Hello,
I'm trying to do signing and encryption using derived keys from username token.
I looked into the test cases of wss4j and used the code in
TestWSSecurityUTDK.java
I removed the asserts and added the processSecurityHeader call; the code I'm testing is:
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.message.WSSecDKSign;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecUsernameToken;
import org.apache.xml.security.signature.XMLSignature;
import org.w3c.dom.Document;

Document doc = ...
WSSecHeader secHeader = new WSSecHeader();
secHeader.insertSecurityHeader(doc);

// UsernameToken carrying Salt/Iteration; the key is derived from the password
WSSecUsernameToken builder = new WSSecUsernameToken();
builder.setUserInfo("bob", "security");
builder.addDerivedKey(true, null, 1000);
builder.prepare(doc);
byte[] derivedKey = builder.getDerivedKey();
String tokenIdentifier = builder.getId();

//
// Derived key signature (HMAC-SHA1 keyed with a DerivedKeyToken of the UT key)
//
WSSecDKSign sigBuilder = new WSSecDKSign();
sigBuilder.setExternalKey(derivedKey, tokenIdentifier);
sigBuilder.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
Document signedDoc = sigBuilder.build(doc, secHeader);
builder.prependToHeader(secHeader);

// validation (PasswordCallbackHandler is the test case's own CallbackHandler)
WSSConfig config = WSSConfig.getDefaultWSConfig();
config.setHandleCustomPasswordTypes(true);
WSSecurityEngine engine = new WSSecurityEngine();
engine.setWssConfig(config);
engine.processSecurityHeader(doc, null, new PasswordCallbackHandler(), null);
This code creates the following security header:
<wsse:Security
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    env:mustUnderstand="1">
  <wsse:UsernameToken
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="UsernameToken-14158819">
    <wsse:Username>user</wsse:Username>
    <wsse11:Salt
        xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">2zz+e8xDhqzB6hCb7bCbAQ==</wsse11:Salt>
    <wsse11:Iteration
        xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">1000</wsse11:Iteration>
  </wsse:UsernameToken>
  <wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="derivedKeyId-28910606">
    <wsse:SecurityTokenReference>
      <wsse:Reference URI="#UsernameToken-14158819"/>
    </wsse:SecurityTokenReference>
    <wsc:Offset>0</wsc:Offset>
    <wsc:Length>20</wsc:Length>
    <wsc:Nonce>pDfj84xuTHPCEXzUGPaQRg==</wsc:Nonce>
  </wsc:DerivedKeyToken>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
      Id="Signature-27940859">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod
          Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod
          Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
      <ds:Reference URI="#id-23268025">
        <ds:Transforms>
          <ds:Transform
              Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod
            Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>sqAea80cptqohi3v1Gnnir8hrsE=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Zm6vGutgm2XFvBFBZjbmeo3KSog=</ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-20590970">
      <wsse:SecurityTokenReference
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          wsu:Id="STRId-25589390">
        <wsse:Reference URI="#derivedKeyId-28910606"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</wsse:Security>
When I run the code it gives the following error:
org.apache.ws.security.WSSecurityException: The signature or decryption was invalid (Unsupported key identification)
    at org.apache.ws.security.processor.DerivedKeyTokenProcessor.extractSecret(DerivedKeyTokenProcessor.java:156)
    at org.apache.ws.security.processor.DerivedKeyTokenProcessor.handleToken(DerivedKeyTokenProcessor.java:67)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:311)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:228)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:181)
What is wrong?
I'm using wss4j 1.5.4 and used the code from the test case TestWSSecurityUTDK.java.
I have been looking into the wss4j source and my first idea is that the
extractSecret method fails when it tries to get the processor corresponding to the
element referred to in the security token reference.
In the test case the verification is commented out, maybe because of the error.
Can someone help me? Thanks.
By the way, my objective is to develop some code that allows me to sign and
encrypt the SOAP message without using certificates; I want to use a secret
that both client and server know. The ideal is to use the UsernameToken
(without sending the password). I know that WSE 3.0 does this, but I can't do it
using wss4j, so I was trying to use derived keys from the UsernameToken.
Thanks.
_____________________
Sérgio Patrício
[EMAIL PROTECTED]
Link Consulting
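As an added worked example (not code from the post or from wss4j), the key material a verifier has to rebuild from the header above: the UsernameToken Profile 1.1 derivation (SHA-1 iterated over password+salt) feeds the WS-SecureConversation DerivedKeyToken derivation (P_SHA1 over label+nonce, cut at Offset/Length), and that 20-byte result keys the hmac-sha1 SignatureValue. Salt, Iteration, Nonce, Offset and Length are copied from the header and the password from setUserInfo(); the label "WS-SecureConversation" is an assumption (wss4j's default), and the Username mismatch in the post ("bob" vs "user") is left as-is.

```python
import base64
import hashlib
import hmac

# Values copied from the security header in the post; the password is the one
# passed to builder.setUserInfo(). The label is an assumption (wss4j's default).
SALT_B64 = "2zz+e8xDhqzB6hCb7bCbAQ=="
ITERATIONS = 1000
NONCE_B64 = "pDfj84xuTHPCEXzUGPaQRg=="
OFFSET, LENGTH = 0, 20
PASSWORD = "security"
LABEL = "WS-SecureConversation"  # assumed default DerivedKeyToken label


def ut_derived_key(password: str, salt: bytes, iterations: int) -> bytes:
    """UsernameToken Profile 1.1: K(1) = SHA1(P + S), K(n) = SHA1(K(n-1))."""
    k = hashlib.sha1(password.encode("utf-8") + salt).digest()
    for _ in range(iterations - 1):
        k = hashlib.sha1(k).digest()
    return k  # 160-bit secret shared by client and server, never sent on the wire


def p_sha1(secret: bytes, seed: bytes, offset: int, length: int) -> bytes:
    """P_SHA1 from RFC 2246, as used for a WS-SecureConversation DerivedKeyToken;
    expands the key stream and returns the [offset, offset+length) window."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < offset + length:
        a = hmac.new(secret, a, hashlib.sha1).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()  # HMAC(secret, A(i) + seed)
    return out[offset:offset + length]


def signing_key(password: str = PASSWORD, salt_b64: str = SALT_B64,
                iterations: int = ITERATIONS, nonce_b64: str = NONCE_B64,
                label: str = LABEL, offset: int = OFFSET, length: int = LENGTH) -> bytes:
    """The key the verifier must rebuild to check ds:SignatureValue (hmac-sha1)."""
    secret = ut_derived_key(password, base64.b64decode(salt_b64), iterations)
    seed = label.encode("utf-8") + base64.b64decode(nonce_b64)
    return p_sha1(secret, seed, offset, length)


def hmac_sha1_b64(key: bytes, canonical_signed_info: bytes) -> str:
    """SignatureValue over the exc-c14n form of ds:SignedInfo, base64 as in the header."""
    return base64.b64encode(hmac.new(key, canonical_signed_info, hashlib.sha1).digest()).decode()
```

The canonicalised ds:SignedInfo is not in the post, so the sample SignatureValue cannot be reproduced here; with it, compare hmac_sha1_b64(signing_key(), c14n_bytes) against the header's value.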