"No certificates were found for decryption" (Apache CXF, WS-Security)


Problem description


I am building a web service and would like message level encryption. The encryption must use Asymmetric binding. I am new to Apache CXF so I used one of their samples and worked on converting it to fit my requirements. However when I changed the symmetric binding to asymmetric binding, I started getting the following error after the client sends an encrypted message to the server:


"No certificates were found for decryption (KeyId)."


I understand that this is probably a cert error but it may also be configuration related.
I am positive that I have public and private keys for both the client and the server. Messages are encrypted by the client with the public key of the server and signed with the client's private key. The server is configured to verify the signature with the client's public key and then decrypt with the server's private key. However I didn't know what code needed to be changed as I switched from symmetric to asymmetric binding. Any input would be greatly appreciated. Here are my configurations for the encryption and the ws-security policy.

ServiceConfig.xml:


<entry key="ws-security.encryption.properties" value="etc/Server_Decrypt.properties"/>
<entry key="ws-security.signature.properties" value="etc/Server_SignVerf.properties"/>
<entry key="ws-security.callback-handler" value="demo.hw.server.UTPasswordCallback"/>

Server_Decrypt.properties:


org.apache.ws.security.crypto.provider=org.apache.wss4j.common.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=******
org.apache.ws.security.crypto.merlin.keystore.alias=serverx509v1
org.apache.ws.security.crypto.merlin.keystore.file=keystore/server-keystore.jks

add_numbers.wsdl


<wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="AddNumbersPolicy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:RecipientToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                <wsp:Policy>
                                    <sp:RequireThumbprintReference/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:RecipientToken>
                    <sp:InitiatorToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                <wsp:Policy>
                                    <sp:RequireThumbprintReference/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:InitiatorToken>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Strict/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp/>
                    <sp:OnlySignEntireHeadersAndBody/>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic128Sha256/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                </wsp:Policy>
            </sp:AsymmetricBinding>
            <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:MustSupportRefKeyIdentifier/>
                    <sp:MustSupportRefIssuerSerial/>
                    <sp:MustSupportRefThumbprint/>
                    <sp:MustSupportRefEncryptedKey/>
                </wsp:Policy>
            </sp:Wss11>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

<wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="AddNumbersPartsPolicy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:EncryptedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                <sp:Body/>
            </sp:EncryptedParts>
            <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                <sp:Body/>
            </sp:SignedParts>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

Recommended answer


It's hard to know the exact cause without seeing the stacktrace... However, note that for the Asymmetric Binding, the keys used for decryption actually come from the "ws-security.signature.properties" property ("ws-security.encryption.properties" is used to secure the response to the client). So make sure that the private key required to decrypt the request is in the signature properties keystore.

Colm.
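A quick way to confirm the point made in the answer before touching the CXF configuration is to open the keystore that the signature properties file points to and check that the configured alias is a private-key entry, not just a trusted certificate. The following is an added diagnostic written for this page; it is not CXF or WSS4J code. It assumes the Merlin property names used in the question's Server_Decrypt.properties (`org.apache.ws.security.crypto.merlin.keystore.file`, `.type`, `.password`, `.alias`), and the default path `etc/Server_SignVerf.properties` is taken from the question's ServiceConfig.xml. It only inspects entry types, so it does not need the private key password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Properties;

// Added diagnostic (not part of CXF/WSS4J): loads a Merlin properties file and
// checks that the keystore it names holds a PRIVATE KEY under the configured
// alias. Under the Asymmetric Binding the server decrypts the request with the
// key from ws-security.signature.properties, so that is the file to check.
public class MerlinKeystoreCheck {

    // Property prefix as used in the question's properties file (assumption:
    // the deployment uses this older prefix rather than org.apache.wss4j.*).
    private static final String PREFIX = "org.apache.ws.security.crypto.merlin.keystore.";

    public static boolean hasPrivateKeyForAlias(String propsPath) throws Exception {
        Properties props = new Properties();
        try (InputStream in = new FileInputStream(propsPath)) {
            props.load(in);
        }

        String file = props.getProperty(PREFIX + "file");
        String type = props.getProperty(PREFIX + "type", "jks");
        String password = props.getProperty(PREFIX + "password");
        String alias = props.getProperty(PREFIX + "alias");

        if (file == null || password == null || alias == null) {
            System.err.println("Missing keystore.file, keystore.password or keystore.alias in " + propsPath);
            return false;
        }

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, password.toCharArray());
        }

        if (!ks.containsAlias(alias)) {
            System.err.println("Alias '" + alias + "' is not present in " + file);
            return false;
        }

        // A trusted-certificate entry can verify signatures or encrypt to the
        // peer, but it cannot decrypt: decryption needs a key entry.
        if (!ks.isKeyEntry(alias)) {
            System.err.println("Alias '" + alias + "' is a trusted-certificate entry only; no private key to decrypt with");
            return false;
        }

        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        System.out.println("OK: '" + alias + "' is a private-key entry in " + file
                + " (subject=" + cert.getSubjectX500Principal() + ")");
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Default path comes from the question's ServiceConfig.xml; pass another
        // properties file as the first argument to check a different keystore.
        String path = args.length > 0 ? args[0] : "etc/Server_SignVerf.properties";
        System.exit(hasPrivateKeyForAlias(path) ? 0 : 1);
    }
}
```

Run it from the server's working directory so the relative `etc/` and `keystore/` paths resolve the same way they do for CXF. If the check fails for `Server_SignVerf.properties` but passes for `Server_Decrypt.properties`, the server's private key is only in the encryption keystore, which is exactly the mismatch the answer describes.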

