Posted to issues@cxf.apache.org by "aman kohli (Commented) (JIRA)" <ji...@apache.org> on 2011/10/19 15:12:10 UTC

[jira] [Commented] (CXF-3865) Asymmetric Encryption - alias is null during decryption using private key

    [ https://issues.apache.org/jira/browse/CXF-3865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13130581#comment-13130581 ] 

aman kohli commented on CXF-3865:
---------------------------------

The uploaded example does not contain the WSDL with the WS-Security elements:

What's included:
	* source code, keystores
	* I removed the WS-Security elements from the WSDL as the problem still exists without it
	* error log from client

$ mvn package

run server:  
	$ mvn  exec:java -Dexec.mainClass=asymmetric.stub.StubCollectionService > log 2>&1

Client
	$  mvn  exec:java -Dexec.mainClass=asymmetric.client.RegisterCollection -Dexec.args="http://localhost:9198/CitiWS/services/Collection/?wsdl"	


                
> Asymmetric Encryption - alias is null during decryption using private key
> -------------------------------------------------------------------------
>
>                 Key: CXF-3865
>                 URL: https://issues.apache.org/jira/browse/CXF-3865
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2.10
>         Environment: actually 2.2.3 is the version
> running on mac osx lion and windows xp; java 1.6
>            Reporter: aman kohli
>         Attachments: cxf-wss4j-asym-crypto-soap.tgz
>
>
> As raised on the mailing list, Colm suggested I upload the test case here.  This is the description from the mailing list: http://mail-archives.apache.org/mod_mbox/ws-users/201110.mbox/%3CCF458CB8-746A-4D98-A89F-9AD647AEE2D1@yahoo.com%3E
> Running into a problem on the server implementation (a CXF SOAP server) of asymmetric encryption.
> The intention is for the SOAP body to be encrypted with the server's public key. The client
> (also using CXF) seems to be encrypting the message body OK.
> On receipt of the message, the server implementation raises an exception, with the reason
> the alias is null.  Here's the stack:
> org.apache.ws.security.WSSecurityException: The signature or decryption was invalid; nested
> exception is: 
>        java.lang.Exception: alias is null
>        at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:330)
>        at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:104)
>        at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:84)
>        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
>        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
>        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:198)
>        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
>        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
>        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:104)
>        at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:302)
>
>   Caused by: java.lang.Exception: alias is null
>        at org.apache.ws.security.components.crypto.CryptoBase.getPrivateKey(CryptoBase.java:207)
>        at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:328)
>        ... 22 more
> I added some println statements to the password callback on the server side to print out the
> type and id:
> 	*** password callback type 1 class org.apache.ws.security.WSPasswordCallback
> 	*** password callback id null
> The API is used to configure CXF and WSS4J, not the XML configuration. The messages are
> not being signed, nor are timestamps being used, just encryption/decryption. ep is the EndpointImpl:
>         Map<String,Object> inProps1 = new HashMap<String,Object>();
>         inProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
>         inProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordCallbackHandler.class.getName());
>         inProps1.put(WSHandlerConstants.DEC_PROP_FILE, "server-security.properties");
>         inProps1.put(WSHandlerConstants.USER, "clientkey");
>         ep.getServer().getEndpoint().getInInterceptors().add(new WSS4JInInterceptor(inProps1));
> And the properties file is:
> 	org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> 	org.apache.ws.security.crypto.merlin.keystore.type=jks
> 	org.apache.ws.security.crypto.merlin.keystore.password=storepass
> 	org.apache.ws.security.crypto.merlin.keystore.alias=clientkey
> 	org.apache.ws.security.crypto.merlin.keystore.file=src/main/keystores/server-encypt.jks
> The server cert is self signed: 
> 	$ keytool -genkey -alias umpservice -keyalg RSA -sigalg SHA1withRSA -keypass ump-pass -storepass dummy-service -keystore server-encypt.jks -dname cn=localhost
> 	$ keytool -genkey -alias clientkey -keyalg RSA -sigalg SHA1withRSA -keypass client-pass -storepass dummy-service -keystore ump-stub-keystore.jks -dname cn=umpd
> and the certificate was exported using the following:
> 	$ keytool -export -rfc -keystore ump-stub-keystore.jks -storepass dummy-service -keypass client-pass -alias clientkey -file client-cert.cer
> This is the WSDL extract:
>   <wsp:Policy wsu:Id="AsymEncryption" 
> 	      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> 	      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <wsp:Policy>
>             <sp:InitiatorToken>
>               <wsp:Policy>
>                 <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                   <wsp:Policy>
>                   <!-- <sp:RequireThumbprintReference/> -->
>                   </wsp:Policy>
>                 </sp:X509Token>
>               </wsp:Policy>
>             </sp:InitiatorToken>
>             <sp:RecipientToken>
>               <wsp:Policy>
>                 <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                   <wsp:Policy>
>                     <!-- <sp:RequireThumbprintReference/> -->
>                   </wsp:Policy>
>                 </sp:X509Token>
>               </wsp:Policy>
>             </sp:RecipientToken>
>             <sp:AlgorithmSuite>
>               <wsp:Policy>
>                 <sp:TripleDesRsa15/>
>               </wsp:Policy>
>             </sp:AlgorithmSuite>
>             <sp:Layout>
>               <wsp:Policy>
>                 <sp:Strict/>
>               </wsp:Policy>
>             </sp:Layout>
> <!--            <sp:IncludeTimestamp/>
>             <sp:OnlySignEntireHeadersAndBody/>
> -->
>           </wsp:Policy>
>         </sp:AsymmetricBinding>
>         <sp:EncryptedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <sp:Body/>
>         </sp:EncryptedParts>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
>
>   <wsdl:binding name="CollectionImplServiceSoapBinding" type="tns:CollectionService">
>       <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>                            URI="#AsymEncryption"/>
> And this is the incoming message:
> <output>
> 	INFO: Inbound Message
> 	----------------------------
> 	ID: 1
> 	Address: /FooWS/services/Collection/
> 	Encoding: UTF-8
> 	Content-Type: text/xml; charset=UTF-8
> 	Headers: {content-type=[text/xml; charset=UTF-8], connection=[keep-alive], Host=[localhost:9198],
> Content-Length=[2549], SOAPAction=[""], User-Agent=[Apache CXF 2.2.3], Content-Type=[text/xml; charset=UTF-8],
> Accept=[*/*], Pragma=[no-cache], Cache-Control=[no-cache]}
> 	Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
> <soap:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
> <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncKeyId-A77755F726FB2C832813189733820252">
> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><ds:X509Data>
> <ds:X509IssuerSerial>
> <ds:X509IssuerName>CN=umpd</ds:X509IssuerName>
> <ds:X509SerialNumber>1316785867</ds:X509SerialNumber>
> </ds:X509IssuerSerial>
> </ds:X509Data></wsse:SecurityTokenReference>
> </ds:KeyInfo><xenc:CipherData><xenc:CipherValue>FlnDsQHOdVw0AOZualC9D6HvNIl7Hr2zXqf6YTZV5c28QzhwsJnZHLrL49dVPeq0TGT5QeRylc5lSfkUnWqwLoRs/N7yspkktxshhz7CTu3zzqbo3f82nSAr6d7nLXaI+dsIlDAkmngV/4uOJk1TqavjZl
> +7XW5XtxGHihzs5Zw=</xenc:CipherValue></xenc:CipherData>
> <xenc:ReferenceList><xenc:DataReference URI="#EncDataId-1" /></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soap:Header>
> <soap:Body><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncDataId-1" Type="http://www.w3.org/2001/04/xmlenc#Content">
> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#EncKeyId-A77755F726FB2C832813189733820252" /></wsse:SecurityTokenReference>
> </ds:KeyInfo><xenc:CipherData><xenc:CipherValue>Gbc/CYA8k1XJhCRYO8lA7rdxoUB6X4n7ZxfFSpxg437HUUjlaIImZ9vbX+UxxOuDKgEyN8TayBQR
> WIl+7npAm1BkzB88XJLf3EoVQI3eJhctspIuUgj/VIoHh090fCdw3bZGPSikqXlNPzPn5BsJKa/F
> 7Q4MIXjgS7G7L4tBesgsNJEcBx7ftp6Slxw+iTSvudYcMQ5ZcQcl0a4o2NbohFUIc1HJhg4daq0c
> LwvKit9owEQyMNkVXJV/vj6swU+gx9ltbFJJ4uqnx5zCA2obxOZzk61v+VX9ctotdP3/xLr/WHtz
> dRPsTsM34zguG6vwRq+f1czBKtlkbaN4CxTZDvPkLgFSXX286ki452UWBIzqxaynCAL6tY1qgMYi
> tDbQveW+suDbu4cwN4WtUUJdWmqGAOJOeXTXsmCqEcipN/eqod75QVbqzBrTBjpywNdhdxE2aBU/
> wfXa1HMwhoKw9+Ul3st6I1tpuVbi+wK7amqGIwCo8URtdJEBzbu90g1uWfSgb/iIlrIyCk6vSIlB
> XbLD3VZCx0nlqfaG5GZOaqz1mAxCAfnrYg5y9eGkxIMk</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope>
> </output>
> On the client side, WSS4J is set up as:
>         Map<String,Object> outProps1 = new HashMap<String,Object>();
>         outProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
>         outProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientCallbackHandler.class.getName());
>         outProps1.put(WSHandlerConstants.ENC_PROP_FILE, "client-crypto.properties");
>         outProps1.put(WSHandlerConstants.ENCRYPTION_USER, "servicekey");
>         cxfEndpoint.getOutInterceptors().add(new WSS4JOutInterceptor(outProps1));
> and the properties file is:
> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> org.apache.ws.security.crypto.merlin.keystore.type=jks
> org.apache.ws.security.crypto.merlin.keystore.alias=servicekey
> org.apache.ws.security.crypto.merlin.keystore.password=clientpass
> org.apache.ws.security.crypto.merlin.file=src/main/keystores/client-store.jks
> and the cert was imported using the command:
> 	$ keytool -import -trustcacerts -keystore client-store.jks -storepass clientpass -alias servicekey
> -file client-cert.cer
> Not sure what is going wrong, but there are a lot of steps, so maybe this is a simple error
> on my part.
> The CXF version is 2.2.3. If I need to redirect this to the cxf-users list, please let me
> know.
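WSS4J's CryptoBase.getPrivateKey raises "alias is null" when the decryption Crypto found no keystore entry whose issuer and serial match the X509IssuerSerial carried in the inbound EncryptedKey's KeyInfo, so a useful server-side pre-flight check is to compare those two things directly. The following is an added example, not code from the issue or from CXF/WSS4J; it assumes the recipient certificate is referenced by issuer/serial (as in the captured message), takes the keystore inventory from `keytool -list -v` output, and uses constructed, trimmed sample inputs (the server keystore serial is a placeholder).

```python
import re
import xml.etree.ElementTree as ET
DS = "{http://www.w3.org/2000/09/xmldsig#}"
XENC = "{http://www.w3.org/2001/04/xmlenc#}"

def encrypted_key_issuer_serial(soap_xml):
    """(issuer DN, serial) by which the inbound EncryptedKey names its recipient cert."""
    ek = ET.fromstring(soap_xml).find(f".//{XENC}EncryptedKey")
    if ek is None:
        raise ValueError("no xenc:EncryptedKey in the Security header")
    return (ek.find(f".//{DS}X509IssuerName").text.strip(),
            int(ek.find(f".//{DS}X509SerialNumber").text.strip()))

def private_key_entries(keytool_listing):
    """{(issuer, serial): alias} from `keytool -list -v` output, PrivateKeyEntry only."""
    entries = {}
    for block in re.split(r"\n(?=Alias name:)", keytool_listing.strip()):
        f = dict(re.findall(r"^([^:\n]+): (.*)$", block, re.M))
        if f.get("Entry type") == "PrivateKeyEntry":  # a trustedCertEntry cannot decrypt
            # keytool prints the serial in hex, the message carries it in decimal;
            # issuer DNs are compared as plain strings (assumption: same formatting).
            entries[(f["Issuer"], int(f["Serial number"], 16))] = f["Alias name"]
    return entries

def decryption_alias(soap_xml, keytool_listing):
    """Alias a decryptor would resolve, or None: the case that surfaces as 'alias is null'."""
    return private_key_entries(keytool_listing).get(encrypted_key_issuer_serial(soap_xml))

# Constructed, trimmed copy of the inbound message from the issue (cipher text elided).
INBOUND = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=umpd</ds:X509IssuerName>
<ds:X509SerialNumber>1316785867</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference>
</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>
</wsse:Security></soap:Header><soap:Body/></soap:Envelope>"""

# Constructed listing for a keystore like server-encypt.jks: only umpservice (CN=localhost), placeholder serial.
SERVER_KEYSTORE = """Alias name: umpservice
Entry type: PrivateKeyEntry
Owner: CN=localhost
Issuer: CN=localhost
Serial number: 4e7c0000"""

# Constructed listing of a keystore that does hold the CN=umpd key; 0x4e7c8ecb == 1316785867 as in the message.
MATCHING_KEYSTORE = """Alias name: clientkey
Entry type: PrivateKeyEntry
Owner: CN=umpd
Issuer: CN=umpd
Serial number: 4e7c8ecb"""
```

Run `decryption_alias(INBOUND, SERVER_KEYSTORE)` to reproduce the None result (no private key for CN=umpd in that store) and `decryption_alias(INBOUND, MATCHING_KEYSTORE)` to see the alias a correctly provisioned decryption keystore would yield.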
