Monday, February 3, 2014

Solving "org.apache.ws.security.WSSecurityException: An unsupported signature or encryption algorithm was used"

While trying out the scenario which I have explained in my previous post Accessing a non secured backend from a secured client with the help of WSO2 ESB, with security scenario 3 onward, you might have come across an issue as below on client side.

org.apache.axis2.AxisFault: Error in encryption
    at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:76)
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
    at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:426)
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:430)
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
    at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:554)
    at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:530)
    at SecurityClient.runSecurityClient(SecurityClient.java:99)
    at SecurityClient.main(SecurityClient.java:34)
Caused by: org.apache.rampart.RampartException: Error in encryption
    at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:612)
    at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricBindingBuilder.java:97)
    at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147)
    at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65)
    ... 11 more
Caused by: org.apache.ws.security.WSSecurityException: An unsupported signature or encryption algorithm was used (unsupported key transport encryption algorithm: No such algorithm: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p); nested exception is:
    java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPPadding
    at org.apache.ws.security.util.WSSecurityUtil.getCipherInstance(WSSecurityUtil.java:785)
    at org.apache.ws.security.message.WSSecEncryptedKey.prepareInternal(WSSecEncryptedKey.java:205)
    at org.apache.ws.security.message.WSSecEncrypt.prepare(WSSecEncrypt.java:259)
    at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:578)
    ... 14 more
Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPPadding
    at javax.crypto.Cipher.getInstance(Cipher.java:524)
    at org.apache.ws.security.util.WSSecurityUtil.getCipherInstance(WSSecurityUtil.java:777)
    ... 17 more
Exception in thread "main" java.lang.NullPointerException
    at SecurityClient.main(SecurityClient.java:38)

The reason for this is that the Bouncycastle jar required to run this scenario, is not found in the class path at the client side.

To overcome this issue, you need to place the relevant bouncycastle jar downloaded from the www.bouncycastle.org.

E.g.:- If you are running your client on JDK1.7, then the jar you need to download is bcprov-jdk15on-150.jar.
A point to note : I tried this scenario pointing the $ESB_HOME/repository/plugins folder to the Eclipse project and pointed to a bouncycastle jar which was at a different location. For some reason, it did not load the jar until I dropped it inside the $ESB_HOME/repository/plugins folder.

NOTE: Sometimes, you will have to clear the Eclipse/IntelliJ Idea cache in order for the classes to pick up the jars properly.

2 comments:

Sandapa said...

Useful post. Saved my time. :)

Sandapa said...

Useful post. Saved my time. :)