1. 技术文章
  2. Signing SOAP header using Wss4j in Spring throwing errors “Caused by: java.security.UnrecoverableKeyException: Given final block not properly padded”

Signing SOAP header using Wss4j in Spring throwing errors “Caused by: java.security.UnrecoverableKeyException: Given final block not properly padded”

荒凉一梦 提交于 2020-07-10 08:00:19

问题


I am implementing a SOAP client using Spring Boot for the below configuration to connect with third party web server. Below is my WS-security outgoing configuration used with SOAPUI Client.

and timestamp and username configuration is as follows

I have written Wss4jSecurityInterceptor for the above configuration which is as follows.

@Configuration
public class Config {

    private static final Logger LOGGER = LoggerFactory.getLogger(Config.class);

    @Bean
    public Jaxb2Marshaller marshaller() {
        Jaxb2Marshaller marshaller = new Jaxb2Marshaller();
        // this is the package name specified in the <generatePackage> specified in
        // pom.xml
        marshaller.setContextPath("co.yabx.bureau.wsdl");
        return marshaller;
    }

    @Bean
    public ExecuteStrategy executeStrategy(Jaxb2Marshaller jaxb2Marshaller) throws Exception {
        ExecuteStrategy soapClient = new ExecuteStrategy();
        soapClient.setDefaultUri("https://demo-abc/dummy/url");
        soapClient.setMarshaller(jaxb2Marshaller);
        soapClient.setUnmarshaller(jaxb2Marshaller);
        ClientInterceptor[] interceptors = new ClientInterceptor[] { wss4jSecurityInterceptor() };
        soapClient.setInterceptors(interceptors);

        return soapClient;
    }

    @Bean
    public CryptoFactoryBean cryptoFactoryBean() throws IOException {
        CryptoFactoryBean cryptoFactoryBean = new CryptoFactoryBean();

        cryptoFactoryBean.setKeyStoreType("PKCS12");
        cryptoFactoryBean.setKeyStorePassword("123456");
        cryptoFactoryBean.setDefaultX509Alias("1");

        ClassPathResource classPathResource = new ClassPathResource("\\jks\\exdemo.p12"); //
        // System.out.println(classPathResource.getURL());
        cryptoFactoryBean.setKeyStoreLocation(classPathResource);

        return cryptoFactoryBean;
    }

    @Bean
    public Wss4jSecurityInterceptor wss4jSecurityInterceptor() throws Exception {

        Wss4jSecurityInterceptor wss4jSecurityInterceptor = new Wss4jSecurityInterceptor();
        wss4jSecurityInterceptor.setSecurementActions("UsernameToken Timestamp Signature");

        // Sign the request

    wss4jSecurityInterceptor.setSecurementSignatureUser("alias"); // alias vale used in above screenshot
        wss4jSecurityInterceptor.setSecurementUsername("pqr");
        wss4jSecurityInterceptor.setSecurementTimeToLive(60);
        wss4jSecurityInterceptor.setSecurementPassword("lmn*");
        wss4jSecurityInterceptor.setSecurementPasswordType(WSConstants.PW_TEXT);
        wss4jSecurityInterceptor.setSecurementUsernameTokenNonce(true);
        wss4jSecurityInterceptor.setSecurementUsernameTokenCreated(true);
        wss4jSecurityInterceptor.setSecurementSignatureCrypto(cryptoFactoryBean().getObject());

        // Encrypt the request

        // wss4jSecurityInterceptor.setSecurementEncryptionUser("server-public");
        wss4jSecurityInterceptor.setSecurementSignatureKeyIdentifier("DirectReference");
        wss4jSecurityInterceptor.setSecurementSignatureAlgorithm(WSConstants.RSA_SHA1);
        wss4jSecurityInterceptor.setSecurementSignatureDigestAlgorithm(WSConstants.SHA1);
        wss4jSecurityInterceptor.setSecurementMustUnderstand(true);
        // wss4jSecurityInterceptor.setSecurementEncryptionUser(securementEncryptionUser);

        wss4jSecurityInterceptor.setRemoveSecurityHeader(true);
        wss4jSecurityInterceptor.setSecurementEncryptionCrypto(cryptoFactoryBean().getObject());

        return wss4jSecurityInterceptor;
    }

}

After setting the whole configuration and running the application it is throwing error, which is as follows.

