WSS4J / WSS-663

Missing ECC key support

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.3.0, 2.2.5
    • Component/s: None
    • Labels: None

    Description

      Multiple classes in the WSS4J library cannot handle elliptic curve keys.

      When you use EC keys with SignatureAction.execute() and don't provide a signature algorithm, it throws an "unknownSignatureAlgorithm" exception because it only checks for "RSA" or "DSA" keys.

      You can set the Signature Algorithm property to work around that.

      The much bigger problem is that the AlgorithmSuiteValidator.checkAsymmetricKeyLength() method doesn't accept signatures generated with EC keys.

      Here is the stack trace. Ignore the "No message with ID" message; that's because WSSec.init() was not called in time:

      A security error was encountered when verifying the message
                      at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:236)
                      at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:376)
                      at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:212)
                      at de.aok.epa.accessgateway.authentication.interceptor.CustomWss4jInInterceptor.handleMessage(CustomWss4jInInterceptor.java:85)
                      at de.aok.epa.accessgateway.authentication.interceptor.CustomWss4jInInterceptor.handleMessage(CustomWss4jInInterceptor.java:1)
                      at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
                      at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
                      at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)
                      at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
                      at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
                      at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
                      at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216)
                      at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301)
                      at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220)
                      at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
                      at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276)
                      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
                      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
                      at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
                      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
                      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
                      at brave.servlet.TracingFilter.doFilter(TracingFilter.java:65)
                      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
                      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
                      at de.aok.epa.accessgateway.authentication.configuration.WebServiceConfiguration.lambda$0(WebServiceConfiguration.java:192)
                      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
                      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
                      at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
                      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
                      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
                      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
                      at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
                      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
                      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
                      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
                      at org.springframework.cloud.sleuth.instrument.web.ExceptionLoggingFilter.doFilter(ExceptionLoggingFilter.java:50)
                      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
                      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
                      at brave.servlet.TracingFilter.doFilter(TracingFilter.java:82)
                      at org.springframework.cloud.sleuth.instrument.web.LazyTracingFilter.doFilter(TraceWebServletAutoConfiguration.java:138)
                      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
                      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
                      at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:108)
                      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
                      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
                      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
                      at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
                      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
                      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
                      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
                      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
                      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
                      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
                      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
                      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
                      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
                      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
                      at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)
                      at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
                      at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
                      at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)
                      at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
                      at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
                      at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
                      at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
                      at java.base/java.lang.Thread.run(Thread.java:834)
      Caused by: org.apache.wss4j.common.ext.WSSecurityException: No message with ID "INVALID_SECURITY" found in resource bundle "org/apache/xml/security/resource/xmlsecurity"
                      at org.apache.wss4j.common.crypto.AlgorithmSuiteValidator.checkAsymmetricKeyLength(AlgorithmSuiteValidator.java:212)
                      at org.apache.wss4j.common.crypto.AlgorithmSuiteValidator.checkAsymmetricKeyLength(AlgorithmSuiteValidator.java:164)
                      at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:222)
                      at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340)
                      at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:320)
                      ... 64 common frames omitted
      

      There is already some kind of fork with some EC key fixes, but I can't say if it's complete and correct: https://github.com/damianskolasa/wss4j-ecc
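The two failure points the description names, as an added stand-alone example that is not WSS4J's code and is not the fix that shipped: choosing a default signature algorithm URI from the key type (the missing "EC" branch), and a key-length check that measures EC keys by curve field size and compares them against EC-specific bounds rather than an RSA-sized window. Everything here (the class EcKeyChecks, the helpers defaultSignatureAlgorithm, keyBits and checkAsymmetricKeyLength, and the numeric bounds) is hypothetical and needs only the JDK; the algorithm URIs are the standard XML Signature identifiers. The workaround the description mentions corresponds to setting WSS4J's signatureAlgorithm property (ConfigurationConstants.SIG_ALGO) to the ECDSA URI explicitly.

```java
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.ECGenParameterSpec;

/**
 * Added illustration (JDK only, hypothetical helpers, not WSS4J's own code):
 *  1. picking a default signature algorithm URI from the key type;
 *  2. validating the asymmetric key length in a way that understands EC keys.
 */
public class EcKeyChecks {

    // Standard XML Signature algorithm URIs (RFC 4051 / XMLDSig 1.1), not WSS4J constants.
    static final String RSA_SHA256   = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    static final String DSA_SHA256   = "http://www.w3.org/2009/xmldsig11#dsa-sha256";
    static final String ECDSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256";

    /** Key-type dispatch including the EC branch the reporter found missing. */
    static String defaultSignatureAlgorithm(PublicKey key) {
        switch (key.getAlgorithm()) {
            case "RSA": return RSA_SHA256;
            case "DSA": return DSA_SHA256;
            case "EC":  return ECDSA_SHA256;
            default:
                // Fail closed for anything unrecognised, as the "unknownSignatureAlgorithm" error does.
                throw new IllegalArgumentException("unknownSignatureAlgorithm: " + key.getAlgorithm());
        }
    }

    /** Security-relevant size of a public key: modulus/prime bits for RSA/DSA, field size for EC. */
    static int keyBits(PublicKey key) {
        if (key instanceof RSAPublicKey) {
            return ((RSAPublicKey) key).getModulus().bitLength();
        }
        if (key instanceof DSAPublicKey) {
            return ((DSAPublicKey) key).getParams().getP().bitLength();
        }
        if (key instanceof ECPublicKey) {
            return ((ECPublicKey) key).getParams().getCurve().getField().getFieldSize();
        }
        // Unknown key types are rejected rather than waved through.
        throw new IllegalArgumentException("INVALID_SECURITY: unsupported key type " + key.getAlgorithm());
    }

    /**
     * Hypothetical length check with separate bounds per key family. EC strengths are not
     * comparable to RSA moduli (P-256 is roughly equivalent to RSA-3072), so an EC key is
     * checked against its own minimum/maximum instead of the RSA-style 1024..4096 window.
     */
    static void checkAsymmetricKeyLength(PublicKey key,
                                         int minRsaDsaBits, int maxRsaDsaBits,
                                         int minEcBits, int maxEcBits) {
        int bits = keyBits(key);
        boolean ec = key instanceof ECPublicKey;
        int min = ec ? minEcBits : minRsaDsaBits;
        int max = ec ? maxEcBits : maxRsaDsaBits;
        if (bits < min || bits > max) {
            throw new SecurityException("INVALID_SECURITY: " + key.getAlgorithm() + " key of "
                    + bits + " bits outside " + min + ".." + max);
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
        rsaGen.initialize(2048);
        PublicKey rsa = rsaGen.generateKeyPair().getPublic();

        KeyPairGenerator ecGen = KeyPairGenerator.getInstance("EC");
        ecGen.initialize(new ECGenParameterSpec("secp256r1"));   // NIST P-256
        PublicKey ec = ecGen.generateKeyPair().getPublic();

        for (PublicKey key : new PublicKey[] { rsa, ec }) {
            System.out.println(key.getAlgorithm() + ": " + keyBits(key) + " bits, default "
                    + defaultSignatureAlgorithm(key));
            // Illustrative bounds: 1024..4096 for RSA/DSA, 256..521 for EC curves.
            checkAsymmetricKeyLength(key, 1024, 4096, 256, 521);
        }

        // Applying RSA-sized bounds to the P-256 key rejects it with INVALID_SECURITY from
        // the length check, the same error the stack trace above reports.
        try {
            checkAsymmetricKeyLength(ec, 1024, 4096, 1024, 4096);
        } catch (SecurityException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac EcKeyChecks.java && java EcKeyChecks`. The point of the per-family bounds is the caveat a deployer hits after EC support is added: an algorithm suite whose minimum asymmetric key length was written for RSA will still reject every practical EC key unless the policy is adjusted for EC.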

People

    Assignee: coheigea Colm O hEigeartaigh
    Reporter: bergerst Stefan Berger
