
List:       xmlrpc-user
Subject:    [jira] [Created] (WSS-663) Missing ECC key support
From:       "Stefan Berger (Jira)" <jira () apache ! org>
Date:       2020-02-05 8:31:00
Message-ID: JIRA.13283403.1580891436000.8373.1580891460287 () Atlassian ! JIRA

Stefan Berger created WSS-663:
---------------------------------

             Summary: Missing ECC key support
                 Key: WSS-663
                 URL: https://issues.apache.org/jira/browse/WSS-663
             Project: WSS4J
          Issue Type: Bug
            Reporter: Stefan Berger
            Assignee: Colm O hEigeartaigh


Multiple classes in the WSS4J library cannot handle Elliptic Curve Keys.

When you use EC keys when calling SignatureAction.execute() and you don't provide a signature algorithm, it will throw an "unknownSignatureAlgorithm" exception because it only checks for "RSA" or "DSA" keys.

You can set the Signature Algorithm property to work around that.

The much bigger problem is that the AlgorithmSuiteValidator.checkAsymmetricKeyLength() method doesn't accept signatures generated with EC keys.

Here is the stack trace, ignore the "No message with ID" message, that's because WSSec.init() was not called in time:
{code:java}
A security error was encountered when verifying the message
    at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:236)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:376)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:212)
    at de.aok.epa.accessgateway.authentication.interceptor.CustomWss4jInInterceptor.handleMessage(CustomWss4jInInterceptor.java:85)
    at de.aok.epa.accessgateway.authentication.interceptor.CustomWss4jInInterceptor.handleMessage(CustomWss4jInInterceptor.java:1)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at brave.servlet.TracingFilter.doFilter(TracingFilter.java:65)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at de.aok.epa.accessgateway.authentication.configuration.WebServiceConfiguration.lambda$0(WebServiceConfiguration.java:192)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.cloud.sleuth.instrument.web.ExceptionLoggingFilter.doFilter(ExceptionLoggingFilter.java:50)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at brave.servlet.TracingFilter.doFilter(TracingFilter.java:82)
    at org.springframework.cloud.sleuth.instrument.web.LazyTracingFilter.doFilter(TraceWebServletAutoConfiguration.java:138)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:108)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: No message with ID "INVALID_SECURITY" found in resource bundle "org/apache/xml/security/resource/xmlsecurity"
    at org.apache.wss4j.common.crypto.AlgorithmSuiteValidator.checkAsymmetricKeyLength(AlgorithmSuiteValidator.java:212)
    at org.apache.wss4j.common.crypto.AlgorithmSuiteValidator.checkAsymmetricKeyLength(AlgorithmSuiteValidator.java:164)
    at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:222)
    at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:320)
    ... 64 common frames omitted
{code}
There is already some kind of fork with some EC key fixes, but I can't say if it's complete and correct: [https://github.com/damianskolasa/wss4j-ecc]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
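
Added example, not code from this report, from WSS4J or from the linked fork: the two places the report names, a default signature-algorithm choice keyed on the key type and an asymmetric key-length check, written against plain JCA with EC keys handled in both. The XML-DSig algorithm URIs are the standard ones; the class and method names, the EC field size as the "key length", and the 2048-bit RSA/DSA and 256-bit EC minimums are this example's own assumptions, not WSS4J's.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.ECGenParameterSpec;

/**
 * Illustrative only (not WSS4J code): algorithm selection and key-length
 * checking for RSA, DSA and EC keys. The failure described in the report is
 * what happens when the EC branches below are missing.
 */
public class EcKeyChecks {

    // Standard XML Signature algorithm URIs.
    static final String RSA_SHA256   = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    static final String DSA_SHA1     = "http://www.w3.org/2000/09/xmldsig#dsa-sha1";
    static final String ECDSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256";

    /** Default algorithm URI when the caller did not configure one. */
    static String defaultSignatureAlgorithm(PublicKey key) {
        switch (key.getAlgorithm()) {
            case "RSA": return RSA_SHA256;
            case "DSA": return DSA_SHA1;
            case "EC":  return ECDSA_SHA256;   // the branch the report says is missing
            default:
                throw new IllegalArgumentException(
                        "unknownSignatureAlgorithm for key type " + key.getAlgorithm());
        }
    }

    /** Key strength in bits; for EC this is the curve's field size (assumption). */
    static int keyLengthBits(PublicKey key) {
        if (key instanceof RSAPublicKey) {
            return ((RSAPublicKey) key).getModulus().bitLength();
        }
        if (key instanceof DSAPublicKey) {
            return ((DSAPublicKey) key).getParams().getP().bitLength();
        }
        if (key instanceof ECPublicKey) {
            return ((ECPublicKey) key).getParams().getCurve().getField().getFieldSize();
        }
        throw new IllegalArgumentException("unsupported key type " + key.getAlgorithm());
    }

    /** Minimum sizes chosen for this example: 2048 bits for RSA/DSA, 256 for EC. */
    static void checkAsymmetricKeyLength(PublicKey key) {
        int bits = keyLengthBits(key);
        int min = (key instanceof ECPublicKey) ? 256 : 2048;
        if (bits < min) {
            throw new SecurityException(key.getAlgorithm() + " key of " + bits
                    + " bits is below the minimum of " + min);
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA");
        rsa.initialize(2048);
        KeyPairGenerator ec = KeyPairGenerator.getInstance("EC");
        ec.initialize(new ECGenParameterSpec("secp256r1"));

        // Both key types pass the length check and get a default algorithm.
        for (KeyPair kp : new KeyPair[] { rsa.generateKeyPair(), ec.generateKeyPair() }) {
            PublicKey pub = kp.getPublic();
            checkAsymmetricKeyLength(pub);
            System.out.println(pub.getAlgorithm() + " " + keyLengthBits(pub)
                    + " bits -> " + defaultSignatureAlgorithm(pub));
        }
    }
}
```

Run with `javac EcKeyChecks.java && java EcKeyChecks`; no third-party dependency is needed, since both checks only inspect the JCA key interfaces. Measuring an EC key by its field size is the usual convention for a minimum-strength policy, but it is a design choice of this example, and the thresholds should come from whatever algorithm suite the deployment actually enforces.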

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
