ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Stefan Berger (Jira)" <j...@apache.org>
Subject [jira] [Created] (WSS-663) Missing ECC key support
Date Wed, 05 Feb 2020 08:31:00 GMT
Stefan Berger created WSS-663:
---------------------------------

             Summary: Missing ECC key support
                 Key: WSS-663
                 URL: https://issues.apache.org/jira/browse/WSS-663
             Project: WSS4J
          Issue Type: Bug
            Reporter: Stefan Berger
            Assignee: Colm O hEigeartaigh


Multiple classes in the WSS4J library cannot handle Elliptic Curve Keys.

When you use EC keys when calling SignatureAction.execute() and you don't provide a signature
algorithm, it will throw an "unknownSignatureAlgorithm" exception because it only checks for
"RSA" or "DSA" keys.

You can set the Signature Algorithm property to work around that.

The much bigger problem is that the AlgorithmSuiteValidator.checkAssymetricKeyLength() method
doesn't accept signatures generated with EC keys.

Here is the stack trace, ignore the "No message with ID" message, that's because WSSec.init() 
was not called in time:
{code:java}
A security error was encountered when verifying the message
                at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:236)
                at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:376)
                at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:212)
                at de.aok.epa.accessgateway.authentication.interceptor.CustomWss4jInInterceptor.handleMessage(CustomWss4jInInterceptor.java:85)
                at de.aok.epa.accessgateway.authentication.interceptor.CustomWss4jInInterceptor.handleMessage(CustomWss4jInInterceptor.java:1)
                at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
                at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
                at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)
                at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
                at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
                at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
                at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216)
                at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301)
                at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220)
                at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
                at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
                at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
                at brave.servlet.TracingFilter.doFilter(TracingFilter.java:65)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
                at de.aok.epa.accessgateway.authentication.configuration.WebServiceConfiguration.lambda$0(WebServiceConfiguration.java:192)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
                at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
                at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
                at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
                at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
                at org.springframework.cloud.sleuth.instrument.web.ExceptionLoggingFilter.doFilter(ExceptionLoggingFilter.java:50)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
                at brave.servlet.TracingFilter.doFilter(TracingFilter.java:82)
                at org.springframework.cloud.sleuth.instrument.web.LazyTracingFilter.doFilter(TraceWebServletAutoConfiguration.java:138)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
                at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:108)
                at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
                at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
                at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
                at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
                at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
                at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
                at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
                at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
                at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
                at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
                at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)
                at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
                at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
                at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)
                at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
                at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
                at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
                at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
                at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: No message with ID "INVALID_SECURITY"
found in resource bundle "org/apache/xml/security/resource/xmlsecurity"
                at org.apache.wss4j.common.crypto.AlgorithmSuiteValidator.checkAsymmetricKeyLength(AlgorithmSuiteValidator.java:212)
                at org.apache.wss4j.common.crypto.AlgorithmSuiteValidator.checkAsymmetricKeyLength(AlgorithmSuiteValidator.java:164)
                at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:222)
                at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340)
                at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:320)
                ... 64 common frames omitted
{code}
There is already some kind of fork with some EC key fixes, but I can't say if it's complete
and correct: [https://github.com/damianskolasa/wss4j-ecc]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org


Mime
View raw message