org.apache.ws.security.WSSecurityException: Cannot encrypt data; nest ed exception is: org.apache.xml.security.encryption.XMLEncryptionException: Illegal key s ize or default parameters Original Exception was java.security.InvalidKeyException

test-resources/keys/interop2.jks contents:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

alice, Jun 4, 2005, PrivateKeyEntry,
Certificate fingerprint (MD5): 57:CE:81:F1:03:C4:2C:F7:5B:1A:DE:AC:43:64:0A:84
root, Jun 4, 2005, trustedCertEntry,
Certificate fingerprint (MD5): 0C:0D:00:27:BF:4B:32:63:40:A8:B2:03:96:4B:58:14
ca, Jun 4, 2005, trustedCertEntry,
Certificate fingerprint (MD5): CA:0A:6D:E3:A4:9F:E8:55:98:0A:F8:10:66:35:40:C6
bob, Jun 4, 2005, PrivateKeyEntry,
Certificate fingerprint (MD5): 89:3E:86:D2:4F:9C:E7:39:B6:71:8A:EF:00:C5:89:DC

test-resources/policy/rampart-asymm-binding-1.xml:
<wsp:Policy wsu:Id="6" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
</wsp:Policy>
</sp:Wss10>
<sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust10>

<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:user>alice</ramp:user>
<ramp:encryptionUser>bob</ramp:encryptionUser>
<ramp:passwordCallbackClass>org.apache.rampart.TestCBHandler</ramp:passwordCallbackClass>

<ramp:signatureCrypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.file">test-resources/keys/interop2.jks</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
</ramp:crypto>
</ramp:signatureCrypto>
<ramp:encryptionCypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.file">test-resources/keys/interop2.jks</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
</ramp:crypto>
</ramp:encryptionCypto>
</ramp:RampartConfig>

</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>

org.apache.rampart.RampartMessageBuilderTest (which loads rampart-asymm-binding-1.xml policy file)

public void testAsymmBinding() {
try

org.apache.rampart.builder.AsymmetricBindingBuilder.java:

//build method passes on the RampartMessageData

public void build(RampartMessageData rmd) throws RampartException {
log.debug("AsymmetricBindingBuilder build invoked");

RampartPolicyData rpd = rmd.getPolicyData();
if (rpd.isIncludeTimestamp())

if (SPConstants.ENCRYPT_BEFORE_SIGNING.equals(rpd.getProtectionOrder()))

else

log.debug("AsymmetricBindingBuilder build invoked : DONE");
}

..........
private void doEncryptBeforeSig(RampartMessageData rmd)
throws RampartException {

long t0 = 0, t1 = 0, t2 = 0;
if(dotDebug)

RampartPolicyData rpd = rmd.getPolicyData();
Document doc = rmd.getDocument();
RampartConfig config = rpd.getRampartConfig();

/*

• We need to hold on to these two element to use them as refence in the
• case of encypting the signature
  */
  Element encrDKTokenElem = null;
  WSSecEncrypt encr = null;
  Element refList = null;
  WSSecDKEncrypt dkEncr = null;

/*

• We MUST use keys derived from the same token
  */
  Token encryptionToken = null;
  if(rmd.isInitiator()) { encryptionToken = rpd.getRecipientToken(); }

  else

  { encryptionToken = rpd.getInitiatorToken(); }

  Vector encrParts = RampartUtil.getEncryptedParts(rmd);

//Signed parts are determined before encryption because encrypted signed headers
//will not be included otherwise
this.sigParts = RampartUtil.getSignedParts(rmd);

if(encryptionToken == null && encrParts.size() > 0)

if (encryptionToken != null && encrParts.size() > 0) {

//Check for RampartConfig assertion
if(rpd.getRampartConfig() == null)

if (encryptionToken.isDerivedKeys()) {
try {
this.setupEncryptedKey(rmd, encryptionToken);
// Create the DK encryption builder
dkEncr = new WSSecDKEncrypt();
dkEncr.setParts(encrParts);
dkEncr.setExternalKey(this.encryptedKeyValue,
this.encryptedKeyId);

/*********this rpd.getAlgorithmSuite() returns null causes grief ******/
/*****this is the AlgorithmSuite provided by policy file
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<!-- safe to assume the key length is 256 -->
*******/
/****** rpd.getAlgorithmSuite().getEncryptionDerivedKeyLength()
if (SPConstants.ALGO_SUITE_BASIC256.equals(algoSuite))

********/
/***** rpd.getAlgorithmSuite().getEncryptionDerivedKeyLength()/8 256/8 produces 32 ******/

/*** lets take the root key 0C:0D:00:27:BF:4B:32:63:40:A8:B2:03:96:4B:58:14 *******/
/****this is 16 bytes */
/***16 != 32 so the Assymetric TestCase will always fail*/
dkEncr.setDerivedKeyLength(rpd.getAlgorithmSuite().getEncryptionDerivedKeyLength()/8);
dkEncr.prepare(doc);

// Get and add the DKT element
this.encrDKTElement = dkEncr.getdktElement();
encrDKTokenElem = RampartUtil.appendChildToSecHeader(rmd, this.encrDKTElement);

refList = dkEncr.encryptForExternalRef(null, encrParts);

} catch (WSSecurityException e)

catch (ConversationException e)

} else {
try {
encr = new WSSecEncrypt();
encr.setParts(encrParts);
encr.setWsConfig(rmd.getConfig());
encr.setDocument(doc);
RampartUtil.setEncryptionUser(rmd, encr);
encr.setSymmetricEncAlgorithm(rpd.getAlgorithmSuite().getEncryption());
RampartUtil.setKeyIdentifierType(rpd,encr, encryptionToken);
encr.setKeyEncAlgo(rpd.getAlgorithmSuite().getAsymmetricKeyWrap());
encr.prepare(doc, RampartUtil.getEncryptionCrypto(config, rmd.getCustomClassLoader()));

Element bstElem = encr.getBinarySecurityTokenElement();
if (bstElem != null)

this.encrTokenElement = encr.getEncryptedKeyElement();
this.encrTokenElement = RampartUtil.appendChildToSecHeader(rmd,
encrTokenElement);

refList = encr.encryptForExternalRef(null, encrParts);

} catch (WSSecurityException e)

}

SOLUTION:
repackage a 32 byte long keystore (test-resources/keys/interop2.jks contents file

i would propose a change in AlgorithmSuite to 128 in
test-resources/policy/rampart-asymm-binding-1.xml should use a 128 AlgorithmSuite
but the schema defined at
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.xsd
does not support 128 Byte Encryption..minimum size for AlgorithmSuite is 256 byte