6 Replies Latest reply: Feb 22, 2011 1:04 AM by Vikas

keytool with SKI

Vikas Newbie
Hi,

I created a cert in client, exported it and imported in server as follows:

Client (JRE 160_21)
keytool.exe -genkeypair -alias client_alias -keyalg "RSA" -sigalg "SHA1withRSA" -dname "cn=a, ou=b, o=c, c=in" -keypass password -keystore client.jks -storepass password -validity 5000

keytool.exe -export -alias client_alias -file public_key.cer -keystore client.jks

(Server JRE 160_21)
keytool -import -keystore default-keystore.jks -trustcacerts -alias server_alias -file public_key.cer

From the client, I'm trying to do a SOAP invocation using SOAPUI to the above server. In "Key Identifier Type" of Signature and Encryption, I've set "Subject Key Identifier". But the server rejects with error message:

--------------------------------------------------------------------------------
at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:937)
at oracle.wsm.agent.WSMAgent.processRequest(WSMAgent.java:454)
at oracle.fabric.common.BindingSecurityInterceptor.processRequest(BindingSecurityInterceptor.java:94)
... 34 more
Caused by: oracle.wsm.security.SecurityException: WSM-00066 : The matching certificate for the given Subject Key Identifier (SKI) cannot be found.
at oracle.wsm.security.jps.WsmKeyStore$1CertMatcherImpl.getBySKI(WsmKeyStore.java:704)
at oracle.wsm.security.policy.scenario.policycompliance.impl.ProcessedIncomingSignatures.getSigner(ProcessedIncomingSignatures.java:422)
at oracle.wsm.security.policy.scenario.policycompliance.impl.ProcessedIncomingSignatures.checkUnSignedKeyInfoTokenRef(ProcessedIncomingSignatures.java:353)
--------------------------------------------------------------------------------

Is it due to a wrong genkeypair command? Doesn't the genkeypair command above generate a cert with SKI by default? If not, what should be done to get around this issue?

Thanks,
Vikas
  • 1. Re: keytool with SKI
    800207 Newbie
    keytool does not support the subject key identifier extension, so there is no subject key identifier in your certificate. Using the JDK7 keytool you can manually specify the extension OID and value, or you can use another product.
  • 2. Re: keytool with SKI
    Vikas Newbie
    Thanks for the reply..

    I tried genkey, export and import with JRE 1.7 but with no luck.

    Also, I didn't find any option to manually specify these options and values.

    D:\SOA\cert>"c:\Program Files\java\jre1.7\jre1.7.0\bin\keytool.exe"
    Key and Certificate Management Tool

    Commands:

    -certreq Generates a certificate request
    -changealias Changes an entry's alias
    -delete Deletes an entry
    -exportcert Exports certificate
    -genkeypair Generates a key pair
    -genseckey Generates a secret key
    -gencert Generates certificate from a certificate request
    -importcert Imports a certificate or a certificate chain
    -importkeystore Imports one or all entries from another keystore
    -keypasswd Changes the key password of an entry
    -list Lists entries in a keystore
    -printcert Prints the content of a certificate
    -printcertreq Prints the content of a certificate request
    -printcrl Prints the content of a CRL file
    -storepasswd Changes the store password of a keystore

    Could you please give an example to generate a key with SKI?

    Thanks
  • 3. Re: keytool with SKI
    800207 Newbie
    The JDK7 keytool automatically creates a Subject Key Identifier extension for genkeypair. I was wrong, you do not need to enter anything by hand.
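A way to check offline whether an exported certificate actually carries the SKI extension that the WSM-00066 error says it cannot match, and what value a matcher would expect for it. This is an added example, not code from the thread or from the JDK/Oracle WSM; it uses a small hand-written DER walker, and the constructed sample certificates (with placeholder key bits, no real RSA key) stand in for a real public_key.cer read from disk.

```python
import hashlib

OID_SKI = bytes.fromhex("551d0e")              # 2.5.29.14 id-ce-subjectKeyIdentifier
OID_RSA = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, used by the constructed sample only

def _tlv(tag, value):  # DER encoder, used only to build the constructed sample certs
    n = len(value)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + value

def _children(buf):  # yield (tag, value) for each DER element inside a constructed value
    pos = 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                                  # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        yield tag, buf[pos:pos + n]
        pos += n

def _tbs(cert_der):  # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    return next(_children(next(_children(cert_der))[1]))[1]

def find_ski(cert_der):  # keyIdentifier octets from the SKI extension, or None if the cert has none
    for tag, val in _children(_tbs(cert_der)):
        if tag == 0xA3:                               # [3] EXPLICIT Extensions (v3 certs only)
            for _, ext in _children(next(_children(val))[1]):
                parts = list(_children(ext))          # extnID, [critical], extnValue
                if parts[0][1] == OID_SKI:
                    return next(_children(parts[-1][1]))[1]  # OCTET STRING inside extnValue
    return None

def expected_ski(cert_der):  # SHA-1 over the subjectPublicKey bits (RFC 5280 4.2.1.2 method 1)
    spki = [v for t, v in _children(_tbs(cert_der)) if t == 0x30][4]  # sigAlg, issuer, validity, subject, SPKI
    bits = list(_children(spki))[1][1]                # BIT STRING; first octet = unused-bit count
    return hashlib.sha1(bits[1:]).digest()

def sample_cert(with_ski):  # constructed v3 cert; with_ski=False mimics what the JDK6 keytool exported
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, b"a"))))
    alg = _tlv(0x30, _tlv(0x06, OID_RSA) + _tlv(0x05, b""))
    key_bits = b"\x00" + bytes(range(1, 65))          # placeholder key bits, not a real RSA key
    spki = _tlv(0x30, alg + _tlv(0x03, key_bits))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + name
           + _tlv(0x30, _tlv(0x17, b"110101000000Z") * 2) + name + spki)
    if with_ski:
        ski = _tlv(0x04, hashlib.sha1(key_bits[1:]).digest())
        ext = _tlv(0x30, _tlv(0x06, OID_SKI) + _tlv(0x04, ski))
        tbs += _tlv(0xA3, _tlv(0x30, ext))
    return _tlv(0x30, _tlv(0x30, tbs) + alg + _tlv(0x03, b"\x00"))
```

For a real file, `find_ski(open("public_key.cer", "rb").read())` returning None is the condition behind WSM-00066; when it returns a value that differs from `expected_ski`, the sender and the keystore are matching on different identifiers.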
  • 4. Re: keytool with SKI
    EJP Guru
    This doesn't affect your problem but when you import the client certificate into the server's truststore I don't see why you're giving it the alias 'server_alias'. It is still the client's certificate. A specific client's certificate. Surely the alias should reflect that?
  • 5. Re: keytool with SKI
    Vikas Newbie
    I bounced the servers after using the keystore obtained using JRE 1.7. I no longer get the previous error message. I now get:

    --------------------------------------------------------------------------------

    at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:937)
    at oracle.wsm.agent.WSMAgent.processRequest(WSMAgent.java:454)
    at oracle.fabric.common.BindingSecurityInterceptor.processRequest(BindingSecurityInterceptor.java:94)
    ... 34 more
    Caused by: oracle.wsm.security.policy.scenario.policycompliance.PolicyComplianceException: WSM-00034 : Error in Encryption reference mechanism compliance : Expected : direct , Actual : ski.
    at oracle.wsm.security.policy.scenario.policycompliance.impl.ComplianceEngine.preDecryptionCompliance(ComplianceEngine.java:210)
    at oracle.wsm.security.policy.scenario.policycompliance.impl.ComplianceEngine.checkCompliance(ComplianceEngine.java:385)

    --------------------------------------------------------------------------------

    So it looks like using JRE 1.7 resulted in the previous error vanishing.

    We are using WLS middleware and WSM for security. Need to see how above issue can be solved.
  • 6. Re: keytool with SKI
    Vikas Newbie
    After changing some WSM policy option, the above error is gone. Now, the error is:

    at oracle.fabric.common.BindingSecurityInterceptor.processRequest(BindingSecurityInterceptor.java:94)
    ... 34 more
    Caused by: oracle.wsm.security.SecurityException: WSM-00169 : Error decrypting the request message.
    at oracle.wsm.security.policy.scenario.processor.Wss10MessageSecurityProcessor.decrypt(Wss10MessageSecurityProcessor.java:206)

    ...................

    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
    ... 9 more
    Caused by: oracle.security.xmlsec.enc.XECipherException: Data must start with zero
    at oracle.security.xmlsec.enc.XEEncryptedKey.decrypt(XEEncryptedKey.java:676)
    at oracle.security.xmlsec.enc.XEEncryptedKey.getKey(XEEncryptedKey.java:788)
    at oracle.security.xmlsec.wss.WSSecurity.decrypt(WSSecurity.java:2379)
    ... 46 more
    Caused by: javax.crypto.BadPaddingException: Data must start with zero
    at sun.security.rsa.RSAPadding.unpadOAEP(RSAPadding.java:393)

    I checked SOAPUI and couldn't see any place where key can be specified.
