ws-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <Christian.K...@it.nrw.de>
Subject [WSS4J] empty <xenc:ReferenceList/> when sending no attachments
Date Mon, 03 Aug 2015 09:18:59 GMT
Hello,

in our application we do send messages with and without SwA attachments. Both messages use
the same WSS-Policy file:

<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"
            wsu:Id="testpolicy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:AsymmetricBinding>
                <wsp:Policy>
                    <sp:InitiatorToken>
                        <wsp:Policy>
                            <sp:X509Token
                                    sp:IncludeToken=".../AlwaysToRecipient">
                                <wsp:Policy>
                                    <sp:WssX509V3Token10/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:InitiatorToken>
                    <sp:RecipientToken>
                        <wsp:Policy>
                            <sp:X509Token
                                    sp:IncludeToken=".../Never">
                                <wsp:Policy>
                                    <sp:WssX509V3Token10/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:RecipientToken>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Strict/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:OnlySignEntireHeadersAndBody/>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp-cxf:Basic128GCMSha256 xmlns:sp-cxf="http://example.com/custom/security-policy"/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                </wsp:Policy>
            </sp:AsymmetricBinding>
            <wsp:ExactlyOne>
                <wsp:All>
                    <sp:SignedParts>
                        <sp:Body/>
                        <sp:Header Namespace="..."
                                   Name="Messaging"/>
                        <sp:Attachments>
                            <sp13:ContentSignatureTransform/>
                        </sp:Attachments>
                    </sp:SignedParts>
                    <sp:EncryptedParts>
                        <sp:Attachments/>
                    </sp:EncryptedParts>
                </wsp:All>
            </wsp:ExactlyOne>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

When sending a message without attachment it looks as follows:

	<soap:Envelope xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
		xmlns:eb3="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
		xmlns:ebbp="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0"
		xmlns:ebint="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/multihop/200902/"
		xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
		xmlns:wsa="http://www.w3.org/2005/08/addressing"
		xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
		xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
		<S12:Header xmlns:S12="http://www.w3.org/2003/05/soap-envelope">
			<eb3:Messaging S12:mustUnderstand="true" id="_ebmessaging_N65624"
				wsu:Id="_59094c40-d1af-4581-8ccf-90bd947fc39c">
				....
			</eb3:Messaging>
			<wsse:Security
				xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
				soap:mustUnderstand="true">
				<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
					Id="EK-7d3d74f2-3878-4b5d-b914-9b89e82b3492">
					<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
					<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
						<wsse:SecurityTokenReference>
							<wsse:KeyIdentifier
								EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
								ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
								>wZEtT/mkif2cptFu8rKpnZQZ5c8=</wsse:KeyIdentifier>
						</wsse:SecurityTokenReference>
					</ds:KeyInfo>
					<xenc:CipherData>
						<xenc:CipherValue>...</xenc:CipherValue>
					</xenc:CipherData>
					
--->				<xenc:ReferenceList/>

				</xenc:EncryptedKey>
				<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
					Id="SIG-26b580d0-a983-4747-aa66-f4e3cd368fed">
					<ds:SignedInfo>
						<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
							<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
								PrefixList="ds eb3 ebbp ebint soap wsa wsse wsu"/>
						</ds:CanonicalizationMethod>
						<ds:SignatureMethod
							Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
						<ds:Reference URI="#N65670">
							<ds:Transforms>
								<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
									<ec:InclusiveNamespaces
										xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
										PrefixList="ds eb3 ebbp ebint wsa wsse"/>
								</ds:Transform>
							</ds:Transforms>
							<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
							<ds:DigestValue>KyTg3U5b4a+5nipkyOkETPtH6enj6NSDnANBwAic0rQ=</ds:DigestValue>
						</ds:Reference>
						<ds:Reference URI="#_59094c40-d1af-4581-8ccf-90bd947fc39c">
							<ds:Transforms>
								<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
									<ec:InclusiveNamespaces
										xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
										PrefixList="ds ebbp ebint soap wsa wsse"/>
								</ds:Transform>
							</ds:Transforms>
							<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
							<ds:DigestValue>ygkz9MsmZPkyJM65egawLXTnOB3LXyCa1Ohw2uMqVpA=</ds:DigestValue>
						</ds:Reference>
					</ds:SignedInfo>
					<ds:SignatureValue>...</ds:SignatureValue>
					<ds:KeyInfo Id="KI-2e2e9bcb-3027-4c38-ac35-2fa61de64858">
						<wsse:SecurityTokenReference
							xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
							xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
							wsu:Id="STR-0d7c4659-dafb-4175-92ed-05392eb578f8">
							<wsse:KeyIdentifier
								EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
								ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
								>WTMLwgT6lKgHrgsJx/YEtEnuD94=</wsse:KeyIdentifier>
						</wsse:SecurityTokenReference>
					</ds:KeyInfo>
				</ds:Signature>
			</wsse:Security>
		</S12:Header>
		<soap:Body wsu:Id="N65670"/>
	</soap:Envelope>


An empty xenc:ReferenceList node is written which is not allowed according to http://www.w3.org/TR/xmlenc-core1/#sec-ReferenceList.
This causes issues with products from other vendors who reject such a message. Any help is
greatly appreciated.

Cheers
Christian

Mime
View raw message