Posted to fx-dev@ws.apache.org by Dittmann Werner <we...@siemens.com> on 2004/11/15 15:49:33 UTC
Re: Problem with multiple Certificates in WSSecurityEngine
Erik,
thanks for the info. Can you report it in JIRA too?
(just to document it) Thanks.
In the meantime I'll have a look at it to see where
to fix it. AFAIK we had a similar problem some time
ago. I'll check how we solved it at that time.
Regards,
Werner
> -----Original Message-----
> From: Erik Hansen [mailto:ehansen2@csc.com]
> Sent: Monday, 15 November 2004 15:24
> To: werner@apache.org
> Subject:
>
> Hi
>
> I have found a problem in decryption of a SOAP request.
>
> Scenario:
> I am testing a WebService deployed in AXIS 1.2 Beta3 and using the latest
> WSS4J source code.
> The Webservice client is a .NET client using WSE 2.0 sp1.
> It seems that the WSE 2.0 uses the "X509SubjectKeyIdentifier" to identify
> the "Encryption" certificate.
>
>
> Problem:
> The client sends the following XML to identify the Encryption certificate.
>
> <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
>   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>     <wsse:SecurityTokenReference>
>       <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">
>         fFQvqAg/jmQ4bGbCKvdqaTLAVs0=
>       </wsse:KeyIdentifier>
>     </wsse:SecurityTokenReference>
>   </KeyInfo>
>   ...
> </xenc:EncryptedKey>
>
> The problem is in the "WSSecurityEngine" class.
> The method "public void handleEncryptedKey(Element xencEncryptedKey,
> CallbackHandler cb, Crypto crypto) throws WSSecurityException" throws an
> exception when trying to find the "Encryption" certificate in the
> certificate store.
>
> The following code is the part where the problem occurs:
>
> /*
>  * If wsse:KeyIdentifier found, then the public key of the attached cert
>  * was used to encrypt the session (symmetric) key that encrypts the data.
>  * Extract the certificate using the BinarySecurity token (was enhanced to
>  * handle KeyIdentifier too).
>  * This method is _not_ recommended by OASIS WS-S specification, X509 profile
>  */
> else if (secRef.containsKeyIdentifier()) {
>     X509Certificate[] certs = secRef.getKeyIdentifier(crypto);
>     if (certs == null || certs.length != 1 || certs[0] == null) {
>         throw new WSSecurityException(WSSecurityException.FAILURE,
>                 "invalidX509Data",
>                 new Object[]{"for decryption (KeyId)"});
>     }
>
> The call to the method "secRef.getKeyIdentifier(crypto)" returns not only
> the "Encryption" certificate, but the complete certificate chain.
> So the array of certificates contains more than one certificate and
> therefore a "WSSecurityException" is thrown.
>
> I have changed the source code as follows:
>
>     if (certs == null || certs[0] == null) {
>
> allowing more than one certificate to be returned. This change does
> however assume that the "Encryption" certificate is the first one in the
> array.
>
>
> I am not sure where to do the change, but it is probably more feasible to
> make a change in "SecurityTokenReference.java"
> in method "public X509Certificate[] getKeyIdentifier(Crypto crypto)".
>
> Instead of returning the certificate chain, only the main certificate
> should be returned.
>
> #### (existing code)
>
> } else if (value.equals(SKI_URI)) {
>     String alias = getX509SKIAlias(crypto);
>     if (alias != null) {
>         return crypto.getCertificates(alias);  // #### returning certificate chain.
>     }
> }
> return null;
>
> ####
>
>
> Best Regards
> Erik Hansen
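The thread's two fixes either reject a chain outright (length != 1) or assume the encryption certificate is certs[0]. An added example, not code from WSS4J or from either message, showing a third option for the decrypting side: pick the certificate out of the returned chain whose SubjectKeyIdentifier extension matches the decoded wsse:KeyIdentifier value, so the choice does not depend on chain order. It assumes Java 8+ (java.util.Base64) and uses hypothetical names (SkiCertSelector, selectBySki).

```java
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;

/** Hypothetical helper: selects a certificate from a chain by SubjectKeyIdentifier. */
public final class SkiCertSelector {
    // OID of the X.509 SubjectKeyIdentifier extension (RFC 3280, section 4.2.1.2)
    private static final String SKI_OID = "2.5.29.14";

    /** Returns the raw SKI bytes of a certificate, or null if the extension is absent. */
    public static byte[] subjectKeyIdentifier(X509Certificate cert) {
        byte[] extValue = cert.getExtensionValue(SKI_OID);
        if (extValue == null) {
            return null;
        }
        // getExtensionValue() returns the DER OCTET STRING that wraps the extension;
        // the SKI extension's content is itself an OCTET STRING holding the key id,
        // so the value has to be unwrapped twice.
        return unwrapOctetString(unwrapOctetString(extValue));
    }

    /** Strips one DER OCTET STRING header (tag 0x04, short or long length form). */
    private static byte[] unwrapOctetString(byte[] der) {
        if (der.length < 2 || der[0] != 0x04) {
            throw new IllegalArgumentException("not a DER OCTET STRING");
        }
        int len = der[1] & 0xFF;
        int offset = 2;
        if (len > 0x7F) {                 // long form: low 7 bits = number of length bytes
            int n = len & 0x7F;
            len = 0;
            for (int i = 0; i < n; i++) {
                len = (len << 8) | (der[2 + i] & 0xFF);
            }
            offset = 2 + n;
        }
        return Arrays.copyOfRange(der, offset, offset + len);
    }

    /**
     * Picks the chain member whose SKI equals the base64 value carried in
     * wsse:KeyIdentifier (e.g. "fFQvqAg/jmQ4bGbCKvdqaTLAVs0=" in the request above).
     * Returns null if no member matches, which the caller should treat as
     * "invalidX509Data" exactly like the existing check does.
     */
    public static X509Certificate selectBySki(X509Certificate[] chain, String keyIdBase64) {
        byte[] wanted = Base64.getDecoder().decode(keyIdBase64);
        for (X509Certificate cert : chain) {
            byte[] ski = subjectKeyIdentifier(cert);
            if (ski != null && Arrays.equals(ski, wanted)) {
                return cert;
            }
        }
        return null;
    }
}
```

Matching on the SKI rather than the array index also catches the case where the store returns the chain issuer-first, which the `certs[0]` change would silently get wrong.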