InvalidKeyException: Wrong key usage (Apache Rampart SOAP WS_Security Encryption/Signature issue with public key of server certificate)

[Ramakrishnan <ra...@servion.com>]

Hi,

My requirement is to access a webservice written in .net WCF framework from JAVA. I have used apache rampart to achieve this WS_Security on SOAP request.

I was able to create the expected encrypted request using self signed certificate which has key usage as Key_Encipherment.

But the cer file given from server certificate which has the public key is giving Invalid key usage Exception while encrypting symmetric key using public key.

My Policy file looks like,

<?xml version="1.0" encoding="UTF-8"?>

<wsp:Policy wsu:Id="SignEncr" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
<sp:EncryptSignature />
<sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier />
<sp:MustSupportRefIssuerSerial />
</wsp:Policy>
</sp:Wss10>
<sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportIssuedTokens />
<sp:RequireClientEntropy />
<sp:RequireServerEntropy />
</wsp:Policy>
</sp:Trust10>

<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body />
</sp:SignedParts>
<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body />
</sp:EncryptedParts>

<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:user>ClientAliasname</ramp:user>
<ramp:encryptionUser>serveraliasName</ramp:encryptionUser>
<ramp:passwordCallbackClass>com.test.mobile.customer.impl.PWCBHandler</ramp:passwordCallbackClass>

<ramp:signatureCrypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">test@123</ramp:property>
</ramp:crypto>
</ramp:signatureCrypto>
<ramp:encryptionCypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.file">Server.jks</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">rampart</ramp:property>
</ramp:crypto>
</ramp:encryptionCypto>

</ramp:RampartConfig>
<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false" />
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
</wsp:Policy>
</sp:TransportBinding>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>


The exception I'm getting is: Caused by: java.security.InvalidKeyException: Wrong key usage
Caused by: org.apache.ws.security.WSSecurityException: Cannot encrypt data


My expected WS_Security SOAP request should look alike:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<o:Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="uuid-e6d3ae0f-1556-45df-a5f0-c27a64c6be60-1">
<u:Created>2013-08-27T06:30:57.637Z</u:Created>
<u:Expires>2013-08-27T06:35:57.637Z</u:Expires>
</u:Timestamp>
<o:BinarySecurityToken u:Id="uuid-5e9adb1a-6474-4eed-b5b5-d19d65eaa4e6-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIFRTCCBC2gAwIBAgIKUQcS6Qu......BwmNluUWXlCDrUEsGfiDnTSMEBiNHkWFQmT3Ji9VP6qR0g8wUmFJyOhe6OVLWVeGB4QDdCToJfMIIC2vboftZAM4524+jmE8sY0cXqH5wTWbxbcl9+BlCZmwm1j5G87KR8ODFdS9MCEI</o:BinarySecurityToken>
<e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
</e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">INvA3X4oDuV0Yds3XRt2ZfuphgU=</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>u3wEG1qIPaLWmIvdyphDNzQtdLBNzTcmT3Qix+pnd6PyCVlSdj3DzuAiS6KjSIr19l2M1I4dBHYx5cFCBnj0paiuiNQTfn1gYv4fLQe01irUW+OAZJXKEMncKZhX4j7k8fvKdSC3opY3ZFE0vKHn45w5xPr3zdfGXtKy5Ww==</e:CipherValue>
</e:CipherData>
<e:ReferenceList>
<eataReference URI="#_2"/>
<eataReference URI="#_3"/>
</e:ReferenceList>
</e:EncryptedKey>
<e:EncryptedData Id="_3" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<e:CipherData>
<e:CipherValue>RRuVqpKmDzga1IXKhq98qvXQyz+Ew+jR6nqaFFnGyzCxBmjXkXuprWKarA/VHqh6XgqL4EVRADAkARwhuM2d0eeKpktOoBF+NJzs4rlhEfmDS0GwaFUI36DRxVXh8L......................eybyvdJCUd9CORKt1qPsmYkqsEI8oFRv7Hpv6f9BedZoFBwUlbKB7FNVWIq8/SG2IMorvLv5pEjKT85J+l05IoD0pqorvBWpY7NzuTd4wR6eYDRzNTExuJ52+mm5wi1fQ8wzHTOIn5Ea7VYg==</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</o:Security>
</s:Header>
<s:Body u:Id="_1">
<e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<e:CipherData>
<e:CipherValue>HVfBtgRktBhX6T0qDuhE8U+jrx4IFIOaCUlHuodEmBZ5Ug+B8W5SnaVzCIxt5PH/maXbpxd9V/feDPRD995ppndRF34qBIDXOBAra75kuhfDjIJkmkylyfd7sRR1S3acT3asMI6DbmA9JjPuIbn22L1cUe4zsMnwtWkTeXY1oQw8oZig9yhMhf607Kx1zAlqsIE/JzusXNlLKpatUQzxQ75xDUGNEbHpQjIn0hAJmBjtY7gy7kGxNA........</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
</s:Envelope>


While I'm using the public key of the server certificate I'm getting the above mentioned error. I want to know whether the public cert should need to have key_encipherment as its key usage. If it has then I can able to create it successfully.

But the partner is denying to provide the key_encipherment enabled public certificate and says every other clients are using the same certificate to access their webservice.

I'm spending my time on this for the past 4 weeks. Any help would be much helpful.

Thanks,
Ramakrishnan T
The information contained in this e-mail message or messages (which includes any attachments) is confidential and may be legally privileged. It is intended only for the use of the person or entity to which it is addressed.