ws-dev mailing list archives

From "Alessio Soldano (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (WSS-475) Issue with multiple processing of ReferenceList in EncryptedKey element
Date Tue, 13 Aug 2013 16:37:48 GMT

     [ https://issues.apache.org/jira/browse/WSS-475?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alessio Soldano updated WSS-475:
--------------------------------

    Description: 
I have an incoming request message looking as follows:
{noformat}
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soap:mustUnderstand="1">
      ...
      <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
wsu:Id="BST-23456">...</wsse:BinarySecurityToken>
      <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="XSIG-7896">
        ...
        <dsig:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#EK-ABCDE" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
          </wsse:SecurityTokenReference>
        </dsig:KeyInfo>
      </dsig:Signature>
      <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        ...
      </dsig:Signature>
      <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-ABCDE">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
          <dsig:DigestMethod xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        </xenc:EncryptionMethod>
        <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STR-8901">
            <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">...</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </dsig:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue xmlns:xmime="http://www.w3.org/2005/05/xmlmime" xmime:contentType="application/octet-stream">...</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#_REF123"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </soap:Header>
  <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Body-5678">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content"
Id="_REF123">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wsse:Reference URI="#EK-ABCDE" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
        </wsse:SecurityTokenReference>
      </dsig:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue xmlns:xmime="http://www.w3.org/2005/05/xmlmime" xmime:contentType="application/octet-stream">...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>
{noformat}

WSS4J fails on processing this as the ReferenceList within the EncryptedKey is processed twice
(the first time when dealing with XSIG-7896 Signature element and the second time when actually
dealing with the EncryptedKey element). The second time the ReferenceList is processed, the
reference to Id="_REF123" can't be resolved, as the EncryptedData has likely been decrypted
in the previous pass.

  was:
I have an incoming request message looking as follows:
{code:xml}
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soap:mustUnderstand="1">
      ...
      <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
wsu:Id="BST-23456">...</wsse:BinarySecurityToken>
      <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="XSIG-7896">
        ...
        <dsig:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#EK-ABCDE" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
          </wsse:SecurityTokenReference>
        </dsig:KeyInfo>
      </dsig:Signature>
      <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        ...
      </dsig:Signature>
      <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-ABCDE">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
          <dsig:DigestMethod xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        </xenc:EncryptionMethod>
        <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STR-8901">
            <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">...</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </dsig:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue xmlns:xmime="http://www.w3.org/2005/05/xmlmime" xmime:contentType="application/octet-stream">...</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#_REF123"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </soap:Header>
  <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Body-5678">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content"
Id="_REF123">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wsse:Reference URI="#EK-ABCDE" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
        </wsse:SecurityTokenReference>
      </dsig:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue xmlns:xmime="http://www.w3.org/2005/05/xmlmime" xmime:contentType="application/octet-stream">...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>
{code}

WSS4J fails on processing this as the ReferenceList within the EncryptedKey is processed twice
(the first time when dealing with XSIG-7896 Signature element and the second time when actually
dealing with the EncryptedKey element). The second time the ReferenceList is processed, the
reference to Id="_REF123" can't be resolved, as the EncryptedData has likely been decrypted
in the previous pass.

    
> Issue with multiple processing of ReferenceList in EncryptedKey element
> -----------------------------------------------------------------------
>
>                 Key: WSS-475
>                 URL: https://issues.apache.org/jira/browse/WSS-475
>             Project: WSS4J
>          Issue Type: Bug
>    Affects Versions: 1.6.9
>            Reporter: Alessio Soldano
>            Assignee: Colm O hEigeartaigh
>
> I have an incoming request message looking as follows:
> {noformat}
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
>   <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> soap:mustUnderstand="1">
>       ...
>       <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> wsu:Id="BST-23456">...</wsse:BinarySecurityToken>
>       <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="XSIG-7896">
>         ...
>         <dsig:KeyInfo>
>           <wsse:SecurityTokenReference>
>             <wsse:Reference URI="#EK-ABCDE" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
>           </wsse:SecurityTokenReference>
>         </dsig:KeyInfo>
>       </dsig:Signature>
>       <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>         ...
>       </dsig:Signature>
>       <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-ABCDE">
>         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>           <dsig:DigestMethod xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>         </xenc:EncryptionMethod>
>         <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>           <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="STR-8901">
>             <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">...</wsse:KeyIdentifier>
>           </wsse:SecurityTokenReference>
>         </dsig:KeyInfo>
>         <xenc:CipherData>
>           <xenc:CipherValue xmlns:xmime="http://www.w3.org/2005/05/xmlmime" xmime:contentType="application/octet-stream">...</xenc:CipherValue>
>         </xenc:CipherData>
>         <xenc:ReferenceList>
>           <xenc:DataReference URI="#_REF123"/>
>         </xenc:ReferenceList>
>       </xenc:EncryptedKey>
>     </wsse:Security>
>   </soap:Header>
>   <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="Body-5678">
>     <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content"
> Id="_REF123">
>       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
>       <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>         <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>           <wsse:Reference URI="#EK-ABCDE" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
>         </wsse:SecurityTokenReference>
>       </dsig:KeyInfo>
>       <xenc:CipherData>
>         <xenc:CipherValue xmlns:xmime="http://www.w3.org/2005/05/xmlmime" xmime:contentType="application/octet-stream">...</xenc:CipherValue>
>       </xenc:CipherData>
>     </xenc:EncryptedData>
>   </soapenv:Body>
> </soapenv:Envelope>
> {noformat}
> WSS4J fails on processing this as the ReferenceList within the EncryptedKey is processed
> twice (the first time when dealing with XSIG-7896 Signature element and the second time when
> actually dealing with the EncryptedKey element). The second time the ReferenceList is processed,
> the reference to Id="_REF123" can't be resolved, as the EncryptedData has likely been decrypted
> in the previous pass.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
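The sequence the report describes, modelled as an added example that is not WSS4J code and not part of the original message: a toy processor walks the wsse:Security header in document order, follows the Signature's KeyInfo reference to the EncryptedKey, decrypts the DataReference in its ReferenceList, and then meets the same EncryptedKey element again. The envelope below is a constructed cut-down copy of the one in the report (placeholder cipher values, no real crypto), and the `remember_processed` switch is a hypothetical illustration of one way to avoid walking a ReferenceList twice; the page does not say how WSS4J itself resolved the issue.

```python
"""Simulation of the double-processing sequence reported in WSS-475.

Not WSS4J code: a toy processor that follows the report's description of
what happens, with decryption reduced to replacing the EncryptedData node.
"""
import xml.etree.ElementTree as ET

# Namespace URIs as used in the message quoted in the report.
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
EK_VALUE_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"


def q(prefix, local):
    """Clark-notation tag name for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


# Constructed message: the shape of the report's envelope, with the signature
# body and cipher text reduced to placeholders (no real crypto runs here).
ENVELOPE = """<soapenv:Envelope xmlns:soapenv="%(soapenv)s" xmlns:wsse="%(wsse)s"
    xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s" xmlns:xenc="%(xenc)s">
  <soapenv:Header>
    <wsse:Security>
      <ds:Signature Id="XSIG-7896">
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#EK-ABCDE" ValueType="%(ekvt)s"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <xenc:EncryptedKey Id="EK-ABCDE">
        <xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList><xenc:DataReference URI="#_REF123"/></xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="Body-5678">
    <xenc:EncryptedData Id="_REF123" Type="%(xenc)sContent">
      <xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>""" % dict(NS, ekvt=EK_VALUE_TYPE)


class UnresolvedReference(Exception):
    """A URI reference in the security header points at nothing usable."""


def find_by_id(root, ref_id):
    """Resolve an Id or wsu:Id attribute anywhere in the document."""
    for el in root.iter():
        if el.get("Id") == ref_id or el.get(q("wsu", "Id")) == ref_id:
            return el
    return None


class SecurityHeaderProcessor:
    def __init__(self, envelope_xml, remember_processed):
        self.root = ET.fromstring(envelope_xml)
        # Hypothetical switch: when True, an EncryptedKey already handled via
        # a Signature's KeyInfo is not walked a second time.
        self.remember_processed = remember_processed
        self.processed_keys = set()
        self.decrypted = []

    def decrypt_data_reference(self, uri):
        ref_id = uri[1:] if uri.startswith("#") else uri
        target = find_by_id(self.root, ref_id)
        if target is None or target.tag != q("xenc", "EncryptedData"):
            # Fail closed: never silently skip a DataReference that does not resolve.
            raise UnresolvedReference("cannot resolve DataReference %s" % uri)
        parent = {c: p for p in self.root.iter() for c in p}[target]
        idx = list(parent).index(target)
        parent.remove(target)
        # Simulated decryption: EncryptedData is replaced by recovered content,
        # so the Id "_REF123" no longer exists in the document afterwards.
        plain = ET.Element("Plaintext")
        plain.text = "decrypted content of %s" % ref_id
        parent.insert(idx, plain)
        self.decrypted.append(ref_id)

    def process_encrypted_key(self, ek):
        ek_id = ek.get("Id")
        if self.remember_processed and ek_id in self.processed_keys:
            return
        for dr in ek.iter(q("xenc", "DataReference")):
            self.decrypt_data_reference(dr.get("URI"))
        self.processed_keys.add(ek_id)

    def process_signature(self, sig):
        # KeyInfo -> STR -> Reference to the EncryptedKey: per the report this
        # is the first pass over that key's ReferenceList.
        for ref in sig.iter(q("wsse", "Reference")):
            if ref.get("ValueType") != EK_VALUE_TYPE:
                continue
            ek = find_by_id(self.root, ref.get("URI").lstrip("#"))
            if ek is None or ek.tag != q("xenc", "EncryptedKey"):
                raise UnresolvedReference("cannot resolve %s" % ref.get("URI"))
            self.process_encrypted_key(ek)

    def run(self):
        security = self.root.find("soapenv:Header/wsse:Security", NS)
        for child in list(security):
            if child.tag == q("ds", "Signature"):
                self.process_signature(child)
            elif child.tag == q("xenc", "EncryptedKey"):
                self.process_encrypted_key(child)


def process(remember_processed):
    """Run the header once; return (ok, decrypted ids, error message or None)."""
    proc = SecurityHeaderProcessor(ENVELOPE, remember_processed)
    try:
        proc.run()
        return True, proc.decrypted, None
    except UnresolvedReference as exc:
        return False, proc.decrypted, str(exc)


if __name__ == "__main__":
    print("naive processor:   ", process(False))
    print("tracking processor:", process(True))
```

With `remember_processed=False` the first pass (via the Signature) decrypts `_REF123` and the second pass (the EncryptedKey element itself) fails to resolve the now-missing Id, which is the failure the report describes; with the switch on, the key's ReferenceList is walked exactly once. The unresolved reference is raised rather than ignored on purpose: a decryptor that quietly drops a DataReference it cannot find would leave content the sender declared encrypted unprocessed.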

