cxf-issues mailing list archives

From "Brian Storm Graversen (JIRA)" <>
Subject [jira] [Commented] (CXF-6398) AlgorithmSuitePolicyValidator rejects enveloped-signature Transform
Date Mon, 11 May 2015 12:28:59 GMT


Brian Storm Graversen commented on CXF-6398:

I think that this validation code might have been inspired by the Basic Security Profile 1.1
rule 5412, as it states that the LAST Transform must be one of the Transforms that the code
in checkDataRefs() validates against.

I think the problem is that the validation is too strict, as it requires ALL Transforms to
be on this list, and not just the LAST Transform.

> AlgorithmSuitePolicyValidator rejects enveloped-signature Transform
> -------------------------------------------------------------------
>                 Key: CXF-6398
>                 URL:
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 3.0.5
>            Reporter: Brian Storm Graversen
> I'm receiving a response from a (.NET) webservice, where the security requirements are
> set by a WS-SecurityPolicy section in the WSDL.
> The response contains a set of Reference elements, that have both the enveloped-signature
> transform and the c14n transform, example below
> {code:xml}
> 	<Reference URI="#action">
> 		<Transforms>
> 			<Transform Algorithm=""></Transform>
> 			<Transform Algorithm=""></Transform>
> 		</Transforms>
> 		<DigestMethod Algorithm=""></DigestMethod>
> 		<DigestValue>1hj8fpM7T5rcOsNRPpnxA3p3AkM=</DigestValue>
> 	</Reference>
> {code}
> Unfortunately, the AlgorithmSuitePolicyValidator does not like the enveloped-signature
> transform, and the response is rejected, exception shown below
> {code}
> Exception in thread "main" These policy alternatives can not be satisfied: 
> {}AlgorithmSuite: The transform algorithms do not match the requirement
> {}Basic256
> 	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(
> 	at com.sun.proxy.$Proxy33.helloWorld(Unknown Source)
> 	at client.WSClient.hello(
> 	at client.WSClient.main(
> Caused by: These policy alternatives can not be satisfied: 
> {}AlgorithmSuite: The transform algorithms do not match the requirement
> {}Basic256
> 	at
> 	at
> 	at
> 	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(
> 	at org.apache.cxf.endpoint.ClientImpl.onMessage(
> {code}
> I took a look at the AlgorithmSuitePolicyValidator that does the actual validation, and
> it scans through all the Transforms, and rejects the Reference if ANY of the Transform elements
> are not on an approved list.
> Should it not just validate that the list of Transforms contains at least one transform
> that is c14n (or similar), and allow the enveloped-signature transform?

This message was sent by Atlassian JIRA
