cxf-dev mailing list archives
From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: UsernameToken as SignedEncryptedSupportingTokens
Date Tue, 14 Feb 2012 15:34:15 GMT
Hi Dennis,

There seem to be two problems here.

The first problem is that the ReferenceList is appended to the
security header, i.e. *after* the EncryptedData part to which it
refers:

<xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <xenc:DataReference URI="#ED-4"/>
  <xenc:DataReference URI="#ED-5"/>
</xenc:ReferenceList>

If it were before the EncryptedData Element in the header, the
ReferenceListProcessor would be able to handle decrypting the Element
without a problem.

The second is that the EncryptedDataProcessor can't handle a
SecurityTokenReference, as you pointed out. I have just committed a
fix for this here:

http://svn.apache.org/viewvc?view=revision&revision=1243996

Could you try with WSS4J 1.6.5-SNAPSHOT and let me know how you get
on? You will also need Santuario 1.5.0 if you are not using maven in
your test setup.

Colm.

On Tue, Feb 14, 2012 at 7:16 AM, Dennis Sosnoski <dms@sosnoski.com> wrote:
> I'm trying to use a UsernameToken to validate the client when
> establishing a WS-SecureConversation. The policy I'm using is accepted
> by CXF, and the client generates the RST message without problem. The
> CXF server code returns the error "An unsupported signature or
> encryption algorithm was used (WSSecurityEngine: EncryptedData does not
> contain xenc:EncryptedKey)". This is coming from
> org.apache.ws.security.processor.EncryptedDataProcessor.handleToken in
> wss4j, which expects to always find an EncryptedKey within the
> EncryptedData/KeyInfo. The generated request is using a
> SecurityTokenReference rather than an EncryptedKey, which I'd think is
> correct in this situation.
>
> Is there some problem with encrypting a supporting token?
>
> Here's the policy I'm using:
>
> <wsp:Policy wsu:Id="SecureConv"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>  <wsap:UsingAddressing
> xmlns:wsap="http://www.w3.org/2006/05/addressing/wsdl"/>
>  <sp:SymmetricBinding>
>    <wsp:Policy>
>      <sp:ProtectionToken>
>        <wsp:Policy>
>          <sp:SecureConversationToken
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>            <wsp:Policy>
>              <sp:RequireDerivedKeys/>
>              <sp:BootstrapPolicy>
>                <wsp:Policy>
>                  <sp:AsymmetricBinding>
>                    <wsp:Policy>
>                      <sp:RecipientToken>
>                        <wsp:Policy>
>                          <sp:X509Token
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                            <wsp:Policy>
>                              <sp:RequireDerivedKeys/>
>                              <sp:WssX509V3Token11/>
>                              <sp:RequireIssuerSerialReference/>
>                            </wsp:Policy>
>                          </sp:X509Token>
>                        </wsp:Policy>
>                      </sp:RecipientToken>
>                      <sp:AlgorithmSuite>
>                        <wsp:Policy>
>                          <sp:Basic256Sha256/>
>                        </wsp:Policy>
>                      </sp:AlgorithmSuite>
>                      <sp:IncludeTimestamp/>
>                      <sp:OnlySignEntireHeadersAndBody/>
>                    </wsp:Policy>
>                  </sp:AsymmetricBinding>
>                  <sp:SignedEncryptedSupportingTokens>
>                    <wsp:Policy>
>                      <sp:UsernameToken
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"/>
>                    </wsp:Policy>
>                  </sp:SignedEncryptedSupportingTokens>
>                  <sp:SignedParts>
>                    <sp:Body/>
>                  </sp:SignedParts>
>                  <sp:EncryptedParts>
>                    <sp:Body/>
>                  </sp:EncryptedParts>
>                  <sp:Trust13>
>                    <wsp:Policy>
>                      <sp:MustSupportIssuedTokens/>
>                      <sp:RequireClientEntropy/>
>                      <sp:RequireServerEntropy/>
>                    </wsp:Policy>
>                  </sp:Trust13>
>                </wsp:Policy>
>              </sp:BootstrapPolicy>
>            </wsp:Policy>
>          </sp:SecureConversationToken>
>        </wsp:Policy>
>      </sp:ProtectionToken>
>      <sp:AlgorithmSuite>
>        <wsp:Policy>
>          <sp:Basic128/>
>        </wsp:Policy>
>      </sp:AlgorithmSuite>
>      <sp:IncludeTimestamp/>
>      <sp:EncryptSignature/>
>      <sp:OnlySignEntireHeadersAndBody/>
>    </wsp:Policy>
>  </sp:SymmetricBinding>
>  <sp:SignedParts>
>    <sp:Body/>
>  </sp:SignedParts>
>  <sp:EncryptedParts>
>    <sp:Body/>
>  </sp:EncryptedParts>
> </wsp:Policy>
>
> Here's a sample of the request sent by the client:
>
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>  <soap:Header>
>    <Action
> xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT</Action>
>    <MessageID
> xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:80d059b4-87ef-4edb-a69d-2e26b46ad493</MessageID>
>    <To
> xmlns="http://www.w3.org/2005/08/addressing">http://localhost:8800/wsstest</To>
>    <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
>      <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
>    </ReplyTo>
>    <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> soap:mustUnderstand="1">
>      <wsu:Timestamp wsu:Id="TS-1">
>        <wsu:Created>2012-02-10T11:53:52.568Z</wsu:Created>
>        <wsu:Expires>2012-02-10T11:58:52.568Z</wsu:Expires>
>      </wsu:Timestamp>
>      <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> Id="EK-3325E85711A0FD3C1013288748329521">
>        <xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
>        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>          <wsse:SecurityTokenReference>
>            <ds:X509Data>
>              <ds:X509IssuerSerial>
>                <ds:X509IssuerName>CN=Dennis
> Sosnoski,OU=Unknown,O=Sosnoski Software Associates Ltd.,L=Paraparaumu
> Beach,ST=Wellington,C=NZ</ds:X509IssuerName>
>                <ds:X509SerialNumber>1239532339</ds:X509SerialNumber>
>              </ds:X509IssuerSerial>
>            </ds:X509Data>
>          </wsse:SecurityTokenReference>
>        </ds:KeyInfo>
>        <xenc:CipherData>
>
> <xenc:CipherValue>UyGnAx6pl+ZERphViFz9Slw5hEajY0fFY8EgrrX0ceKRjkmk4+rgubc7A4hWGF4rw81i5CeLgh3RichfpbZiQJXqGpbs1CUnkNelUuxvJDG4BFfkJXVUy3D9sY8bjlEhRStTUQ5fE8k4vhyrmh9yCLExwxmjNd7D/nAm7osXTOE=</xenc:CipherValue>
>        </xenc:CipherData>
>      </xenc:EncryptedKey>
>      <wsc:DerivedKeyToken
> xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc" wsu:Id="DK-3">
>        <wsse:SecurityTokenReference
> xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
> wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"
> wsu:Id="STR-3325E85711A0FD3C1013288748329712">
>          <wsse:Reference URI="#EK-3325E85711A0FD3C1013288748329521"
> ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
>        </wsse:SecurityTokenReference>
>        <wsc:Offset>0</wsc:Offset>
>        <wsc:Length>32</wsc:Length>
>        <wsc:Nonce>FYC8xkAu0dS4jNXunaIeYA==</wsc:Nonce>
>      </wsc:DerivedKeyToken>
>      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> Id="ED-5" Type="http://www.w3.org/2001/04/xmlenc#Element">
>        <xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>          <wsse:SecurityTokenReference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>            <wsse:Reference URI="#DK-3"/>
>          </wsse:SecurityTokenReference>
>        </ds:KeyInfo>
>        <xenc:CipherData>
>
> <xenc:CipherValue>C04EfqTdgX8UVRXqfPgYzdvrd3k8JeYzA0lW7xk5j9TZBcpuRiKBOuFyhbdpMoyiFLflZg99s9e6X0wMsdd/Clmtn+PUiZEH0s/DC/SzW13SnRfmbFAJIjV1DyRG6K/KW9P1UxLYd47HlsCFPZSGVeBt8DrZj+sTu5izDZMkxsVA55hY4RWleQq4w/MIZ9c51bj1Jf7lYC8gBDEXbb1qCvjrcRlmjjIo2ipyAuYT/wYW6WMSViqrTqieW8yR/+RM2txgwqTMyMkA4MD0cIacwKgr+DoUmQ9so5l/WCgbjuxaQf2sAhmCN6ZPS2fiK2JkTCXeuaZuHSJ4zi6/7vxyJpYpAjVgjjUeUlWb8jwuSts=</xenc:CipherValue>
>        </xenc:CipherData>
>      </xenc:EncryptedData>
>      <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>        <xenc:DataReference URI="#ED-4"/>
>        <xenc:DataReference URI="#ED-5"/>
>      </xenc:ReferenceList>
>    </wsse:Security>
>  </soap:Header>
>  <soap:Body
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="Id-14712427">
>    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> Id="ED-4" Type="http://www.w3.org/2001/04/xmlenc#Content">
>      <xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>        <wsse:SecurityTokenReference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>          <wsse:Reference URI="#DK-3"/>
>        </wsse:SecurityTokenReference>
>      </ds:KeyInfo>
>      <xenc:CipherData>
>        <xenc:CipherValue>hSU+Y3...2jbCTmg==</xenc:CipherValue>
>      </xenc:CipherData>
>    </xenc:EncryptedData>
>  </soap:Body>
> </soap:Envelope>
>
> Thanks,
>
>  - Dennis
>
> --
>
> Dennis M. Sosnoski
> Java SOA and Web Services Consulting <http://www.sosnoski.com/consult.html>
> CXF and Web Services Security Training
> <http://www.sosnoski.com/training.html>
> Web Services Jump-Start <http://www.sosnoski.com/jumpstart.html>
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
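As an added illustration of the two conditions Colm identifies above (this is example code, not WSS4J or CXF code), the following Python walks the direct children of a wsse:Security header in document order and reports (a) a ReferenceList that appears after an EncryptedData element it points to, and (b) an EncryptedData whose ds:KeyInfo carries a SecurityTokenReference rather than an EncryptedKey. The sample header is constructed here from the shape of the quoted request, with a placeholder in place of ciphertext; ED-4 is deliberately absent because in the real message it sits in the Body. The reorder_reference_list helper is an assumption of this example: it only moves the ReferenceList ahead of the data it describes and does no decryption.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSC = "http://schemas.xmlsoap.org/ws/2005/02/sc"

for prefix, uri in (("xenc", XENC), ("ds", DS), ("wsse", WSSE), ("wsu", WSU), ("wsc", WSC)):
    ET.register_namespace(prefix, uri)

REFERENCE_LIST = f"{{{XENC}}}ReferenceList"
DATA_REFERENCE = f"{{{XENC}}}DataReference"
ENCRYPTED_DATA = f"{{{XENC}}}EncryptedData"
ENCRYPTED_KEY = f"{{{XENC}}}EncryptedKey"
KEY_INFO = f"{{{DS}}}KeyInfo"
STR = f"{{{WSSE}}}SecurityTokenReference"
WSU_ID = f"{{{WSU}}}Id"

# Constructed sample: same element order as the request quoted in the thread
# (DerivedKeyToken, then EncryptedData ED-5, then the ReferenceList), with a
# placeholder instead of real ciphertext. ED-4 lives in the Body, not here.
SAMPLE_HEADER = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"
    xmlns:xenc="{XENC}" xmlns:ds="{DS}" xmlns:wsc="{WSC}">
  <wsc:DerivedKeyToken wsu:Id="DK-3">
    <wsc:Offset>0</wsc:Offset>
    <wsc:Length>32</wsc:Length>
  </wsc:DerivedKeyToken>
  <xenc:EncryptedData Id="ED-5" Type="{XENC}Element">
    <xenc:EncryptionMethod Algorithm="{XENC}aes256-cbc"/>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference><wsse:Reference URI="#DK-3"/></wsse:SecurityTokenReference>
    </ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
  <xenc:ReferenceList>
    <xenc:DataReference URI="#ED-4"/>
    <xenc:DataReference URI="#ED-5"/>
  </xenc:ReferenceList>
</wsse:Security>"""


def _id_of(el):
    """Return the element's Id, whether written as Id or wsu:Id."""
    return el.get("Id") or el.get(WSU_ID)


def audit_security_header(xml_text):
    """Inspect the direct children of wsse:Security in document order and
    report the two conditions from the thread. Returns a dict of Id lists."""
    root = ET.fromstring(xml_text)
    children = list(root)
    position = {_id_of(el): i for i, el in enumerate(children) if _id_of(el)}
    report = {"late_references": [], "str_keyed_encrypted_data": [], "external_references": []}
    for i, el in enumerate(children):
        if el.tag == REFERENCE_LIST:
            for ref in el.findall(DATA_REFERENCE):
                target = ref.get("URI", "").lstrip("#")
                if target not in position:
                    # Points outside the header (e.g. the encrypted Body): informational.
                    report["external_references"].append(target)
                elif position[target] < i:
                    # The EncryptedData precedes the list that describes it.
                    report["late_references"].append(target)
        elif el.tag == ENCRYPTED_DATA:
            key_info = el.find(KEY_INFO)
            if (key_info is not None and key_info.find(STR) is not None
                    and key_info.find(ENCRYPTED_KEY) is None):
                report["str_keyed_encrypted_data"].append(_id_of(el))
    return report


def reorder_reference_list(xml_text):
    """Move the ReferenceList in front of the first EncryptedData it refers to,
    so a forward-only processor meets the list before the data it describes."""
    root = ET.fromstring(xml_text)
    ref_list = root.find(REFERENCE_LIST)
    if ref_list is None:
        return xml_text
    targets = {ref.get("URI", "").lstrip("#") for ref in ref_list.findall(DATA_REFERENCE)}
    children = list(root)
    first = next((i for i, el in enumerate(children)
                  if el.tag == ENCRYPTED_DATA and _id_of(el) in targets), None)
    if first is None or children.index(ref_list) < first:
        return xml_text  # nothing to fix
    root.remove(ref_list)
    root.insert(first, ref_list)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(audit_security_header(SAMPLE_HEADER))
    print(audit_security_header(reorder_reference_list(SAMPLE_HEADER)))
```

On the constructed header the audit reports ED-5 both as a late reference and as STR-keyed, and ED-4 as an external reference; after reordering, only the STR-keyed finding remains, which is exactly the case the committed EncryptedDataProcessor change is meant to handle.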
