List:       webservices-general
Subject:    [jira] [Commented] (WSS-663) Missing ECC key support
From:       "Thomas Papke (Jira)" <jira () apache ! org>
Date:       2020-02-05 14:10:00
Message-ID: JIRA.13283403.1580891436000.10232.1580911800704 () Atlassian ! JIRA


    [ https://issues.apache.org/jira/browse/WSS-663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17030683#comment-17030683 ]

Thomas Papke commented on WSS-663:
----------------------------------

The following Pull Request addresses the limitation: https://github.com/apache/ws-wss4j/pull/4
@[~coheigea]: Can you please have a look at this?

> Missing ECC key support
> -----------------------
> 
> Key: WSS-663
> URL: https://issues.apache.org/jira/browse/WSS-663
> Project: WSS4J
> Issue Type: Bug
> Reporter: Stefan Berger
> Assignee: Colm O hEigeartaigh
> Priority: Major
> 
> Multiple classes in the WSS4J library cannot handle Elliptic Curve keys.
> When you use EC keys when calling SignatureAction.execute() and you don't provide a signature algorithm, it will throw an "unknownSignatureAlgorithm" exception because it only checks for "RSA" or "DSA" keys. You can set the Signature Algorithm property to work around that. The much bigger problem is that the AlgorithmSuiteValidator.checkAsymmetricKeyLength() method doesn't accept signatures generated with EC keys. Here is the stack trace; ignore the "No message with ID" message, that's because WSSec.init() was not called in time:
> {code:java}
> A security error was encountered when verifying the message
> at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:236)
> at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:376)
>  at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:212)
>  at de.aok.epa.accessgateway.authentication.interceptor.CustomWss4jInInterceptor.handleMessage(CustomWss4jInInterceptor.java:85)
>  at de.aok.epa.accessgateway.authentication.interceptor.CustomWss4jInInterceptor.handleMessage(CustomWss4jInInterceptor.java:1)
>  at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>  at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>  at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)
>  at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
>  at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
>  at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
>  at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216)
>  at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301)
>  at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220)
>  at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276)
>  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>  at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>  at brave.servlet.TracingFilter.doFilter(TracingFilter.java:65)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>  at de.aok.epa.accessgateway.authentication.configuration.WebServiceConfiguration.lambda$0(WebServiceConfiguration.java:192)
>  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>  at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
>  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
>  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>  at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
>  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
>  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>  at org.springframework.cloud.sleuth.instrument.web.ExceptionLoggingFilter.doFilter(ExceptionLoggingFilter.java:50)
>  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>  at brave.servlet.TracingFilter.doFilter(TracingFilter.java:82)
> at org.springframework.cloud.sleuth.instrument.web.LazyTracingFilter.doFilter(TraceWebServletAutoConfiguration.java:138)
>  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>  at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:108)
>  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
>  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>  at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
>  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
>  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
>  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
>  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
> at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)
> at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
> at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
>  at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)
>  at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
> at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>  at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>  at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>  at java.base/java.lang.Thread.run(Thread.java:834)
> Caused by: org.apache.wss4j.common.ext.WSSecurityException: No message with ID "INVALID_SECURITY" found in resource bundle "org/apache/xml/security/resource/xmlsecurity"
>  at org.apache.wss4j.common.crypto.AlgorithmSuiteValidator.checkAsymmetricKeyLength(AlgorithmSuiteValidator.java:212)
>  at org.apache.wss4j.common.crypto.AlgorithmSuiteValidator.checkAsymmetricKeyLength(AlgorithmSuiteValidator.java:164)
>  at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:222)
>  at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340)
>  at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:320)
> ... 64 common frames omitted
> {code}
> There is already some kind of fork with some EC key fixes, but I can't say if it's complete and correct: [https://github.com/damianskolasa/wss4j-ecc]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
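The two failure points the report describes (a default-signature-algorithm choice that only knows RSA and DSA, and a key-length check that has no notion of an EC key's size) come down to the same missing dispatch on the key type. The following is an added illustration written for this page, not code from WSS4J or from the linked pull request; the class name, the choice of SHA-256 XML Signature URIs as defaults, and the length bounds passed in main() are all assumptions, while the java.security key interfaces used are the standard JDK ones.

```java
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.ECGenParameterSpec;

/** Illustration only (not WSS4J or the linked PR): EC-aware key-type dispatch. */
public final class EcAwareKeyChecks {
    // XML Signature algorithm URIs (RFC 6931); using these as defaults is an assumption.
    static final String RSA_SHA256   = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    static final String DSA_SHA256   = "http://www.w3.org/2009/xmldsig11#dsa-sha256";
    static final String ECDSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256";

    /** Default signature algorithm by key type; unknown types are rejected explicitly. */
    static String defaultSignatureAlgorithm(PublicKey key) {
        if (key instanceof RSAPublicKey) return RSA_SHA256;
        if (key instanceof DSAPublicKey) return DSA_SHA256;
        if (key instanceof ECPublicKey)  return ECDSA_SHA256; // the branch the report says is missing
        throw new IllegalArgumentException("unknownSignatureAlgorithm: " + key.getAlgorithm());
    }

    /** Key size in bits: RSA modulus, DSA prime p, or the EC curve's field size. */
    static int keyLengthBits(PublicKey key) {
        if (key instanceof RSAPublicKey) return ((RSAPublicKey) key).getModulus().bitLength();
        if (key instanceof DSAPublicKey) return ((DSAPublicKey) key).getParams().getP().bitLength();
        if (key instanceof ECPublicKey)  return ((ECPublicKey) key).getParams().getCurve().getField().getFieldSize();
        throw new IllegalArgumentException("unsupported key type: " + key.getAlgorithm());
    }

    /** Algorithm-suite style bound check; EC keys get their own, smaller, bounds. */
    static void checkAsymmetricKeyLength(PublicKey key, int minRsaDsa, int maxRsaDsa, int minEc, int maxEc) {
        boolean ec = key instanceof ECPublicKey;
        int bits = keyLengthBits(key), min = ec ? minEc : minRsaDsa, max = ec ? maxEc : maxRsaDsa;
        if (bits < min || bits > max) {
            throw new SecurityException("key length " + bits + " bits outside [" + min + ", " + max + "]");
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator ecGen = KeyPairGenerator.getInstance("EC");
        ecGen.initialize(new ECGenParameterSpec("secp256r1"));
        PublicKey ecKey = ecGen.generateKeyPair().getPublic();
        // Bounds are illustrative: 1024..4096 bits for RSA/DSA, 256..521 bits for EC.
        checkAsymmetricKeyLength(ecKey, 1024, 4096, 256, 521); // passes: a 256-bit curve
        System.out.println(defaultSignatureAlgorithm(ecKey) + " / " + keyLengthBits(ecKey) + " bits");
    }
}
```

Applying the RSA/DSA bounds to an EC key would reject every practical curve, which is why the EC branch needs its own size range rather than a shared one.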
