Discussion: WS-Security RSA Encryption exception
bharath thippireddy
2009-06-10 21:21:17 UTC
I could get the User Token encryption working using BouncyCastle. But as we cannot use Bouncy Castle, can you please let me know if the exception below can be fixed with a setting in the JDK/JCE. When I try a different algorithm like DES instead of RSA I get a NullPointerException on the CXF client.

Jun 10, 2009 5:11:04 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
WARNING:
org.apache.ws.security.WSSecurityException: An unsupported signature or encryption algorithm was used (unsupported key transport encryption algorithm: No such algorithm: http://www.w3.org/2001/04/xmlenc#rsa-1_5); nested exception is:
java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/NONE/PKCS1PADDING
at org.apache.ws.security.util.WSSecurityUtil.getCipherInstance(WSSecurityUtil.java:690)
at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:145)
at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:107)
at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:87)

thanks and regards,

Bharath
Daniel Kulp
2009-06-11 02:22:11 UTC
Post by bharath thippireddy
I could get the User Token encryption working using BountyCastle.But as we
cannot use bounty castle
Any particular reason why? I'm pretty sure a lot of things WS-Security
related won't work with BouncyCastle. The JDK just doesn't have the
algorithms that are needed. (although java 6 does have a lot more)
Post by bharath thippireddy
can you please let me know if the exception below
can be fixed with a setting in jdk/jce.When I try a different algorithm
like DES instead of RSA I get a nullpointer exception on the CXF Client.
java.security.NoSuchAlgorithmException: Cannot find any provider
supporting RSA/NONE/PKCS1PADDING
I did a little digging and I THINK this particular exception could be fixed
with a simple change in WSS4J. If the line:

cipher = Cipher.getInstance("RSA/NONE/PKCS1PADDING");

was surrounded with a try/catch that would then try:

cipher = Cipher.getInstance("RSA/ECB/PKCS1PADDING");

I THINK it would work. Bouncycastle uses "NONE" for the mode whereas the Sun
provider uses ECB. Not sure what the Sun setting for "RSA/NONE/OAEPPADDING"
is. That would need to be investigated more. It would be one of:
OAEPWITHMD5ANDMGF1PADDING, OAEPWITHSHA1ANDMGF1PADDING,
OAEPWITHSHA-1ANDMGF1PADDING, OAEPWITHSHA-256ANDMGF1PADDING,
OAEPWITHSHA-384ANDMGF1PADDING, OAEPWITHSHA-512ANDMGF1PADDING
but cryptography is definitely not my area.

In any case, that would require you to patch WSS4J. If that's an option for
you, you could give that a try.

To the WSS4j folks: why is this method not calling XMLCipher.getInstance like
every other cipher related thing? Should it be? Would that alone fix it?


Dan
--
Daniel Kulp
dkulp-1oDqGaOF3Lkdnm+***@public.gmane.org
http://www.dankulp.com/blog
Werner Dittmann
2009-06-11 11:08:31 UTC
Daniel Kulp wrote:
....
Post by Daniel Kulp
I did a little digging and I THINK this particular exception could be fixed
cipher = Cipher.getInstance("RSA/NONE/PKCS1PADDING");
cipher = Cipher.getInstance("RSA/ECB/PKCS1PADDING");
I THINK it would work. Bouncycastle uses "NONE" for the mode whereas the Sun
provider uses ECB. Not sure what the Sun setting for "RSA/NONE/OAEPPADDING"
OAEPWITHMD5ANDMGF1PADDING, OAEPWITHSHA1ANDMGF1PADDING,
OAEPWITHSHA-1ANDMGF1PADDING, OAEPWITHSHA-256ANDMGF1PADDING,
OAEPWITHSHA-384ANDMGF1PADDING, OAEPWITHSHA-512ANDMGF1PADDING
but cryptography is definitely not my area.
In any case, that would require you to patch WSS4J. If that's an option for
you, you could give that a try.
The notation of a "cipher mode" is not common for public key crypto algorithms
because you can use it in one way only (usually), that's why "NONE" is used here.
(Maybe Sun has invented other modes too ;-) ?)

For symmetric crypto algorithms you can choose between several modes
(ECB - Electronic Code Book, CFB - Cipher Feedback, and a lot of others).
Post by Daniel Kulp
To the WSS4j folks: why is this method not calling XMLCipher.getInstance like
every other cipher related thing? Should it be? Would that alone fix it?
XMLCipher is a specific instance that wraps (or unwraps) the cipher data
(or plain data) according to W3C xmlenc specification. In the above case we need
the plain public key algorithm to encrypt (or decrypt) the ephemeral symmetric
key with the public (private) key of the receiver.

No - it won't fix this particular problem.

Regards,
Werner
Daniel Kulp
2009-06-11 11:31:19 UTC
Post by Werner Dittmann
....
Post by Daniel Kulp
I did a little digging and I THINK this particular exception could be
cipher = Cipher.getInstance("RSA/NONE/PKCS1PADDING");
cipher = Cipher.getInstance("RSA/ECB/PKCS1PADDING");
I THINK it would work. Bouncycastle uses "NONE" for the mode whereas
the Sun provider uses ECB. Not sure what the Sun setting for
"RSA/NONE/OAEPPADDING" is. That would need to be investigated more. It
would be one of: OAEPWITHMD5ANDMGF1PADDING, OAEPWITHSHA1ANDMGF1PADDING,
OAEPWITHSHA-1ANDMGF1PADDING, OAEPWITHSHA-256ANDMGF1PADDING,
OAEPWITHSHA-384ANDMGF1PADDING, OAEPWITHSHA-512ANDMGF1PADDING
but cryptography is definitely not my area.
In any case, that would require you to patch WSS4J. If that's an option
for you, you could give that a try.
The notation of a "cipher mode" is not common for public key crypto
algorithms because you can use it in one way only (usually), that's why
"NONE" is used here. (Maybe Sun has invented other modes too ;-) ?)
If you look at the Sun docs for their provider at:
http://java.sun.com:80/javase/6/docs/technotes/guides/security/SunProviders.html#SunJCEProvider

you can see what modes and Paddings they support. It would be good if it
would be possible to fallback to the Sun provider if BC isn't found. Not
having BC may not work in all cases, but it should work for many, especially
on the latest JDK's.
Post by Werner Dittmann
For symmetric crypto algorithms you can choose between several modes
(ECB - Electronic Code Book, CFB - Cipher Feedback, and a lot of others).
Post by Daniel Kulp
To the WSS4j folks: why is this method not calling XMLCipher.getInstance
like every other cipher related thing? Should it be? Would that alone
fix it?
XMLCipher is a specific instance that wraps (or unwraps) the cipher data
(or plain data) according to W3C xmlenc specification. In the above case we
need the plain public key algorithm to encrypt (or decrypt) the ephemeral
symmetric key with the public (private) key of the receiver.
No - it won't fix this particular problem.
Ah. Ok. But do they have a method someplace (don't have the code right now)
that would map the WS keys (like http://www.w3.org/2001/04/xmlenc#rsa-1_5)
into Cipher objects? Not a big deal.

Dan
Daniel Kulp
2009-06-11 16:56:20 UTC
Post by Daniel Kulp
Post by Werner Dittmann
Post by Daniel Kulp
To the WSS4j folks: why is this method not calling
XMLCipher.getInstance like every other cipher related thing? Should it
be? Would that alone fix it?
XMLCipher is a specific instance that wraps (or unwraps) the cipher data
(or plain data) according to W3C xmlenc specification. In the above case
we need the plain public key algorithm to encrypt (or decrypt) the
ephemeral symmetric key with the public (private) key of the receiver.
No - it won't fix this particular problem.
Ah. Ok. But do they have a method someplace (dont have the code right
now) that would map the WS keys (like
http://www.w3.org/2001/04/xmlenc#rsa-1_5) into Cipher objects? Not a big
deal.
Actually, I did a little digging. xmlsec DOES have a class to map these.
JCEMapper has methods to map the URIs to JCE ids:
JCEMapper.translateURItoJCEID

In the case of xmlsec, the config file specifies:

<Algorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-1_5"
Description="Key Transport RSA-v1.5"
AlgorithmClass="KeyTransport"
RequirementLevel="REQUIRED"
RequiredKey="RSA"
JCEName="RSA/ECB/PKCS1Padding"/>

<Algorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
Description="Key Transport RSA-OAEP"
AlgorithmClass="KeyTransport"
RequirementLevel="REQUIRED"
RequiredKey="RSA"
JCEName="RSA/ECB/OAEPWithSHA1AndMGF1Padding"/>

Thus, for those URIs, xmlsec always uses the provider in the JDK. IMO,
WSS4J should match this, preferably by just calling into JCEMapper so it
always will use the same mapping.

If there are no objections, I'll change the code to do just that.
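As an added example (not WSS4J's or xmlsec's own code), the following Java program applies the URI-to-JCE mapping from the xmlsec config fragment above together with the try/catch fallback Dan proposed earlier in the thread, and reports which installed provider can supply each Cipher, so a JDK without BouncyCastle can be checked before a request fails inside EncryptedKeyProcessor. The class and helper names are my own, and which names resolve depends on the providers installed in the JVM it runs on.

```java
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;

/**
 * Added example, not code from WSS4J or xmlsec: resolves the XML Encryption
 * key-transport URIs discussed in this thread to JCE transformation names and
 * checks whether any installed provider supports them.
 */
public class KeyTransportCheck {

    // Mapping taken from the xmlsec config fragment quoted in the thread.
    static final Map<String, String> URI_TO_JCE = new LinkedHashMap<>();
    static {
        URI_TO_JCE.put("http://www.w3.org/2001/04/xmlenc#rsa-1_5",
                "RSA/ECB/PKCS1Padding");
        URI_TO_JCE.put("http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
                "RSA/ECB/OAEPWithSHA1AndMGF1Padding");
    }

    /** The BouncyCastle-style spelling from the stack trace; the JDK's provider uses ECB instead of NONE. */
    static final String BC_STYLE_RSA15 = "RSA/NONE/PKCS1PADDING";

    /**
     * The fallback suggested in the thread: try the first spelling, and if no
     * provider supports it, try the second one.
     */
    static Cipher cipherWithFallback(String primary, String fallback)
            throws NoSuchAlgorithmException, NoSuchPaddingException {
        try {
            return Cipher.getInstance(primary);
        } catch (NoSuchAlgorithmException e) {
            return Cipher.getInstance(fallback);
        }
    }

    /** Returns the name of the first provider able to supply the transformation, or null if none can. */
    static String providerFor(String transformation) {
        try {
            return Cipher.getInstance(transformation).getProvider().getName();
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Check the xmlsec-style names, which the thread says resolve to the JDK provider.
        for (Map.Entry<String, String> e : URI_TO_JCE.entrySet()) {
            String provider = providerFor(e.getValue());
            System.out.printf("%s -> %s : %s%n", e.getKey(), e.getValue(),
                    provider == null ? "NOT SUPPORTED" : "provider " + provider);
        }
        // Check the spelling that failed in the stack trace, then apply the fallback.
        String bcProvider = providerFor(BC_STYLE_RSA15);
        System.out.printf("%s : %s%n", BC_STYLE_RSA15,
                bcProvider == null ? "NOT SUPPORTED" : "provider " + bcProvider);
        Cipher c = cipherWithFallback(BC_STYLE_RSA15,
                URI_TO_JCE.get("http://www.w3.org/2001/04/xmlenc#rsa-1_5"));
        System.out.println("fallback resolved to " + c.getAlgorithm()
                + " from provider " + c.getProvider().getName());
    }
}
```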
Daniel Kulp
2009-06-11 17:18:31 UTC
Post by Daniel Kulp
Thus, for those URI's, xmlsec always uses the provider in the JDK. IMO,
WSS4J should match this, preferably by just calling into JCEMapper so it
always will use the same mapping.
If there are no objections, I'll change the code to do just that.
Just discovered Colm had already done this for trunk. Thus, just needed to
be pulled back to 1.5.x branch.
bharath thippireddy
2009-06-11 19:22:00 UTC
Dan, can you please let me know how to pull in this fix?

Thanks and regards,
Bharath

Daniel Kulp
2009-06-11 19:32:35 UTC
Post by bharath thippireddy
Dan , Can you please let me know how to pull in this fix?
Just replace your wss4j jar with the latest snapshot from:

http://people.apache.org/repo/m2-snapshot-repository/org/apache/ws/security/wss4j/1.5.8-SNAPSHOT/

That should do it.

Dan
bharath thippireddy
2009-06-11 19:50:48 UTC
Dan,

I see the following exception once I replace the wss4j jar as mentioned below.

java.lang.NoClassDefFoundError: org/bouncycastle/asn1/x509/X509Name
org.apache.ws.security.components.crypto.CryptoBase.getAliasForX509Cert(CryptoBase.java:302)
org.apache.ws.security.components.crypto.CryptoBase.getAliasForX509Cert(CryptoBase.java:272)
org.apache.ws.security.message.token.SecurityTokenReference.getX509IssuerSerialAlias(SecurityTokenReference.java:560)
org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:202)
org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:107)
org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:87)
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:179)
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)

Is wss4j using bouncycastle classes ?

Thanks,
Bharath

Daniel Kulp
2009-06-11 21:09:16 UTC
Shoot. Yep. The code in the latest snaps did take on a direct dependency to
BC. I just fixed that and a new SNAPSHOT is uploading now. Can you try
again?

Dan
bharath thippireddy
2009-06-11 21:43:50 UTC
That did the trick, Dan. Thanks a lot for the quick turnaround. As we are planning to use CXF 2.2.2 for our release, I just wanted to know if this version of wss4j will be included with CXF 2.2.2. If it's a different version, can you let us know which one that will be?

Daniel Kulp
2009-06-12 13:30:21 UTC
Post by bharath thippireddy
That did the trick Dan.Thanks a lot for the quick turn around.As we are
planning to use the cxf 2.2.2 for our release,just wanted to know if this
version of wss4j will be included with cxf 2.2.2.If it's a different
version can you let us know which one will that be.
2.2.2 was released two weeks ago. Thus, it definitely doesn't have that fix
in it. We will probably do 2.2.3 in July sometime. I'll definitely make sure
to get a new version of wss4j out before then.

Dan
bharath thippireddy
2009-06-11 16:26:21 UTC
Is there a way to specify the modes/padding using some configuration (serverKeyStore.properties)? What I don't understand is that the encryption works fine and the issue below is when the UT is being decrypted back on the server side.

Thanks,
Bharath



Daniel Kulp
2009-06-11 17:06:56 UTC
Post by bharath thippireddy
Is there a way to specify the modes/padding using some
configuration(serverKeyStore.properties)?
Nope. An updated wss4j jar is the only option. The cipher ID is burned into
the java code. :-(
Post by bharath thippireddy
What I don't understand is that
the encryption works fine and the issue below is when the UT is being
decrypted back on the server side.
Basically, on the encryption side, xmlsec handles that and it is mapping it to
the Sun provider built into the JDK. Thus, encryption works. However, on
the decryption side, wss4j has the bouncycastle ID burned into the Java code.
I just changed wss4j to use the xmlsec JCEMapper object to allow it to use the
same mapping that xmlsec uses. Thus, it SHOULD now work. I just deployed a
new 1.5.8-SNAPSHOT to:

http://people.apache.org/repo/m2-snapshot-repository/org/apache/ws/security/wss4j/1.5.8-SNAPSHOT/

If you could grab that and give that a try, that would be great.

Dan