.NET Forum / ASP.NET / Web Services / April 2007

X509TokenProfile does not work WSE 3.0 <--> WSS4J (Java)

vidarkongsli - 07 Mar 2006 08:09 GMT
Hi all,

In our project we are trying to secure web services between WSE 3.0 and Java
(WSS4J) using the X509Token profile. When trying to establish the connection,
we receive an error message from the java side. Has anyone had the same
experience?

Here are the gory details:

Software:
Tomcat 4.1.27 with Axis 1.2.1 and WSS4J 1.1.0
VS2005.NET with WSE 3.0

I used the Oasis interoperability certificates found in WSS4J, and they are
the ones referenced in the policy below.

WSE policy:
 <policy name="EncryptAndSign">
   <mutualCertificate11Security establishSecurityContext="false"
                                renewExpiredSecurityContext="false"
                                requireSignatureConfirmation="false"
                                messageProtectionOrder="SignBeforeEncrypt"
                                requireDerivedKeys="false"
                                ttlInSeconds="300">
     <clientToken>
       <x509 storeLocation="LocalMachine" storeName="My"
             findValue="CN=Alice, OU=OASIS Interop Test Cert, O=OASIS"
             findType="FindBySubjectDistinguishedName" />
     </clientToken>
     <serviceToken>
       <x509 storeLocation="LocalMachine" storeName="AddressBook"
             findValue="CN=Bob, OU=OASIS Interop Test Cert, O=OASIS"
             findType="FindBySubjectDistinguishedName" />
     </serviceToken>
     <protection>
       <request signatureOptions="IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
       <response signatureOptions="IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
       <fault signatureOptions="" encryptBody="false" />
     </protection>
   </mutualCertificate11Security>
 </policy>

VS-code:

localhost.StockQuoteServiceWse service = new WindowsApplication11.localhost.StockQuoteServiceWse();
service.SetPolicy("EncryptAndSign");
String val = service.getQuote("xxx");

Axis deployment wsdd (works with WSE 2.0):
<service name="stock-wss-01" provider="java:RPC" style="wrapped"
use="literal">

<requestFlow>
  <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
   <parameter name="passwordCallbackClass" value="no.bekk.PWCallback"/>
   <parameter name="action" value="Signature Encrypt Timestamp"/>
   <parameter name="signaturePropFile" value="crypto.properties" />
   <parameter name="decryptionPropFile" value="crypto.properties" />
   <parameter name="encryptionPropFile" value="crypto.properties" />
   <parameter name="encryptionKeyIdentifier" value="X509KeyIdentifier" />
   <parameter name="decryptionKeyIdentifier" value="X509KeyIdentifier" />
   <parameter name="signatureKeyIdentifier" value="X509KeyIdentifier" />
  </handler>
 </requestFlow>   

 <responseFlow>
  <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
   <parameter name="action" value="Timestamp Signature Encrypt"/>
   <parameter name="user" value="bob"/>
   <parameter name="passwordCallbackClass" value="no.bekk.PWCallback"/>
   <parameter name="signatureKeyIdentifier" value="DirectReference" />
   <parameter name="signaturePropFile" value="crypto.properties" />
   <parameter name="encryptionPropFile" value="crypto.properties" />
   <parameter name="encryptionKeyIdentifier" value="X509KeyIdentifier" />
   <parameter name="decryptionKeyIdentifier" value="X509KeyIdentifier" />
   <parameter name="encryptionUser" value="alice" />
  </handler>
 </responseFlow>
 
 <parameter name="className" value="no.bekk.ws.StockQuoteBekk"/>
 <parameter name="allowedMethods" value="getQuote"/>
 <parameter name="scope" value="application"/>

</service>

Axis crypto.properties:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.file=keystore/interop2.jks

The keystore referenced above is the OASIS interoperability keystore from
WSS4J which contains the same bob and alice keys as the ones that are being
used by WSE (WSE uses
imported pfx-files).

I have also tried to use the mutualCertificate10Security with the same result.

The exception I get in both cases is:
org.apache.ws.security.WSSecurityException: Cannot encrypt/decrypt data; nested exception is:
        org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
Original Exception was java.security.InvalidKeyException: Illegal key size
        at org.apache.ws.security.WSSecurityEngine.decryptDataRef(WSSecurityEngine.java:1226)
        at org.apache.ws.security.WSSecurityEngine.handleEncryptedKey(WSSecurityEngine.java:1171)
        at org.apache.ws.security.WSSecurityEngine.handleEncryptedKey(WSSecurityEngine.java:926)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:349)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:245)
        at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:156)
        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
        at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
        at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
        at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
        at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2416)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:601)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:392)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:565)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
        at java.lang.Thread.run(Thread.java:595)
Caused by: org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
Original Exception was java.security.InvalidKeyException: Illegal key size
        at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(Unknown Source)
        at org.apache.xml.security.encryption.XMLCipher.decryptElement(Unknown Source)
        at org.apache.xml.security.encryption.XMLCipher.decryptElementContent(Unknown Source)
        at org.apache.xml.security.encryption.XMLCipher.doFinal(Unknown Source)
        at org.apache.ws.security.WSSecurityEngine.decryptDataRef(WSSecurityEngine.java:1224)
        ... 46 more
kimp - 15 Mar 2006 22:39 GMT
WSS4J 1.1 uses AES128 by default and the default in WSE 3.0 is AES256.
Perhaps WSS4J is trying the default, and therefore the key sizes mismatch.

If you haven't already, try adding the following to your web.config or
app.config (whichever is appropriate)

<securityTokenManager>
  <add type="Microsoft.Web.Services3.Security.Tokens.EncryptedKeyTokenManager, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
       namespace="http://www.w3.org/2001/04/xmlenc#" localName="EncryptedKey">
    <keyAlgorithm name="AES128" />
  </add>
</securityTokenManager>

> Hi all,
>
[quoted text clipped - 203 lines]
> org.apache.ws.security.WSSecurityEngine.decryptDataRef(WSSecurityEngine.java:1224)
>         ... 46 more
DeadOnArrival - 21 Mar 2006 14:47 GMT
After adding the AES128 we get:
org.apache.ws.security.WSSecurityException: Referenced security token could not be retrieved. (Reference "#SecurityToken-67179173-5177-4dec-8d4e-68965cd3a697")
        at org.apache.ws.security.message.token.SecurityTokenReference.getTokenElement(SecurityTokenReference.java:184)
        at org.apache.ws.security.WSSecurityEngine.verifyXMLSignature(WSSecurityEngine.java:501)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:320)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:245)
        at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:156)

Here is a SOAP message:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema"
               xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
               xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
               xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soap:Header>
    <wsa:Action/>
    <wsa:MessageID>urn:uuid:e414dc70-8362-42fd-8bff-f201679dc935</wsa:MessageID>
    <wsa:ReplyTo><wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address></wsa:ReplyTo>
    <wsa:To>http://localhost:8080/axis/services/stock-wss-01</wsa:To>
    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="Timestamp-5ee883bd-510b-4dd0-b307-3c409f891a1d">
        <wsu:Created>2006-03-21T07:24:10Z</wsu:Created>
        <wsu:Expires>2006-03-21T07:29:10Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                                wsu:Id="SecurityToken-1d295b8e-3f79-4d3e-8569-47a0b8b2b0b3">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</wsse:BinarySecurityToken>
      <xenc:EncryptedKey Id="SecurityToken-7247a9bb-7d9d-49ff-acc3-41fb48175d18" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
        </xenc:EncryptionMethod>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
                                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">Xeg55vRyK3ZhAEhEf+YT0z986L0=</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>r6UW2ErF/pbGURI37VC7CpBaJryRlDnzo+otmm2oaB2ao8QoIfRClO/DdTd0iEmcvDmXDyBMi315OAaZqE/lDdPa4okyt2zme3Z0LXH6IU9a3jIoSA6fgJZzLsFyCZPcQYVSXFI2lryJlEF8DYkOCM+X8fzIMvgLaZ2BrgVq4NA=</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#Enc-9d6e8a02-1340-4684-8307-ea78cc6f1f14"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
      <Signature Id="Sig-c5feb994-a815-418a-b681-a18e63f4fcca" xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
          <Reference URI="#Timestamp-5ee883bd-510b-4dd0-b307-3c409f891a1d">
            <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>L4phI/XSSrpMR6dFgLwS+fZqpn4=</DigestValue>
          </Reference>
          <Reference URI="#Id-ec2cb016-c76b-427e-8f83-14fd500d555e">
            <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>HX2u1V4++p9d8G/gzXyssP7fPZ8=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>qTatMTM7XNhUFwQhbv/n3GKsyzo=</SignatureValue>
        <KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#SecurityToken-7247a9bb-7d9d-49ff-acc3-41fb48175d18"
                            ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
          </wsse:SecurityTokenReference>
        </KeyInfo>
      </Signature>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <Reference URI="#Sig-c5feb994-a815-418a-b681-a18e63f4fcca">
            <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>UD+KPKTtFxtcbyd2P0gmg5Bs/os=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>L1c1wnv+O9mn8zfQGMaT1JMC/v26XGy3hwW+sV2n0t+DQa2knLee7SDQmf5625cxinFtFcNKDAlxLd1B38/xA8XMjVtLsFy6AwFiN047wgwD43VOcemOiLi/B0pO9w5e9LsxWsNNwhcd4dajTE/DPFIR7HMbcRVRJqojtamymkw=</SignatureValue>
        <KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#SecurityToken-1d295b8e-3f79-4d3e-8569-47a0b8b2b0b3"
                            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Id-ec2cb016-c76b-427e-8f83-14fd500d555e">
    <xenc:EncryptedData Id="Enc-9d6e8a02-1340-4684-8307-ea78cc6f1f14"
                        Type="http://www.w3.org/2001/04/xmlenc#Content"
                        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <xenc:CipherData>
        <xenc:CipherValue>dtCqINlQwi8tdWJzfkrugcPqoOQXEp3VgM/K/VOoywpWNHt7mwNxwe7rFsT6u/zhJ+NBF6JuK0j3Ax1UNjW74SufYokv3VTlf+Sc7Fqf+2I=</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>

I think I read somewhere that there was a problem with SKIKeyIdentifier and
WSS4j. Can anybody verify?

Is there any way to change the identifier to x509KeyIdentifier?

> WSS4J 1.1 uses AES128 by default and the default in WSE 3.0 is AES256.  
> Perhaps WSS4J trying the default, and therefore, the key size mismatch.
[quoted text clipped - 13 lines]
>         </add>
> </securityTokenManager>
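Added here as a worked example, not code from the thread, from WSE or from WSS4J: a small Java program that performs the two checks the replies above point at before touching any WSE policy or wsdd. First, it lists the XML Encryption and XML Signature algorithms in a message and compares the symmetric key size the sender chose (aes128-cbc vs aes256-cbc) against what the receiving JVM is allowed to use, which is the origin of "Illegal key size". Second, it lists every reference in the security header (wsse:Reference, xenc:DataReference, ds:Reference) and reports which Id attribute each one resolves through; in the captured envelope the HMAC signature's token reference points at the xenc:EncryptedKey, whose Id is unqualified while the other tokens carry wsu:Id, which is the kind of reference a resolver that indexes only wsu:Id reports as not retrievable. The class name WsSecurityTriage and the embedded envelope are my own: the envelope is a constructed sample with the same element layout as the message posted above, with token bytes, cipher text and digests replaced by placeholders.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/** Offline triage of a WS-Security header: algorithms, key sizes and Id-reference resolution. */
public class WsSecurityTriage {
    static final String WSU  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String XENC = "http://www.w3.org/2001/04/xmlenc#";
    static final String DS   = "http://www.w3.org/2000/09/xmldsig#";

    // Constructed sample, not the real message: same layout as the envelope posted in the thread
    // (BST, EncryptedKey, HMAC signature keyed by the EncryptedKey, RSA signature over it,
    // encrypted body), with token bytes, cipher text and digests replaced by "AAAA".
    static final String SAMPLE =
        "<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/' xmlns:wsse='" + WSSE
      + "' xmlns:wsu='" + WSU + "' xmlns:xenc='" + XENC + "' xmlns:ds='" + DS + "'>"
      + "<soap:Header><wsse:Security soap:mustUnderstand='1'><wsu:Timestamp wsu:Id='Timestamp-1'/>"
      + "<wsse:BinarySecurityToken wsu:Id='SecurityToken-bst'>AAAA</wsse:BinarySecurityToken>"
      + "<xenc:EncryptedKey Id='SecurityToken-ek'><xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p'/>"
      + "<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>"
      + "<xenc:ReferenceList><xenc:DataReference URI='#Enc-body'/></xenc:ReferenceList></xenc:EncryptedKey>"
      + "<ds:Signature Id='Sig-1'><ds:SignedInfo><ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#hmac-sha1'/>"
      + "<ds:Reference URI='#Timestamp-1'/><ds:Reference URI='#Id-body'/></ds:SignedInfo>"
      + "<ds:SignatureValue>AAAA</ds:SignatureValue><ds:KeyInfo><wsse:SecurityTokenReference>"
      + "<wsse:Reference URI='#SecurityToken-ek' ValueType='http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey'/>"
      + "</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>"
      + "<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>"
      + "<ds:Reference URI='#Sig-1'/></ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue>"
      + "<ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI='#SecurityToken-bst'/>"
      + "</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soap:Header>"
      + "<soap:Body wsu:Id='Id-body'><xenc:EncryptedData Id='Enc-body'>"
      + "<xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#aes256-cbc'/>"
      + "<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>"
      + "</xenc:EncryptedData></soap:Body></soap:Envelope>";

    /** Map every Id value in the document to "element (attribute it was found on)". */
    static Map<String, String> indexIds(Document doc) {
        Map<String, String> ids = new LinkedHashMap<String, String>();
        NodeList all = doc.getElementsByTagNameNS("*", "*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            NamedNodeMap attrs = e.getAttributes();
            for (int j = 0; j < attrs.getLength(); j++) {
                Node a = attrs.item(j);
                if (!"Id".equals(a.getLocalName())) continue;
                String via = WSU.equals(a.getNamespaceURI()) ? "wsu:Id" : "unqualified Id";
                ids.put(a.getNodeValue(), e.getLocalName() + " (" + via + ")");
            }
        }
        return ids;
    }

    /** Symmetric key size implied by an XML Encryption algorithm URI; -1 for key transport or unknown. */
    static int keyBits(String algorithm) {
        if (algorithm.endsWith("#aes128-cbc")) return 128;
        if (algorithm.endsWith("#aes256-cbc")) return 256;
        return -1;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, no XXE
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)));
        Map<String, String> ids = indexIds(doc);

        // 1. Algorithms, and whether this JVM may use the symmetric key size the sender chose. On JDKs
        //    that ship the restricted JCE policy (before 8u161) the limit is 128, so AES-256 fails with
        //    "Illegal key size" however WSS4J is configured.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        NodeList enc = doc.getElementsByTagNameNS(XENC, "EncryptionMethod");
        for (int i = 0; i < enc.getLength(); i++) {
            String alg = ((Element) enc.item(i)).getAttribute("Algorithm");
            int bits = keyBits(alg);
            String verdict = bits < 0 ? "" : bits <= maxAes ? "  ok" : "  exceeds JVM limit of " + maxAes;
            System.out.println("encryption: " + alg + verdict);
        }
        NodeList sig = doc.getElementsByTagNameNS(DS, "SignatureMethod");
        for (int i = 0; i < sig.getLength(); i++)
            System.out.println("signature:  " + ((Element) sig.item(i)).getAttribute("Algorithm"));

        // 2. Every reference and the attribute it resolves through. A receiver that indexes only
        //    wsu:Id never finds the EncryptedKey (unqualified Id) and reports the referenced token
        //    as not retrievable although the message is well-formed.
        String[][] refs = { { WSSE, "Reference" }, { XENC, "DataReference" }, { DS, "Reference" } };
        for (String[] r : refs) {
            NodeList list = doc.getElementsByTagNameNS(r[0], r[1]);
            for (int i = 0; i < list.getLength(); i++) {
                String uri = ((Element) list.item(i)).getAttribute("URI");
                String target = ids.get(uri.startsWith("#") ? uri.substring(1) : uri);
                System.out.println("ref " + uri + " -> " + (target == null ? "UNRESOLVED" : target));
            }
        }
    }
}
```

Compile and run it on the Java side with `javac WsSecurityTriage.java && java WsSecurityTriage`, since the key-length limit is a property of that JVM, not of the sender. To triage a real exchange, replace SAMPLE with the envelope captured on the wire (the cipher text and digests are irrelevant to both checks). The reference lookup is deliberately naive: it only handles same-document `#id` fragments, which is all a WS-Security header uses.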
DeadOnArrival - 19 Jun 2006 12:49 GMT
A solution to the problem is available here:
http://www.oftedal.no/~erlend/?blogid=12
posthumecaver - 17 Apr 2007 14:58 GMT
> Hi all,
>
[quoted text clipped - 203 lines]
> org.apache.ws.security.WSSecurityEngine.decryptDataRef(WSSecurityEngine.java:1224)
>         ... 46 more

Did you have any success solving this problem?

I have exactly the same problem at the moment.

Thanks in advance
