Hi Sergio,

The reason you're seeing that error is that our support for derived keys on the
processing side is patchy at best :-(

I suggest you add a JIRA for this with a test-case.

Colm.


________________________________

From: Sergio Patricio [mailto:[EMAIL PROTECTED] 
Sent: 04 June 2008 13:42
To: [email protected]
Subject: Error using derived key

Hello,

I'm trying to do signing and encryption using derived keys from a username token.

I looked into the test cases of wss4j and used the code in TestWSSecurityUTDK.java.

I removed the asserts and added the processSecurityHeader call; the code I'm testing is:

import org.w3c.dom.Document;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.message.WSSecDKSign;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecUsernameToken;
// PasswordCallbackHandler is the callback handler class from the wss4j test sources.

Document doc = ...

WSSecHeader secHeader = new WSSecHeader();
secHeader.insertSecurityHeader(doc);

// UsernameToken carrying a derived key: only salt and iteration count go on the wire
WSSecUsernameToken builder = new WSSecUsernameToken();
builder.setUserInfo("bob", "security");
builder.addDerivedKey(true, null, 1000);
builder.prepare(doc);

byte[] derivedKey = builder.getDerivedKey();
String tokenIdentifier = builder.getId();

//
// Derived key signature (HMAC-SHA1 keyed via a DerivedKeyToken that references the UsernameToken)
//
WSSecDKSign sigBuilder = new WSSecDKSign();
sigBuilder.setExternalKey(derivedKey, tokenIdentifier);
sigBuilder.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
Document signedDoc = sigBuilder.build(doc, secHeader);

// the UsernameToken must appear before the DerivedKeyToken that references it
builder.prependToHeader(secHeader);

// validation
WSSConfig config = WSSConfig.getDefaultWSConfig();
config.setHandleCustomPasswordTypes(true);

WSSecurityEngine engine = new WSSecurityEngine();
engine.setWssConfig(config);
engine.processSecurityHeader(doc, null, new PasswordCallbackHandler(), null);


This code creates the following security header:

<wsse:Security
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    env:mustUnderstand="1">
    <wsse:UsernameToken
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="UsernameToken-14158819">
        <wsse:Username>user</wsse:Username>
        <wsse11:Salt xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">2zz+e8xDhqzB6hCb7bCbAQ==</wsse11:Salt>
        <wsse11:Iteration xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">1000</wsse11:Iteration>
    </wsse:UsernameToken>
    <wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="derivedKeyId-28910606">
        <wsse:SecurityTokenReference>
            <wsse:Reference URI="#UsernameToken-14158819"/>
        </wsse:SecurityTokenReference>
        <wsc:Offset>0</wsc:Offset>
        <wsc:Length>20</wsc:Length>
        <wsc:Nonce>pDfj84xuTHPCEXzUGPaQRg==</wsc:Nonce>
    </wsc:DerivedKeyToken>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-27940859">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
            <ds:Reference URI="#id-23268025">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>sqAea80cptqohi3v1Gnnir8hrsE=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>Zm6vGutgm2XFvBFBZjbmeo3KSog=</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-20590970">
            <wsse:SecurityTokenReference
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                wsu:Id="STRId-25589390">
                <wsse:Reference URI="#derivedKeyId-28910606"/>
            </wsse:SecurityTokenReference>
        </ds:KeyInfo>
    </ds:Signature>
</wsse:Security>


When I run the code it gives the following error:

org.apache.ws.security.WSSecurityException: The signature or decryption was invalid (Unsupported key identification)
      at org.apache.ws.security.processor.DerivedKeyTokenProcessor.extractSecret(DerivedKeyTokenProcessor.java:156)
      at org.apache.ws.security.processor.DerivedKeyTokenProcessor.handleToken(DerivedKeyTokenProcessor.java:67)
      at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:311)
      at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:228)
      at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:181)


What is wrong?

I'm using wss4j 1.5.4 and used the code from the test case TestWSSecurityUTDK.java.

I have been looking into the wss4j source and my first idea is that the
extractSecret method fails when it tries to get the processor corresponding to the
element referred to in the security token reference.

In the test case the verification is commented out, maybe because of the error.

Can someone help me? Thanks.

By the way, my objective is to develop some code that allows me to sign and
encrypt the SOAP message without using certificates; I want to use a secret
that both client and server know. The ideal is to use the UsernameToken
(without sending the password). I know that WSE 3.0 does this but I can't do it
using wss4j, so I was trying to use derived keys from the UsernameToken.

Thanks.

_____________________
Sérgio Patrício
[EMAIL PROTECTED]
Link Consulting


----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
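Added example (not from this thread and not wss4j's code): a standalone Python re-implementation of the two derivation steps behind the quoted header, so the reader can see why no password travels on the wire and what the receiver must recompute before it can check the HMAC. Salt, nonce, Offset and Length are the values from the quoted header; the password "security" is taken from the posted code, and the label "WS-SecureConversationWS-SecureConversation" is assumed to be the default wss4j applies when none is set.

```python
import base64
import hashlib
import hmac

# Values copied from the security header quoted in the mail.
SALT = base64.b64decode("2zz+e8xDhqzB6hCb7bCbAQ==")   # last byte 0x01: UT 1.1 profile's tag for a signing-key salt
NONCE = base64.b64decode("pDfj84xuTHPCEXzUGPaQRg==")
ITERATION = 1000
OFFSET, LENGTH = 0, 20
# Assumed: the label wss4j uses when none is set ("WS-SecureConversation" twice, as in WS-SC).
DEFAULT_LABEL = b"WS-SecureConversationWS-SecureConversation"

def ut_derived_key(password: bytes, salt: bytes, iteration: int = 1000) -> bytes:
    """UsernameToken Profile 1.1 key: SHA1(password || salt), re-hashed iteration-1 times.
    Only salt and iteration travel in the header; the password stays with both parties."""
    if iteration < 1:
        raise ValueError("iteration count must be >= 1")
    key = hashlib.sha1(password + salt).digest()
    for _ in range(iteration - 1):
        key = hashlib.sha1(key).digest()
    return key

def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 expansion (RFC 2246 P_hash), the DerivedKeyToken algorithm of WS-SecureConversation."""
    out, a = b"", seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()             # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()   # HMAC(secret, A(i) || seed)
    return out[:length]

def derived_key_token(secret: bytes, nonce: bytes, offset: int, length: int,
                      label: bytes = DEFAULT_LABEL) -> bytes:
    """wsc:DerivedKeyToken key: bytes [Offset, Offset+Length) of P_SHA1(secret, label || Nonce)."""
    return p_sha1(secret, label + nonce, offset + length)[offset:offset + length]

def hmac_sha1_sign(key: bytes, canonical_signed_info: bytes) -> bytes:
    """ds:SignatureValue for SignatureMethod hmac-sha1: HMAC over the canonicalised SignedInfo."""
    return hmac.new(key, canonical_signed_info, hashlib.sha1).digest()

def hmac_sha1_verify(key: bytes, canonical_signed_info: bytes, sig: bytes) -> bool:
    """Receiver side: re-derive the same key from the shared password, then compare in constant time."""
    return hmac.compare_digest(hmac_sha1_sign(key, canonical_signed_info), sig)

def sign_with_username_token(password: bytes, canonical_signed_info: bytes) -> bytes:
    """End to end with the header's parameters: password -> UT key -> DerivedKeyToken key -> HMAC-SHA1."""
    dk = derived_key_token(ut_derived_key(password, SALT, ITERATION), NONCE, OFFSET, LENGTH)
    return hmac_sha1_sign(dk, canonical_signed_info)
```

The receiver can only reach the same HMAC key by resolving the DerivedKeyToken's reference back to the UsernameToken and redoing both steps, which is exactly the lookup that fails in the stack trace above.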