From Dennis Sosnoski <...@sosnoski.com>
Subject UsernameToken as SignedEncryptedSupportingTokens
Date Tue, 14 Feb 2012 07:16:47 GMT
I'm trying to use a UsernameToken to validate the client when
establishing a WS-SecureConversation. The policy I'm using is accepted
by CXF, and the client generates the RST message without problem. The
CXF server code returns the error "An unsupported signature or
encryption algorithm was used (WSSecurityEngine: EncryptedData does not
contain xenc:EncryptedKey)". This comes from
org.apache.ws.security.processor.EncryptedDataProcessor.handleToken in
wss4j, which always expects to find an EncryptedKey within the
EncryptedData/KeyInfo. The generated request instead uses a
SecurityTokenReference (pointing to the DerivedKeyToken) rather than an
EncryptedKey, which I'd think is correct in this situation, since the
policy requires derived keys.

Is there some problem with encrypting a supporting token?

Here's the policy I'm using:

<wsp:Policy wsu:Id="SecureConv"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsap:UsingAddressing
xmlns:wsap="http://www.w3.org/2006/05/addressing/wsdl"/>
  <sp:SymmetricBinding>
    <wsp:Policy>
      <sp:ProtectionToken>
        <wsp:Policy>
          <sp:SecureConversationToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:RequireDerivedKeys/>
              <sp:BootstrapPolicy>
                <wsp:Policy>
                  <sp:AsymmetricBinding>
                    <wsp:Policy>
                      <sp:RecipientToken>
                        <wsp:Policy>
                          <sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                            <wsp:Policy>
                              <sp:RequireDerivedKeys/>
                              <sp:WssX509V3Token11/>
                              <sp:RequireIssuerSerialReference/>
                            </wsp:Policy>
                          </sp:X509Token>
                        </wsp:Policy>
                      </sp:RecipientToken>
                      <sp:AlgorithmSuite>
                        <wsp:Policy>
                          <sp:Basic256Sha256/>
                        </wsp:Policy>
                      </sp:AlgorithmSuite>
                      <sp:IncludeTimestamp/>
                      <sp:OnlySignEntireHeadersAndBody/>
                    </wsp:Policy>
                  </sp:AsymmetricBinding>
                  <sp:SignedEncryptedSupportingTokens>
                    <wsp:Policy>
                      <sp:UsernameToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"/>
                    </wsp:Policy>
                  </sp:SignedEncryptedSupportingTokens>
                  <sp:SignedParts>
                    <sp:Body/>
                  </sp:SignedParts>
                  <sp:EncryptedParts>
                    <sp:Body/>
                  </sp:EncryptedParts>
                  <sp:Trust13>
                    <wsp:Policy>
                      <sp:MustSupportIssuedTokens/>
                      <sp:RequireClientEntropy/>
                      <sp:RequireServerEntropy/>
                    </wsp:Policy>
                  </sp:Trust13>
                </wsp:Policy>
              </sp:BootstrapPolicy>
            </wsp:Policy>
          </sp:SecureConversationToken>
        </wsp:Policy>
      </sp:ProtectionToken>
      <sp:AlgorithmSuite>
        <wsp:Policy>
          <sp:Basic128/>
        </wsp:Policy>
      </sp:AlgorithmSuite>
      <sp:IncludeTimestamp/>
      <sp:EncryptSignature/>
      <sp:OnlySignEntireHeadersAndBody/>
    </wsp:Policy>
  </sp:SymmetricBinding>
  <sp:SignedParts>
    <sp:Body/>
  </sp:SignedParts>
  <sp:EncryptedParts>
    <sp:Body/>
  </sp:EncryptedParts>
</wsp:Policy>

Here's a sample of the request sent by the client:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <Action
xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT</Action>
    <MessageID
xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:80d059b4-87ef-4edb-a69d-2e26b46ad493</MessageID>
    <To
xmlns="http://www.w3.org/2005/08/addressing">http://localhost:8800/wsstest</To>
    <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
      <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
    </ReplyTo>
    <wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>2012-02-10T11:53:52.568Z</wsu:Created>
        <wsu:Expires>2012-02-10T11:58:52.568Z</wsu:Expires>
      </wsu:Timestamp>
      <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="EK-3325E85711A0FD3C1013288748329521">
        <xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=Dennis Sosnoski,OU=Unknown,O=Sosnoski Software Associates Ltd.,L=Paraparaumu Beach,ST=Wellington,C=NZ</ds:X509IssuerName>
                <ds:X509SerialNumber>1239532339</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>UyGnAx6pl+ZERphViFz9Slw5hEajY0fFY8EgrrX0ceKRjkmk4+rgubc7A4hWGF4rw81i5CeLgh3RichfpbZiQJXqGpbs1CUnkNelUuxvJDG4BFfkJXVUy3D9sY8bjlEhRStTUQ5fE8k4vhyrmh9yCLExwxmjNd7D/nAm7osXTOE=</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedKey>
      <wsc:DerivedKeyToken
xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc" wsu:Id="DK-3">
        <wsse:SecurityTokenReference
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"
wsu:Id="STR-3325E85711A0FD3C1013288748329712">
          <wsse:Reference URI="#EK-3325E85711A0FD3C1013288748329521"
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
        </wsse:SecurityTokenReference>
        <wsc:Offset>0</wsc:Offset>
        <wsc:Length>32</wsc:Length>
        <wsc:Nonce>FYC8xkAu0dS4jNXunaIeYA==</wsc:Nonce>
      </wsc:DerivedKeyToken>
      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="ED-5" Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <wsse:Reference URI="#DK-3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>C04EfqTdgX8UVRXqfPgYzdvrd3k8JeYzA0lW7xk5j9TZBcpuRiKBOuFyhbdpMoyiFLflZg99s9e6X0wMsdd/Clmtn+PUiZEH0s/DC/SzW13SnRfmbFAJIjV1DyRG6K/KW9P1UxLYd47HlsCFPZSGVeBt8DrZj+sTu5izDZMkxsVA55hY4RWleQq4w/MIZ9c51bj1Jf7lYC8gBDEXbb1qCvjrcRlmjjIo2ipyAuYT/wYW6WMSViqrTqieW8yR/+RM2txgwqTMyMkA4MD0cIacwKgr+DoUmQ9so5l/WCgbjuxaQf2sAhmCN6ZPS2fiK2JkTCXeuaZuHSJ4zi6/7vxyJpYpAjVgjjUeUlWb8jwuSts=</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
      <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:DataReference URI="#ED-4"/>
        <xenc:DataReference URI="#ED-5"/>
      </xenc:ReferenceList>
    </wsse:Security>
  </soap:Header>
  <soap:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-14712427">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="ED-4" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wsse:Reference URI="#DK-3"/>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>hSU+Y3...2jbCTmg==</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>

Thanks,

  - Dennis

-- 

Dennis M. Sosnoski
Java SOA and Web Services Consulting <http://www.sosnoski.com/consult.html>
CXF and Web Services Security Training
<http://www.sosnoski.com/training.html>
Web Services Jump-Start <http://www.sosnoski.com/jumpstart.html>

