
I'm looking for some advice with the following problem. There are two systems that communicate by WSDL services, let's say SystemA and SystemB (Java 8, server wildfly-bootable, lib: org.apache.cxf, org.apache.wss4j). Both systems have a public and private key for communication (SystemA has SystemB's public key to invoke SystemB's services and vice versa).

When SystemA invokes a SystemB service everything works great, but when SystemB invokes SystemA's services it gives the following error in SystemA:

    Caused by: org.apache.wss4j.common.ext.WSSecurityException: The private key for the supplied alias does not exist in the keystore
    Original Exception was org.apache.wss4j.common.ext.WSSecurityException: The private key for the supplied alias does not exist in the keystore
    Original Exception was java.security.UnrecoverableKeyException: Cannot recover key
        at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.getPrivateKey(EncryptedKeyProcessor.java:270)
        at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:226)
        at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:90)
        at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:319)
        ... 41 more
    Caused by: org.apache.wss4j.common.ext.WSSecurityException: The private key for the supplied alias does not exist in the keystore
    Original Exception was java.security.UnrecoverableKeyException: Cannot recover key

Here is the thing: I have total access to SystemA's code, keys, etc., but I have no information at all about SystemB, just the hope that they correctly installed SystemA's public key.

I need to find a way to know if they are using the right public key. Is there a way to print in the log the public key alias that SystemB is using to invoke SystemA, or something like that? Because in case it is SystemB's fault, I need evidence.

Also it could be something wrong in SystemA, here is the definition in SystemA:

Private key of SystemA:

    org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
    org.apache.ws.security.crypto.merlin.keystore.type=jks
    org.apache.ws.security.crypto.merlin.keystore.password=testkey
    org.apache.ws.security.crypto.merlin.keystore.alias=testkey
    org.apache.ws.security.crypto.merlin.keystore.file=/opt/archivos/clave_priv/testkey.jks

Public key of SystemB:

    org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
    org.apache.ws.security.crypto.merlin.keystore.type=jks
    org.apache.ws.security.crypto.merlin.keystore.password=pass
    org.apache.ws.security.crypto.merlin.keystore.alias=epagos
    org.apache.ws.security.crypto.merlin.keystore.file=/opt/archivos/clave_pub/keystore.jks

What do you think is the best way to resolve this? (Again, there is no way to communicate with the SystemB provider, unless I have evidence that they have something wrong.)

Thanks!

EDIT: The password of the private key is correct; I proved it by following one of the answers to this: Caused by: java.security.UnrecoverableKeyException: Cannot recover key

rolo
  • Most likely cause for this is using the wrong password for the private key entry in SystemA. If you'd like to re-open this question, please explain how you eliminated that possibility as the cause of the problem. – erickson Jul 29 '21 at 15:35
  • I proved that the password was OK, please reopen the question – rolo Jul 29 '21 at 22:21
  • **"please explain how you eliminated that possibility"** – erickson Jul 29 '21 at 22:23
  • Well, first, I was the one that created the key pair with keytool; second, I ran this command with the data of my key and it was correct: keytool -keypasswd -new changeit -keystore cacerts -storepass changeit -alias someapp -keypass password. One question: the command suggested that I use pkcs12 instead of jks, is this something that I should pay attention to? – rolo Jul 29 '21 at 22:27
  • Do you mean to say that the keystore password and the private key entry password are different? – erickson Jul 29 '21 at 22:34
  • I'm new to this so maybe I'm missing something. In KeyStore Explorer I generated a key pair, alias=testkey, password=testkey, then I saved it as .jks, and finally I exported the public key as .cer and sent it to SystemB. Did I do something wrong? – rolo Jul 29 '21 at 22:47
  • I assumed that the purpose of that command was to check if the password was OK, so I made a copy of my jks and ran that command over it; if my password was wrong then the command was going to give me an error, but it didn't, so I assumed that my password was correct. Wasn't that the test I should do? – rolo Jul 29 '21 at 23:41
  • No, the command in my comment is just an example; when I ran it on my PC I set the variables correctly and both passwords were the same. This is the one I ran: keytool -keypasswd -new changeit -keystore sgrectest.jks -storepass sgrectest -alias sgrectest -keypass sgrectest – rolo Jul 29 '21 at 23:49

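As an added diagnostic (not code from the question, from WSS4J or from CXF), the program below loads SystemA's keystore with the values from the Merlin properties in the question and separates the two failures erickson's comments distinguish: a store password that does not open the file, and a key-entry password that does not recover the private key under the alias. It also prints the certificate's subject, issuer, serial number and SHA-1 thumbprint, which are the fields an inbound message's KeyInfo can reference, so they can be compared against the Security header that CXF's logging interceptor captures. The class and method names are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

/** Hypothetical diagnostic, not part of WSS4J: checks what Merlin needs from the decrypting side. */
public class MerlinKeystoreCheck {
    /** True when alias is a private-key entry that keyPass actually unlocks. */
    static boolean canRecoverKey(KeyStore ks, String alias, char[] keyPass) throws Exception {
        if (!ks.isKeyEntry(alias)) {
            System.out.println("alias '" + alias + "' is not a key entry (certificate only?)");
            return false;
        }
        try {
            // JKS throws UnrecoverableKeyException("Cannot recover key") on a wrong key-entry password,
            // which is the "Original Exception" in the question's stack trace.
            Key k = ks.getKey(alias, keyPass);
            return k instanceof PrivateKey;
        } catch (UnrecoverableKeyException e) {
            System.out.println("key-entry password rejected for '" + alias + "': " + e.getMessage());
            return false;
        }
    }
    /** Prints the fields an inbound EncryptedKey/KeyInfo can use to reference this certificate. */
    static void describeCert(KeyStore ks, String alias) throws Exception {
        Certificate c = ks.getCertificate(alias);
        if (!(c instanceof X509Certificate)) { System.out.println("no X.509 cert under " + alias); return; }
        X509Certificate x = (X509Certificate) c;
        StringBuilder thumb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-1").digest(x.getEncoded())) thumb.append(String.format("%02x", b));
        System.out.println("subject: " + x.getSubjectX500Principal());
        System.out.println("issuer : " + x.getIssuerX500Principal() + "  serial: " + x.getSerialNumber());
        System.out.println("SHA-1 thumbprint: " + thumb);
    }
    public static void main(String[] args) throws Exception {
        // Usage: java MerlinKeystoreCheck <keystore.jks> <storePass> <alias> [keyPass]
        // e.g. with the question's values: /opt/archivos/clave_priv/testkey.jks testkey testkey
        char[] storePass = args[1].toCharArray();
        char[] keyPass = (args.length > 3 ? args[3] : args[1]).toCharArray(); // same as store password unless given
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) { ks.load(in, storePass); } // a wrong store password fails here
        describeCert(ks, args[2]);
        System.out.println("private key recoverable: " + canRecoverKey(ks, args[2], keyPass));
    }
}
```

Because the trace fails inside EncryptedKeyProcessor.getPrivateKey with UnrecoverableKeyException, the keystore had already been opened and the referenced entry found; what Merlin rejected is the key-entry password it received at runtime (from the configured CallbackHandler or the keystore.private.password property), so checking which password that component actually supplies for alias testkey is the next step on SystemA's side.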
0 Answers