SOAP encryption - javax.crypto.BadPaddingException: unknown block type

I am trying to sign and encrypt the SOAP message, but I am getting this error -

The signature or decryption was invalid; nested exception is: javax.crypto.BadPaddingException: unknown block type

Since there is no explicitly mentioned padding in the signature method, I am assuming it is an error in the encryption method.

This is my key encryption method:

private String encryptKey(PublicKey pubKey, SecretKey symKey) {
    try {
        final Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        cipher.init(Cipher.ENCRYPT_MODE, pubKey);
        final byte[] encryptedKey = cipher.doFinal(symKey.getEncoded());
        BASE64Encoder b64 = new BASE64Encoder();
        return b64.encode(encryptedKey);
    } ...

and the encryption of the body works similarly (String s is the SOAP body converted to a string):

private String createEncryptedData(Key key, String s) {
    try {
        final Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        final byte[] encryptedData = cipher.doFinal(s.getBytes(StandardCharsets.UTF_8));
        BASE64Encoder b64 = new BASE64Encoder();
        return b64.encode(encryptedData);
    }
    catch (NoSuchAlgorithmException | NoSuchPaddingException | InvalidKeyException | IllegalBlockSizeException | BadPaddingException e) {
        e.printStackTrace();
        throw new IllegalStateException(
                "Java runtime does not support AES/CBC/PKCS5Padding (128)", e);
    }
}

I found this post - javax.crypto.BadPaddingException: unknown block type - where conversion to string is mentioned as an issue, but I am not sure how to send byte[] in the message instead... I have tried with

byte[] encodedData = Base64.getEncoder().encode(encryptedData);

and then I passed that byte[] in my SOAP message (it looks like this: [B@6bf256fa) and it gives me another error, decoding.divisible.four. So I guess that is not an appropriate way to do it.

PFB my full request

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:cdb="http://cdb.services.np.aek.seavus.com/"
    xmlns:sch="http://www.devoteam.com/a1/mk/np/schema">
    <soapenv:Header xmlns="http://www.w3.org/2005/08/addressing">
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509Token">MIIBwDCCASmgAwIBAgIENDDwzTANBgkqhkiG9w0BAQUFADATMREwDwYDVQQDDAh2aXBfdGVzdDAeFw0yMDA0MjEwODU1NTZaFw0zMDA0MTkwODU1NTZaMBMxETAPBgNVBAMMCHZpcF90ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCe4AdGqUfUtsWfuwedrV8e0+rMC+nPM/kfeDcdvqXYEijIf5+BEKL/MU/WEq5LhQKPrOk1LIJPCwTT1lUwmBLQ9Q1aOd1ZrFVDTkk+RbUmeu6lst+FskJZm8G6rqAvERQEDR2TUCmNpeCHQ8nX80/ZpnUKAtIafSlw2BDoszrS4wIDAQABoyEwHzAdBgNVHQ4EFgQUrSuQYeUEdhMQrdbLHAfb/uBwhxMwDQYJKoZIhvcNAQEFBQADgYEANWPBnmmfbVgYlKr5TS53NT4CJZjry9bVivEcBCkopYdDZo2vg9N/HgSGPULGRYgcQM61+3l2cv1s+5XyNpceXaDHBcT7CQQa8kOR5WSd3vybQybgECwm1MWQZBxZqzD/piI1wDdbn1oUNlCL4bK61vjcoxah5VhRZwvsAum5jBQ=</wsse:BinarySecurityToken>
            <wsu:Timestamp wsu:Id="TS-1beccd19-ec76-4011-b72c-4c204c6439b5">
                <wsu:Created>2021-05-05T15:08:37</wsu:Created>
                <wsu:Expires>2021-05-05T15:09:07</wsu:Expires>
            </wsu:Timestamp>
            <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-1beccd19-ec76-4011-b72c-4c204c6439b5">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <wsse:SecurityTokenReference>
                        <ds:X509Data>
                            <ds:X509IssuerSerial>
                                <ds:X509IssuerName>CN=CDB</ds:X509IssuerName>
                                <ds:X509SerialNumber>1376307457</ds:X509SerialNumber>
                            </ds:X509IssuerSerial>
                        </ds:X509Data>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
                <xenc:CipherData>
                    <xenc:CipherValue>FaGhWE+rwBMqUnpMe5qh2n9X3bQYy8CDYCWjRFbfFsYBHso5jYSmwlX/Se4q3nFGABxkKcQlVY1ziiqxDoW2igw5W3M4mu2mk/togAPblhj+ZiAOXVBBYCc+HIbcWdipi96tSRCR0qLSd81obNA39hm6dZ4dvFOeBFzEjWFC9r8=</xenc:CipherValue>
                </xenc:CipherData>
                <xenc:ReferenceList>
                    <xenc:DataReference URI="#ED-1beccd19-ec76-4011-b72c-4c204c6439b5"/>
                </xenc:ReferenceList>
            </xenc:EncryptedKey>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <ds:Reference URI="#TS-1beccd19-ec76-4011-b72c-4c204c6439b5">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>dLT1OJDkyihjpBWglsiV3ScW/l0=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#Body-1beccd19-ec76-4011-b72c-4c204c6439b5">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>736yosC1DeVBYsHfDiiSlfQOBGg=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>kiPjx+N9WUJgXWtxPeFFM0GsK8AaQttpxC0hrZPFjGUYLj8S5fM0Eqp5DZPbRigRgbBw5GOmvZkV5wnrdu1IicRajxSYFbo3QVk8A/p5gb6u8E8F/igE0Vrsmg+krdHISWwplmSBzC2yFawh8A4YdLV2g0Ig3z0E7RBHjl2nay0=</ds:SignatureValue>
                <ds:KeyInfo>
                    <wsse:SecurityTokenReference>
                        <wsse:Reference URI="#X509Token"/>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
            <wsa:Action xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
                xmlns:wsa="http://www.w3.org/2005/08/addressing" soap:mustUnderstand="1">http://cdb.services.np.aek.seavus.com/AssignedSubscriberNumber_WS/GetAllAssignedSeries</wsa:Action>
            <wsa:MessageID xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
                xmlns:wsa="http://www.w3.org/2005/08/addressing" soap:mustUnderstand="1">uuid:048add69-81ff-4112-9798-7dbca65b39bb</wsa:MessageID>
            <wsa:To xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
                xmlns:wsa="http://www.w3.org/2005/08/addressing" soap:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body-1beccd19-ec76-4011-b72c-4c204c6439b5">
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-1beccd19-ec76-4011-b72c-4c204c6439b5" Type="http://www.w3.org/2001/04/xmlenc#Content">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                    xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
                    <wsse:Reference URI="#EK-1beccd19-ec76-4011-b72c-4c204c6439b5"/>
                </wsse:SecurityTokenReference>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>Vk8ZqEmybLVqf4nd/gbw0KKss60BgbgNZHCg8/NSijU=</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </soapenv:Body>
</soapenv:Envelope>

Thank you in advance!

There is 1 answer

Jovana Vajagic

So, for all people out there, with the same issue, this was the root cause of my problem - order of the operations!

I was convinced that, first, we need to encrypt the whole message and then do "the final touch" with signing it. Also, one of my senior colleagues confirmed that it has to be done just like that. Honestly, I haven't found that information anywhere! People were either signing the message or encrypting it, nobody was doing both (and I searched a looooot!)

Order should be:

  • signing
  • encrypting
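
The order given in the answer, as an added example that is not the poster's code: the sender signs the plaintext body and then encrypts it, so the receiver has to decrypt before the signature check can succeed. It works on raw bytes with plain JCA calls instead of a WS-Security stack over canonicalized XML, and it carries the CBC IV in front of the ciphertext as the XML Encryption CBC algorithms expect. The class name, the sample body, the freshly generated key pairs and the use of SHA256withRSA are assumptions.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class SignThenEncryptDemo {  // hypothetical class name
    static boolean verify(PublicKey pub, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(pub);
        v.update(data);
        return v.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair sender = kpg.generateKeyPair(), receiver = kpg.generateKeyPair();
        byte[] body = "<constructed>sample body</constructed>".getBytes(StandardCharsets.UTF_8);
        // Sender, step 1: sign the plaintext body.
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(sender.getPrivate());
        s.update(body);
        byte[] sig = s.sign();
        // Sender, step 2: encrypt the body; the random IV travels in front of the ciphertext.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey aes = kg.generateKey();
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, aes);
        byte[] iv = c.getIV(), ct = c.doFinal(body);
        byte[] ivAndCt = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, ivAndCt, 0, iv.length);
        System.arraycopy(ct, 0, ivAndCt, iv.length, ct.length);
        // A byte[] goes into the XML as a Base64 String, never via byte[].toString().
        String cipherValue = Base64.getEncoder().encodeToString(ivAndCt);
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, receiver.getPublic());
        String wrappedKey = Base64.getEncoder().encodeToString(rsa.doFinal(aes.getEncoded()));
        // Receiver: unwrap the key, decrypt, and only then verify the signature.
        rsa.init(Cipher.DECRYPT_MODE, receiver.getPrivate());
        SecretKey k = new SecretKeySpec(rsa.doFinal(Base64.getDecoder().decode(wrappedKey)), "AES");
        byte[] in = Base64.getDecoder().decode(cipherValue);
        c.init(Cipher.DECRYPT_MODE, k, new IvParameterSpec(in, 0, 16));
        byte[] plain = c.doFinal(in, 16, in.length - 16);
        System.out.println("verify after decrypt:   " + verify(sender.getPublic(), plain, sig));
        System.out.println("verify over ciphertext: " + verify(sender.getPublic(), in, sig));
    }
}
```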