I am working with a CXF-STS application following the example from http://web-gmazza.rhcloud.com/blog/entry/cxf-sts-tutorial. I am able to generate SAML assertion but it fails when it hits the Service Provider.
I have the PasswordCallback at the Service as:

    // passwords is a Map<String, String> of alias -> key password populated elsewhere in the handler
    @Override
    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        for (int index = 0; index < callbacks.length; index++) {
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[index];
            int usage = pc.getUsage();
            // only answer requests for the private key used to decrypt or sign
            if (usage == WSPasswordCallback.DECRYPT || usage == WSPasswordCallback.SIGNATURE) {
                String pass = (String) passwords.get(pc.getIdentifier());
                if (pass != null) {
                    pc.setPassword(pass);
                    return;
                }
            }
        }
    }
The WSPasswordCallback type is found as SECRETKEY or something, but not WSPasswordCallback.DECRYPT or WSPasswordCallback.SIGNATURE.
The identifier, when debugged in the above code, shows as _0bfaf221-9588-4033-b3fa-db9ecbd478fe
or some other random text. On the service provider I have a SymmetricBinding with KeyType SymmetricKey as:
    <sp:SymmetricBinding>
      <wsp:Policy>
        <sp:ProtectionToken>
          <wsp:Policy>
            <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
              <sp:RequestSecurityTokenTemplate>
                <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
                <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</t:KeyType>
                <t:KeySize>256</t:KeySize>
              </sp:RequestSecurityTokenTemplate>
              <wsp:Policy>
                <sp:RequireInternalReference/>
              </wsp:Policy>
              <sp:Issuer>
                <wsaw:Address>http://localhost:8080/StsService/services/STS</wsaw:Address>
                <wsaw:Metadata>
                  <wsx:Metadata>
                    <wsx:MetadataSection>
                      <wsx:MetadataReference>
                        <wsaw:Address>http://localhost:8080/StsService/services/STS/mex</wsaw:Address>
                      </wsx:MetadataReference>
                    </wsx:MetadataSection>
On the STS end I am providing the public key of the Service Provider for encryption as:

    <bean id="utSTSProperties"
          class="org.apache.cxf.sts.StaticSTSProperties">
        <property name="signaturePropertiesFile" value="springconfig/keystore.properties"/>
        <property name="signatureUsername" value="${stskeyalias}"/>
        <property name="callbackHandlerClass" value="com.security.sts.security.StsPasswordCallbackHandler"/>
        <property name="encryptionUsername" value="${serverkeyalias}" />
        <property name="encryptionPropertiesFile" value="springconfig/keystore.properties" />
        <property name="issuer" value="cieron"/>
    </bean>
Following the suggestions at http://mail-archives.apache.org/mod_mbox/cxf-users/201112.mbox/%3CCAB8XdGABkphcJXTbtVpDfBZ3KcymtZYX-Rmv0H8QiuwYNHP5OQ@mail.gmail.com%3E and http://coheigea.blogspot.in/2011/05/ws-trust-sample-in-talend-service.html,
I am not sure how the symmetric key is available to the Service Provider, as it is encrypted.
I have checked all related files and everything seems intact. I have my example at https://github.com/sampleref/CXFSecurity for reference. I am facing an error when running the client, with the service provider logs showing:
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:722)
    Caused by: org.apache.wss4j.common.ext.WSSecurityException: No certificates were found for decryption (KeyId)
        at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.getCertificatesFromEncryptedKey(EncryptedKeyProcessor.java:372)
        at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:137)
        at org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor.processSAMLKeyInfo(WSSSAMLKeyInfoProcessor.java:80)
        at org.apache.wss4j.common.saml.SAMLUtil.getCredentialFromKeyInfo(SAMLUtil.java:225)
        at org.apache.wss4j.common.saml.SAMLUtil.getCredentialFromSubject(SAMLUtil.java:152)
        at org.apache.wss4j.common.saml.SamlAssertionWrapper.parseSubject(SamlAssertionWrapper.java:672)
        at org.apache.wss4j.dom.processor.SAMLTokenProcessor.handleSAMLToken(SAMLTokenProcessor.java:193)
        at org.apache.wss4j.dom.processor.SAMLTokenProcessor.handleToken(SAMLTokenProcessor.java:79)
        at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:427)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:257)
No certificates found. Please provide some suggestions.
Thanks
Your STS + Service Keystores appear to contain different keys...
STS:

    serverkeyalias, 13-Jul-2014, trustedCertEntry, Certificate fingerprint (SHA1): 45:4E:EB:4C:35:89:17:E6:A4:0E:94:FB:61:9B:81:83:FB:A0:82:B1

Server:

    serverkeyalias, 12-Jul-2014, PrivateKeyEntry, Certificate fingerprint (SHA1): B8:E6:BA:A5:07:24:69:B3:5E:08:2F:A3:CE:97:D8:2E:E2:E1:31:F8
Colm.
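The mismatch Colm points out is the whole cause of "No certificates were found for decryption": the STS encrypts the SAML proof key to whatever certificate sits under `encryptionUsername` in its keystore, and the service can only decrypt it if its own `PrivateKeyEntry` under that alias carries the same certificate. The program below is an added example (not code from the question's repository, nor from CXF or WSS4J) that loads both keystores with the JDK `KeyStore` API and checks exactly that before any SOAP traffic is sent: same alias present on both sides, a real key entry (not just a trusted cert) on the service side, identical DER encoding and SHA-1 fingerprint, and a key password the callback handler could actually hand back. The keystore paths, alias, passwords and keystore type are placeholders to replace with your own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/**
 * Verifies that the certificate the STS encrypts the proof key to (the
 * trustedCertEntry under the encryptionUsername alias in the STS keystore)
 * is the certificate of the PrivateKeyEntry the service decrypts with.
 * All file names, passwords and the alias below are placeholders.
 */
public class KeystoreAliasCheck {

    /** keytool-style colon-separated SHA-1 fingerprint of a certificate. */
    static String sha1Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    static KeyStore load(String path, char[] storePassword, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePassword);
        }
        return ks;
    }

    /** True only if both keystores hold the same certificate under the alias and the service's private key is usable. */
    static boolean aliasesMatch(KeyStore sts, KeyStore service, String alias, char[] keyPassword) throws Exception {
        Certificate stsCert = sts.getCertificate(alias);
        if (stsCert == null) {
            System.out.println("STS keystore has no entry for alias " + alias);
            return false;
        }
        // A trustedCertEntry on the service side cannot decrypt anything; it must be a PrivateKeyEntry.
        if (!service.isKeyEntry(alias)) {
            System.out.println("Service keystore has no PrivateKeyEntry for alias " + alias);
            return false;
        }
        Certificate serviceCert = service.getCertificate(alias); // leaf cert of the key entry's chain
        // Throws UnrecoverableKeyException if the key password the callback handler would return is wrong.
        PrivateKey key = (PrivateKey) service.getKey(alias, keyPassword);

        System.out.println("STS     : " + alias + " " + sha1Fingerprint(stsCert)
                + " " + ((X509Certificate) stsCert).getSubjectX500Principal());
        System.out.println("Service : " + alias + " " + sha1Fingerprint(serviceCert)
                + " " + ((X509Certificate) serviceCert).getSubjectX500Principal());

        boolean same = Arrays.equals(stsCert.getEncoded(), serviceCert.getEncoded());
        if (!same) {
            System.out.println("MISMATCH: the STS encrypts to a certificate whose private key the service does not hold");
        }
        return same && key != null;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths/passwords; in the question both sides point at springconfig/keystore.properties,
        // so take the real values from the org.apache.wss4j.crypto.merlin.* entries in those files.
        KeyStore sts = load("sts-keystore.jks", "stsStorePassword".toCharArray(), "JKS");
        KeyStore service = load("service-keystore.jks", "serviceStorePassword".toCharArray(), "JKS");
        boolean ok = aliasesMatch(sts, service, "serverkeyalias", "serverKeyPassword".toCharArray());
        System.out.println(ok ? "OK: STS and service agree on " + "serverkeyalias"
                              : "FAIL: fix the keystores before running the client");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it against the two keystores referenced by the STS and service `keystore.properties`; with the keystores shown in the answer it prints the two differing fingerprints (45:4E:... versus B8:E6:...) and exits non-zero. The fix is to export the certificate of the service's `PrivateKeyEntry` and import that, under the same alias, as the `trustedCertEntry` the STS uses for encryption, then rerun the check until the fingerprints agree.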