WSS4J - No certificates for user were found for signature

brevleq · Jul 9, 2014 · Viewed 9.1k times

I'm trying to sign a SOAP message using CXF. After configuring my client using the knowledge I found over the internet, I'm suffering with the following error message:

org.apache.ws.security.WSSecurityException: General security error (No certificates for user user1 were found for signature)

I've configured the client this way:

<jaxws:client id="clienteRecepcaoEvento"
              address="https://hnfe.fazenda.mg.gov.br/nfe2/services/RecepcaoEvento"
              serviceClass="com.lutum.ws.nfe.clientes.RecepcaoEventoSoap">
    <jaxws:binding>
        <soap:soapBinding version="1.2"/>
    </jaxws:binding>
    <jaxws:outInterceptors>
        <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
            <constructor-arg>
                <map>
                    <entry key="action" value="Signature"/>
                    <entry key="signatureUser" value="user1"/>
                    <entry key="signaturePropFile" value="crypto.properties"/>
                    <entry key="signatureKeyIdentifier" value="DirectReference"/>
                    <entry key="signatureParts" value="{}{http://www.portalfiscal.inf.br/nfe}infEvento;"/>
                    <entry key="passwordCallbackRef">
                        <ref bean="passwordCallbackHandler"/>
                    </entry>
                </map>
            </constructor-arg>
        </bean>
        <!--<bean class="com.lutum.ws.nfe.interceptors.RecepcaoEventoInterceptor"/>-->
        <bean class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
        <bean class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
    </jaxws:outInterceptors>
</jaxws:client>

The crypto.properties file is this:

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=PKCS12
org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.keystore.file=/home/hudson/certificado/certificadoA1Valid.pfx
org.apache.ws.security.crypto.merlin.truststore.file=cacerts.ks

I believed that the problem was in the callback handler, but it doesn't appear to have any error:

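import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Supplies the private-key password that WSS4J requests through a WSPasswordCallback.
public class PasswordCallbackHandler implements CallbackHandler {

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callBack : callbacks) {
            // Only WSS4J password callbacks are handled; any other callback type is ignored.
            if (callBack instanceof WSPasswordCallback) {
                definirSenha((WSPasswordCallback) callBack);
            }
        }
    }

    // "definirSenha" = "set password": returns the same password for any identifier.
    private void definirSenha(WSPasswordCallback callBack) {
        callBack.setPassword("1606");
    }
}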

The last suspect was the certificate file:

MAC verified OK
Bag Attributes
    localKeyID: 01 00 00 00 
    friendlyName: user1
    Microsoft CSP Name: Microsoft Enhanced RSA and AES Cryptographic Provider
Key Attributes
    X509v3 Key Usage: 10 
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
[...]
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00 
subject=/C=BR/ST=MG/L=BELO HORIZONTE/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/OU=RFB e-CNPJ A1/OU=AR ONLINE CERTIFICADORA/CN=NO ONE:00000000000000
issuer=/C=BR/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/CN=AC VALID RFB
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

But I can't see any problem here either. What am I doing wrong?

Answer

Colm O hEigeartaigh · Jul 9, 2014

Here you have "user1":

<entry key="signatureUser" value="user1"/>

In the certificate you have "use1":

friendlyName: use1

Colm.
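
The mismatch in the answer above can be checked mechanically instead of by eye. WSS4J's Merlin resolves signatureUser as a keystore alias, and for a PKCS12 file Java exposes the friendlyName bag attribute as that alias. The following is an added example, not code from the question or from WSS4J; the class name KeystoreAliasCheck and the KEYSTORE_PASSWORD environment variable are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Added example (hypothetical helper, not part of WSS4J or CXF).
 * Lists the aliases a PKCS12 keystore exposes and checks whether the
 * configured signatureUser resolves to an entry that can sign.
 * Usage: java KeystoreAliasCheck <keystore.pfx> <signatureUser>
 * Assumption: the keystore password is passed in KEYSTORE_PASSWORD.
 */
public class KeystoreAliasCheck {

    /** True if the alias names an entry holding a private key and an X.509 certificate. */
    static boolean canSign(KeyStore ks, String alias) throws Exception {
        return ks.isKeyEntry(alias) && ks.getCertificate(alias) instanceof X509Certificate;
    }

    public static void main(String[] args) throws Exception {
        String password = System.getenv("KEYSTORE_PASSWORD");
        if (args.length != 2 || password == null) {
            System.err.println("usage: KEYSTORE_PASSWORD=... java KeystoreAliasCheck <keystore.pfx> <signatureUser>");
            System.exit(2);
        }

        // Load the keystore the same way the JDK does for Merlin: type PKCS12, file plus password.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password.toCharArray());
        }

        // Print every alias so a near-miss against signatureUser is visible.
        for (String alias : Collections.list(ks.aliases())) {
            System.out.printf("alias=%s keyEntry=%b%n", alias, ks.isKeyEntry(alias));
        }

        if (!canSign(ks, args[1])) {
            System.err.println("No signing entry for alias '" + args[1]
                    + "'; signatureUser must match one of the aliases listed above");
            System.exit(1);
        }
        System.out.println("OK: '" + args[1] + "' resolves to a private key with a certificate");
    }
}
```

Run it against the file named in org.apache.ws.security.crypto.merlin.keystore.file with the value of signatureUser as the second argument; a non-zero exit means WSS4J will not find a certificate for that user.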