2020-04-20 15:45:21.826 ERROR 1172 --- [           main] o.a.wss4j.dom.message.WSSecSignature     : No message with ID "noPrivateKey" found in resource bundle "org/apache/xml/security/resource/xmlsecurity"

org.apache.wss4j.common.ext.WSSecurityException: No message with ID "noPrivateKey" found in resource bundle "org/apache/xml/security/resource/xmlsecurity"
    at org.apache.wss4j.common.crypto.Merlin.getPrivateKey(Merlin.java:722) ~[wss4j-ws-security-common-2.2.3.jar:2.2.3]
    at org.apache.wss4j.dom.message.WSSecSignature.computeSignature(WSSecSignature.java:558) ~[wss4j-ws-security-dom-2.2.3.jar:2.2.3]
    at org.apache.wss4j.dom.action.SignatureAction.execute(SignatureAction.java:166) [wss4j-ws-security-dom-2.2.3.jar:2.2.3]
    at org.apache.wss4j.dom.handler.WSHandler.doSenderAction(WSHandler.java:238) [wss4j-ws-security-dom-2.2.3.jar:2.2.3]
    at org.springframework.ws.soap.security.wss4j2.Wss4jHandler.doSenderAction(Wss4jHandler.java:63) [spring-ws-security-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor.secureMessage(Wss4jSecurityInterceptor.java:574) [spring-ws-security-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.soap.security.AbstractWsSecurityInterceptor.handleRequest(AbstractWsSecurityInterceptor.java:210) [spring-ws-security-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:597) [spring-ws-core-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:555) [spring-ws-core-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:390) [spring-ws-core-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:383) [spring-ws-core-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:373) [spring-ws-core-3.0.8.RELEASE.jar:na]
    at co.yabx.bureau.client.ExecuteStrategy.executeStrategy(ExecuteStrategy.java:18) [classes/:na]
    at co.yabx.bureau.BureauSoapServiceApplication.main(BureauSoapServiceApplication.java:34) [classes/:na]
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(Unknown Source) ~[na:1.8.0_171]
    at java.security.KeyStore.getKey(Unknown Source) ~[na:1.8.0_171]
    at org.apache.wss4j.common.crypto.Merlin.getPrivateKey(Merlin.java:710) ~[wss4j-ws-security-common-2.2.3.jar:2.2.3]
    ... 13 common frames omitted
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:991) ~[sunjce_provider.jar:1.8.0_171]
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:847) ~[sunjce_provider.jar:1.8.0_171]
    at com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:399) ~[sunjce_provider.jar:1.8.0_171]
    at com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede.engineDoFinal(PKCS12PBECipherCore.java:431) ~[sunjce_provider.jar:1.8.0_171]
    at javax.crypto.Cipher.doFinal(Cipher.java:2164) ~[na:1.8.0_171]
    ... 16 common frames omitted

2020-04-20 15:45:21.827 ERROR 1172 --- [           main] o.s.w.s.s.w.Wss4jSecurityInterceptor     : Could not secure response: Error during Signature: ; nested exception is org.apache.wss4j.common.ext.WSSecurityException: Error during Signature: 
Original Exception was org.apache.wss4j.common.ext.WSSecurityException: No message with ID "noPrivateKey" found in resource bundle "org/apache/xml/security/resource/xmlsecurity"
Original Exception was org.apache.wss4j.common.ext.WSSecurityException: No message with ID "noPrivateKey" found in resource bundle "org/apache/xml/security/resource/xmlsecurity"
Original Exception was java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

