Posted to users@cxf.apache.org by Jennifer Ruttan <je...@indivica.com> on 2013/08/29 19:05:16 UTC

Receiving and Decrypting Encrypted MTOM Attachments

Hi all,

I have a web service that responds to me with an encrypted MTOM attachment. The MTOM attachment is a complex type that contains several fields (base64-encoded data, a string, integer, and another complex type).

The response is encrypted as follows (I received this from the web service supplier):
- The response is encrypted using the public key of the certificate that was used to sign the incoming message
- All bits of the public key are used
- The secret key is encrypted using an RSA cipher with PKCS1 padding; the secret key itself is 128 bits long, but encrypts to 128 bytes then base64 encodes to 172 bytes
- The initialization vector is the first 16 bytes of the cipher value in the body; to recover the IV, base64 decode the CipherValue and take the first 16 bytes from it; the remainder is the decrypted message
- The response message encryption scheme is AES cipher with CBC block mechanism and PKCS5 padding

With all of that said, I have configured the BindingProvider on the client to enable MTOM support, as follows:
import javax.xml.ws.BindingProvider;
import javax.xml.ws.soap.SOAPBinding;

BindingProvider bp = (BindingProvider) port;
SOAPBinding binding = (SOAPBinding) bp.getBinding();
binding.setMTOMEnabled(true); // accept XOP-optimized attachments on this port

All of the responses that this web service delivers are encrypted, but this is the only type that I can't decrypt automatically via CXF's built-in logic. I receive a WSSecurityException ("The signature or decryption was invalid") when I run the method on the port that responds with an encrypted MTOM attachment.

By any chance if anybody knows the best way to proceed and configure the service so that it decrypts this message type properly, I would appreciate any suggestions.

Thanks
Jennifer




Re: Receiving and Decrypting Encrypted MTOM Attachments

Posted by Cosmic <co...@yahoo.com>.
Jennifer Ruttan wrote
> decrypt automatically via CXF's built-in logic. I receive a
> WSSecurityException ("The signature or decryption was invalid") when I run
> the method on the port that responds with an encrypted MTOM attachment. 

The encryption looks standard and if you are able to get the other responses
it suggests it is functioning.
"The signature or decryption was invalid" suggests several things.
CXF, as an interpretative tool, may not recognize more than one
ephemeral (secret) key, one for the message and one for the MTOM (depends
on their webgate appliance settings). This also suggests the WSE and WCF
frameworks in the .NET world would fail.
Possibly a malformed header in the MTOM container.
Order of operation: Whether it is MTOM/encrypted or encrypted/MTOM (huge
impact). 
Lastly whether the container is base64 content.
IMHO WSS4J is a red herring.
I would suggest grabbing the MTOM and decrypting it outside of CXF to see
what you are receiving.



--
View this message in context: http://cxf.547215.n5.nabble.com/Receiving-and-Decrypting-Encrypted-MTOM-Attachments-tp5733291p5735127.html
Sent from the cxf-user mailing list archive at Nabble.com.
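Following Cosmic's suggestion, here is a stand-alone Java program that decrypts a response built the way the supplier described it, with no CXF or WSS4J involved. It is an added example, not code from this thread or from the CXF project. It assumes the RSA private key matching the certificate that signed the request is available as a java.security.PrivateKey (here it comes from a freshly generated key pair so the example runs offline; in practice you would load it from your keystore), and it builds its own constructed sample message on the sender side so there is something to decrypt. The layout it implements is the one the supplier described and the one XML Encryption specifies for AES-CBC: EncryptedKey/CipherValue is the RSA PKCS#1 v1.5 wrapped 128-bit AES key, and EncryptedData/CipherValue is the 16-byte IV followed by the AES/CBC/PKCS5 ciphertext. Class and method names are my own.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Out-of-band decryption of a response laid out as the supplier describes:
 *   EncryptedKey/CipherValue  = base64( RSA-PKCS1( 128-bit AES key ) )
 *   EncryptedData/CipherValue = base64( IV(16 bytes) || AES-CBC-PKCS5( plaintext ) )
 * Diagnostic only: nothing here touches CXF/WSS4J and nothing verifies the signature.
 * (Added example; names are hypothetical.)
 */
public class MtomOutOfBandDecrypt {

    static final int IV_LEN = 16; // AES block size; the IV is the first 16 bytes of the CipherValue

    /** Recover the AES key: base64-decode the EncryptedKey CipherValue and RSA-PKCS1 unwrap it. */
    static byte[] unwrapSessionKey(String encryptedKeyB64, PrivateKey rsaPriv) throws Exception {
        byte[] wrapped = Base64.getDecoder().decode(encryptedKeyB64); // 128 bytes for a 1024-bit key
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.DECRYPT_MODE, rsaPriv);
        byte[] key = rsa.doFinal(wrapped); // BadPaddingException here usually means the wrong private key
        if (key.length != 16) {
            throw new IllegalStateException("expected a 128-bit AES key, got " + key.length * 8 + " bits");
        }
        return key;
    }

    /** Recover the payload: split IV || ciphertext, then AES/CBC/PKCS5Padding with the unwrapped key. */
    static byte[] decryptPayload(String cipherValueB64, byte[] aesKey) throws Exception {
        byte[] raw = Base64.getDecoder().decode(cipherValueB64);
        if (raw.length < IV_LEN + 16 || (raw.length - IV_LEN) % 16 != 0) {
            throw new IllegalStateException("CipherValue is not IV || whole AES blocks: " + raw.length + " bytes");
        }
        IvParameterSpec iv = new IvParameterSpec(Arrays.copyOfRange(raw, 0, IV_LEN));
        byte[] ct = Arrays.copyOfRange(raw, IV_LEN, raw.length);
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.DECRYPT_MODE, new SecretKeySpec(aesKey, "AES"), iv);
        return aes.doFinal(ct); // BadPaddingException here: wrong key, wrong IV split, or mangled base64
    }

    // --- Constructed sender side, present only so the example runs offline ---

    /** Returns { EncryptedKey CipherValue, EncryptedData CipherValue } as the supplier would emit them. */
    static String[] encryptLikeSupplier(byte[] plaintext, PublicKey rsaPub) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey aesKey = kg.generateKey();

        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, rsaPub);
        String encKey = Base64.getEncoder().encodeToString(rsa.doFinal(aesKey.getEncoded()));

        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.ENCRYPT_MODE, aesKey, new IvParameterSpec(iv));
        byte[] ct = aes.doFinal(plaintext);
        byte[] ivAndCt = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, ivAndCt, 0, iv.length);
        System.arraycopy(ct, 0, ivAndCt, iv.length, ct.length);
        return new String[] { encKey, Base64.getEncoder().encodeToString(ivAndCt) };
    }

    public static void main(String[] args) throws Exception {
        // 1024-bit RSA reproduces the sizes quoted in the post (128-byte wrapped key, 172 base64 chars).
        // Real deployments should be on >= 2048 bits; load the real key from a KeyStore instead.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(1024);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed sample payload standing in for the serialized attachment type.
        byte[] original = "<attachment><data>SGVsbG8=</data><note>sample</note></attachment>"
                .getBytes(StandardCharsets.UTF_8);
        String[] msg = encryptLikeSupplier(original, kp.getPublic());
        System.out.println("EncryptedKey base64 length: " + msg[0].length()); // 172 for a 1024-bit modulus

        byte[] aesKey = unwrapSessionKey(msg[0], kp.getPrivate());
        byte[] recovered = decryptPayload(msg[1], aesKey);
        System.out.println(Arrays.equals(original, recovered) ? "round trip OK" : "MISMATCH");
    }
}
```

To use it against the real service, replace the generated key pair with the private key from your keystore, paste the two CipherValue strings from a logged response, and call unwrapSessionKey and then decryptPayload. The failure mode tells you where the mismatch is: a BadPaddingException from the RSA step most likely means the private key is not the one whose certificate signed the request; a key that is not 16 bytes means the supplier's description of the key size is off; an exception from the AES step means the IV split or the base64 is wrong; and a wrapped key whose decoded length is not the modulus size means the value you grabbed is not the EncryptedKey at all. If the attachment has been XOP-optimized into its own MIME part, that part already holds the raw bytes, so skip the base64 decode for it. Because nothing here checks the signature on the response, keep it as a diagnostic rather than a replacement for WSS4J.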

Re: Receiving and Decrypting Encrypted MTOM Attachments

Posted by Jennifer Ruttan <je...@indivica.com>.
Hi, thanks for the info. I had no idea it wasn't completely supported. In the absence of support for MTOM together with WS-Security in CXF, could you recommend an alternative platform to develop on that does support that combination?



> On Aug 29, 2013, at 10:47 PM, Freeman Fang <fr...@gmail.com> wrote:
> 
> Hi,
> 
> WSS4J and MTOM don't really work well in CXF currently; please see the related discussions [1] & [2]. The coming WSS4J 2.0 should be the final solution.
> 
> [1]http://cxf.547215.n5.nabble.com/Signature-digest-mismatch-when-NET-supplies-MTOM-attachment-td3270961.html
> [2]http://mail-archives.apache.org/mod_mbox/cxf-users/201301.mbox/%3CCAB8XdGA-1aUajDdpN=w5JMaxmQEbvHgHZQN3OYcp2q5od3Cmgw@mail.gmail.com%3E
> -------------
> Freeman(Yue) Fang
> 
> Red Hat, Inc. 
> FuseSource is now part of Red Hat
> Web: http://fusesource.com | http://www.redhat.com/
> Twitter: freemanfang
> Blog: http://freemanfang.blogspot.com
> http://blog.sina.com.cn/u/1473905042
> weibo: @Freeman小屋
> 
> 
> 

Re: Receiving and Decrypting Encrypted MTOM Attachments

Posted by Freeman Fang <fr...@gmail.com>.
Hi,

WSS4J and MTOM don't really work well in CXF currently; please see the related discussions [1] & [2]. The coming WSS4J 2.0 should be the final solution.

[1]http://cxf.547215.n5.nabble.com/Signature-digest-mismatch-when-NET-supplies-MTOM-attachment-td3270961.html
[2]http://mail-archives.apache.org/mod_mbox/cxf-users/201301.mbox/%3CCAB8XdGA-1aUajDdpN=w5JMaxmQEbvHgHZQN3OYcp2q5od3Cmgw@mail.gmail.com%3E
-------------
Freeman(Yue) Fang

Red Hat, Inc. 
FuseSource is now part of Red Hat
Web: http://fusesource.com | http://www.redhat.com/
Twitter: freemanfang
Blog: http://freemanfang.blogspot.com
http://blog.sina.com.cn/u/1473905042
weibo: @Freeman小屋


