Search code examples
springspring-bootspring-securityspring-ws

com.sun.xml.wss.XWSSecurityException: Unable to locate certificate for the alias ''

I am trying to encrypt SOAP request. Issue is that the reuest is sign right but when it comes to encryption i get the error bellow:

This is in spring-ws docs (https://docs.spring.io/spring-ws/site/reference/html/security.html):

7.2.4.2. Encryption To encrypt outgoing SOAP messages, the security policy file should contain a Encrypt element. This element can further carry a EncryptionTarget element which indicates which part of the message should be encrypted, and a SymmetricKey to indicate that a shared secret instead of the regular public key should be used to encrypt the message. You can read a description of the other elements here .

The XwsSecurityInterceptor will fire a EncryptionKeyCallback to the registered handlers in order to retrieve the encryption information. Within Spring-WS, there is one class which handled this particular callback: the KeyStoreCallbackHandler.

my error:

2019-10-16 19:56:52.482 ERROR 5264 --- [nio-8080-exec-1] j.e.resource.xml.webservices.security    : WSS0221: Unable to locate matching certificate for Key Encryption using Callback Handler.
2019-10-16 19:56:52.494 ERROR 5264 --- [nio-8080-exec-1] com.sun.xml.wss.logging.impl.filter      : WSS1413: Error extracting certificate 

com.sun.xml.wss.XWSSecurityException: Unable to locate certificate for the alias ''
    at com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.getCertificate(DefaultSecurityEnvironmentImpl.java:365) ~[xws-security-3.0.jar:3.0-FCS]

My code:

 @Bean
    public XwsSecurityInterceptor securityInterceptor() {
        XwsSecurityInterceptor securityInterceptor = new XwsSecurityInterceptor();
        securityInterceptor.setPolicyConfiguration(new ClassPathResource("securityPolicy.xml"));

        try{
            securityInterceptor.setCallbackHandler(callback());
            securityInterceptor.afterPropertiesSet();


        }
            catch (Exception e)  {
                    System.out.println("display Expensionm: " + e);
        }

        return securityInterceptor;
    }

    @Bean
    public KeyStoreCallbackHandler callback() throws Exception{
        KeyStoreCallbackHandler callbackHandler = new KeyStoreCallbackHandler();


        callbackHandler.setPrivateKeyPassword("sopasswordo");
        callbackHandler.setDefaultAlias("test");
        callbackHandler.setKeyStore(keyStoreFactoryBean());
        callbackHandler.setTrustStore(TrustFactoryBean());

        return callbackHandler;
    }



    @Bean
    public KeyStore keyStoreFactoryBean(){
        KeyStoreFactoryBean keyStoreFactoryBean = new KeyStoreFactoryBean();
        keyStoreFactoryBean.setPassword("sotore_passwordo");
        //keyStoreFactoryBean.setType("JKS");
        System.out.println("1");
        keyStoreFactoryBean.setLocation(new FileSystemResource("C:\\Users\\miha_\\OneDrive\\Dokumenti\\Job\\Lj\\Spring\\Porting\\target\\classes\\softnet.jks"));
        try{
            keyStoreFactoryBean.afterPropertiesSet();
        }catch (Exception e){
            System.out.println("e: "+e );
        }

        return  keyStoreFactoryBean.getObject();
    }

    @Bean
    public KeyStore TrustFactoryBean(){
        KeyStoreFactoryBean trustFactory = new KeyStoreFactoryBean();
        trustFactory.setPassword("sostore_passwordo");
        //keyStoreFactoryBean.setType("JKS");
        System.out.println("1");
        trustFactory.setLocation(new FileSystemResource("C:\\Users\\miha_\\OneDrive\\Dokumenti\\Job\\Lj\\Spring\\Porting\\target\\classes\\trust.jks"));
        try{
            trustFactory.afterPropertiesSet();
        }catch (Exception e){
            System.out.println("e: "+e );
        }

        return  trustFactory.getObject();
    }

@Override
    public void addInterceptors(List interceptors) {
        interceptors.add(securityInterceptor());
    }

I do not know what the alias for enrypt cert is not set and cert is not retrieved. I set default alias but I guess I am missing also something else.

My policy:

<xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    <xwss:Sign includeTimestamp="false" />
    <xwss:Encrypt />
</xwss:SecurityConfiguration>
Solution

  • The xwss:Encrypt element is used by a client along with a public key (certificate) of a server to initialize the exchange of a shared secret (symetric key).

    You need to provide the alias-name of the server certificate (public key of the server) within your client keystore.

    Example:

    <xwss:Encrypt>
    <xwss:X509Token certificateAlias="myServerPubCert"/>
</xwss:Encrypt>

    You also have to provide the alias-name of your client's private key to the xwss:sign element.

    Example:

    <xwss:Sign includeTimestamp="false">
    <xwss:X509Token certificateAlias="myClientPrivKey"/>
</xwss:Sign>