
"No certificates were found for decryption" (Apache CXF, WS-Security)

I am building a web service and would like message level encryption. The encryption must use Asymmetric binding. I am new to Apache CXF, so I used one of their samples and worked on converting it to fit my requirements. However, when I changed the symmetric binding to asymmetric binding, I started getting the following error after the client sends an encrypted message to the server:

"No certificates were found for decryption (KeyId)."

I understand that this is probably a cert error, but it may also be configuration related.
I am positive that I have public and private keys for both the client and the server. Messages are encrypted by the client with the public key of the server and signed with the client's private key. The server is configured to verify the signature with the client's public key and then decrypt with the server's private key. However, I didn't know what code needed to be changed as I switched from symmetric to asymmetric binding. Any input would be greatly appreciated. Here are my configurations for the encryption and the WS-Security policy.

ServiceConfig.xml:

<entry key="ws-security.encryption.properties" value="etc/Server_Decrypt.properties"/>
<entry key="ws-security.signature.properties" value="etc/Server_SignVerf.properties"/>
<entry key="ws-security.callback-handler" value="demo.hw.server.UTPasswordCallback"/>

Server_Decrypt.properties:

org.apache.ws.security.crypto.provider=org.apache.wss4j.common.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=******
org.apache.ws.security.crypto.merlin.keystore.alias=serverx509v1
org.apache.ws.security.crypto.merlin.keystore.file=keystore/server-keystore.jks

add_numbers.wsdl:

<wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="AddNumbersPolicy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:RecipientToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                <wsp:Policy>
                                    <sp:RequireThumbprintReference/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:RecipientToken>
                    <sp:InitiatorToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                <wsp:Policy>
                                    <sp:RequireThumbprintReference/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:InitiatorToken>    
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Strict/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp/>
                    <sp:OnlySignEntireHeadersAndBody/>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic128Sha256/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                </wsp:Policy>
            </sp:AsymmetricBinding>
            <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:MustSupportRefKeyIdentifier/>
                    <sp:MustSupportRefIssuerSerial/>
                    <sp:MustSupportRefThumbprint/>
                    <sp:MustSupportRefEncryptedKey/>
                </wsp:Policy>
            </sp:Wss11>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

<wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="AddNumbersPartsPolicy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:EncryptedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                <sp:Body/>
            </sp:EncryptedParts>
            <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                <sp:Body/>
            </sp:SignedParts>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

It's hard to know the exact cause without seeing the stack trace. However, note that for the Asymmetric Binding, the keys used for decryption actually come from the "ws-security.signature.properties" property ("ws-security.encryption.properties" is used to secure the response to the client). So make sure that the private key required to decrypt the request is in the signature properties keystore.

Colm.
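As an added example (not part of the original question or answer, and not CXF or WSS4J code), the following standalone Java check applies the advice above mechanically. It reads a Merlin-style properties file of the kind shown in the question (both the `org.apache.ws.security.crypto.merlin.*` prefix used in the post and the WSS4J 2.x `org.apache.wss4j.crypto.merlin.*` prefix are accepted), opens the keystore it names with the JDK `KeyStore` API, and reports whether the configured alias holds a private key or only a certificate. Under the Asymmetric Binding the server decrypts the request with the keystore behind `ws-security.signature.properties`, so that file should report a private key; in the question, the server's own alias `serverx509v1` is configured under `ws-security.encryption.properties` instead. The class name `MerlinKeyCheck` and the default file paths are assumptions; the keystore password is taken from the properties file, and `keystore.file` is resolved on the filesystem rather than the classpath.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Properties;

/**
 * Added diagnostic, not part of the original post or of CXF/WSS4J:
 * loads the keystore named in a Merlin-style properties file and reports
 * whether the configured alias carries a private key (needed to decrypt
 * or sign) or only a certificate (enough to encrypt or verify a signature).
 */
public class MerlinKeyCheck {

    // WSS4J 1.6 property prefix (the one used in the question) and the WSS4J 2.x prefix.
    private static final String[] PREFIXES = {
        "org.apache.ws.security.crypto.merlin.",
        "org.apache.wss4j.crypto.merlin."
    };

    /** What the keystore holds under the configured alias. */
    public enum AliasState { PRIVATE_KEY, CERTIFICATE_ONLY, MISSING }

    /** Looks a Merlin key up under either supported prefix. */
    static String prop(Properties p, String suffix) {
        for (String prefix : PREFIXES) {
            String v = p.getProperty(prefix + suffix);
            if (v != null) {
                return v.trim();
            }
        }
        return null;
    }

    /** Opens the keystore named in propertiesFile and classifies its configured alias. */
    public static AliasState inspect(String propertiesFile)
            throws IOException, GeneralSecurityException {
        Properties p = new Properties();
        try (InputStream in = new FileInputStream(propertiesFile)) {
            p.load(in);
        }
        String file = prop(p, "keystore.file");
        String type = prop(p, "keystore.type");
        String password = prop(p, "keystore.password");
        String alias = prop(p, "keystore.alias");
        if (file == null || alias == null) {
            throw new IllegalArgumentException(
                propertiesFile + ": keystore.file and keystore.alias are required");
        }
        // Merlin resolves keystore.file against the classpath first; this check uses the filesystem.
        KeyStore ks = KeyStore.getInstance(type == null ? KeyStore.getDefaultType() : type);
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, password == null ? null : password.toCharArray());
        }
        if (!ks.containsAlias(alias)) {
            return AliasState.MISSING;
        }
        // isKeyEntry is true for a PrivateKeyEntry; a trusted certificate alone is a CertificateEntry.
        return ks.isKeyEntry(alias) ? AliasState.PRIVATE_KEY : AliasState.CERTIFICATE_ONLY;
    }

    public static void main(String[] args) throws Exception {
        // Server-side mapping under the Asymmetric Binding in CXF (as stated in the answer above):
        //   ws-security.signature.properties  -> server's own private key: signs the response, decrypts the request
        //   ws-security.encryption.properties -> client's certificate: encrypts the response, verifies the request signature
        String sigProps = args.length > 0 ? args[0] : "etc/Server_SignVerf.properties"; // assumed path
        String encProps = args.length > 1 ? args[1] : "etc/Server_Decrypt.properties";  // assumed path

        AliasState sig = inspect(sigProps);
        System.out.println(sigProps + " -> " + sig);
        if (sig != AliasState.PRIVATE_KEY) {
            System.out.println("  !! the signature properties keystore must hold the server's private key;"
                + " without it the request cannot be decrypted, which matches the error in the question.");
        }

        AliasState enc = inspect(encProps);
        System.out.println(encProps + " -> " + enc);
        if (enc == AliasState.PRIVATE_KEY) {
            System.out.println("  note: a private key here is not used for decrypting the request;"
                + " only the client's certificate is needed in this keystore.");
        }
    }
}
```

Compile with `javac MerlinKeyCheck.java` and run `java MerlinKeyCheck etc/Server_SignVerf.properties etc/Server_Decrypt.properties` from the directory the relative keystore paths are written against. The first line must read `PRIVATE_KEY` for the server to decrypt an Asymmetric Binding request; a `CERTIFICATE_ONLY` or `MISSING` result there is the configuration mistake the answer describes.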
