Good catch! I'm surprised no-one has run into this before. I'll commit a fix for this in a few minutes.
The BinarySecurityTokenProcessor only uses the crypto instance to construct the certificate(s) from XML, so a simple fix is to just check for null on the signature crypto instance. There's no way of telling whether the BST being processed is used for encryption or signature in advance. It's a reasonable assumption though that the same abstract Crypto implementation (e.g. CryptoBase) is being used for signature and encryption, even if the subclasses are different, etc. I also spotted the ReferenceListProcessor uses the wrong crypto instance when I checked the others.

Thanks,
Colm.

-----Original Message-----
From: VijayM [mailto:[email protected]]
Sent: 01 July 2009 10:40
To: [email protected]
Subject: wss4j1.5.5: Decrypting the soap xml results in NP exception for soap message containing BinarySecurityToken in request.

Decrypting the soap xml results in NP exception for soap message containing BinarySecurityToken in request.

I am using wss4j 1.5.5 to decrypt the soap message. The client encrypts the soap message by setting action=Encrypt and encryptionKeyIdentifier=DirectReference.

At the receiving end the receiver handler config is:

  <requestFlow>
    <handler name="DoSecurityReceiver" type="java:org.apache.ws.axis.security.WSDoAllReceiver">
      <parameter name="action" value="Encrypt"/>
      <parameter name="decryptionPropFile" value="server.crypto.properties"/>
      <parameter name="passwordCallbackClass" value="com.ws.server.PWCallback"/>
    </handler>
  </requestFlow>

At the receiving end, when decrypting this message, the null pointer occurs (exception trace shown below). The exception occurs only when the "DirectReference" key identifier is used in message encryption, i.e. the request contains the token embedded in a "BinarySecurityToken" element. The exception does not occur when the "IssuerSerial" identifier is used.
Debugging the code further I observed that BinarySecurityTokenProcessor.getCertificatesTokenReference(Element elem, Crypto crypto) uses the Signature Crypto instance to parse the security token from the request. Since the signature crypto is null, it results in a null pointer exception. The signature crypto is null because the action is "Encrypt" only. It should be using the decryption crypto instance instead.

My understanding so far is:
  if action is Signature -> Signature Crypto will be initialized.
  if action is Encrypt -> Encryption crypto will be initialized.
  if action is "Signature Encrypt" -> both sign/encrypt crypto will be initialized.

For an encrypted message BinarySecurityTokenProcessor should use the encryption crypto instance to parse the binary token instead of the signature crypto. Any comments greatly appreciated.

Exception trace:

Caused by: java.lang.NullPointerException
        at org.apache.ws.security.message.token.X509Security.getX509Certificate(X509Security.java:94)
        at org.apache.ws.security.processor.BinarySecurityTokenProcessor.getCertificatesTokenReference(BinarySecurityTokenProcessor.java:93)
        at org.apache.ws.security.processor.BinarySecurityTokenProcessor.handleToken(BinarySecurityTokenProcessor.java:74)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
        at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:162)

--
View this message in context: http://www.nabble.com/wss4j1.5.5%3A-Decrypting-the-soap-xml-results-in-NP-exception-for-soap-message-containing-BinarySecurityToken-in-request.-tp24286989p24286989.html
Sent from the WSS4J mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
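The failure mode and the fix discussed in this thread, as an added illustration that is not WSS4J code and is not from either poster. It models the original poster's description of which Crypto instances a receiver initialises for each "action" value, then contrasts a BST processor that unconditionally uses the signature Crypto (the 1.5.5 behaviour that produced the NullPointerException) with one that applies the null check from the reply and falls back to the decryption Crypto. The Crypto interface, PropsCrypto, ReceiverConfig and the two cryptoForBst methods are stand-ins invented for this example; they are not the WSS4J API.

```java
// Added example, not WSS4J code. The types below are simplified stand-ins
// for the real org.apache.ws.security Crypto and handler configuration.
import java.util.Arrays;
import java.util.List;
import java.util.Objects;

public class BstCryptoSelection {

    /** Stand-in for a WSS4J Crypto implementation (assumption for this example). */
    interface Crypto {
        String name();
    }

    /** A Crypto loaded from a properties file; here it only records which file. */
    static final class PropsCrypto implements Crypto {
        private final String propFile;
        PropsCrypto(String propFile) { this.propFile = propFile; }
        public String name() { return propFile; }
    }

    /**
     * Mirrors the original poster's reading of the receiver: "Signature"
     * initialises the signature Crypto, "Encrypt" initialises the decryption
     * Crypto, and "Signature Encrypt" initialises both.
     */
    static final class ReceiverConfig {
        final Crypto sigCrypto;
        final Crypto decCrypto;
        ReceiverConfig(String actions) {
            List<String> list = Arrays.asList(actions.trim().split("\\s+"));
            sigCrypto = list.contains("Signature") ? new PropsCrypto("sig.properties") : null;
            decCrypto = list.contains("Encrypt")   ? new PropsCrypto("dec.properties") : null;
        }
    }

    /** Before the fix: the BST processor always takes the signature Crypto. */
    static Crypto cryptoForBstBefore(ReceiverConfig cfg) {
        // Throws NullPointerException when the action list contains no "Signature",
        // which is the trace the original poster reported.
        return Objects.requireNonNull(cfg.sigCrypto, "signature Crypto is null");
    }

    /**
     * After the fix described in the reply: check the signature Crypto for null
     * and fall back to the decryption Crypto, and fail with a descriptive error
     * rather than an NPE when neither was configured.
     */
    static Crypto cryptoForBstAfter(ReceiverConfig cfg) {
        if (cfg.sigCrypto != null) return cfg.sigCrypto;
        if (cfg.decCrypto != null) return cfg.decCrypto;
        throw new IllegalStateException("no Crypto available to parse BinarySecurityToken");
    }

    public static void main(String[] args) {
        for (String actions : new String[] {"Signature", "Encrypt", "Signature Encrypt"}) {
            ReceiverConfig cfg = new ReceiverConfig(actions);
            String before;
            try {
                before = cryptoForBstBefore(cfg).name();
            } catch (NullPointerException e) {
                before = "NullPointerException";
            }
            System.out.println(actions + ": before=" + before
                + " after=" + cryptoForBstAfter(cfg).name());
        }
    }
}
```

Running it shows the "Encrypt" configuration going from NullPointerException to dec.properties while the other two configurations are unchanged. The fallback is only sound under the assumption the reply states: the signature and decryption Crypto instances share the same abstract implementation, so either can construct the X.509 certificate from the BST bytes. If a deployment used two Crypto implementations that parse certificates differently, the processor would still have no way to know in advance whether the BST belongs to the signature or the encryption, and the choice would need to be made when the token is actually referenced.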
