Hi Oliver,

Do you have control over the creation of the SOAP request? If so, one 
possibility is to create a different security header for both encrypted keys 
using a specific "actor" attribute for both. On the processing side, WSS4J can 
be configured to only process a security header with the specified actor name 
(at least I think it can, I haven't tried it). 

If not, then I suspect the only option is to write your own processor or submit 
an enhancement request. 

Colm.

-----Original Message-----
From: Oliver Wulff [mailto:[EMAIL PROTECTED] 
Sent: 22 July 2008 17:28
To: [email protected]
Subject: Decryption with several EncryptedKey elements


Hi all

I've got a soap request (see below) with two EncryptedKey elements
(different public keys).

My application is in the possession of only one private key which means
that it can only process some of the encrypted elements. If I process the
security header the following exception is thrown:

Caused by: org.apache.ws.security.WSSecurityException: Cannot
encrypt/decrypt data; nested exception is:
        java.lang.Exception: alias is null
        at
org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey
(EncryptedKeyProcessor.java:287)


How can I tell WSS4J to ignore the EncryptedKey elements which are not
intended to be decrypted?

This is the code to decrypt the soap message:

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.io.StringWriter;

import javax.xml.soap.MessageFactory;
import javax.xml.soap.SOAPMessage;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;

import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.w3c.dom.Document;

String message = ... ;   // the SOAP envelope shown below
String cert = .... ;     // name of the crypto properties file passed to CryptoFactory

WSSecurityEngine secEngine = new WSSecurityEngine();

try {
      InputStream inStream = new ByteArrayInputStream(message.getBytes());
      SOAPMessage soapmsg = MessageFactory.newInstance().createMessage(
                  null, inStream);
      Document doc = (Document) soapmsg.getSOAPPart();

      Crypto crypto = CryptoFactory.getInstance(cert);

      // actor == null: process the Security header that carries no actor attribute
      secEngine.processSecurityHeader(doc, null, new MyCallbackHandler(),
                  crypto);

      // serialise the (now decrypted) DOM back to a string
      TransformerFactory tFactory = TransformerFactory.newInstance();
      Transformer transformer = tFactory.newTransformer();
      DOMSource source = new DOMSource(doc);
      StringWriter sw = new StringWriter();
      StreamResult result = new StreamResult(sw);
      transformer.transform(source, result);
      return sw.toString();

} catch (Exception ex) {
      ex.printStackTrace();
      throw new RuntimeException(ex);
}


Here is the input soap request:

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
      xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
      xmlns:m2="http://ecm.zurich.com/svc/ws/types"
      xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:m1="http://ecm.zurich.com/svc/ws/document_v1_0">
      <SOAP-ENV:Header>
            <m3:Security
                  xmlns:m3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                  SOAP-ENV:mustUnderstand="1">
                  <xenc:EncryptedKey
                        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                        Id="EncKeyId-712593">
                        <xenc:EncryptionMethod
                              Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
                        <ds:KeyInfo
                              xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                              <wsse:SecurityTokenReference
                                    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                                    <ds:X509Data
                                          xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                                          <ds:X509IssuerSerial
                                                xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                                                <ds:X509IssuerName
                                                      xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                                                      [EMAIL PROTECTED],CN=SDC Internal CA,OU=ING,O=Swiss Data Center,L=Zurich Insurance,ST=Zurich,C=CH
                                                </ds:X509IssuerName>
                                                <ds:X509SerialNumber
                                                      xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                                                      446
                                                </ds:X509SerialNumber>
                                          </ds:X509IssuerSerial>
                                    </ds:X509Data>
                              </wsse:SecurityTokenReference>
                        </ds:KeyInfo>
                        <xenc:CipherData>
                              <xenc:CipherValue
                                    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                                    gL4WtugirLpupgr7i9I6VVHyDu2H6sS1phCX8zY9+65dTf8LtsDSjVFNLaBHmIrfMLXgC1gREA
                                    +WnUGoObNV5Ek1VePLrCzYp4TGzVR0wxbhF6m1Zzc81wKArtLHflcXKsn5v7rUvArC3bh4o7QqBs6o1W13EmI244r9ZA30gqY=
                              </xenc:CipherValue>
                        </xenc:CipherData>
                        <xenc:ReferenceList>
                              <xenc:DataReference
                                    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                                    URI="#EncDataId-31188783" />
                        </xenc:ReferenceList>
                  </xenc:EncryptedKey>
                  <xenc:EncryptedKey
                        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                        Id="EncKeyId-30675222">
                        <xenc:EncryptionMethod
                              Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
                        <ds:KeyInfo
                              xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                              <wsse:SecurityTokenReference
                                    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                                    <ds:X509Data
                                          xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                                          <ds:X509IssuerSerial
                                                xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                                                <ds:X509IssuerName
                                                      xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                                                      [EMAIL PROTECTED],CN=SDC Internal CA,OU=ING,O=Swiss Data Center,L=Zurich Insurance,ST=Zurich,C=CH
                                                </ds:X509IssuerName>
                                                <ds:X509SerialNumber
                                                      xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                                                      447
                                                </ds:X509SerialNumber>
                                          </ds:X509IssuerSerial>
                                    </ds:X509Data>
                              </wsse:SecurityTokenReference>
                        </ds:KeyInfo>
                        <xenc:CipherData>
                              <xenc:CipherValue
                                    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                                    RVKDb7RnEPf1/566a4kSEy0Q8Rq2cglbyEcoxHy7YtFQfQdEs
                                    +Dx3iC29r2LhYzQidp51ZuLNptJGvFz5eQrFivgqlTfdgxPBC
                                    +LVXN1zMu9N5f0PVRk8BGsoxK9Jwum05TvEnXu+IbwWpM70roh9H6KlQU5azZfYnTUMossrYo=
                              </xenc:CipherValue>
                        </xenc:CipherData>
                        <xenc:ReferenceList>
                              <xenc:DataReference
                                    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                                    URI="#EncDataId-28179427" />
                              <xenc:DataReference
                                    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                                    URI="#EncDataId-24390742" />
                        </xenc:ReferenceList>
                  </xenc:EncryptedKey>
                  <m3:UsernameToken xsi:type="m3:UsernameTokenType">
                        <m3:Username>YSV101676</m3:Username>
                        <m3:Password
                              Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
                              xsi:type="m3:PasswordString">
                              r8328hFs
                        </m3:Password>
                  </m3:UsernameToken>
            </m3:Security>
      </SOAP-ENV:Header>
      <SOAP-ENV:Body>
            <m1:updateMetadata>
                  <m1:docIDs>
                        <xenc:EncryptedData
                              xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                              Type="http://www.w3.org/2001/04/xmlenc#Content"
                              Id="EncDataId-31188783">
                              <xenc:EncryptionMethod
                                    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                                    Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
                              <xenc:CipherData
                                    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                                    <xenc:CipherValue
                                          xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                                          lfVNeqOdi8BjOqdWZ
                                          +Vniu3oXf9h8sjP2FG7wLHVlrxd/w3Gaj8tpW3r83HhSQk87Ta1CFGPN1VG
                                          IWBZW6VQOg==
                                    </xenc:CipherValue>
                              </xenc:CipherData>
                        </xenc:EncryptedData>
                  </m1:docIDs>
                  <m1:metadata>
                        <xenc:EncryptedData
                              xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                              Type="http://www.w3.org/2001/04/xmlenc#Content"
                              Id="EncDataId-28179427">
                              <xenc:EncryptionMethod
                                    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                                    Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
                              <xenc:CipherData
                                    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                                    <xenc:CipherValue
                                          xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                                          YxeTDZRvhDlAAYmTvMoyp2l3u1fywZJ8uMgI3M
                                          +hmEEqOoAQwmrWTeG8JEyDFymlycnEoT7siMR9
                                          dOkauixPm7OIb6uW/2WlpK106/3RqRe/Rwj98zne2WiG6otfM5gWICpc7i2bf97opS2MFcM85v13
                                          6bCXXbEybWw
                                          +erNexIEUcVg56L50dup4d2PqVNHUSZurdKYwKmR944QjydN25zTO9XjvhoppHCDT
                                          nuoUz1UuIHiDXtDgFpSknHoGzMA8tWebb4PNy6fBViqfoT39EGNMF7C2N+aVygR2xl3OY63Lbix
                                          +
                                          xbxq3g
                                          +3BHlDbsDaCtVaC4BIM637xr75xQGUp/sHVEx/mY6KUoxcLHQgQbe0vrXKFdWIQ7zHRjQq
                                          o04PRIJTOWW9hruD+2HS3UEo0v8t
                                          +G2jHsirqmv17vr1uPcq0NZzRJVSpVAxS1KOIaSBtJeBbxui
                                          EvB1ZAb9hxOXQ8NYT0xrzp3SFrvkcLLT0h1Skvg50A4r6yBDWFeHUDCX
                                    </xenc:CipherValue>
                              </xenc:CipherData>
                        </xenc:EncryptedData>
                  </m1:metadata>
                  <m1:context>
                        <xenc:EncryptedData
                              xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                              Type="http://www.w3.org/2001/04/xmlenc#Content"
                              Id="EncDataId-24390742">
                              <xenc:EncryptionMethod
                                    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                                    Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
                              <xenc:CipherData
                                    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                                    <xenc:CipherValue
                                          xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                                          M960LIC0KgOVcGTbB0CvRaV7ONx2wjjFRhMVrBYW9G61v
                                          +esYY2mP6p4k9gJWrDyfqthgYDfLyPp
                                          eRjSpgSAlXNGMwrMW8/9QUlDmKloKQvTLGTSJG5ySpSkrY5NLyTDp1LSnjvWvRoaPYuHEBKHdw==
                                    </xenc:CipherValue>
                              </xenc:CipherData>
                        </xenc:EncryptedData>
                  </m1:context>
            </m1:updateMetadata>
      </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
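Both of Colm's suggestions, as an added Python example that is not WSS4J code and not part of the thread: select the wsse:Security header by its SOAP "actor" attribute, and within that header attempt only the EncryptedKey elements whose X509IssuerSerial matches the one certificate this recipient holds, leaving the rest untouched instead of failing on them (which is what a custom processor would do for the single-header layout in the original request). The actor URIs, the issuer DN and all helper names are assumptions; the key ids, serial numbers and DataReference ids are taken from the request above; CipherData is omitted because the selection logic never reads it.

```python
"""Pick the right Security header and the right EncryptedKey elements for one
recipient. Added example (stdlib only); the WSS4J engine is not involved."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
XENC_NS = "http://www.w3.org/2001/04/xmlenc#"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

ISSUER = "CN=Example CA,O=Example"  # constructed issuer DN (assumption)


def _enc_key(key_id, serial, data_ids):
    """Constructed EncryptedKey with an IssuerSerial reference; no CipherData."""
    refs = "".join(f'<xenc:DataReference URI="#{d}"/>' for d in data_ids)
    return (f'<xenc:EncryptedKey Id="{key_id}">'
            f'<ds:KeyInfo><wsse:SecurityTokenReference><ds:X509Data>'
            f'<ds:X509IssuerSerial><ds:X509IssuerName>{ISSUER}</ds:X509IssuerName>'
            f'<ds:X509SerialNumber>{serial}</ds:X509SerialNumber></ds:X509IssuerSerial>'
            f'</ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo>'
            f'<xenc:ReferenceList>{refs}</xenc:ReferenceList></xenc:EncryptedKey>')


def _security(actor, *keys):
    """Constructed wsse:Security header; actor=None means no actor attribute."""
    attr = f' SOAP-ENV:actor="{actor}"' if actor else ""
    return (f'<wsse:Security{attr} SOAP-ENV:mustUnderstand="1">'
            + "".join(keys) + "</wsse:Security>")


def _envelope(headers):
    return (f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}" xmlns:wsse="{WSSE_NS}" '
            f'xmlns:xenc="{XENC_NS}" xmlns:ds="{DS_NS}"><SOAP-ENV:Header>'
            + "".join(headers) + "</SOAP-ENV:Header><SOAP-ENV:Body/></SOAP-ENV:Envelope>")


# Key ids, serials and DataReference ids as in the request from the thread.
KEY_446 = _enc_key("EncKeyId-712593", "446", ["EncDataId-31188783"])
KEY_447 = _enc_key("EncKeyId-30675222", "447", ["EncDataId-28179427", "EncDataId-24390742"])

# Layout of the original request: one header carrying both keys.
ONE_HEADER = _envelope([_security(None, KEY_446, KEY_447)])
# Layout suggested in the reply: one header per recipient, told apart by actor
# (the actor URIs are constructed placeholders).
TWO_HEADERS = _envelope([_security("urn:example:recipient-446", KEY_446),
                         _security("urn:example:recipient-447", KEY_447)])


def security_headers(root):
    return root.findall(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security")


def select_security_header(root, actor):
    """Header whose SOAP actor equals `actor` (None: the header with no actor),
    or None if there is no such header. Headers for other actors are ignored."""
    for hdr in security_headers(root):
        if hdr.get(f"{{{SOAP_NS}}}actor") == actor:
            return hdr
    return None


def issuer_serial(enc_key):
    """(issuer, serial) named by the EncryptedKey's SecurityTokenReference."""
    name = enc_key.find(f".//{{{DS_NS}}}X509IssuerName")
    serial = enc_key.find(f".//{{{DS_NS}}}X509SerialNumber")
    if name is None or serial is None:
        return None
    return (name.text.strip(), serial.text.strip())


def addressed_encrypted_keys(header, my_issuer, my_serial):
    """Only the EncryptedKey elements wrapped for the certificate we hold."""
    return [ek for ek in header.findall(f"{{{XENC_NS}}}EncryptedKey")
            if issuer_serial(ek) == (my_issuer, my_serial)]


def data_references(enc_key):
    path = f"{{{XENC_NS}}}ReferenceList/{{{XENC_NS}}}DataReference"
    return [ref.get("URI") for ref in enc_key.findall(path)]


def plan_decryption(envelope_xml, actor, my_issuer, my_serial):
    """EncryptedData URIs this recipient should decrypt; never touches the rest."""
    root = ET.fromstring(envelope_xml)
    hdr = select_security_header(root, actor)
    if hdr is None:
        return []
    uris = []
    for ek in addressed_encrypted_keys(hdr, my_issuer, my_serial):
        uris.extend(data_references(ek))
    return uris


if __name__ == "__main__":
    print(plan_decryption(TWO_HEADERS, "urn:example:recipient-447", ISSUER, "447"))
    print(plan_decryption(ONE_HEADER, None, ISSUER, "446"))
```

The actor check mirrors what passing a non-null actor to processSecurityHeader is meant to do: a header addressed to a different actor is left intact for the next hop rather than consumed or rejected, even though it is marked mustUnderstand. The issuer/serial filter is the part a custom processor would add for the single-header case, so an EncryptedKey wrapped for a key the service does not hold is skipped instead of surfacing as the "alias is null" failure from the thread. For untrusted input, parse with a hardened parser (for example defusedxml) rather than the bare stdlib one used here.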
