2 Replies Latest reply on Aug 19, 2008 3:56 PM by peterj

    WSSecurity problem: Could not locate certificate by key iden

    kosulin

We use WS-Security over https (java 6, jboss 5.0CR1, jbossws core 3.0.2). Client is java 6 (Sun XWSS). Server uses a real production certificate, client a self-signed one (I was told it was created with openssl, not keytool). Request is successfully validated during SSL handshake using CLIENT-CERT, and authorized with JAAS. This means on the java.security.cert level the server is able to recognize and authenticate the certificate as a valid one (compared to the truststore). However, on WS-Security level we get an exception. Below is the trace. What is wrong with the key identifier? Thanks.

      2008-08-19 15:20:14,592 TRACE [org.jboss.ws.core.jaxws.handler.HandlerChainExecutor] (http-0.0.0.0-8443-1:) BEFORE handleRequest - org.jboss.wsf.framework.invocation.RecordingServerHandler@17a08d4
      <S:Envelope xmlns:S='http://schemas.xmlsoap.org/soap/envelope/'>
      <S:Header>
      <wsse:Security S:mustUnderstand='1' xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'>
      <wsu:Timestamp wsu:Id='XWSSGID-12191736147481681242501' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
      <wsu:Created>2008-08-19T19:20:14Z</wsu:Created>
      <wsu:Expires>2008-08-19T19:25:14Z</wsu:Expires>
      </wsu:Timestamp>
      <ds:Signature Id='XWSSGID-12191736146031743555814' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
      <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>

      </ds:CanonicalizationMethod>
      <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>
      <ds:Reference URI='#XWSSGID-1219173614748711119660' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
      <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>
      <ds:DigestValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>D5VC3nxO1mCHdvlx3ZlL+pKVOMo=</ds:DigestValue>
      </ds:Reference>
      <ds:Reference URI='#XWSSGID-12191736147481681242501' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
      <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>
      <ds:DigestValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>sl1ERXikaFn0w4iWQtKnNS2dYuE=</ds:DigestValue>
      </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>d4zmVhrNWDjNqSQ8tHXH7iEUAKj0pmnFwkbTWdyQEiCRry4INKT4lZpVnNG6qcsKMM+fh1CPOyd4
      eHCZYOZjdpFhPYEIbfBzjZuiOkrnXmwIVm43bS7bCW+R9xELJ67cgldJL03G9ntcdsOo3I/vxEGn
      BRZm4siJbM2VbUrtLfE=</ds:SignatureValue>
      <ds:KeyInfo>
      <wsse:SecurityTokenReference wsu:Id='XWSSGID-12191736147371393264612' xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
      <wsse:KeyIdentifier EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary' ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier'>VsF5XAhG06l2TVSo6RafX5b9epw=</wsse:KeyIdentifier>
      </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      </ds:Signature>
      </wsse:Security>
      </S:Header>
      <S:Body wsu:Id='XWSSGID-1219173614748711119660' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
      <ns2:GetAllStatementList xmlns:ns2='http://www.wsc.com/'>
      test
      0
      sm0
      2007
      TX10000976
      </ns2:GetAllStatementList>
      </S:Body>
      </S:Envelope>
      2008-08-19 15:20:14,592 TRACE [org.jboss.ws.core.CommonMessageContext] (http-0.0.0.0-8443-1:) put: APPLICATION:org.jboss.ws.allow.expand.dom=true
      2008-08-19 15:20:14,592 TRACE [org.jboss.ws.core.CommonMessageContext] (http-0.0.0.0-8443-1:) get(javax.xml.ws.handler.message.outbound): APPLICATION:javax.xml.ws.handler.message.outbound=false
      2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes
      2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes
      2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes
      2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes
      2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes
      2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes
      2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.jaxws.handler.HandlerChainExecutor] (http-0.0.0.0-8443-1:) AFTER handleRequest - org.jboss.wsf.framework.invocation.RecordingServerHandler@17a08d4: unchanged
      2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes
      2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes
      2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes
      2008-08-19 15:20:14,594 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes
      2008-08-19 15:20:14,594 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes
      2008-08-19 15:20:14,594 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes
      2008-08-19 15:20:14,594 TRACE [org.jboss.ws.core.jaxws.handler.HandlerChainExecutor] (http-0.0.0.0-8443-1:) BEFORE handleRequest - WSSecurity Handler: unchanged
      2008-08-19 15:20:14,594 TRACE [org.jboss.ws.core.CommonMessageContext] (http-0.0.0.0-8443-1:) put: APPLICATION:org.jboss.ws.allow.expand.dom=true
      2008-08-19 15:20:14,594 TRACE [org.jboss.ws.core.CommonMessageContext] (http-0.0.0.0-8443-1:) get(javax.xml.ws.handler.message.outbound): APPLICATION:javax.xml.ws.handler.message.outbound=false
      2008-08-19 15:20:14,594 TRACE [org.jboss.ws.core.CommonMessageContext] (http-0.0.0.0-8443-1:) get(javax.xml.ws.addressing.context.inbound): null
      2008-08-19 15:20:14,594 DEBUG [org.jboss.ws.core.soap.SOAPMessageDispatcher] (http-0.0.0.0-8443-1:) getDispatchDestination: {http://www.wsc.com/}GetAllStatementList
      2008-08-19 15:20:14,594 DEBUG [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) loadStore: vfszip:/opt/jboss/jboss-5.0.0.CR1/server/cpportal2/deploy/cpportal2-ear.ear/statements-web.war/WEB-INF/cpportal2.keystore
      2008-08-19 15:20:14,594 DEBUG [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) loadStore: vfszip:/opt/jboss/jboss-5.0.0.CR1/server/cpportal2/deploy/cpportal2-ear.ear/statements-web.war/WEB-INF/cpportal2.keystore
      2008-08-19 15:20:14,595 TRACE [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) decrypt password: password
      2008-08-19 15:20:14,595 TRACE [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) decrypt password: password
      2008-08-19 15:20:14,595 TRACE [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) decrypted password: password
      2008-08-19 15:20:14,595 TRACE [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) decrypted password: password
      2008-08-19 15:20:14,595 DEBUG [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) loadStore: vfszip:/opt/jboss/jboss-5.0.0.CR1/server/cpportal2/deploy/cpportal2-ear.ear/statements-web.war/WEB-INF/cpportal2.truststore
      2008-08-19 15:20:14,595 DEBUG [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) loadStore: vfszip:/opt/jboss/jboss-5.0.0.CR1/server/cpportal2/deploy/cpportal2-ear.ear/statements-web.war/WEB-INF/cpportal2.truststore
      2008-08-19 15:20:14,595 TRACE [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) decrypt password: password
      2008-08-19 15:20:14,595 TRACE [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) decrypt password: password
      2008-08-19 15:20:14,595 TRACE [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) decrypted password: password
      2008-08-19 15:20:14,595 TRACE [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) decrypted password: password
      2008-08-19 15:20:14,596 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getFirstChild
      2008-08-19 15:20:14,596 ERROR [org.jboss.ws.extensions.security.WSSecurityDispatcher] (http-0.0.0.0-8443-1:) Internal error occured handling inbound message:
      org.jboss.ws.extensions.security.exception.SecurityTokenUnavailableException: Could not locate certificate by key identifier
      at org.jboss.ws.extensions.security.KeyResolver.resolveKeyIdentifier(KeyResolver.java:116)
      at org.jboss.ws.extensions.security.KeyResolver.resolve(KeyResolver.java:89)
      at org.jboss.ws.extensions.security.KeyResolver.resolveCertificate(KeyResolver.java:131)
      at org.jboss.ws.extensions.security.KeyResolver.resolvePublicKey(KeyResolver.java:141)
      at org.jboss.ws.extensions.security.KeyResolver.resolvePublicKey(KeyResolver.java:161)
      at org.jboss.ws.extensions.security.element.Signature.<init>(Signature.java:60)
      at org.jboss.ws.extensions.security.element.SecurityHeader.<init>(SecurityHeader.java:87)
      at org.jboss.ws.extensions.security.SecurityDecoder.decode(SecurityDecoder.java:192)
      at org.jboss.ws.extensions.security.WSSecurityDispatcher.decodeMessage(WSSecurityDispatcher.java:105)
      at org.jboss.ws.extensions.security.jaxws.WSSecurityHandler.handleInboundSecurity(WSSecurityHandler.java:83)
      at org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer.handleInbound(WSSecurityHandlerServer.java:41)
      at org.jboss.wsf.common.handler.GenericHandler.handleMessage(GenericHandler.java:55)
      at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:295)
      at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:140)
      at org.jboss.ws.core.jaxws.handler.HandlerDelegateJAXWS.callRequestHandlerChain(HandlerDelegateJAXWS.java:97)
      at org.jboss.ws.core.server.ServiceEndpointInvoker.callRequestHandlerChain(ServiceEndpointInvoker.java:127)
      at org.jboss.ws.core.server.ServiceEndpointInvoker.invoke(ServiceEndpointInvoker.java:171)
      at org.jboss.wsf.stack.jbws.RequestHandlerImpl.processRequest(RequestHandlerImpl.java:466)
      at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleRequest(RequestHandlerImpl.java:284)
      at org.jboss.wsf.stack.jbws.RequestHandlerImpl.doPost(RequestHandlerImpl.java:201)
      at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:134)
      at org.jboss.wsf.stack.jbws.EndpointServlet.service(EndpointServlet.java:84)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:183)
      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:189)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:525)
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:90)
      at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:96)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:325)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
      at java.lang.Thread.run(Unknown Source)


      Some service config details:
      --------------------------
      @WebService(name = "Statements", targetNamespace = "http://www.wsc.com/", serviceName = "StatementsService", portName = "StatementsPort")
      @EndpointConfig(configName = "Standard WSSecurity Endpoint")
      @SOAPBinding(style = SOAPBinding.Style.DOCUMENT, parameterStyle = SOAPBinding.ParameterStyle.WRAPPED)
      @MTOM(enabled = true)
      @BindingType(value = "http://schemas.xmlsoap.org/wsdl/soap/http?mtom=true")
      @WebContext(secureWSDLAccess = true)
      @SecurityDomain("CPPortal2WSCert")
      @DeclareRoles( {"statements-client"})
      @RolesAllowed( {"statements-client"})
      public class StatementService
      ------------------------------------------------
      <?xml version="1.0" encoding="UTF-8"?>
      <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
      <display-name>statements</display-name>

      <servlet>
      <servlet-name>Statements</servlet-name>
      <servlet-class>com.wsc.cp.web.statements.StatementService</servlet-class>
      </servlet>


      <servlet-mapping>
      <servlet-name>Statements</servlet-name>
      <url-pattern>/statements</url-pattern>
      </servlet-mapping>

      <session-config>
      <session-timeout>30</session-timeout>
      </session-config>

      <login-config>
      <auth-method>CLIENT-CERT</auth-method>
      </login-config>

      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Statements</web-resource-name>
      <url-pattern>/statements</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
      </security-constraint>
      </web-app>
      ----------------------------------
      <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.jboss.com/ws-security/config
      http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
      <key-store-file>WEB-INF/cpportal2.keystore</key-store-file>
      <key-store-password>password</key-store-password>
      <key-store-type>jks</key-store-type>
      <trust-store-file>WEB-INF/cpportal2.truststore</trust-store-file>
      <trust-store-password>password</trust-store-password>
      <trust-store-type>jks</trust-store-type>
      <timestamp-verification createdTolerance="5" warnCreated="true" expiresTolerance="10" warnExpires="true" />

      <!-- -->

      <!-- -->

      </jboss-ws-security>
      ----------------------------------
      CN\=test.client=statements-client
      -------------------------------------------
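A diagnostic for the failure above, added here as an example and not part of the original post or of JBossWS: it loads the server truststore and reports, for every certificate, whether it carries a SubjectKeyIdentifier extension (OID 2.5.29.14) and whether that value equals the wsse:KeyIdentifier from the trace. It assumes that JBossWS resolves an X509SubjectKeyIdentifier reference by matching that extension against the certificates in the truststore, and that a Java 8 or later JDK runs it (java.util.Base64); the store path, password and identifier are passed as arguments.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Enumeration;

/** Compares the SubjectKeyIdentifier of each truststore certificate with a
 *  wsse:KeyIdentifier value (ValueType X509SubjectKeyIdentifier, Base64Binary). */
public class SkiCheck {

    // Strips one DER OCTET STRING header (tag 0x04 plus length) and returns its content.
    static byte[] unwrapOctetString(byte[] der) {
        if (der == null || der.length < 2 || der[0] != 0x04) {
            throw new IllegalArgumentException("not a DER OCTET STRING");
        }
        int len = der[1] & 0xFF, offset = 2;
        if (len > 0x7F) {                 // long form: 0x8N followed by N length bytes
            int n = len & 0x7F;
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[offset++] & 0xFF);
        }
        return Arrays.copyOfRange(der, offset, offset + len);
    }

    // Raw SKI bytes (usually 20) or null when the certificate has no 2.5.29.14 extension.
    static byte[] subjectKeyIdentifier(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue("2.5.29.14");
        if (ext == null) return null;
        // getExtensionValue() wraps the extension in an OCTET STRING, and the SKI
        // value itself is an OCTET STRING, so two layers must be removed.
        return unwrapOctetString(unwrapOctetString(ext));
    }

    public static void main(String[] args) throws Exception {
        // args: <truststore path> <store password> <base64 KeyIdentifier from the message>
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        byte[] wanted = Base64.getDecoder().decode(args[2]);
        boolean found = false;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            byte[] ski = subjectKeyIdentifier(x);
            boolean match = ski != null && Arrays.equals(ski, wanted);
            found |= match;
            System.out.printf("%-12s %-40s SKI=%s%s%n", alias, x.getSubjectX500Principal(),
                ski == null ? "<no SubjectKeyIdentifier extension>" : Base64.getEncoder().encodeToString(ski),
                match ? "  <== matches message" : "");
        }
        System.out.println(found ? "KeyIdentifier is resolvable from this store."
                                 : "No certificate in this store carries the message's KeyIdentifier.");
    }
}
```

A certificate reported without the extension cannot be matched by a SubjectKeyIdentifier reference at all; openssl only adds one when the extension was requested at creation time, whereas keytool adds it by default, so that is the first thing to check for a client certificate created with openssl.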

        • 1. Re: WSSecurity problem: Could not locate certificate by key
          kosulin

jboss-wsse-server.xml in the original message is incomplete. Here is the missing part:

          <config>
          <timestamp ttl="300"/>
          <sign type="x509v3" alias="cpportal2" includeTimestamp="true"/>
          <requires>
          <signature/>
          </requires>
          <authenticate>
          <signatureCertAuth certificatePrincipal="org.jboss.security.auth.certs.SubjectCNMapping"/>
          </authenticate>
          </config>

For an unknown reason the forum editor rejects posting of correct XML, and I was forced to remove the leading angle brackets. Sorry for the inconvenience.

          • 2. Re: WSSecurity problem: Could not locate certificate by key
            peterj


            kosulin wrote:
            For an unknown reason the forum editor rejects posting of correct XML


You can post XML text by selecting the text and clicking the Code button; this places BBCode code tags around the XML text. Also, you can Preview the post to ensure proper formatting before clicking Submit.