Posted to wss4j-dev@ws.apache.org by VijayM <vi...@yahoo.com> on 2009/07/01 11:40:18 UTC

wss4j1.5.5: Decrypting the soap xml results in NP exception for soap message containing BinarySecurityToken in request.

Decrypting the soap xml results in NP exception for soap message containing
BinarySecurityToken in request.

I am using wss4j 1.5.5 to decrypt the SOAP message.
The client encrypts the SOAP message by setting action=Encrypt and
encryptionKeyIdentifier=DirectReference.

At receiving end the receiver handler config is:
<requestFlow>
    <handler name="DoSecurityReceiver" type="java:org.apache.ws.axis.security.WSDoAllReceiver">
        <parameter name="action" value="Encrypt"/>
        <parameter name="decryptionPropFile" value="server.crypto.properties"/>
        <parameter name="passwordCallbackClass" value="com.ws.server.PWCallback"/>
    </handler>
</requestFlow>

At the receiving end, when decrypting this message, the null pointer
exception occurs (exception trace shown below).
The exception occurs only when the "DirectReference" key identifier is used
in message encryption, i.e. the request contains a token embedded in a
"BinarySecurityToken" element.
The exception does not occur when the "IssuerSerial" identifier is used.

Debugging the code further, I observed that
BinarySecurityTokenProcessor.getCertificatesTokenReference(Element elem, Crypto crypto)
uses the Signature Crypto instance to parse the security token from the request.
Since the signature crypto is null, it results in a null pointer exception.
The signature crypto is null because the action is "Encrypt" only. It should be
using the decryption crypto instance instead.

My understanding so far is:
If action is Signature -> Signature crypto will be initialized.
If action is Encrypt -> Encryption crypto will be initialized.
If action is "Signature Encrypt" -> Both sign/encrypt crypto will be initialized.

For an encrypted message, BinarySecurityTokenProcessor should use the encryption
crypto instance to parse the binary token instead of the signature crypto.

Any comments greatly appreciated. 

Exception trace:
Caused by: java.lang.NullPointerException
        at org.apache.ws.security.message.token.X509Security.getX509Certificate(X509Security.java:94)
        at org.apache.ws.security.processor.BinarySecurityTokenProcessor.getCertificatesTokenReference(BinarySecurityTokenProcessor.java:93)
        at org.apache.ws.security.processor.BinarySecurityTokenProcessor.handleToken(BinarySecurityTokenProcessor.java:74)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
        at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:162)







RE: wss4j1.5.5: Decrypting the soap xml results in NP exception for soap message containing BinarySecurityToken in request.

Posted by Colm O hEigeartaigh <co...@progress.com>.
It's fixed in the latest release: 1.5.8

Colm.

-----Original Message-----
From: VijayM [mailto:vijumali@yahoo.com] 
Sent: 08 August 2009 08:12
To: wss4j-dev@ws.apache.org
Subject: RE: wss4j1.5.5: Decrypting the soap xml results in NP exception
for soap message containing BinarySecurityToken in request.


Hi Colm,
Thank you very much for the fix. Can you specify the build I should be
consuming to get the fix?

Best Regards,
Vijay Mali






RE: wss4j1.5.5: Decrypting the soap xml results in NP exception for soap message containing BinarySecurityToken in request.

Posted by VijayM <vi...@yahoo.com>.
Hi Colm,
Thank you very much for the fix. Can you specify the build I should be
consuming to get the fix?

Best Regards,
Vijay Mali






RE: wss4j1.5.5: Decrypting the soap xml results in NP exception for soap message containing BinarySecurityToken in request.

Posted by Colm O hEigeartaigh <co...@progress.com>.
Good catch! I'm surprised no-one has run into this before. I'll commit a
fix for this in a few minutes. 

The BinarySecurityTokenProcessor only uses the crypto instance to
construct the certificate(s) from XML, so a simple fix is to just check
for null on the signature crypto instance. There's no way of telling
whether the BST being processed is used for encryption or signature in
advance. It's a reasonable assumption though that the same abstract
Crypto implementation (e.g. CryptoBase) is being used for signature and
encryption, even if the subclasses are different, etc.

I also spotted the ReferenceListProcessor uses the wrong crypto instance
when I checked the others.

Thanks,

Colm.
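
The null check described in the reply above, as an added Java sketch that is not WSS4J source and not part of the original message: `CertLoader`, `Receiver` and the fallback order (signature instance first, then decryption instance) are assumptions for illustration. The token bytes are constructed and are not a real certificate, so reaching the parser shows up as a certificate parsing error rather than a NullPointerException.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added illustration; CertLoader and Receiver are hypothetical stand-ins, not WSS4J classes.
public class BstCryptoSelection {
    // The one capability the token processor needs: build a certificate from token bytes.
    interface CertLoader { X509Certificate load(InputStream in) throws CertificateException; }

    static final CertLoader JDK_LOADER = in ->
        (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);

    // Receiver state after configuration: an instance exists only for the configured actions.
    static final class Receiver {
        final CertLoader sigCrypto, decCrypto;

        Receiver(String action) {
            sigCrypto = action.contains("Signature") ? JDK_LOADER : null;
            decCrypto = action.contains("Encrypt") ? JDK_LOADER : null;
        }

        // Behaviour reported in the thread: the signature instance is used unconditionally.
        X509Certificate parseUnchecked(byte[] token) throws CertificateException {
            return sigCrypto.load(new ByteArrayInputStream(token));
        }

        // Null-checked variant (assumed fallback order): signature, then decryption, else fail.
        X509Certificate parseChecked(byte[] token) throws CertificateException {
            CertLoader crypto = sigCrypto != null ? sigCrypto : decCrypto;
            if (crypto == null) {
                throw new IllegalStateException("BinarySecurityToken present but no crypto configured");
            }
            return crypto.load(new ByteArrayInputStream(token));
        }
    }

    // Name of the exception thrown, or "parsed" if a certificate was built.
    static String outcome(Receiver r, byte[] token, boolean checked) {
        try {
            if (checked) r.parseChecked(token); else r.parseUnchecked(token);
            return "parsed";
        } catch (Exception e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        byte[] token = {0x30, 0x03, 0x02, 0x01, 0x00}; // constructed bytes, not a real certificate
        for (String action : new String[] {"Signature", "Encrypt", "Signature Encrypt"}) {
            Receiver r = new Receiver(action);
            System.out.printf("%-17s unchecked=%s checked=%s%n", action,
                outcome(r, token, false), outcome(r, token, true));
        }
    }
}
```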
