Posted to wss4j-dev@ws.apache.org by Mike <mc...@gmail.com> on 2009/02/11 12:58:20 UTC

WSS4J 1.5.5 - Broken decryption

Hi All

I recently upgraded to Wss4J 1.5.5 from 1.5.4 (and xml-sec 1.4.2 from
1.4.0), after a spelling fix (what is an identifir anyway?! :P) in my
callback handler I tried to run my system (which is a B2B messaging server
using ebXML) but it failed to work on the receiving end.

I receive a stack trace and the identifier in the callback handle method is
null?!?

I'm not exactly sure what is going on, I did some digging and found that the
alias was unassigned just before the callback occurred. I have also noted
that I supply a null actor to the 'processSecurityHeader' method since I
don't have access to it at the time. Is the actor fundamental to decryption?

The same code worked perfectly on WSS4j 1.5.4.

Versions:

Wss4j 1.5.5

xml-sec 1.4.2

BouncyCastle JDK15-141

Java 1.5.0_16

Axis 1.4 1855 April 22 2006

Metro 1.4

Thanks,

Mike

Stack Trace:

> Caused by: org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: Callback supplied no password for: null)
>  at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:290)
>  at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:92)
>  at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:80)
>  at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
>  at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
>  at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:196)


Encryption Code:

>   Utils.trace(this.getClass(), "WSS Encrypting SOAP Envelope");
>
>   WSSecEncrypt encrypt = new WSSecEncrypt();
>   encrypt.setEncCanonicalization(encCanonAlgo);
>   encrypt.setKeyEncAlgo(encKeyAlgo);
>   encrypt.setSymmetricEncAlgorithm(encSymAlgo);
>
>   if (encCert != null) {
>     Utils.trace(this.getClass(), "Encrypting with Configuration provided Certificate");
>     encrypt.setUseThisCert(encCert);
>   } else {
>     Utils.trace(this.getClass(), "Encrypting with Keystore provided Certificate");
>     encrypt.setUserInfo(encryptAlias);
>   }
>
>   if (!signalMessage) {
>     encrypt.setParts(getEncryptionParts(pMode, event));
>   } else {
>     encrypt.setParts(getSignalParts());
>   }
>
>   encrypt.prepare(doc, crypto);
>
>   encrypt.prependToHeader(secHeader);
>
>   doc = encrypt.build(doc, crypto, secHeader);
>
>
>   Utils.trace(this.getClass(), "WSS Encrypted SOAP Envelope");
>

RE: WSS4J 1.5.5 - Broken decryption

Posted by Colm O hEigeartaigh <co...@progress.com>.
This is the problem I think:

  encrypt.prepare(doc, crypto);
  encrypt.prependToHeader(secHeader);
  doc = encrypt.build(doc, crypto, secHeader);

I noticed that there were two EncryptedKey elements in the security
header with the same Id, which looked odd ;-)

All you need here is:

  doc = encrypt.build(doc, crypto, secHeader);

Colm.
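
A diagnostic for the symptom described in the reply above, added here as an example that is not part of the original thread and is not WSS4J code: it uses only JDK DOM classes to list any Id shared by more than one EncryptedKey directly under a wsse:Security header. The class name, the method name and the sample envelope are constructed for illustration.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class DuplicateEncryptedKeyCheck {  // hypothetical helper, not a WSS4J class
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String XENC_NS = "http://www.w3.org/2001/04/xmlenc#";

    // Ids that appear on more than one xenc:EncryptedKey directly under a wsse:Security header.
    static List<String> duplicateEncryptedKeyIds(Document doc) {
        List<String> duplicates = new ArrayList<String>();
        NodeList headers = doc.getElementsByTagNameNS(WSSE_NS, "Security");
        for (int h = 0; h < headers.getLength(); h++) {
            Set<String> seen = new HashSet<String>();  // Ids seen so far in this header
            for (Node n = headers.item(h).getFirstChild(); n != null; n = n.getNextSibling()) {
                boolean isKey = n.getNodeType() == Node.ELEMENT_NODE
                        && XENC_NS.equals(n.getNamespaceURI())
                        && "EncryptedKey".equals(n.getLocalName());
                String id = isKey ? ((Element) n).getAttribute("Id") : "";
                if (id.length() > 0 && !seen.add(id) && !duplicates.contains(id)) {
                    duplicates.add(id);
                }
            }
        }
        return duplicates;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample header: two EncryptedKey elements sharing one Id.
        String soap =
            "<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'"
            + " xmlns:wsse='" + WSSE_NS + "' xmlns:xenc='" + XENC_NS + "'>"
            + "<soap:Header><wsse:Security>"
            + "<xenc:EncryptedKey Id='EncKeyId-SAMPLE'/><xenc:EncryptedKey Id='EncKeyId-SAMPLE'/>"
            + "</wsse:Security></soap:Header><soap:Body/></soap:Envelope>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);  // required for the namespace-based lookups above
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);  // reject DTDs
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(soap)));
        System.out.println("Duplicate EncryptedKey Ids: " + duplicateEncryptedKeyIds(doc));
    }
}
```

In a sender-side test, pass the Document returned by the encryption step to duplicateEncryptedKeyIds and fail the test if the list is non-empty.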

 

________________________________

From: Colm O hEigeartaigh [mailto:coheigea@progress.com]
Sent: 23 February 2009 17:09
To: Mike; wss4j-dev@ws.apache.org
Subject: RE: WSS4J 1.5.5 - Broken decryption

Hi Mike,

Can you give me a simpler example to work with? The request has both
signature and encryption in it, as well as multiple EncryptedKey
elements. Can you also add the code you're using to process the request?

Ideally, could you create a test-case for it?

Colm.

 


RE: WSS4J 1.5.5 - Broken decryption

Posted by Colm O hEigeartaigh <co...@progress.com>.
Hi Mike,

Can you give me a simpler example to work with? The request has both
signature and encryption in it, as well as multiple EncryptedKey
elements. Can you also add the code you're using to process the request?

Ideally, could you create a test-case for it?

Colm.

 
