>
>
> The interesting point is that my callback handler is never called!
> It is not even created! Otherwise I would see its debug output.
>
> So it looks like WSS4J just wants the callback class to be specified,
> but it never uses it; it uses the keystore password for the
> key.
>
> Martin
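Werner's distinction between the key-store password and the key password can be seen in plain JCE, without WSS4J or Axis. The following is an added example written for this page; it is not code from the thread, from WSS4J or from its authors. It builds an in-memory PKCS12 store (Java 8 or later, default JDK provider rather than the BouncyCastle one in Martin's trace) protected by the store password "first", adds one entry protected by the key password "second", and reports which step fails for each wrong password. It uses a secret-key entry, an assumption made so that no certificate chain is needed; a private-key entry of the kind WSS4J signs with is protected by its entry password in the same way. The class and method names are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Added example (not from the thread or from WSS4J): a Java KeyStore has two
 * independent passwords, the store password checked by load() and the
 * per-entry key password checked by getKey(). Each wrong password fails at
 * a different step with a different exception.
 */
public class TwoPasswordDemo {

    // Constructed values; the two passwords are the ones used in Martin's repro.
    static final char[] STORE_PW = "first".toCharArray();
    static final char[] KEY_PW = "second".toCharArray();
    static final String ALIAS = "demo-key";

    /** Builds an in-memory PKCS12 store holding one entry protected by KEY_PW. */
    static byte[] buildStore() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();

        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // fresh, empty store
        // The entry gets its own password, independent of the store password.
        ks.setEntry(ALIAS,
                new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(KEY_PW));

        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, STORE_PW); // STORE_PW protects the store as a whole
        return out.toByteArray();
    }

    /** Reports which step fails, if any, for a given store/key password pair. */
    static String tryOpen(byte[] storeBytes, char[] storePw, char[] keyPw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try {
            ks.load(new ByteArrayInputStream(storeBytes), storePw);
        } catch (IOException e) {
            // Wrong store password: the failure happens here, inside
            // KeyStore.load, before any entry is touched.
            return "load failed: " + e.getClass().getSimpleName();
        }
        try {
            ks.getKey(ALIAS, keyPw);
        } catch (UnrecoverableKeyException e) {
            // Wrong entry password: the store opened, the key did not.
            return "getKey failed: " + e.getClass().getSimpleName();
        }
        return "ok";
    }

    public static void main(String[] args) throws Exception {
        byte[] p12 = buildStore();
        System.out.println("right/right : " + tryOpen(p12, STORE_PW, KEY_PW));
        System.out.println("right/wrong : " + tryOpen(p12, STORE_PW, "wrong".toCharArray()));
        System.out.println("wrong/right : " + tryOpen(p12, "wrong".toCharArray(), KEY_PW));
    }
}
```

Compile and run with `javac TwoPasswordDemo.java && java TwoPasswordDemo`. The two failure points are the ones visible in this thread: a wrong store password is rejected inside KeyStore.load, which is where Martin's "pad block corrupted" trace ends (AbstractCrypto.load calling KeyStore.load), while a wrong entry password is detected only when the key is read, as in the UnrecoverableKeyException Ruchith saw while signing. Reading off which of the two steps threw is therefore the quickest way to tell which of the two configured passwords did not reach the keystore.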
Re: two password bug when signing
Posted by Werner Dittmann <We...@t-online.de>.
Martin, Ruchith,
Well, to me it seems that the wrong callback class was called - maybe a
problem in the class path setting? The error message from the keystore
(pad block corrupted) usually shows that the wrong password was given when
trying to get the private key.
Can you check which callbacks you have and if the client-config.wsdd is
really found by your client?
Regards,
Werner
Martin Kuba wrote:
> Ruchith Fernando wrote:
>> Hi Martin,
>>
>> I just tried changing the password of my private key in one of my test
>> cases that does signature only. Then I got this error:
>>
>> org.apache.ws.security.WSSecurityException: WSHandler: Signature:
>> error during message
>> procesingorg.apache.ws.security.WSSecurityException: Signature
>> creation failed; nested exception is:
>> java.security.UnrecoverableKeyException: Cannot recover key
>> at
>> org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:57)
>>
>> at
>> org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:191)
>>
>>
>> I also tried a keystore of which the private key used to sign had a
>> different password.
>>
>> Seems like it's working as expected!
>>
>> Can you help reproduce this issue?
>
> Yes, I can reproduce it. I just created a PKCS12 file, which has
> different MAC (KeyStore) password and export (PrivateKey) password.
> The passwords are "first" and "second".
> When I specify
>
> org.apache.ws.security.crypto.merlin.file=server2.p12
> org.apache.ws.security.crypto.merlin.keystore.password=first
>
> in crypto.properties and in client-config.wsdd I have
>
> <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
> <parameter name="user" value="michalUser"/>
> <parameter name="passwordCallbackClass"
> value="cz.makub.PWCallback"/>
>
> and the cz.makub.PWCallback class is:
>
> public class PWCallback implements CallbackHandler {
>     static Logger log = Logger.getLogger(PWCallback.class);
>
>     public void handle(Callback[] callbacks) throws IOException,
>             UnsupportedCallbackException {
>         for (int i = 0; i < callbacks.length; i++) {
>             if (callbacks[i] instanceof WSPasswordCallback) {
>                 WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
>                 // set the password given a username
>                 log.debug("getIdentifier()=" + pc.getIdentifer());
>                 if ("michalUser".equals(pc.getIdentifer())) {
>                     pc.setPassword("second");
>                     return;
>                 }
>             } else {
>                 throw new UnsupportedCallbackException(callbacks[i],
>                         "Unrecognized Callback");
>             }
>         }
>     }
> }
>
> then I get the following exception:
>
> java.io.IOException: exception decrypting data -
> javax.crypto.BadPaddingException: pad block corrupted
> at
> org.bouncycastle.jce.provider.JDKPKCS12KeyStore.decryptData(Unknown Source)
> at
> org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineLoad(Unknown Source)
> at java.security.KeyStore.load(KeyStore.java:1150)
> at
> org.apache.ws.security.components.crypto.AbstractCrypto.load(AbstractCrypto.java:525)
>
>
>
> The interesting point is that my callback handler is never called!
> It is not even created! Otherwise I would see its debug output.
>
> So it looks like WSS4J just wants the callback class to be specified,
> but it never uses it; it uses the keystore password for the
> key.
>
> Martin
Re: two password bug when signing
Posted by Martin Kuba <ma...@ics.muni.cz>.
Ruchith Fernando wrote:
> Hi Martin,
>
> I just tried changing the password of my private key in one of my test
> cases that does signature only. Then I got this error:
>
> org.apache.ws.security.WSSecurityException: WSHandler: Signature:
> error during message
> procesingorg.apache.ws.security.WSSecurityException: Signature
> creation failed; nested exception is:
> java.security.UnrecoverableKeyException: Cannot recover key
> at
> org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:57)
>
> at
> org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:191)
>
> I also tried a keystore of which the private key used to sign had a
> different password.
>
> Seems like it's working as expected!
>
> Can you help reproduce this issue?
Yes, I can reproduce it. I just created a PKCS12 file, which has
different MAC (KeyStore) password and export (PrivateKey) password.
The passwords are "first" and "second".
When I specify
org.apache.ws.security.crypto.merlin.file=server2.p12
org.apache.ws.security.crypto.merlin.keystore.password=first
in crypto.properties and in client-config.wsdd I have
<handler type="java:org.apache.ws.axis.security.WSDoAllSender">
<parameter name="user" value="michalUser"/>
<parameter name="passwordCallbackClass"
value="cz.makub.PWCallback"/>
and the cz.makub.PWCallback class is:
package cz.makub;

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.log4j.Logger; // assumed: log4j 1.x, matching Logger.getLogger(PWCallback.class)
import org.apache.ws.security.WSPasswordCallback;

public class PWCallback implements CallbackHandler {
    static Logger log = Logger.getLogger(PWCallback.class);

    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof WSPasswordCallback) {
                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
                // set the password given a username
                log.debug("getIdentifier()=" + pc.getIdentifer());
                if ("michalUser".equals(pc.getIdentifer())) {
                    pc.setPassword("second");
                    return;
                }
            } else {
                throw new UnsupportedCallbackException(callbacks[i],
                        "Unrecognized Callback");
            }
        }
    }
}
then I get the following exception:
java.io.IOException: exception decrypting data -
javax.crypto.BadPaddingException: pad block corrupted
at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.decryptData(Unknown
Source)
at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineLoad(Unknown
Source)
at java.security.KeyStore.load(KeyStore.java:1150)
at
org.apache.ws.security.components.crypto.AbstractCrypto.load(AbstractCrypto.java:525)
The interesting point is that my callback handler is never called!
It is not even created! Otherwise I would see its debug output.
So it looks like WSS4J just wants the callback class to be specified,
but it never uses it; it uses the keystore password for the
key.
Martin
Re: two password bug when signing
Posted by Ruchith Fernando <ru...@gmail.com>.
Hi Martin,
I just tried changing the password of my private key in one of my test
cases that does signature only. Then I got this error:
org.apache.ws.security.WSSecurityException: WSHandler: Signature:
error during message
procesingorg.apache.ws.security.WSSecurityException: Signature
creation failed; nested exception is:
java.security.UnrecoverableKeyException: Cannot recover key
at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:57)
at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:191)
I also tried a keystore of which the private key used to sign had a
different password.
Seems like it's working as expected!
Can you help reproduce this issue?
Thanks,
Ruchith
On 6/14/06, Martin Kuba <ma...@ics.muni.cz> wrote:
> Hi,
>
> I am trying to use WSS4J 1.5.0 for message signing, and I found the
> following problem. I have to specify the keystore password twice,
> first in a callback class, using client-config.wsdd:
>
> <deployment xmlns="http://xml.apache.org/axis/wsdd/"
>             xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
>   <transport name="http"
>              pivot="java:org.apache.axis.transport.http.HTTPSender"/>
>   <globalConfiguration>
>     <requestFlow>
>       <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
>         <parameter name="user" value="michal"/>
>         <parameter name="passwordCallbackClass"
>                    value="cz.makub.PWCallback"/>
>         <parameter name="action" value="Signature"/>
>         <parameter name="signaturePropFile"
>                    value="crypto.properties"/>
>       </handler>
>     </requestFlow>
>   </globalConfiguration>
> </deployment>
>
> and then a second time in crypto.properties:
>
> org.apache.ws.security.crypto.merlin.file=server1.p12
> org.apache.ws.security.crypto.merlin.keystore.type=PKCS12
> org.apache.ws.security.crypto.merlin.keystore.password=michal
>
> Only the one from crypto.properties is used! But I also have
> to provide the callback class; if I don't, I get
> an exception:
>
> Exception in thread "main" org.apache.ws.security.WSSecurityException:
> WSHandler: application provided null or empty password
>
> The callback class must be specified and it must provide a password,
> but the password is not used then, as I can specify a wrong password
> there and it still works.
>
>
> Martin
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Supercomputing Center Brno Martin Kuba
> Institute of Computer Science email: makub@ics.muni.cz
> Masaryk University http://www.ics.muni.cz/~makub/
> Botanicka 68a, 60200 Brno, CZ mobil: +420-603-533775
> --------------------------------------------------------------
>
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
Re: two password bug when signing
Posted by Fred Dushin <fd...@iona.com>.
Not sure that's right -- the keystore password is for the keystore. The
signing password is for the (encrypted) key in the keystore.
-Fred
Martin Kuba wrote:
> Hi,
>
> I am trying to use WSS4J 1.5.0 for message signing, and I found the
> following problem. I have to specify the keystore password twice,
> first in callback class using client-config.wsdd:
>
> <deployment xmlns="http://xml.apache.org/axis/wsdd/"
> xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
> <transport name="http"
> pivot="java:org.apache.axis.transport.http.HTTPSender"/>
> <globalConfiguration>
> <requestFlow>
> <handler
> type="java:org.apache.ws.axis.security.WSDoAllSender">
> <parameter name="user" value="michal"/>
> <parameter name="passwordCallbackClass"
> value="cz.makub.PWCallback"/>
> <parameter name="action" value="Signature"/>
> <parameter name="signaturePropFile"
> value="crypto.properties"/>
> </handler>
> </requestFlow>
> </globalConfiguration>
> </deployment>
>
> and then second time in crypto.properties:
>
> org.apache.ws.security.crypto.merlin.file=server1.p12
> org.apache.ws.security.crypto.merlin.keystore.type=PKCS12
> org.apache.ws.security.crypto.merlin.keystore.password=michal
>
> Only the one from crypto.properties is used! But I have
> to provide also the callback class, if I don't, I get
> an exception:
>
> Exception in thread "main" org.apache.ws.security.WSSecurityException:
> WSHandler: application provided null or empty password
>
> The callback class must be specified and it must provide a password,
> but the password is not used then, as I can specify a wrong password
> there and it still works.
>
>
> Martin
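The distinction Fred draws (keystore password versus the password of the key entry inside it) can be checked with the plain JDK KeyStore API, independent of WSS4J. The following is an added example, not code from the thread or from WSS4J; the passwords, alias and key type are constructed values. A PKCS12 store is built in memory with an entry whose password differs from the store password (a secret-key entry is used because minting a certificate chain for a private-key entry needs code outside the JDK), then reopened the way Merlin does it: the store is unlocked with the keystore.password from crypto.properties, and the entry is unlocked with the password the callback class returns. A wrong entry password produces the UnrecoverableKeyException that Ruchith's stack trace shows nested inside the WSSecurityException.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Added example (not WSS4J code): two distinct secrets guard a keystore.
 * The store password protects the container (integrity MAC, encrypted
 * certificate bags); the entry password protects one key inside it.
 */
public class TwoPasswordDemo {

    // Constructed sample values, not taken from the thread.
    static final char[] STORE_PASSWORD = "store-secret".toCharArray();
    static final char[] KEY_PASSWORD = "key-secret".toCharArray();
    static final String ALIAS = "signing-key";

    /** Builds a PKCS12 store whose entry password differs from the store password. */
    static byte[] buildKeystore() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // fresh, empty store

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();

        // The entry gets its own password, independent of the store password.
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(KEY_PASSWORD));

        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, STORE_PASSWORD); // store password seals the container
        return out.toByteArray();
    }

    /**
     * Mirrors what the signing path does: open the store with the keystore
     * password, then recover the key with the password supplied for the user.
     * Returns true if the key could be recovered, false on a wrong key password.
     * A wrong store password surfaces as an IOException from load().
     */
    static boolean recoverKey(byte[] p12, char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(p12), storePass);
        try {
            return ks.getKey(ALIAS, keyPass) != null;
        } catch (UnrecoverableKeyException e) {
            // Same exception type that is nested in the WSHandler error above.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] p12 = buildKeystore();

        System.out.println("store pw + correct key pw: "
                + recoverKey(p12, STORE_PASSWORD, KEY_PASSWORD));
        System.out.println("store pw + wrong key pw:   "
                + recoverKey(p12, STORE_PASSWORD, "wrong".toCharArray()));

        // Using the key password to open the store fails before any key is touched.
        try {
            recoverKey(p12, KEY_PASSWORD, KEY_PASSWORD);
            System.out.println("key pw used as store pw:   opened");
        } catch (IOException e) {
            System.out.println("key pw used as store pw:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

If the two passwords happen to be identical, as in a store where the key was imported with the same password as the container, a wrong callback password cannot go unnoticed in this model: getKey() would fail. Making them deliberately different, as the example does, is the quickest way to see which of the two configured values actually reaches the key.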