
I'm developing a client SOAP service using Spring-Boot and Spring WS which sends SOAP messages to a target service, using a trusted certificate to encrypt the request message. The target service is using a public key from a public-private key pair I generated to encrypt the response. Both the trusted certificate (for encrypting the request) and the private key (for decrypting the response) are in a .jkt file. The request is encrypted and processed correctly by the target service, but I'm having an issue decrypting and validating the response. Here is the error message that I'm getting.

DEBUG o.s.w.s.s.w.Wss4jSecurityInterceptor - Validating message [SaajSoapMessage {http://www.w3.org/2001/04/xmlenc#}EncryptedData] with actions [NoSecurity]
ERROR o.apache.wss4j.common.crypto.Merlin - Cannot find key for alias: [null] in keystore of type [jks] from provider [SUN version 1.8] with size [2] and aliases: {clientalias, serveralias}
WARN  o.s.w.s.s.w.Wss4jSecurityInterceptor - Could not validate request: Cannot find key for alias: [null]; nested exception is org.apache.wss4j.common.ext.WSSecurityException: Cannot find key for alias: [null]

I'm using Wss4jSecurityInterceptor:

@Bean
public Wss4jSecurityInterceptor securityInterceptor(Config c, CryptoFactoryBean cryptoFactoryBean) throws Exception {
    Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor();
    Securement securement = c.getSecurement();
    // set security actions
    securityInterceptor.setSecurementActions(securement.getActions());

    // sign the request
    securityInterceptor.setSecurementUsername(securement.getUsername());
    securityInterceptor.setSecurementPassword(securement.getPassword());
    securityInterceptor.setSecurementSignatureCrypto(cryptoFactoryBean.getObject());

    // encrypt the request
    securityInterceptor.setSecurementEncryptionUser(securement.getEncryptionUser());
    securityInterceptor.setSecurementEncryptionCrypto(cryptoFactoryBean.getObject());
    securityInterceptor.setSecurementEncryptionParts(securement.getEncryptionParts());
    securityInterceptor.setSecurementSignatureKeyIdentifier(securement.getSignatureKeyIdentifier());

    // decrypt the response
    KeyStoreCallbackHandler keyStoreCallbackHandler = new KeyStoreCallbackHandler();
    keyStoreCallbackHandler.setPrivateKeyPassword("xxxxx");
    securityInterceptor.setValidationCallbackHandler(keyStoreCallbackHandler);

    securityInterceptor.setValidationActions("NoSecurity");
    securityInterceptor.setValidationDecryptionCrypto(cryptoFactoryBean.getObject());

    return securityInterceptor;
}

Any ideas how to correctly use an aliased private key from the .jkt to decrypt the response?

EDIT: I had to set the actor on the interceptor to correctly pick up the key from the keystore:

securityInterceptor.setValidationActor("clientalias");
Avantgarde
  • can you show us `keytool -keystore keystore.jks -v -list` ? – Michal Korecki Oct 31 '16 at 09:23
  • Sure @michal-korecki, that's the output: `Keystore type: JKS Keystore provider: SUN Your keystore contains 2 entries clientalias, Oct 27, 2016, PrivateKeyEntry, Certificate fingerprint (SHA1): 44:60:DB:CF:FD:D1:02:EB:B6:80:B6:50:88:7D:FD:30:BB:A8:DF:78 serveralias, Oct 27, 2016, trustedCertEntry, Certificate fingerprint (SHA1): F8:D1:4C:92:94:20:7A:6A:03:BF:98:CE:83:80:E9:23:8B:AD:FA:CF` – Avantgarde Oct 31 '16 at 09:46
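As an added example (not the asker's code), here is a minimal Spring configuration for the decryption side that assumes the keystore entries from the keytool listing above: clientalias as the PrivateKeyEntry and serveralias as the trustedCertEntry; the keystore file name and both passwords are placeholders. It sets Merlin's default alias so the private-key lookup has a keystore entry to fall back on instead of a null alias, and declares Encrypt as the required validation action so an unencrypted response is rejected rather than accepted.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;
import org.springframework.ws.soap.security.wss4j2.callback.KeyStoreCallbackHandler;
import org.springframework.ws.soap.security.wss4j2.support.CryptoFactoryBean;

@Configuration
public class WsSecurityConfig {

    // Constructed values: the aliases match the keytool listing in the comments;
    // the file name and passwords are placeholders, not real credentials.
    private static final String KEYSTORE = "keystore.jks";
    private static final String KEYSTORE_PASSWORD = "changeit";
    private static final String PRIVATE_KEY_ALIAS = "clientalias";  // PrivateKeyEntry: decrypts the response
    private static final String PRIVATE_KEY_PASSWORD = "changeit";
    private static final String SERVER_CERT_ALIAS = "serveralias";  // trustedCertEntry: encrypts the request

    @Bean
    public CryptoFactoryBean cryptoFactoryBean() {
        CryptoFactoryBean crypto = new CryptoFactoryBean();
        crypto.setKeyStoreLocation(new ClassPathResource(KEYSTORE));
        crypto.setKeyStorePassword(KEYSTORE_PASSWORD);
        // Merlin uses this alias when the incoming EncryptedKey does not identify a key
        // it can map to a keystore entry; without it the lookup is for "alias: [null]".
        crypto.setDefaultX509Alias(PRIVATE_KEY_ALIAS);
        return crypto;
    }

    @Bean
    public Wss4jSecurityInterceptor securityInterceptor(CryptoFactoryBean cryptoFactoryBean) throws Exception {
        Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();

        // Outbound: encrypt the request body for the server's public certificate.
        interceptor.setSecurementActions("Encrypt");
        interceptor.setSecurementEncryptionUser(SERVER_CERT_ALIAS);
        interceptor.setSecurementEncryptionCrypto(cryptoFactoryBean.getObject());

        // Inbound: the response must carry an encrypted body, decrypted with our private key.
        // WSS4J compares the security actions found in the message against this list,
        // so a response without encryption fails validation instead of passing through.
        interceptor.setValidationActions("Encrypt");
        interceptor.setValidationDecryptionCrypto(cryptoFactoryBean.getObject());

        KeyStoreCallbackHandler handler = new KeyStoreCallbackHandler();
        handler.setPrivateKeyPassword(PRIVATE_KEY_PASSWORD);  // unlocks clientalias's private key
        interceptor.setValidationCallbackHandler(handler);

        return interceptor;
    }
}
```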
