ws-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Encryption with symmetric key and Basic Security Profile compliance
Date Wed, 14 Mar 2012 13:43:02 GMT
What does your EncryptedData Element look like?

Colm.

On Wed, Mar 14, 2012 at 9:53 AM, Giovanni Bussu <bussu@link.it> wrote:
> Hi,
> I have an issue using symmetric key encryption in WSS4J. My problem is
> the following:
>
> My goal is to configure WSS4J to encrypt a (part of) message with a
> symmetric key (both client and server know in advance that key).
> I'm using CXF 2.5.1, and WSS4J 1.6.0
>
> I created a symmetricStore with keytool (JDK 1.6.0), and I configured
> the client:
>
> action: Encrypt
> embeddedKeyCallbackClass:
> org.openspcoop.wssecurity.SymmetricCallbackHandler
> encryptionKeyIdentifier: EmbeddedKeyName
> encryptionPropFile: symmetric-crypto.properties
> isBSPCompliant: false
> user: symmetric
>
> and the server:
>
> action: Encrypt
> decryptionPropFile: symmetric-crypto.properties
> encryptionKeyIdentifier: EmbeddedKeyName
> isBSPCompliant: false
> PasswordCallbackClass:
> org.openspcoop.wssecurity.SymmetricCallbackHandler
>
> org.openspcoop.wssecurity.SymmetricCallbackHandler class is a custom
> CallbackHandler which does nothing but set the key in the
> WsPasswordCallback by calling the setKey(byte[]) method.
>
> With such a configuration message is encypted and decrypted correctly.
> My problem is that such a configuration is not Basic Security Profile
> compliant. If I set isBSPCompliant to true, I get the following
> exception on receiver side:
>
> org.apache.ws.security.WSSecurityException: An error was discovered
> processing the <wsse:Security> header (WSSecurityEngine: EncryptedKey
> does not contain ds:KeyInfo/wsse:SecurityTokenReference)
>        at
> org.apache.ws.security.processor.ReferenceListProcessor.checkBSPCompliance(ReferenceListProcessor.java:197)
>        at
> org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:137)
>        at
> org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:96)
>        at
> org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:63)
>        at
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
>        at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:248)
>
> In fact, monitoring the message which is passing, I saw that no
> SecurityTokenReference is included, and the wsse:Security header looks
> like:
>
> <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>         <xenc:ReferenceList
> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>            <xenc:DataReference URI="#ED-29"/>
>         </xenc:ReferenceList>
> </wsse:Security>
>
> I checked the Basic Profile specs about it:
> http://www.ws-i.org/Profiles/BasicSecurityProfile-1.1.html#Exactly_One_SecurityTokenReference_Child_Element
> and I'm not sure wheter this SecurityTokenReference should be included:
> it seems to me that, IF a SecurityTokenReference is provided, it must
> have exactly one child.
>
> Am i getting this right? and if I'm wrong, anybody knows how can I
> achieve encrypting with symmetric key, in a BSPCompliant way?
>
> Thanks in advance!
> --
> Giovanni Bussu
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Mime
View raw message