org.springframework.ws.soap.security.wss4j2.Wss4jSecuritySecurementException: Error during Signature: ; nested exception is org.apache.wss4j.common.ext.WSSecurityException: Error during Signature: 
Original Exception was org.apache.wss4j.common.ext.WSSecurityException: No message with ID "noPrivateKey" found in resource bundle "org/apache/xml/security/resource/xmlsecurity"
Original Exception was org.apache.wss4j.common.ext.WSSecurityException: No message with ID "noPrivateKey" found in resource bundle "org/apache/xml/security/resource/xmlsecurity"
Original Exception was java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor.secureMessage(Wss4jSecurityInterceptor.java:577) ~[spring-ws-security-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.soap.security.AbstractWsSecurityInterceptor.handleRequest(AbstractWsSecurityInterceptor.java:210) ~[spring-ws-security-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:597) [spring-ws-core-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:555) [spring-ws-core-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:390) [spring-ws-core-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:383) [spring-ws-core-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:373) [spring-ws-core-3.0.8.RELEASE.jar:na]
    at co.yabx.bureau.client.ExecuteStrategy.executeStrategy(ExecuteStrategy.java:18) [classes/:na]
    at co.yabx.bureau.BureauSoapServiceApplication.main(BureauSoapServiceApplication.java:34) [classes/:na]
Caused by: org.apache.wss4j.common.ext.WSSecurityException: Error during Signature: 
    at org.apache.wss4j.dom.action.SignatureAction.execute(SignatureAction.java:174) ~[wss4j-ws-security-dom-2.2.3.jar:2.2.3]
    at org.apache.wss4j.dom.handler.WSHandler.doSenderAction(WSHandler.java:238) ~[wss4j-ws-security-dom-2.2.3.jar:2.2.3]
    at org.springframework.ws.soap.security.wss4j2.Wss4jHandler.doSenderAction(Wss4jHandler.java:63) ~[spring-ws-security-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor.secureMessage(Wss4jSecurityInterceptor.java:574) ~[spring-ws-security-3.0.8.RELEASE.jar:na]
    ... 8 common frames omitted
Caused by: org.apache.wss4j.common.ext.WSSecurityException: No message with ID "noPrivateKey" found in resource bundle "org/apache/xml/security/resource/xmlsecurity"
    at org.apache.wss4j.dom.message.WSSecSignature.computeSignature(WSSecSignature.java:615) ~[wss4j-ws-security-dom-2.2.3.jar:2.2.3]
    at org.apache.wss4j.dom.action.SignatureAction.execute(SignatureAction.java:166) ~[wss4j-ws-security-dom-2.2.3.jar:2.2.3]
    ... 11 common frames omitted
Caused by: org.apache.wss4j.common.ext.WSSecurityException: No message with ID "noPrivateKey" found in resource bundle "org/apache/xml/security/resource/xmlsecurity"
    at org.apache.wss4j.common.crypto.Merlin.getPrivateKey(Merlin.java:722) ~[wss4j-ws-security-common-2.2.3.jar:2.2.3]
    at org.apache.wss4j.dom.message.WSSecSignature.computeSignature(WSSecSignature.java:558) ~[wss4j-ws-security-dom-2.2.3.jar:2.2.3]
    ... 12 common frames omitted
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(Unknown Source) ~[na:1.8.0_171]
    at java.security.KeyStore.getKey(Unknown Source) ~[na:1.8.0_171]
    at org.apache.wss4j.common.crypto.Merlin.getPrivateKey(Merlin.java:710) ~[wss4j-ws-security-common-2.2.3.jar:2.2.3]
    ... 13 common frames omitted
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:991) ~[sunjce_provider.jar:1.8.0_171]
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:847) ~[sunjce_provider.jar:1.8.0_171]
    at com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:399) ~[sunjce_provider.jar:1.8.0_171]
    at com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede.engineDoFinal(PKCS12PBECipherCore.java:431) ~[sunjce_provider.jar:1.8.0_171]
    at javax.crypto.Cipher.doFinal(Cipher.java:2164) ~[na:1.8.0_171]
    ... 16 common frames omitted

I also tried creating CrytpoFactoryBean using properties but still getting the same issue. Below is the property configuration I tried

        Properties properties = new Properties();
        properties.setProperty("org.apache.ws.security.crypto.provider", "org.apache.wss4j.common.crypto.Merlin");
        properties.setProperty("org.apache.wss4j.crypto.merlin.keystore.alias", "alias");
        properties.setProperty("org.apache.ws.security.crypto.merlin.keystore.type", "PKCS12");
        properties.setProperty("org.apache.ws.security.crypto.merlin.keystore.password", "123456");
        properties.setProperty("org.apache.ws.security.crypto.merlin.keystore.file",
                "\\jks\\exdemo.p12");
        cryptoFactoryBean.setConfiguration(properties);

        try {
            cryptoFactoryBean.afterPropertiesSet();
        } catch (Exception e) { // TODO Auto-generated catch block
            e.printStackTrace();
        }

I don't understand what mistakes am I doing. Anyhelp will be appreciated.


回答1:


In the above code, I was adding security configurations for Username, password, and Signature together, instead, I have to keep them in separate arrays as follows.

