3 Replies Latest reply on Oct 12, 2006 6:09 AM by artursignell

    Ws-Security, Encryption, .Net -> JBoss interoperability (HEL

      Hi,

      I have a .Net client that's talking to a web service running on JBossWS.
      It's a simple helloworld right now for testing purposes.

      What I'm trying to add to this service is the following:
      - Authentication + signing using a client certificate
      - Encryption using the server's public key

      I've been playing around a bit and here is how far I am right now.
      The jboss-wsse-server.xml file is simple and straightforward:

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xsi:schemaLocation="http://www.jboss.com/ws-security/config
                                             http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
        <key-store-file>WEB-INF/MyKeystore</key-store-file>
        <key-store-password>####</key-store-password>
        <trust-store-file>WEB-INF/MyTruststore</trust-store-file>
        <trust-store-password>####</trust-store-password>
        <config>
          <requires>
            <encryption />
            <signature/>
          </requires>
        </config>
      </jboss-ws-security>
      


      The policy in my .Net client looks like this.
      This is a WSE 3.0 policy file, wse3policyCache.config:

      <policy name="test">
        <mutualCertificate11Security establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false" ttlInSeconds="300">
          <clientToken>
            <x509 storeLocation="CurrentUser" storeName="My" findValue="CN=user1" findType="FindBySubjectDistinguishedName" />
          </clientToken>
          <serviceToken>
            <x509 storeLocation="CurrentUser" storeName="My" findValue="CN=MyServer" findType="FindBySubjectDistinguishedName" />
          </serviceToken>
          <protection>
            <request signatureOptions="IncludeSoapBody" encryptBody="true" />
            <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
            <fault signatureOptions="IncludeSoapBody" encryptBody="false" />
          </protection>
        </mutualCertificate11Security>
        <requireActionHeader />
      </policy>
      


      For simplicity I left the addressing and timestamp out of the signature, because I expect that this is what JBoss does.

      On the server side I have a keystore and a truststore.
      I've created a private/public keypair using Sun's keytool and I exported the certificate for the clients to use. The certificates of the client are generated by a CA on Windows 2003 Server. I've imported the certificates into the keystore using a basic keytool -import -keystore ... -alias ... -file command.

      The error I get in JBoss is:
      12:10:57,337 ERROR [WSSecurityDispatcher] Internal error occured handling inbound message:
      org.jboss.ws.wsse.SecurityTokenUnavailableException: Could not locate certificate by key identifier
       at org.jboss.ws.wsse.KeyResolver.resolveKeyIdentifier(KeyResolver.java:114)
       at org.jboss.ws.wsse.KeyResolver.resolve(KeyResolver.java:87)
       at org.jboss.ws.wsse.KeyResolver.resolveCertificate(KeyResolver.java:129)
       at org.jboss.ws.wsse.KeyResolver.resolvePrivateKey(KeyResolver.java:144)
       at org.jboss.ws.wsse.KeyResolver.resolvePrivateKey(KeyResolver.java:164)
       at org.jboss.ws.wsse.element.EncryptedKey.<init>(EncryptedKey.java:90)


      Is there anyone who has some experience with this?

      I would appreciate any help/advice I can get.

      Thanks in advance,

      Kristof Taveirne

        • 1. Re: Ws-Security, Encryption, .Net -> JBoss interoperability

          ooh
          And this is the XML that's going over the wire from the client to the server:

          <?xml version="1.0" encoding="utf-8"?>
          <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <soap:Header>
              <wsa:Action/>
              <wsa:MessageID>urn:uuid:11a12e77-4931-4cda-a410-370b93c2cbd9</wsa:MessageID>
              <wsa:ReplyTo>
                <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
              </wsa:ReplyTo>
              <wsa:To>http://localhost:6543/EncryptionTesting/testing</wsa:To>
              <wsse:Security soap:mustUnderstand="1">
                <wsu:Timestamp wsu:Id="Timestamp-c5ef9cc4-f35d-4045-ab8e-a7adb67b3c70">
                  <wsu:Created>2006-10-06T10:21:37Z</wsu:Created>
                  <wsu:Expires>2006-10-06T10:26:37Z</wsu:Expires>
                </wsu:Timestamp>
                <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="SecurityToken-0c176d35-e384-4493-a6bd-104b391bcd8f">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</wsse:BinarySecurityToken>
                <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="SecurityToken-e7e5b317-8b00-4157-8c6f-c42414d5c835">
                  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                    <ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  </xenc:EncryptionMethod>
                  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <wsse:SecurityTokenReference>
                      <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">S9JxKnwJ35Y=</wsse:KeyIdentifier>
                    </wsse:SecurityTokenReference>
                  </KeyInfo>
                  <xenc:CipherData>
                    <xenc:CipherValue>CfhLRmZ+fIDVDBRjS6eWBbpiIX8Qr2gfrKS9DA/9ruHcuzApJARXFW6412J5OdnlVScxgtD7Xt0Hg4taRDRxKHfMNcwQhqJLkKk2H5b/QT64C8fPzXtskW8dSAuAYDqGWgEf0rvgJ6+aJGW6zf4P85OjxvRcUDPY0I3jOkPVR4Y=</xenc:CipherValue>
                  </xenc:CipherData>
                  <xenc:ReferenceList>
                    <xenc:DataReference URI="#Enc-8ac4cdfd-96d9-47be-bab9-4aeac044c851"/>
                  </xenc:ReferenceList>
                </xenc:EncryptedKey>
                <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Sig-71c80168-3f98-4ec0-a884-89b3a1df4e9d">
                  <SignedInfo>
                    <ds:CanonicalizationMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
                    <Reference URI="#Id-88009e8b-1439-4255-b176-08a8a396cce5">
                      <Transforms>
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                      </Transforms>
                      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                      <DigestValue>8+M6YPkeVnoDrUjC3eFqyCJBjzU=</DigestValue>
                    </Reference>
                  </SignedInfo>
                  <SignatureValue>Sp5k8zTea40kdYmieLMeYVeDnvM=</SignatureValue>
                  <KeyInfo>
                    <wsse:SecurityTokenReference>
                      <wsse:Reference URI="#SecurityToken-e7e5b317-8b00-4157-8c6f-c42414d5c835" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
                    </wsse:SecurityTokenReference>
                  </KeyInfo>
                </Signature>
                <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                  <SignedInfo>
                    <ds:CanonicalizationMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <Reference URI="#Sig-71c80168-3f98-4ec0-a884-89b3a1df4e9d">
                      <Transforms>
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                      </Transforms>
                      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                      <DigestValue>ZfvRWWQdjf7yFOSkWLDWmXLuU24=</DigestValue>
                    </Reference>
                  </SignedInfo>
                  <SignatureValue>JuF2PvIAw9oFP/w8SVrVxi5MJ5B1P0oYMVG/C4vyju2DZ9S3tAHn2dHThXJuC+CsA1MDjyYdj4vy5lHwIGiSl5ZyutFRXXZrqJ9tqca6+eodqwHV9b9bU6MMPEX2eMCA5ws0MIdVXv1CVflTSxu1TPyIsWRD8ye5jltV+iN8N5E=</SignatureValue>
                  <KeyInfo>
                    <wsse:SecurityTokenReference>
                      <wsse:Reference URI="#SecurityToken-0c176d35-e384-4493-a6bd-104b391bcd8f" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
                    </wsse:SecurityTokenReference>
                  </KeyInfo>
                </Signature>
              </wsse:Security>
            </soap:Header>
            <soap:Body wsu:Id="Id-88009e8b-1439-4255-b176-08a8a396cce5">
              <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="Enc-8ac4cdfd-96d9-47be-bab9-4aeac044c851" Type="http://www.w3.org/2001/04/xmlenc#Content">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
                <xenc:CipherData>
                  <xenc:CipherValue>gsM8HsQWkfyPgaY+iPhX6xQanq6Ekigv3a060vpt123D5Ho2Vy9n0S+DhV1O5TyRTQCuk8gHGKN9mMcrQAw/v9PVnrcoy+fYZhjZPYeLq4LcDzsSep8CMp78+RWlMthSU0dpJxBaPp+Ouzg1mK5UnjvRUmkvTAVwZbVy4gqifbjzgrS9SmsLMRzeHxcCQy1xJ6nrNmb8RucEjB5FUtf25IwGJlCxnfr1aRUPRyKxCWA=</xenc:CipherValue>
                </xenc:CipherData>
              </xenc:EncryptedData>
            </soap:Body>
          </soap:Envelope>
          


          • 2. Re: Ws-Security, Encryption, .Net -> JBoss interoperability

            Basically I'm looking for a way to do
            authentication and encryption from a .Net client application to the JBoss AS through web services.

            If anyone has any idea how I can do this... or maybe just give a hint in the right direction... this would be very much appreciated!

            I've been trying stuff out for over a week without any result :-/

            Thanks in advance,

            Kristof.

            • 3. Re: Ws-Security, Encryption, .Net -> JBoss interoperability
              artursignell

              The problem is probably that you are using keytool to generate the certificates. Keytool only generates V1 certificates that lack the SubjectKeyIdentifier extension. You need something that can generate V3 certificates, e.g. openssl, to generate the server key.
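The two things this thread turns on can be checked offline. In the posted message the EncryptedKey's KeyInfo names the server certificate by X509SubjectKeyIdentifier, and the stack trace shows exactly that lookup failing (EncryptedKey.&lt;init&gt; -> resolvePrivateKey -> resolveKeyIdentifier), while the client's own signing certificate is carried inline as a BinarySecurityToken and referenced by wsu:Id. Per the WSS X.509 Token Profile the KeyIdentifier value is the base64 of the certificate's SubjectKeyIdentifier extension, which is why the last reply's point about V1 certificates matters. The script below is an added example for this thread, not JBossWS, WSE or the poster's code: `token_references` lists how each EncryptedKey/Signature in a message refers to its key, and `subject_key_identifier` walks a DER certificate with a minimal TLV scanner (standard library only, not a full X.509 parser) to pull out the SKI extension, so `resolvable_by_ski` can say whether a given keystore certificate would be found by the value in the header. The function names are mine; the trimmed envelope and the `sample_cert` DER are constructed for the example and are not a real certificate or the full posted message.

```python
"""Checks behind "Could not locate certificate by key identifier": how each
EncryptedKey / Signature references its key, and whether a DER certificate has
the SubjectKeyIdentifier (SKI) extension an X509SubjectKeyIdentifier reference
names. Added example for this thread (not JBossWS/WSE code); stdlib only, so
the certificate side is a minimal DER TLV walker, not a full X.509 parser."""
import base64
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
X509_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
SKI_VALUETYPE = X509_PROFILE + "#X509SubjectKeyIdentifier"
OID_SKI = bytes([0x55, 0x1D, 0x0E])   # DER-encoded OID 2.5.29.14 (subjectKeyIdentifier)
POSTED_KEY_IDENTIFIER = "S9JxKnwJ35Y="  # the KeyIdentifier value from the message in this thread


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def token_references(envelope_xml):
    """(context, kind, ValueType, value) for every SecurityTokenReference.
    'KeyIdentifier' means the receiver must find the certificate in its own
    keystore by SKI; 'Reference' points at a token carried in the message."""
    root = ET.fromstring(envelope_xml)
    parent = {child: p for p in root.iter() for child in p}
    out = []
    for str_el in root.iter(f"{{{WSSE}}}SecurityTokenReference"):
        ctx = parent.get(str_el)
        while ctx is not None and _local(ctx.tag) not in ("EncryptedKey", "Signature"):
            ctx = parent.get(ctx)
        for child in str_el:
            kind = _local(child.tag)
            value = child.get("URI") if kind == "Reference" else (child.text or "").strip()
            out.append((_local(ctx.tag) if ctx is not None else "?", kind,
                        child.get("ValueType"), value))
    return out


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _walk(buf):
    """Yield (tag, value) for each TLV, descending into constructed types."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value
        if tag & 0x20:                      # SEQUENCE, SET, [n] EXPLICIT
            yield from _walk(value)


def subject_key_identifier(cert_der):
    """Raw SKI bytes from a DER certificate, or None when the extension is
    absent (a version 1 certificate has no extensions at all)."""
    for tag, value in _walk(cert_der):
        if tag != 0x30 or len(value) < 2:
            continue
        t, oid, pos = _read_tlv(value, 0)   # Extension ::= SEQUENCE {extnID, critical?, extnValue}
        if t != 0x06 or oid != OID_SKI:
            continue
        t, ext_value, pos = _read_tlv(value, pos)
        if t == 0x01:                       # skip the optional BOOLEAN critical flag
            t, ext_value, pos = _read_tlv(value, pos)
        return _read_tlv(ext_value, 0)[1]   # extnValue wraps OCTET STRING KeyIdentifier
    return None


def resolvable_by_ski(cert_der, key_identifier_b64):
    """True if the message's KeyIdentifier equals the certificate's SKI."""
    ski = subject_key_identifier(cert_der)
    return ski is not None and ski == base64.b64decode(key_identifier_b64)


# ---- constructed sample input: not a real certificate, not the full message ----
def der(tag, content):
    """Encode one DER TLV (used only to build the sample certificate)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def sample_cert(ski=None):
    """Certificate-shaped DER: Certificate { tbs { [0] v3, serial, [3] exts }, sig }.
    With ski=None it mimics a v1 certificate, which has no extensions."""
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
    if ski is not None:
        tbs += der(0xA3, der(0x30, der(0x30, der(0x06, OID_SKI) + der(0x04, der(0x04, ski)))))
    return der(0x30, der(0x30, tbs) + der(0x03, b"\x00\xAB"))


SAMPLE_ENVELOPE = f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="{WSSE}" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><soap:Header><wsse:Security>
 <xenc:EncryptedKey Id="SecurityToken-e7e5b317-8b00-4157-8c6f-c42414d5c835"><ds:KeyInfo>
  <wsse:SecurityTokenReference><wsse:KeyIdentifier ValueType="{SKI_VALUETYPE}">{POSTED_KEY_IDENTIFIER}</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference></ds:KeyInfo></xenc:EncryptedKey>
 <ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference>
  <wsse:Reference URI="#SecurityToken-0c176d35-e384-4493-a6bd-104b391bcd8f" ValueType="{X509_PROFILE}#X509v3"/>
  </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
</wsse:Security></soap:Header></soap:Envelope>"""
```

To run it against the real server certificate, export it as DER (`keytool -exportcert` without `-rfc` writes DER) and pass the file's bytes to `subject_key_identifier`: `None` means the certificate carries no SKI extension, which is the condition the last reply describes, and the server has nothing to match the header's KeyIdentifier against. For reference, the posted value decodes to 8 bytes, whereas an SKI produced by openssl's `subjectKeyIdentifier=hash` is the 20-byte SHA-1 key hash of RFC 5280, so once the server certificate is regenerated with a real SKI the client's KeyIdentifier value should change with it, provided WSE takes it from the certificate's extension as the token profile specifies.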