cxf-dev mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: UsernameToken as SignedEncryptedSupportingTokens
Date Mon, 27 Feb 2012 11:12:27 GMT
Hi Dennis,

> Caused by: org.apache.ws.security.WSSecurityException: An error was
> discovered processing the <wsse:Security> header (WSSecurityEngine:
> DataReference - referenced data not found)

Ok I've merged a fix for this. The ReferenceListProcessor only tries
to decrypt a DataReference if it hasn't already been decrypted.

> though I don't understand why the UsernameToken would work correctly in
> this case (since that should be the EncryptedData in the header).

The EncryptedData Element is successfully decrypted, and the
UsernameTokenProcessor is called on the decrypted Element.

> So what needs to be changed to move the ReferenceList before the
> EncryptedData?

If you look at the AbstractBindingBuilder in the CXF Security runtime,
it contains a number of methods that the concrete builders use to
append/prepend/etc security tokens to the security header.

Colm.

On Fri, Feb 24, 2012 at 6:57 AM, Dennis Sosnoski <dms@sosnoski.com> wrote:
> Hi Colm,
>
> I tried using CXF 2.5.3-SNAPSHOT for the latest changes, including the
> WSS4J 1.6.5 nightly build. This looks much better, getting as far as
> verifying the UsernameToken on the server before dying with a data
> reference error:
>
> Caused by: org.apache.ws.security.WSSecurityException: An error was
> discovered processing the <wsse:Security> header (WSSecurityEngine:
> DataReference - referenced data not found)
>    at org.apache.ws.security.processor.ReferenceListProcessor.findEncryptedDataElement(ReferenceListProcessor.java:248)
>    at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:124)
>    at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:97)
>    at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:60)
>    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:397)
>    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:258)
>
> I guess this is due to the order of items in the header:
>
>    <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> soap:mustUnderstand="1">
>      <wsu:Timestamp wsu:Id="TS-1">
>        ...
>      </wsu:Timestamp>
>      <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> Id="EK-038897D5CBACC128F513300662077711">
>        ...
>      </xenc:EncryptedKey>
>      <wsc:DerivedKeyToken
> xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc" wsu:Id="DK-3">
>        ...
>      </wsc:DerivedKeyToken>
>      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> Id="ED-5" Type="http://www.w3.org/2001/04/xmlenc#Element">
>        ...
>      </xenc:EncryptedData>
>      <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>        <xenc:DataReference URI="#ED-4"/>
>        <xenc:DataReference URI="#ED-5"/>
>      </xenc:ReferenceList>
>    </wsse:Security>
>
> though I don't understand why the UsernameToken would work correctly in
> this case (since that should be the EncryptedData in the header).
>
> So what needs to be changed to move the ReferenceList before the
> EncryptedData?
>
> Thanks,
>
>  - Dennis
>
>
> On 02/15/2012 04:34 AM, Colm O hEigeartaigh wrote:
>> Hi Dennis,
>>
>> There seem to be two problems here.
>>
>> The first problem is that the ReferenceList is appended to the
>> security header, i.e. *after* the EncryptedData part to which it
>> refers:
>>
>> <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>>        <xenc:DataReference URI="#ED-4"/>
>>        <xenc:DataReference URI="#ED-5"/>
>>      </xenc:ReferenceList>
>>
>> If it were before the EncryptedData Element in the header, the
>> ReferenceListProcessor would be able to handle decrypting the Element
>> without a problem.
>>
>> The second is that the EncryptedDataProcessor can't handle a
>> SecurityTokenReference, as you pointed out. I have just committed a
>> fix for this here:
>>
>> http://svn.apache.org/viewvc?view=revision&revision=1243996
>>
>> Could you try with WSS4J 1.6.5-SNAPSHOT and let me know how you get
>> on? You will also need Santuario 1.5.0 if you are not using maven in
>> your test setup.
>>
>> Colm.
>>
>> On Tue, Feb 14, 2012 at 7:16 AM, Dennis Sosnoski <dms@sosnoski.com> wrote:
>>> I'm trying to use a UsernameToken to validate the client when
>>> establishing a WS-SecureConversation. The policy I'm using is accepted
>>> by CXF, and the client generates the RST message without problem. The
>>> CXF server code returns the error "An unsupported signature or
>>> encryption algorithm was used (WSSecurityEngine: EncryptedData does not
>>> contain xenc:EncryptedKey)". This is coming from
>>> org.apache.ws.security.processor.EncryptedDataProcessor.handleToken in
>>> wss4j, which expects to always find an EncryptedKey within the
>>> EncryptedData/KeyInfo. The generated request is using a
>>> SecurityTokenReference rather than an EncryptedKey, which I'd think is
>>> correct in this situation.
>>>
>>> Is there some problem with encrypting a supporting token?
>>>
>>> Here's the policy I'm using:
>>>
>>> <wsp:Policy wsu:Id="SecureConv"
>>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>> xmlns:wsp="http://www.w3.org/ns/ws-policy"
>>> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>>  <wsap:UsingAddressing
>>> xmlns:wsap="http://www.w3.org/2006/05/addressing/wsdl"/>
>>>  <sp:SymmetricBinding>
>>>    <wsp:Policy>
>>>      <sp:ProtectionToken>
>>>        <wsp:Policy>
>>>          <sp:SecureConversationToken
>>> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>>>            <wsp:Policy>
>>>              <sp:RequireDerivedKeys/>
>>>              <sp:BootstrapPolicy>
>>>                <wsp:Policy>
>>>                  <sp:AsymmetricBinding>
>>>                    <wsp:Policy>
>>>                      <sp:RecipientToken>
>>>                        <wsp:Policy>
>>>                          <sp:X509Token
>>> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>>>                            <wsp:Policy>
>>>                              <sp:RequireDerivedKeys/>
>>>                              <sp:WssX509V3Token11/>
>>>                              <sp:RequireIssuerSerialReference/>
>>>                            </wsp:Policy>
>>>                          </sp:X509Token>
>>>                        </wsp:Policy>
>>>                      </sp:RecipientToken>
>>>                      <sp:AlgorithmSuite>
>>>                        <wsp:Policy>
>>>                          <sp:Basic256Sha256/>
>>>                        </wsp:Policy>
>>>                      </sp:AlgorithmSuite>
>>>                      <sp:IncludeTimestamp/>
>>>                      <sp:OnlySignEntireHeadersAndBody/>
>>>                    </wsp:Policy>
>>>                  </sp:AsymmetricBinding>
>>>                  <sp:SignedEncryptedSupportingTokens>
>>>                    <wsp:Policy>
>>>                      <sp:UsernameToken
>>> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"/>
>>>                    </wsp:Policy>
>>>                  </sp:SignedEncryptedSupportingTokens>
>>>                  <sp:SignedParts>
>>>                    <sp:Body/>
>>>                  </sp:SignedParts>
>>>                  <sp:EncryptedParts>
>>>                    <sp:Body/>
>>>                  </sp:EncryptedParts>
>>>                  <sp:Trust13>
>>>                    <wsp:Policy>
>>>                      <sp:MustSupportIssuedTokens/>
>>>                      <sp:RequireClientEntropy/>
>>>                      <sp:RequireServerEntropy/>
>>>                    </wsp:Policy>
>>>                  </sp:Trust13>
>>>                </wsp:Policy>
>>>              </sp:BootstrapPolicy>
>>>            </wsp:Policy>
>>>          </sp:SecureConversationToken>
>>>        </wsp:Policy>
>>>      </sp:ProtectionToken>
>>>      <sp:AlgorithmSuite>
>>>        <wsp:Policy>
>>>          <sp:Basic128/>
>>>        </wsp:Policy>
>>>      </sp:AlgorithmSuite>
>>>      <sp:IncludeTimestamp/>
>>>      <sp:EncryptSignature/>
>>>      <sp:OnlySignEntireHeadersAndBody/>
>>>    </wsp:Policy>
>>>  </sp:SymmetricBinding>
>>>  <sp:SignedParts>
>>>    <sp:Body/>
>>>  </sp:SignedParts>
>>>  <sp:EncryptedParts>
>>>    <sp:Body/>
>>>  </sp:EncryptedParts>
>>> </wsp:Policy>
>>>
>>> Here's a sample of the request sent by the client:
>>>
>>> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>>>  <soap:Header>
>>>    <Action
>>> xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT</Action>
>>>    <MessageID
>>> xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:80d059b4-87ef-4edb-a69d-2e26b46ad493</MessageID>
>>>    <To
>>> xmlns="http://www.w3.org/2005/08/addressing">http://localhost:8800/wsstest</To>
>>>    <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
>>>      <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
>>>    </ReplyTo>
>>>    <wsse:Security
>>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>> soap:mustUnderstand="1">
>>>      <wsu:Timestamp wsu:Id="TS-1">
>>>        <wsu:Created>2012-02-10T11:53:52.568Z</wsu:Created>
>>>        <wsu:Expires>2012-02-10T11:58:52.568Z</wsu:Expires>
>>>      </wsu:Timestamp>
>>>      <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>>> Id="EK-3325E85711A0FD3C1013288748329521">
>>>        <xenc:EncryptionMethod
>>> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
>>>        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>          <wsse:SecurityTokenReference>
>>>            <ds:X509Data>
>>>              <ds:X509IssuerSerial>
>>>                <ds:X509IssuerName>CN=Dennis
>>> Sosnoski,OU=Unknown,O=Sosnoski Software Associates Ltd.,L=Paraparaumu
>>> Beach,ST=Wellington,C=NZ</ds:X509IssuerName>
>>>                <ds:X509SerialNumber>1239532339</ds:X509SerialNumber>
>>>              </ds:X509IssuerSerial>
>>>            </ds:X509Data>
>>>          </wsse:SecurityTokenReference>
>>>        </ds:KeyInfo>
>>>        <xenc:CipherData>
>>>
>>> <xenc:CipherValue>UyGnAx6pl+ZERphViFz9Slw5hEajY0fFY8EgrrX0ceKRjkmk4+rgubc7A4hWGF4rw81i5CeLgh3RichfpbZiQJXqGpbs1CUnkNelUuxvJDG4BFfkJXVUy3D9sY8bjlEhRStTUQ5fE8k4vhyrmh9yCLExwxmjNd7D/nAm7osXTOE=</xenc:CipherValue>
>>>        </xenc:CipherData>
>>>      </xenc:EncryptedKey>
>>>      <wsc:DerivedKeyToken
>>> xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc" wsu:Id="DK-3">
>>>        <wsse:SecurityTokenReference
>>> xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
>>> wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"
>>> wsu:Id="STR-3325E85711A0FD3C1013288748329712">
>>>          <wsse:Reference URI="#EK-3325E85711A0FD3C1013288748329521"
>>> ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
>>>        </wsse:SecurityTokenReference>
>>>        <wsc:Offset>0</wsc:Offset>
>>>        <wsc:Length>32</wsc:Length>
>>>        <wsc:Nonce>FYC8xkAu0dS4jNXunaIeYA==</wsc:Nonce>
>>>      </wsc:DerivedKeyToken>
>>>      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>>> Id="ED-5" Type="http://www.w3.org/2001/04/xmlenc#Element">
>>>        <xenc:EncryptionMethod
>>> Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>>>        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>          <wsse:SecurityTokenReference
>>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>>            <wsse:Reference URI="#DK-3"/>
>>>          </wsse:SecurityTokenReference>
>>>        </ds:KeyInfo>
>>>        <xenc:CipherData>
>>>
>>> <xenc:CipherValue>C04EfqTdgX8UVRXqfPgYzdvrd3k8JeYzA0lW7xk5j9TZBcpuRiKBOuFyhbdpMoyiFLflZg99s9e6X0wMsdd/Clmtn+PUiZEH0s/DC/SzW13SnRfmbFAJIjV1DyRG6K/KW9P1UxLYd47HlsCFPZSGVeBt8DrZj+sTu5izDZMkxsVA55hY4RWleQq4w/MIZ9c51bj1Jf7lYC8gBDEXbb1qCvjrcRlmjjIo2ipyAuYT/wYW6WMSViqrTqieW8yR/+RM2txgwqTMyMkA4MD0cIacwKgr+DoUmQ9so5l/WCgbjuxaQf2sAhmCN6ZPS2fiK2JkTCXeuaZuHSJ4zi6/7vxyJpYpAjVgjjUeUlWb8jwuSts=</xenc:CipherValue>
>>>        </xenc:CipherData>
>>>      </xenc:EncryptedData>
>>>      <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>>>        <xenc:DataReference URI="#ED-4"/>
>>>        <xenc:DataReference URI="#ED-5"/>
>>>      </xenc:ReferenceList>
>>>    </wsse:Security>
>>>  </soap:Header>
>>>  <soap:Body
>>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>> wsu:Id="Id-14712427">
>>>    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>>> Id="ED-4" Type="http://www.w3.org/2001/04/xmlenc#Content">
>>>      <xenc:EncryptionMethod
>>> Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>>>      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>        <wsse:SecurityTokenReference
>>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>>          <wsse:Reference URI="#DK-3"/>
>>>        </wsse:SecurityTokenReference>
>>>      </ds:KeyInfo>
>>>      <xenc:CipherData>
>>>        <xenc:CipherValue>hSU+Y3...2jbCTmg==</xenc:CipherValue>
>>>      </xenc:CipherData>
>>>    </xenc:EncryptedData>
>>>  </soap:Body>
>>> </soap:Envelope>
>>>
>>> Thanks,
>>>
>>>  - Dennis
>>>
>>> --
>>>
>>> Dennis M. Sosnoski
>>> Java SOA and Web Services Consulting <http://www.sosnoski.com/consult.html>
>>> CXF and Web Services Security Training
>>> <http://www.sosnoski.com/training.html>
>>> Web Services Jump-Start <http://www.sosnoski.com/jumpstart.html>
>>>
>>
>>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
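The ordering problem discussed in this thread (a ReferenceList appended *after* the header EncryptedData it points at, so that by the time the ReferenceListProcessor runs the element has already been decrypted in place and the DataReference can no longer be resolved) can be checked before a message reaches the security engine. The script below is an added example, not code from the thread, from WSS4J or from CXF; it is written in Python rather than Java so that it runs stand-alone, and it only mirrors the document-order behaviour the thread describes. The envelope is a constructed sample with the same header layout as Dennis's request (Timestamp, EncryptedKey, header EncryptedData `ED-5`, ReferenceList pointing at `#ED-4` and `#ED-5`, body EncryptedData `ED-4`), with ciphertext replaced by placeholders. `check_reference_list` walks the wsse:Security header in document order and reports, per DataReference, whether its target would still be resolvable when the ReferenceList is reached; `move_reference_list_first` rewrites the header so the ReferenceList precedes the first EncryptedData, which is the layout the thread says the processor handles without a problem.

```python
"""Document-order check for xenc:ReferenceList inside a wsse:Security header.

Added example (not WSS4J/CXF code). Simulates in-order processing of the
header: an EncryptedData that precedes the ReferenceList is treated as
already decrypted and replaced, so a later DataReference to it fails.
"""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"

EDATA = f"{{{XENC}}}EncryptedData"
REFLIST = f"{{{XENC}}}ReferenceList"
DATAREF = f"{{{XENC}}}DataReference"
SECURITY_PATH = f"./{{{SOAP}}}Header/{{{WSSE}}}Security"

# Constructed sample: same header layout as the request quoted in the thread,
# with key material and ciphertext replaced by PLACEHOLDER values.
SAMPLE_ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}"
    xmlns:wsu="{WSU}" xmlns:xenc="{XENC}">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-1"/>
      <xenc:EncryptedKey Id="EK-1"><xenc:CipherData>
        <xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>
      <xenc:EncryptedData Id="ED-5" Type="{XENC}Element"><xenc:CipherData>
        <xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
      <xenc:ReferenceList>
        <xenc:DataReference URI="#ED-4"/>
        <xenc:DataReference URI="#ED-5"/>
      </xenc:ReferenceList>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Id-1">
    <xenc:EncryptedData Id="ED-4" Type="{XENC}Content"><xenc:CipherData>
      <xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>"""


def _element_id(el):
    """EncryptedData carries a plain Id attribute; other tokens use wsu:Id."""
    return el.get("Id") or el.get(f"{{{WSU}}}Id")


def _encrypted_data_by_id(root):
    """Map every EncryptedData Id in the envelope (header and body) to its element."""
    return {_element_id(el): el for el in root.iter(EDATA) if _element_id(el)}


def _security_header(root):
    security = root.find(SECURITY_PATH)
    if security is None:
        raise ValueError("no wsse:Security header in soap:Header")
    return security


def check_reference_list(envelope_xml):
    """Return {DataReference URI: 'ok' | 'already-decrypted' | 'missing'}.

    The header is walked in document order. Reaching an EncryptedData before
    the ReferenceList models its in-place decryption: the element is removed
    from the lookup table, so a later DataReference to it is 'already-decrypted'.
    """
    root = ET.fromstring(envelope_xml)
    security = _security_header(root)
    all_targets = _encrypted_data_by_id(root)
    available = dict(all_targets)
    results = {}
    for child in security:
        if child.tag == EDATA:
            available.pop(_element_id(child), None)
        elif child.tag == REFLIST:
            for ref in child.findall(DATAREF):
                uri = ref.get("URI", "")
                target = uri[1:] if uri.startswith("#") else uri
                if target in available:
                    results[uri] = "ok"
                elif target in all_targets:
                    results[uri] = "already-decrypted"
                else:
                    results[uri] = "missing"
    return results


def move_reference_list_first(envelope_xml):
    """Serialize the envelope with each ReferenceList moved ahead of the first
    EncryptedData in the header (the order the thread says the processor needs)."""
    root = ET.fromstring(envelope_xml)
    security = _security_header(root)
    ref_lists = [c for c in list(security) if c.tag == REFLIST]
    for rl in ref_lists:
        security.remove(rl)
    remaining = list(security)
    first_ed = next((i for i, c in enumerate(remaining) if c.tag == EDATA), len(remaining))
    for offset, rl in enumerate(ref_lists):
        security.insert(first_ed + offset, rl)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("as sent:   ", check_reference_list(SAMPLE_ENVELOPE))
    print("reordered: ", check_reference_list(move_reference_list_first(SAMPLE_ENVELOPE)))
```

Run as-is, the first line reports `#ED-4` as `ok` (the body element is untouched when the header ReferenceList is reached) and `#ED-5` as `already-decrypted`, which is the situation behind the "DataReference - referenced data not found" error in the thread; after reordering both references are `ok`. The check only reasons about element order and Ids, so it is cheap to run over captured requests when diagnosing a WSS4J deployment, and it deliberately does not touch any key material.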