@Bean
public ExecuteStrategy executeStrategy(Jaxb2Marshaller jaxb2Marshaller) throws Exception {
    ExecuteStrategy soapClient = new ExecuteStrategy();
    soapClient.setDefaultUri("https://demo-servicesesb.datacredito.com.co/wss/DecisorWS/services/dummyService/MotorService");
    soapClient.setMarshaller(jaxb2Marshaller);
    soapClient.setUnmarshaller(jaxb2Marshaller);

    ClientInterceptor[] interceptors = wss4jSecurityInterceptor();
    soapClient.setInterceptors(interceptors);

    return soapClient;
}

and

@Bean
public Wss4jSecurityInterceptor[] wss4jSecurityInterceptor() throws Exception {
    // org.apache.xml.security.Init.init();

    Wss4jSecurityInterceptor wss4jSecurityInterceptor = new Wss4jSecurityInterceptor();
    wss4jSecurityInterceptor.setSecurementActions("UsernameToken");

    // Sign in the request

    wss4jSecurityInterceptor.setSecurementUsername("dummyUser");
    wss4jSecurityInterceptor.setSecurementPassword("dummyPassword");
    // wss4jSecurityInterceptor.setSecurementPassword("123456");
    wss4jSecurityInterceptor.setSecurementPasswordType(WSConstants.PW_TEXT);
    wss4jSecurityInterceptor.setSecurementUsernameTokenNonce(true);
    wss4jSecurityInterceptor.setSecurementUsernameTokenCreated(true);
    wss4jSecurityInterceptor.afterPropertiesSet();

    Wss4jSecurityInterceptor wss4jSecurityInterceptor1 = new Wss4jSecurityInterceptor();
    wss4jSecurityInterceptor1.setSecurementActions("Signature");

    wss4jSecurityInterceptor1.setSecurementSignatureUser("1");
    wss4jSecurityInterceptor1.setSecurementPassword("123456");
    wss4jSecurityInterceptor1.setSecurementSignatureKeyIdentifier("DirectReference");
    wss4jSecurityInterceptor1.setSecurementSignatureAlgorithm(WSConstants.RSA_SHA1);
    wss4jSecurityInterceptor1.setSecurementSignatureDigestAlgorithm(WSConstants.SHA1);
    wss4jSecurityInterceptor1.setSecurementTimeToLive(60);
    wss4jSecurityInterceptor1.setTimestampPrecisionInMilliseconds(true);
    
    wss4jSecurityInterceptor1.setSecurementSignatureCrypto(cryptoFactoryBean().getObject());
    

    wss4jSecurityInterceptor1.afterPropertiesSet();

    Wss4jSecurityInterceptor[] wss4jSecurityInterceptorArray = new Wss4jSecurityInterceptor[2];
    wss4jSecurityInterceptorArray[0] = wss4jSecurityInterceptor;
    wss4jSecurityInterceptorArray[1] = wss4jSecurityInterceptor1;

    return wss4jSecurityInterceptorArray;
}

and

@Bean
public CryptoFactoryBean cryptoFactoryBean() throws IOException {
    
    CryptoFactoryBean cryptoFactoryBean = new CryptoFactoryBean();
    Properties properties = new Properties();
    properties.setProperty("org.apache.ws.security.crypto.provider", "org.apache.wss4j.common.crypto.Merlin");
    properties.setProperty("org.apache.wss4j.crypto.merlin.keystore.alias", "1");
    properties.setProperty("org.apache.ws.security.crypto.merlin.keystore.type", "PKCS12");
    properties.setProperty("org.apache.ws.security.crypto.merlin.keystore.password", "123456");
    properties.setProperty("org.apache.ws.security.crypto.merlin.keystore.file",
            "C:\\abc.p12");
    cryptoFactoryBean.setConfiguration(properties);

    try {
        cryptoFactoryBean.afterPropertiesSet();
    } catch (Exception e) {
        e.printStackTrace();
    }
    return cryptoFactoryBean;
}

Keeping the wss4jSecurityInterceptor as an array for username/password as separate and Signature as separate array, worked for me.



来源:https://stackoverflow.com/questions/61320311/signing-soap-header-using-wss4j-in-spring-throwing-errors-caused-by-java-secur

标签
java
Spring
spring-boot
spring-security
wss4j
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!