ws-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: [WSS4J] empty <xenc:ReferenceList/> when sending no attachments
Date Tue, 04 Aug 2015 11:02:56 GMT
Hi,

Ok this is now fixed in WSS4J: https://issues.apache.org/jira/browse/WSS-549

I also merged some related fixes to CXF.

Colm.

On Mon, Aug 3, 2015 at 10:18 AM, <Christian.Koch@it.nrw.de> wrote:

> Hello,
>
> in our application we do send messages with and without SwA attachments.
> Both messages use the same WSS-Policy file:
>
> <wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
>             xmlns:sp="
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
>             xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> "
>             xmlns:sp13="
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"
>             wsu:Id="testpolicy">
>     <wsp:ExactlyOne>
>         <wsp:All>
>             <sp:AsymmetricBinding>
>                 <wsp:Policy>
>                     <sp:InitiatorToken>
>                         <wsp:Policy>
>                             <sp:X509Token
>
> sp:IncludeToken=".../AlwaysToRecipient">
>                                 <wsp:Policy>
>                                     <sp:WssX509V3Token10/>
>                                 </wsp:Policy>
>                             </sp:X509Token>
>                         </wsp:Policy>
>                     </sp:InitiatorToken>
>                     <sp:RecipientToken>
>                         <wsp:Policy>
>                             <sp:X509Token
>                                     sp:IncludeToken=".../Never">
>                                 <wsp:Policy>
>                                     <sp:WssX509V3Token10/>
>                                 </wsp:Policy>
>                             </sp:X509Token>
>                         </wsp:Policy>
>                     </sp:RecipientToken>
>                     <sp:Layout>
>                         <wsp:Policy>
>                             <sp:Strict/>
>                         </wsp:Policy>
>                     </sp:Layout>
>                     <sp:OnlySignEntireHeadersAndBody/>
>                     <sp:AlgorithmSuite>
>                         <wsp:Policy>
>                             <sp-cxf:Basic128GCMSha256 xmlns:sp-cxf="
> http://example.com/custom/security-policy"/>
>                         </wsp:Policy>
>                     </sp:AlgorithmSuite>
>                 </wsp:Policy>
>             </sp:AsymmetricBinding>
>             <wsp:ExactlyOne>
>                 <wsp:All>
>                     <sp:SignedParts>
>                         <sp:Body/>
>                         <sp:Header Namespace="..."
>                                    Name="Messaging"/>
>                         <sp:Attachments>
>                             <sp13:ContentSignatureTransform/>
>                         </sp:Attachments>
>                     </sp:SignedParts>
>                     <sp:EncryptedParts>
>                         <sp:Attachments/>
>                     </sp:EncryptedParts>
>                 </wsp:All>
>             </wsp:ExactlyOne>
>         </wsp:All>
>     </wsp:ExactlyOne>
> </wsp:Policy>
>
> When sending a message without attachment it looks as follows:
>
>         <soap:Envelope xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>                 xmlns:eb3="
> http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
>                 xmlns:ebbp="
> http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0"
>                 xmlns:ebint="
> http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/multihop/200902/"
>                 xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
>                 xmlns:wsa="http://www.w3.org/2005/08/addressing"
>                 xmlns:wsse="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
> "
>                 xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> ">
>                 <S12:Header xmlns:S12="
> http://www.w3.org/2003/05/soap-envelope">
>                         <eb3:Messaging S12:mustUnderstand="true"
> id="_ebmessaging_N65624"
>
> wsu:Id="_59094c40-d1af-4581-8ccf-90bd947fc39c">
>                                 ....
>                         </eb3:Messaging>
>                         <wsse:Security
>                                 xmlns:wsse="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
> "
>                                 soap:mustUnderstand="true">
>                                 <xenc:EncryptedKey xmlns:xenc="
> http://www.w3.org/2001/04/xmlenc#"
>
> Id="EK-7d3d74f2-3878-4b5d-b914-9b89e82b3492">
>                                         <xenc:EncryptionMethod Algorithm="
> http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
>                                         <ds:KeyInfo xmlns:ds="
> http://www.w3.org/2000/09/xmldsig#">
>
> <wsse:SecurityTokenReference>
>                                                         <wsse:KeyIdentifier
>
> EncodingType="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
> "
>                                                                 ValueType="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier
> "
>
> >wZEtT/mkif2cptFu8rKpnZQZ5c8=</wsse:KeyIdentifier>
>
> </wsse:SecurityTokenReference>
>                                         </ds:KeyInfo>
>                                         <xenc:CipherData>
>
> <xenc:CipherValue>...</xenc:CipherValue>
>                                         </xenc:CipherData>
>
> --->                            <xenc:ReferenceList/>
>
>                                 </xenc:EncryptedKey>
>                                 <ds:Signature xmlns:ds="
> http://www.w3.org/2000/09/xmldsig#"
>
> Id="SIG-26b580d0-a983-4747-aa66-f4e3cd368fed">
>                                         <ds:SignedInfo>
>                                                 <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>
> <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>
> PrefixList="ds eb3 ebbp ebint soap wsa wsse wsu"/>
>
> </ds:CanonicalizationMethod>
>                                                 <ds:SignatureMethod
>                                                         Algorithm="
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>                                                 <ds:Reference
> URI="#N65670">
>                                                         <ds:Transforms>
>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>
> <ec:InclusiveNamespaces
>
>       xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>
>       PrefixList="ds eb3 ebbp ebint wsa wsse"/>
>
> </ds:Transform>
>                                                         </ds:Transforms>
>                                                         <ds:DigestMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>
> <ds:DigestValue>KyTg3U5b4a+5nipkyOkETPtH6enj6NSDnANBwAic0rQ=</ds:DigestValue>
>                                                 </ds:Reference>
>                                                 <ds:Reference
> URI="#_59094c40-d1af-4581-8ccf-90bd947fc39c">
>                                                         <ds:Transforms>
>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>
> <ec:InclusiveNamespaces
>
>       xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>
>       PrefixList="ds ebbp ebint soap wsa wsse"/>
>
> </ds:Transform>
>                                                         </ds:Transforms>
>                                                         <ds:DigestMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>
> <ds:DigestValue>ygkz9MsmZPkyJM65egawLXTnOB3LXyCa1Ohw2uMqVpA=</ds:DigestValue>
>                                                 </ds:Reference>
>                                         </ds:SignedInfo>
>
> <ds:SignatureValue>...</ds:SignatureValue>
>                                         <ds:KeyInfo
> Id="KI-2e2e9bcb-3027-4c38-ac35-2fa61de64858">
>
> <wsse:SecurityTokenReference
>                                                         xmlns:wsse="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
> "
>                                                         xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> "
>
> wsu:Id="STR-0d7c4659-dafb-4175-92ed-05392eb578f8">
>                                                         <wsse:KeyIdentifier
>
> EncodingType="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
> "
>                                                                 ValueType="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier
> "
>
> >WTMLwgT6lKgHrgsJx/YEtEnuD94=</wsse:KeyIdentifier>
>
> </wsse:SecurityTokenReference>
>                                         </ds:KeyInfo>
>                                 </ds:Signature>
>                         </wsse:Security>
>                 </S12:Header>
>                 <soap:Body wsu:Id="N65670"/>
>         </soap:Envelope>
>
>
> An empty xenc:ReferenceList node is written which is not allowed according
> to http://www.w3.org/TR/xmlenc-core1/#sec-ReferenceList. This causes
> issues with products from other vendors who reject such a message. Any help
> is greatly appreciated.
>
> Cheers
> Christian
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Mime
View raw message