Help required - Unable to decrypt incoming messages

[mmuzamil]

Hi All,

I am using wsse:Usernametoken to authenticate my incoming requests but my password is in plain text format which is obviously not secured. So i thought of encrypting UsernameToken to make it secure because I can't use password digest for some reason.

My user authentication works fine but when i try to encrypt/decrypt my requests i get following error. I also tried to use WSS4j security interceptor but got similar kind of error. So i am not sure what i am missing in here. Earlier I was using Soap UI to test my service but later on I wrote my own wss4j and axis based client to test it but still getting same error.

If you guyz need further information then please let me know. Please help me i am stuck here for last 2 days.

Error
----------------------

Code:

[XwsSecurityInterceptor] Could not validate request: com.sun.xml.wss.impl.WssSoapFaultException: Error while getting SecretKey from EncryptedKey; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: Error while getting SecretKey from EncryptedKey

Security Configurations
----------------------

Code:

<bean id="wsSecurityInterceptor"
		class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
		<property name="policyConfiguration" value="/WEB-INF/securityPolicy.xml" />
		<property name="callbackHandlers">
			<list>
				<ref bean="keyStoreHandler" />
				<ref bean="springSecurityHandler" />
			</list>
		</property>
	</bean>
	<bean id="keyStoreHandler"
		class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
		<property name="keyStore" ref="keyStore" />
		<property name="trustStore" ref="keyStore"/>
		<property name="privateKeyPassword" value="changeit" />
	</bean>
	<bean id="keyStore"
		class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
		<property name="password" value="storepass" />
		<property name="location" value="/WEB-INF/classes/keystore.jks" />
	</bean>
...

Security Configurations
----------------------

Code:

<xwss:SecurityConfiguration dumpMessages="false" xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
	<xwss:RequireEncryption>
		<xwss:EncryptionTarget value="{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken"></xwss:EncryptionTarget>
	</xwss:RequireEncryption>
    <xwss:RequireUsernameToken passwordDigestRequired="false" nonceRequired="false"/>
</xwss:SecurityConfiguration>

Script Used to Generate Keystore (changed dname and keystore path down there)
-------------------------------------------------------------------

Code:

keytool -genkeypair -alias CGA -keyalg RSA -dname "cn=a, ou=b, o=c, l=d, s=e, c=f" -keypass changeit -storetype jks -keystore .....\resources\keystore.jks -storepass storepass

Thanks,
Muein

p.s. bear this in mind that i am a newbie in this encryption stuff so i may be missing a very trivial thing.

[mmuzamil]

Hi All,

Finally I have solved this issue, i had to do couple of things to solve it. First i changed RequireEncryption tag in my securityPolicy.xml like this.

Code:

 	<xwss:RequireEncryption>
		<xwss:X509Token keyReferenceType="IssuerSerialNumber"/>
		<xwss:EncryptionTarget value="{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken"></xwss:EncryptionTarget>
	</xwss:RequireEncryption>

It still didn't solved my issue and i was getting same error. At the end issue turned out to be a library issue. Earlier I was using "xws-security-2.0-FCS.jar" which came with the spring ws 1.5.6. As soon as I switched to its latest version i.e. "xws-security-3.0.jar", my code started working fine. I downloaded the jar from following link http://download.java.net/maven/1/com.sun.xml.wss/jars/. I am not sure for what reason the spring team has kept the old version of xws security in the latest build. i would request spring team to look into this issue and update this library in coming releases.

Regards
Muein