ws-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Unsupported parameter: javax.crypto.spec.IvParameterSpec when decrypting a gcm message on java 8
Date Mon, 14 Mar 2016 14:16:52 GMT
The code has already changed a good bit in this area. WSS4J 2.1.5 should be
available fairly soon. Perhaps you could grab the latest source(s) and
build them to see if it works?

Colm.

On Mon, Mar 14, 2016 at 7:06 AM, Stefan Müller <mueller.stefan07@gmail.com>
wrote:

> Hi,
>
> first of all, I know there are some jira tickets about this bug and they
> are closed but we already use the fixed versions of the corresponding
> libraries.
>
> In our project we use the following libraries:
> apache wss4j 2.1.3
> bouncycastle 1.51
> apache santuario 2.0.5
>
>
> Our test setup consists of two instances of our product. When we send a
> gcm encrypted webservice request from "Instance A" to "Instance B"
> the following exception is thrown:
>
> org.apache.wss4j.common.ext.WSSecurityException: java.security.InvalidAlgorithmParameterException: Unsupported parameter: javax.crypto.spec.IvParameterSpec
>
> This occurs only when decrypting the message and only on java 8
> (1.8.0_73), on java7 everything works as expected.
>
> This is our policy file (not mentioned in this file: RSA_SHA256 as our
> "signatureMethod"):
> <wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
>             xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
>             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>             xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"
>             wsu:Id="testpolicy">
>     <wsp:ExactlyOne>
>         <wsp:All>
>             <sp:AsymmetricBinding>
>                 <wsp:Policy>
>                     <sp:InitiatorToken>
>                         <wsp:Policy>
>                             <sp:X509Token
>                                     sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                                 <wsp:Policy>
>                                     <sp:WssX509V3Token10/>
>                                 </wsp:Policy>
>                             </sp:X509Token>
>                         </wsp:Policy>
>                     </sp:InitiatorToken>
>                     <sp:RecipientToken>
>                         <wsp:Policy>
>                             <sp:X509Token
>                                     sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                                 <wsp:Policy>
>                                     <sp:WssX509V3Token10/>
>                                 </wsp:Policy>
>                             </sp:X509Token>
>                         </wsp:Policy>
>                     </sp:RecipientToken>
>                     <sp:Layout>
>                         <wsp:Policy>
>                             <sp:Strict/>
>                         </wsp:Policy>
>                     </sp:Layout>
>                     <sp:OnlySignEntireHeadersAndBody/>
>                     <sp:AlgorithmSuite>
>                         <wsp:Policy>
>                             <sp-cxf:Basic128GCMSha256 xmlns:sp-cxf="http://custom/security-policy"/>
>                         </wsp:Policy>
>                     </sp:AlgorithmSuite>
>                 </wsp:Policy>
>             </sp:AsymmetricBinding>
>             <wsp:ExactlyOne>
>                 <wsp:All>
>                     <sp:SignedParts>
>                         <sp:Body/>
>                         <sp:Header Namespace="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
>                                    Name="Messaging"/>
>                         <sp:Attachments>
>                             <sp13:ContentSignatureTransform/>
>                         </sp:Attachments>
>                     </sp:SignedParts>
>                     <sp:EncryptedParts>
>                         <sp:Attachments/>
>                     </sp:EncryptedParts>
>                 </wsp:All>
>             </wsp:ExactlyOne>
>         </wsp:All>
>     </wsp:ExactlyOne>
> </wsp:Policy>
>
> The stacktrace:
>
> org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message
>     at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:218)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:329)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:184)
>     at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:78)
>     at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:65)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>     at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251)
>     at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
>     at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:212)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:268)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:155)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
>     at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:617)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1527)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1484)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: org.apache.wss4j.common.ext.WSSecurityException: java.security.InvalidAlgorithmParameterException: Unsupported parameter: javax.crypto.spec.IvParameterSpec@70a858b3
> Original Exception was java.io.IOException: java.security.InvalidAlgorithmParameterException: Unsupported parameter: javax.crypto.spec.IvParameterSpec@70a858b3
>     at org.apache.wss4j.dom.util.EncryptionUtils.decryptAttachment(EncryptionUtils.java:319)
>     at org.apache.wss4j.dom.util.EncryptionUtils.decryptEncryptedData(EncryptionUtils.java:137)
>     at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.decryptDataRef(EncryptedKeyProcessor.java:550)
>     at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.decryptDataRefs(EncryptedKeyProcessor.java:481)
>     at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:199)
>     at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:76)
>     at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:429)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:280)
>     ... 68 more
> Caused by: java.io.IOException: java.security.InvalidAlgorithmParameterException: Unsupported parameter: javax.crypto.spec.IvParameterSpec@70a858b3
>     at org.apache.wss4j.common.util.AttachmentUtils$1.initCipher(AttachmentUtils.java:502)
>     at org.apache.wss4j.common.util.AttachmentUtils$1.read(AttachmentUtils.java:509)
>     at org.apache.wss4j.common.util.AttachmentUtils.readAndReplaceEncryptedAttachmentHeaders(AttachmentUtils.java:440)
>     at org.apache.wss4j.dom.util.EncryptionUtils.decryptAttachment(EncryptionUtils.java:308)
>     ... 75 more
> Caused by: java.security.InvalidAlgorithmParameterException: Unsupported parameter: javax.crypto.spec.IvParameterSpec@70a858b3
>     at com.sun.crypto.provider.CipherCore.init(CipherCore.java:509)
>     at com.sun.crypto.provider.AESCipher.engineInit(AESCipher.java:339)
>     at javax.crypto.Cipher.init(Cipher.java:1394)
>     at javax.crypto.Cipher.init(Cipher.java:1327)
>     at org.apache.wss4j.common.util.AttachmentUtils$1.initCipher(AttachmentUtils.java:500)
>     ... 78 more
>
> The soap request is also available. Just let me know if you need it.
>
>
>
> Greets
> Stefan
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
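
The innermost exception in the quoted trace is raised by the JDK's SunJCE provider (com.sun.crypto.provider.CipherCore.init), whose AES/GCM cipher rejects IvParameterSpec and expects GCMParameterSpec. A standalone reproduction follows as an added example; it is not code from WSS4J, Santuario or either poster, and the class name, key and plaintext are constructed for illustration. The 96-bit IV and 128-bit tag are the sizes XML Encryption 1.1 specifies for its AES-GCM algorithms.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical demo class: shows which parameter spec SunJCE accepts for AES-GCM.
public class GcmParamSpecDemo {
    static final int IV_BYTES = 12;   // 96-bit IV
    static final int TAG_BITS = 128;  // 128-bit authentication tag

    // Pin the provider so the result does not depend on which JCE provider
    // (SunJCE, BouncyCastle, ...) is registered first on the host.
    static byte[] run(int mode, SecretKeySpec key, AlgorithmParameterSpec spec, byte[] in)
            throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding", "SunJCE");
        c.init(mode, key, spec);
        return c.doFinal(in);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] keyBytes = new byte[16];          // constructed 128-bit key
        byte[] iv = new byte[IV_BYTES];          // fresh IV; never reuse with the same key
        rnd.nextBytes(keyBytes);
        rnd.nextBytes(iv);
        SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");
        byte[] plain = "constructed attachment bytes".getBytes(StandardCharsets.UTF_8);

        byte[] ct = run(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv), plain);

        // Same key, IV and ciphertext, but the spec type from the stack trace.
        try {
            run(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv), ct);
            System.out.println("IvParameterSpec accepted (not expected from SunJCE)");
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("IvParameterSpec rejected: " + e.getMessage());
        }

        // GCMParameterSpec carries the tag length as well as the IV.
        byte[] out = run(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv), ct);
        System.out.println("GCMParameterSpec round trip ok: " + Arrays.equals(plain, out));
    }
}
```

Printing `Cipher.getInstance("AES/GCM/NoPadding").getProvider()` on each instance shows which provider the default lookup resolves to on that JVM, which helps when comparing two environments that behave differently.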
