Posted to users@cxf.apache.org by Martin Fernau <ma...@fernausoft.de> on 2016/10/26 15:22:41 UTC
TransportBinding: Server response failed with "These policy
alternatives can not be satisfied"
Hi,
I have a WSDL with the following partial content:
--cut
<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:Policy>
    <sp:TransportToken>
      <wsp:Policy>
        <sp:HttpsToken RequireClientCertificate="false"/>
      </wsp:Policy>
    </sp:TransportToken>
    <sp:AlgorithmSuite>
      <wsp:Policy>
        <sp:Basic256/>
      </wsp:Policy>
    </sp:AlgorithmSuite>
    <sp:Layout>
      <wsp:Policy>
        <sp:Strict/>
      </wsp:Policy>
    </sp:Layout>
    <sp:IncludeTimestamp/>
  </wsp:Policy>
</sp:TransportBinding>
--cut
If I call this service, the response from the server gets rejected by CXF:
--cut
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These policy alternatives can not be satisfied:
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}AlgorithmSuite: The signature derived key length does not match the requirement {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}Basic256
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:161)
    at com.sun.proxy.$Proxy51.getContractsByCustomerID(Unknown Source)
    at de.dmsserver.plugin.ford.test.fhdsales.TestComm.testGetContractsByCustomerID(TestComm.java:135)
    at de.dmsserver.plugin.ford.test.fhdsales.TestComm.main(TestComm.java:128)
--cut
If I change "<sp:Basic256/>" above to "<sp:Basic128/>", the message is
accepted.
Is this a problem with the remote service or with CXF?
AFAIK TransportBinding applies to the connection, which is SSL-encrypted.
If I check the SSL certificate with "openssl s_client -showcerts
-connect [server]:443" I get:
--cut
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify return:1
depth=0 C = XX, ST = XX, L = XX, O = XX, CN = XX
verify return:1
---
Certificate chain
 0 s:/C=XX/ST=XX/L=XX/O=XX/CN=XX
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=XX/ST=XX/L=XX/O=XX/CN=XX
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
---
No client certificate CA names sent
---
SSL handshake has read 3072 bytes and written 471 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID:
CD4B00002CD328917F89C4AF9010C5145C745FD134466567345539C6AA1BE676
Session-ID-ctx:
Master-Key:
11B433DDEF0B003A6F261390EA6D50F1D881A9ADA2A40ABD3EC99F732C1132CD70CB17E19C4E6645B94CA25ACE798591
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1477495032
Timeout : 300 (sec)
Verify return code: 0 (ok)
--cut
Thanks
Martin
Re: TransportBinding: Server response failed with "These policy
alternatives can not be satisfied"
Posted by Martin Fernau <ma...@fernausoft.de>.
Thanks a lot for your time and explanation!
For me all this WS-Security/WS-Policy stuff is like a black box,
and it's hard to get a "deep" understanding of it all because I rarely
get in touch with it.
Thus I'm very glad if someone takes the time and tries to explain how
things work.
Martin
On 27.10.2016 at 11:19, Colm O hEigeartaigh wrote:
> It's a little bit ambiguous. The designer of the service probably meant the
> AlgorithmSuite in the SymmetricBinding to apply to the message level
> security, and not the AlgorithmSuite of the TransportBinding. However, CXF
> does not interpret the policies in this way, as *all* of the policies must
> be valid (you are not using policy alternatives). In a nutshell, yes
> including two different AlgorithmSuite policies is a contradiction in
> terms, or at least that's how CXF sees it.
>
> Colm.
>
> On Thu, Oct 27, 2016 at 10:12 AM, Martin Fernau <martin.fernau@fernausoft.de> wrote:
>> So, how can I interpret this situation? Is it a clear mistake (or
>> misconfiguration) of the remote service?
>>
>> Although it's no problem to change the WSDL to overcome this problem (in
>> this case), I dislike such an approach because we (my company) _must_ use
>> their service and we need to pay for the acceptance of our client using it.
>> And we have other problems with other methods (you know the topic about the
>> encrypted header) where I currently can't say if it's not another problem
>> with their possible misconfiguration.
>>
>> Is the following correct?
>> - The communication uses a symmetric key which is generated by my client
>> (CXF)
>> - For the key generated by me, the Basic128Rsa15 AlgorithmSuite in
>> SymmetricBinding applies, which means a key of 128 bit length
>> - Because the key itself is 128 bit, the derived keys can't be higher
>> encrypted and thus are 128 bit (?)
>> - For the replies this means that the keys are still 128 bit
>>
>> If the above conclusion of mine is correct and if I interpret this site
>> [1] correctly (where your previous comment is confirmed that Basic256 means
>> that signature needs to be 192 and encryption needs to be 256 bit) then
>> Basic256 as the AlgorithmSuite in TransportBinding and Basic128Rsa15 as the
>> AlgorithmSuite in SymmetricBinding must be a contradiction in terms?
>>
>> Thanks
>> Martin
>>
>> [1] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826547
>>
>> On 26.10.2016 at 21:39, Colm O hEigeartaigh wrote:
>>
>>> The problem is that all of the policies must be enforced. CXF is rejecting
>>> the Basic256 policy, as the signature derivation key lengths in the message
>>> do not match it.
>>>
>>> As the TransportBinding policy is only being used here to require that TLS
>>> is used, I would just omit the AlgorithmSuite altogether from the
>>> TransportBinding policy and it should work.
>>>
>>> Colm.
>>>
>>> On Wed, Oct 26, 2016 at 5:39 PM, Martin Fernau <martin.fernau@fernausoft.de> wrote:
>>>
>>>> Sure, but the WSDL is somewhat complex.
>>>> For that reason I truncated the WSDL to the related parts:
>>>>
>>>> --cut
>>>> <?xml version="1.0" encoding="utf-8"?>
>>>> <wsdl:definitions name="ServiceCustomer" targetNamespace="http://tempuri.org/"
>>>>     xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
>>>>     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>>>>     xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
>>>>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>>     xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
>>>>     xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
>>>>     xmlns:tns="http://tempuri.org/"
>>>>     xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
>>>>     xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
>>>>     xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy"
>>>>     xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
>>>>     xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract"
>>>>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>>>     xmlns:wsa10="http://www.w3.org/2005/08/addressing"
>>>>     xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata">
>>>>   <wsp:Policy wsu:Id="CustomBinding_IServiceCustomer_policy">
>>>>     <wsp:ExactlyOne>
>>>>       <wsp:All>
>>>>         <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>>           <wsp:Policy>
>>>>             <sp:ProtectionToken>
>>>>               <wsp:Policy>
>>>>                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>>>>                   <wsp:Policy>
>>>>                     <sp:RequireDerivedKeys/>
>>>>                     <sp:RequireThumbprintReference/>
>>>>                     <sp:WssX509V3Token10/>
>>>>                   </wsp:Policy>
>>>>                 </sp:X509Token>
>>>>               </wsp:Policy>
>>>>             </sp:ProtectionToken>
>>>>             <sp:AlgorithmSuite>
>>>>               <wsp:Policy>
>>>>                 <sp:Basic128Rsa15/>
>>>>               </wsp:Policy>
>>>>             </sp:AlgorithmSuite>
>>>>             <sp:Layout>
>>>>               <wsp:Policy>
>>>>                 <sp:Strict/>
>>>>               </wsp:Policy>
>>>>             </sp:Layout>
>>>>             <sp:IncludeTimestamp/>
>>>>             <sp:OnlySignEntireHeadersAndBody/>
>>>>           </wsp:Policy>
>>>>         </sp:SymmetricBinding>
>>>>         <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>>           <wsp:Policy>
>>>>             <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>>>>               <wsp:Policy>
>>>>                 <sp:RequireThumbprintReference/>
>>>>                 <sp:WssX509V3Token10/>
>>>>               </wsp:Policy>
>>>>             </sp:X509Token>
>>>>           </wsp:Policy>
>>>>         </sp:EndorsingSupportingTokens>
>>>>         <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>>           <wsp:Policy>
>>>>             <sp:MustSupportRefThumbprint/>
>>>>             <sp:MustSupportRefEncryptedKey/>
>>>>             <sp:RequireSignatureConfirmation/>
>>>>           </wsp:Policy>
>>>>         </sp:Wss11>
>>>>         <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>>           <wsp:Policy>
>>>>             <sp:MustSupportIssuedTokens/>
>>>>             <sp:RequireClientEntropy/>
>>>>             <sp:RequireServerEntropy/>
>>>>           </wsp:Policy>
>>>>         </sp:Trust10>
>>>>         <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>>           <wsp:Policy>
>>>>             <sp:TransportToken>
>>>>               <wsp:Policy>
>>>>                 <sp:HttpsToken RequireClientCertificate="false"/>
>>>>               </wsp:Policy>
>>>>             </sp:TransportToken>
>>>>             <sp:AlgorithmSuite>
>>>>               <wsp:Policy>
>>>>                 <sp:Basic256/>
>>>>               </wsp:Policy>
>>>>             </sp:AlgorithmSuite>
>>>>             <sp:Layout>
>>>>               <wsp:Policy>
>>>>                 <sp:Strict/>
>>>>               </wsp:Policy>
>>>>             </sp:Layout>
>>>>             <sp:IncludeTimestamp/>
>>>>           </wsp:Policy>
>>>>         </sp:TransportBinding>
>>>>         <wsaw:UsingAddressing/>
>>>>       </wsp:All>
>>>>     </wsp:ExactlyOne>
>>>>   </wsp:Policy>
>>>>   <wsp:Policy wsu:Id="CustomBinding_IServiceCustomer_GetContractsByCustomerID_Input_policy">
>>>>     <wsp:ExactlyOne>
>>>>       <wsp:All>
>>>>         <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>>           <sp:Body/>
>>>>           <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
>>>>           <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
>>>>           <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>>>>           <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>>>>           <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
>>>>           <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>>>>           <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
>>>>         </sp:SignedParts>
>>>>         <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>>           <sp:Body/>
>>>>         </sp:EncryptedParts>
>>>>       </wsp:All>
>>>>     </wsp:ExactlyOne>
>>>>   </wsp:Policy>
>>>>   [... several Policy-Types more ...]
>>>>   <wsdl:types>
>>>>     [...]
>>>>   </wsdl:types>
>>>>   <wsdl:message name="IServiceCustomer_GetContractsByCustomerID_InputMessage">
>>>>     <wsdl:part name="parameters" element="tns:GetContractsByCustomerID"/>
>>>>   </wsdl:message>
>>>>   <wsdl:message name="IServiceCustomer_GetContractsByCustomerID_OutputMessage">
>>>>     <wsdl:part name="parameters" element="tns:GetContractsByCustomerIDResponse"/>
>>>>   </wsdl:message>
>>>>   [... several Message-Types more ...]
>>>>   <wsdl:portType name="IServiceCustomer">
>>>>     <wsdl:operation name="GetContractsByCustomerID">
>>>>       <wsdl:input wsaw:Action="http://tempuri.org/IServiceCustomer/GetContractsByCustomerID"
>>>>           message="tns:IServiceCustomer_GetContractsByCustomerID_InputMessage"/>
>>>>       <wsdl:output wsaw:Action="http://tempuri.org/IServiceCustomer/GetContractsByCustomerIDResponse"
>>>>           message="tns:IServiceCustomer_GetContractsByCustomerID_OutputMessage"/>
>>>>     </wsdl:operation>
>>>>     [...]
>>>>   </wsdl:portType>
>>>>   <wsdl:binding name="CustomBinding_IServiceCustomer" type="tns:IServiceCustomer">
>>>>     <wsp:PolicyReference URI="#CustomBinding_IServiceCustomer_policy"/>
>>>>     <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
>>>>     <wsdl:operation name="GetContractsByCustomerID">
>>>>       <soap:operation soapAction="http://tempuri.org/IServiceCustomer/GetContractsByCustomerID" style="document"/>
>>>>       <wsdl:input>
>>>>         <wsp:PolicyReference URI="#CustomBinding_IServiceCustomer_GetContractsByCustomerID_Input_policy"/>
>>>>         <soap:body use="literal"/>
>>>>       </wsdl:input>
>>>>       <wsdl:output>
>>>>         <wsp:PolicyReference URI="#CustomBinding_IServiceCustomer_GetContractsByCustomerID_output_policy"/>
>>>>         <soap:body use="literal"/>
>>>>       </wsdl:output>
>>>>     </wsdl:operation>
>>>>     [...]
>>>>   </wsdl:binding>
>>>>   <wsdl:service name="ServiceCustomer">
>>>>     <wsdl:port name="CustomBinding_IServiceCustomer" binding="tns:CustomBinding_IServiceCustomer">
>>>>       <soap:address location="[...]"/>
>>>>       <wsa10:EndpointReference>
>>>>         <wsa10:Address>[...]</wsa10:Address>
>>>>         <Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
>>>>           <Dns>localhost</Dns>
>>>>         </Identity>
>>>>       </wsa10:EndpointReference>
>>>>     </wsdl:port>
>>>>   </wsdl:service>
>>>> </wsdl:definitions>
>>>> --cut
>>>>
>>>>
>>>> On 26.10.2016 at 17:48, Colm O hEigeartaigh wrote:
>>>>
>>>>> For Basic256, the signature derived key length must be 192 bits (and 256
>>>>> for encryption). However in the sample message it is just using 128 bits
>>>>> for both. Let's see the full security policy configuration, where is it
>>>>> getting the information from to secure the message? Above it's just the
>>>>> TransportBinding configuration.
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Wed, Oct 26, 2016 at 4:34 PM, Martin Fernau <martin.fernau@fernausoft.de> wrote:
>>>>>
>>>>>> Yes it does.
>>>>>> For simplicity I paste the whole response after these lines.
>>>>>>
>>>>>> --cut
>>>>>> <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
>>>>>>     xmlns:a="http://www.w3.org/2005/08/addressing"
>>>>>>     xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>>>>>>   <s:Header>
>>>>>>     <a:Action s:mustUnderstand="1" u:Id="_6">http://tempuri.org/IServiceCustomer/GetContractsByCustomerIDResponse</a:Action>
>>>>>>     <a:RelatesTo u:Id="_7">urn:uuid:9f796ce4-4151-4720-9911-6f533112b4fa</a:RelatesTo>
>>>>>>     <o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>>>>>>         s:mustUnderstand="1">
>>>>>>       <u:Timestamp u:Id="uuid-eb38523b-3459-439a-8576-47af2ed4b522-470">
>>>>>>         <u:Created>2016-10-26T15:32:20.723Z</u:Created>
>>>>>>         <u:Expires>2016-10-26T15:37:20.723Z</u:Expires>
>>>>>>       </u:Timestamp>
>>>>>>       <c:DerivedKeyToken xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc" u:Id="_0">
>>>>>>         <o:SecurityTokenReference xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
>>>>>>             k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
>>>>>>           <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1"
>>>>>>               EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">/vaenfbIzpR6zUN7nL+LjSc6jeY=</o:KeyIdentifier>
>>>>>>         </o:SecurityTokenReference>
>>>>>>         <c:Offset>0</c:Offset>
>>>>>>         <c:Length>16</c:Length>
>>>>>>         <c:Nonce>nwdUEQxC0ErM+Ksf07uXjg==</c:Nonce>
>>>>>>       </c:DerivedKeyToken>
>>>>>>       <c:DerivedKeyToken xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc" u:Id="_3">
>>>>>>         <o:SecurityTokenReference xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
>>>>>>             k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
>>>>>>           <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1"
>>>>>>               EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">/vaenfbIzpR6zUN7nL+LjSc6jeY=</o:KeyIdentifier>
>>>>>>         </o:SecurityTokenReference>
>>>>>>         <c:Offset>0</c:Offset>
>>>>>>         <c:Length>16</c:Length>
>>>>>>         <c:Nonce>Xu4KRD3co7K0Y9JpAXdBFA==</c:Nonce>
>>>>>>       </c:DerivedKeyToken>
>>>>>>       <e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>>>>>>         <e:DataReference URI="#_5"/>
>>>>>>       </e:ReferenceList>
>>>>>>       <k:SignatureConfirmation xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" u:Id="_1"
>>>>>>           Value="nFxAQYQAA1DzkfjPLsnLlqJjYmE="/>
>>>>>>       <k:SignatureConfirmation xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" u:Id="_2"
>>>>>> Value="xT8BJzHchJQ7oDTyeOtKhG9GCmiMB+MbUrXgc2fAJvrHZ9pDSf/
>>>>>> dvT/SYZfd11N5HWIdDwrcKA42Qt5QF/XpFrL2Y1GOd1bJdfflNX+AjFVqDvt
>>>>>> l1rlbaPIR4ucxj1nmqn+YkcFQoupw0Za7VEk169Foo4HQd+49f5HiK7xS44X
>>>>>> p1nj8sNNkYPXfmq/4FyG9ihat7Auho6OfQPVD+lKV0O/ZAQhiou80afmxTXZ
>>>>>> GwD0cNSyhuzNV8i53AIJx6+E8pvx0fxqYAzalbDJ4xVXhsOa0n86OSGqB9gL
>>>>>> r4TzdQl4DTV+HgCu/OHfXPm6GzNHfAtU+w040h9cL9QO59flMsA=="/>
>>>>>>       <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>>>>>         <SignedInfo>
>>>>>>           <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>>>           <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
>>>>>>           <Reference URI="#_4">
>>>>>>             <Transforms>
>>>>>>               <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>>>             </Transforms>
>>>>>>             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>>>>             <DigestValue>a4dYMJM7glapET2aPCKJJ4NGnR8=</DigestValue>
>>>>>>           </Reference>
>>>>>>           <Reference URI="#_6">
>>>>>>             <Transforms>
>>>>>>               <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>>>             </Transforms>
>>>>>>             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>>>>             <DigestValue>rAxMEQpS8qPAFIurOtChX3ass68=</DigestValue>
>>>>>>           </Reference>
>>>>>>           <Reference URI="#_7">
>>>>>>             <Transforms>
>>>>>>               <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>>>             </Transforms>
>>>>>>             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>>>>             <DigestValue>IzophB2+Qc8xSA2CKkPGKPR3M2I=</DigestValue>
>>>>>>           </Reference>
>>>>>>           <Reference URI="#uuid-eb38523b-3459-439a-8576-47af2ed4b522-470">
>>>>>>             <Transforms>
>>>>>>               <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>>>             </Transforms>
>>>>>>             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>>>>             <DigestValue>sgl2yTvuUtX7/iciMd4dDL/VBfI=</DigestValue>
>>>>>>           </Reference>
>>>>>>           <Reference URI="#_1">
>>>>>>             <Transforms>
>>>>>>               <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>>>             </Transforms>
>>>>>>             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>>>>             <DigestValue>XxnP8jkVV7mtOJFBv99oltRAMB4=</DigestValue>
>>>>>>           </Reference>
>>>>>>           <Reference URI="#_2">
>>>>>>             <Transforms>
>>>>>>               <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>>>             </Transforms>
>>>>>>             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>>>>             <DigestValue>F6TMlU1+cOlyQtdwiw+fIgAJ3PE=</DigestValue>
>>>>>>           </Reference>
>>>>>>         </SignedInfo>
>>>>>>         <SignatureValue>neRfuTWOFEYVTmK+fkHHyy1KzS4=</SignatureValue>
>>>>>>         <KeyInfo>
>>>>>>           <o:SecurityTokenReference>
>>>>>>             <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#_0"/>
>>>>>>           </o:SecurityTokenReference>
>>>>>>         </KeyInfo>
>>>>>>       </Signature>
>>>>>>     </o:Security>
>>>>>>   </s:Header>
>>>>>>   <s:Body u:Id="_4">
>>>>>>     <e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#" Id="_5"
>>>>>>         Type="http://www.w3.org/2001/04/xmlenc#Content">
>>>>>>       <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
>>>>>>       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>>>>>>         <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>>>>>           <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#_3"/>
>>>>>>         </o:SecurityTokenReference>
>>>>>>       </KeyInfo>
>>>>>>       <e:CipherData>
>>>>>> <e:CipherValue>Q5Ll1pdTDB6OnZTKyFfmcQsAZSpyTL19skP8lz3DfNRbC
>>>>>> iuHjV6e5ZnN8L5hnHfksrQL94xnhSUIk9FFVwM+u3MJct8iFRadB9d87o/7y
>>>>>> sTlQDolAtUUnKNmeq4eiJ4IbDnHZg7hKwO0PMgrCRa2an2qd70vljFS0sYUM
>>>>>> V/GKQ+fvF7tNaoheFvvmr0hGeXVnR9qLk1u/B7agv5P4m0S9vXTSUvBVvayI
>>>>>> p4BwHRUmIl/aoAhhj+i3bzVaAp5RvIMcGwAqNMMIoi/99jqRTNw+4GLEB8Ol
>>>>>> xGJz4wzKhLPXh5tQkYpwWpGK4lW4nlA3FQhQCOibeTe3PSy2473Z0fzWrf9o
>>>>>> dBSZjjgCgUdKF3X5mCleb+oiNnHetbkTwWbzdKmWep1buhRZhEwkB1F9Icrq
>>>>>> B4/BaLgxTbO3tNmdgwKqH2rZfMo69G1rBZYoGjTLj1DIz2BdQDYTwLkS9kVk
>>>>>> s/IkJwdJ50GDdhrg4yrFbmiiEZTHqoVxYUIy4qPc7S2Pyz/2eFG3L/6wuiSn
>>>>>> yF7jajAqR1Renr2ouWMwMHc8CX+eLEisT+z0Ba2FuagG7fPEranVAjeQK
>>>>>> 72MiqGPxugUn1EQyygSXn5Edso4B/TUxeSBV8RPFU7zTBaUVdFDamqehu0oo
>>>>>> SCdd79xMig+9loiEulj6L4PSjMvZe3oueMKZmhEv17ZZwLB1W85rjI0R7y1G
>>>>>> qAqrtx5fzoPN/kmk9W2AVVPIB+lCqLBeX2QAnuardVDaCQ9lDoMPLig+f9fB
>>>>>> HFo69tSdUE5OZwPqmKwSuQsF52L35STWoS47AHmuE59dVNbXESU+0OT3bARM
>>>>>> YpYdXvfUNMPRoh6uzgQ/JmlUyO1vuJOJRmVwkM9h4/or7n29z5hhg=</e:CipherValue>
>>>>>>       </e:CipherData>
>>>>>>     </e:EncryptedData>
>>>>>>   </s:Body>
>>>>>> </s:Envelope>
>>>>>> --cut
>>>>>>
>>>>>>
>>>>>> On 26.10.2016 at 17:30, Colm O hEigeartaigh wrote:
>>>>>>
>>>>>>> The error message seems to be referring to derivation key length. Does
>>>>>>> the message contain a security header containing a Signature and derived
>>>>>>> keys?
>>>>>>>
>>>>>>> Colm.
>>>>>> --
>>>>>> FERNAUSOFT GmbH
>>>>>> Gartenstraße 42 - 37269 Eschwege
>>>>>>
>>>>>> Phone (0 56 51) 95 99-0
>>>>>> Fax (0 56 51) 95 99-90
>>>>>>
>>>>>> E-mail martin.fernau@fernausoft.de
>>>>>> Internet http://www.fernausoft.de
>>>>>>
>>>>>> Commercial register Eschwege, HRB 1585
>>>>>> Managing directors: Axel Fernau, Ulrich Fernau, Martin Fernau
>>>>>> Tax number 025 233 00041
>>>>>> VAT ID no. DE 178 554 622
>>>>>>
Re: TransportBinding: Server response failed with "These policy
alternatives can not be satisfied"
Posted by Colm O hEigeartaigh <co...@apache.org>.
It's a little bit ambiguous. The designer of the service probably meant the
AlgorithmSuite in the SymmetricBinding to apply to the message level
security, and not the AlgorithmSuite of the TransportBinding. However, CXF
does not interpret the policies in this way, as *all* of the policies must
be valid (you are not using policy alternatives). In a nutshell, yes
including two different AlgorithmSuite policies is a contradiction in
terms, or at least that's how CXF sees it.
Colm.
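To make the point above concrete, here is an added example (not CXF or WSS4J code) that mirrors the check behind the fault: every AlgorithmSuite inside the single wsp:All alternative is a requirement, the response's DerivedKeyToken Length of 16 octets is a 128-bit key, so Basic256 (192-bit signature / 256-bit encryption derived keys per WS-SecurityPolicy 1.2) fails while Basic128Rsa15 passes, and dropping the TransportBinding's AlgorithmSuite clears it. POLICY and MESSAGE are constructed cut-downs of the WSDL policy and SOAP response quoted in the thread; the namespaces are the ones used there.

```python
"""Mimic the WS-SecurityPolicy AlgorithmSuite check behind the CXF fault above.
Added example, not CXF/WSS4J code: POLICY and MESSAGE are constructed cut-downs of
the WSDL policy and SOAP response quoted in the thread; the suite table follows
WS-SecurityPolicy 1.2 (Basic256: AES-256, signature derived key 192 bits)."""
import re
import xml.etree.ElementTree as ET

SP = "{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}"
WSP = "{http://schemas.xmlsoap.org/ws/2004/09/policy}"
SC = "{http://schemas.xmlsoap.org/ws/2005/02/sc}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
XENC = "{http://www.w3.org/2001/04/xmlenc#}"
WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"

# suite -> (encryption key bits, signature derived key bits, encryption derived key bits)
SUITES = {"Basic256": (256, 192, 256), "Basic256Rsa15": (256, 192, 256),
          "Basic192": (192, 192, 192), "Basic192Rsa15": (192, 192, 192),
          "Basic128": (128, 128, 128), "Basic128Rsa15": (128, 128, 128)}

# Constructed: the two bindings from the thread's WSDL, each carrying its own suite.
SUITE_256 = "<sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>"
POLICY = f"""<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:ExactlyOne><wsp:All>
    <sp:SymmetricBinding><wsp:Policy>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic128Rsa15/></wsp:Policy></sp:AlgorithmSuite>
    </wsp:Policy></sp:SymmetricBinding>
    <sp:TransportBinding><wsp:Policy>
      <sp:TransportToken><wsp:Policy><sp:HttpsToken/></wsp:Policy></sp:TransportToken>
      {SUITE_256}
    </wsp:Policy></sp:TransportBinding>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""
# Colm's suggestion: drop the AlgorithmSuite from the TransportBinding altogether.
POLICY_FIXED = POLICY.replace(SUITE_256, "")

# Constructed: only the parts of the server response that the check reads.
MESSAGE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc" xmlns:e="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <s:Header><o:Security>
    <c:DerivedKeyToken u:Id="_0"><c:Offset>0</c:Offset><c:Length>16</c:Length></c:DerivedKeyToken>
    <c:DerivedKeyToken u:Id="_3"><c:Offset>0</c:Offset><c:Length>16</c:Length></c:DerivedKeyToken>
    <ds:Signature><ds:KeyInfo><o:SecurityTokenReference><o:Reference URI="#_0"/>
    </o:SecurityTokenReference></ds:KeyInfo></ds:Signature>
  </o:Security></s:Header>
  <s:Body><e:EncryptedData Id="_5">
    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    <ds:KeyInfo><o:SecurityTokenReference><o:Reference URI="#_3"/></o:SecurityTokenReference></ds:KeyInfo>
  </e:EncryptedData></s:Body>
</s:Envelope>"""


def algorithm_suites(policy_xml):
    """(binding, suite) for every AlgorithmSuite.  Everything inside one wsp:All
    must hold at once, so two different suites are two requirements, not a choice."""
    found = []
    for binding in ET.fromstring(policy_xml).iter():
        if binding.tag.startswith(SP) and binding.tag.endswith("Binding"):
            for suite in binding.findall(f"{WSP}Policy/{SP}AlgorithmSuite/{WSP}Policy/*"):
                found.append((binding.tag[len(SP):], suite.tag[len(SP):]))
    return found


def message_key_lengths(message_xml):
    """Key lengths the sender actually used, read out of the security header."""
    root = ET.fromstring(message_xml)
    derived_bits = {}
    for dkt in root.iter(f"{SC}DerivedKeyToken"):
        length = dkt.find(f"{SC}Length")  # octets; WS-SecureConversation defaults to 32
        derived_bits[dkt.get(f"{WSU}Id")] = 8 * (int(length.text) if length is not None else 32)

    def bits_for(key_info):  # follow the wsse:Reference URI to its DerivedKeyToken
        return derived_bits[key_info.find(f".//{WSSE}Reference").get("URI").lstrip("#")]

    encrypted = root.find(f".//{XENC}EncryptedData")
    cipher = encrypted.find(f"{XENC}EncryptionMethod").get("Algorithm")
    aes = re.search(r"aes(\d+)-", cipher)  # e.g. ...#aes128-cbc -> 128
    return {"signature_derived_bits": bits_for(root.find(f".//{DS}Signature/{DS}KeyInfo")),
            "encryption_derived_bits": bits_for(encrypted.find(f"{DS}KeyInfo")),
            "encryption_bits": int(aes.group(1)) if aes else None}


def check(policy_xml, message_xml):
    """Violations worded like the CXF fault; an empty list means every suite is met."""
    used = message_key_lengths(message_xml)
    problems = []
    for binding, suite in algorithm_suites(policy_xml):
        enc_bits, sig_dk_bits, enc_dk_bits = SUITES[suite]
        for label, want, got in (("signature derived key length", sig_dk_bits, used["signature_derived_bits"]),
                                 ("encryption derived key length", enc_dk_bits, used["encryption_derived_bits"]),
                                 ("encryption key length", enc_bits, used["encryption_bits"])):
            if got != want:
                problems.append(f"{binding}/AlgorithmSuite: The {label} ({got} bits) does not "
                                f"match the requirement {suite} ({want} bits)")
    return problems
```

Running `check(POLICY, MESSAGE)` reports three Basic256 violations, all from the TransportBinding, while `check(POLICY_FIXED, MESSAGE)` returns an empty list.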
>>> http://www.w3.org/2005/08/addressing"/>
>>> <sp:Header Name="ReplyTo" Namespace="
>>> http://www.w3.org/2005/08/addressing"/>
>>> <sp:Header Name="MessageID" Namespace="
>>> http://www.w3.org/2005/08/addressing"/>
>>> <sp:Header Name="RelatesTo" Namespace="
>>> http://www.w3.org/2005/08/addressing"/>
>>> <sp:Header Name="Action" Namespace="
>>> http://www.w3.org/2005/08/addressing"/>
>>> </sp:SignedParts>
>>> <sp:EncryptedParts xmlns:sp="http://schemas.xmlso
>>> ap.org/ws/2005/07/securitypolicy">
>>> <sp:Body/>
>>> </sp:EncryptedParts>
>>> </wsp:All>
>>> </wsp:ExactlyOne>
>>> </wsp:Policy>
>>> [... several Policy-Types more ...]
>>> <wsdl:types>
>>> [...]
>>> </wsdl:types>
>>> <wsdl:message name="IServiceCustomer_GetCont
>>> ractsByCustomerID_InputMessage">
>>> <wsdl:part name="parameters" element="tns:GetContractsByCus
>>> tomerID"/>
>>> </wsdl:message>
>>> <wsdl:message name="IServiceCustomer_GetCont
>>> ractsByCustomerID_OutputMessage">
>>> <wsdl:part name="parameters" element="tns:GetContractsByCus
>>> tomerIDResponse"/>
>>> </wsdl:message>
>>> [... several Message-Types more ...]
>>> <wsdl:portType name="IServiceCustomer">
>>> <wsdl:operation name="GetContractsByCustomerID">
>>> <wsdl:input wsaw:Action="http://tempuri.or
>>> g/IServiceCustomer/GetContractsByCustomerID"
>>> message="tns:IServiceCustomer_GetContractsByCustomerID_InputMessage"/>
>>> <wsdl:output
>>> wsaw:Action="http://tempuri.org/IServiceCustomer/GetContract
>>> sByCustomerIDResponse"
>>> message="tns:IServiceCustomer_GetContractsByCustomerID_OutputMessage"/>
>>> </wsdl:operation>
>>> [...]
>>> </wsdl:portType>
>>> <wsdl:binding name="CustomBinding_IServiceCustomer"
>>> type="tns:IServiceCustomer">
>>> <wsp:PolicyReference URI="#CustomBinding_IServiceCu
>>> stomer_policy"/>
>>> <soap:binding transport="http://schemas.xmlsoap.org/soap/http
>>> "/>
>>> <wsdl:operation name="GetContractsByCustomerID">
>>> <soap:operation
>>> soapAction="http://tempuri.org/IServiceCustomer/GetContractsByCustomerID
>>> "
>>> style="document"/>
>>> <wsdl:input>
>>> <wsp:PolicyReference
>>> URI="#CustomBinding_IServiceCustomer_GetContractsByCustomerI
>>> D_Input_policy"/>
>>> <soap:body use="literal"/>
>>> </wsdl:input>
>>> <wsdl:output>
>>> <wsp:PolicyReference
>>> URI="#CustomBinding_IServiceCustomer_GetContractsByCustomerI
>>> D_output_policy"/>
>>> <soap:body use="literal"/>
>>> </wsdl:output>
>>> </wsdl:operation>
>>> [...]
>>> </wsdl:binding>
>>> <wsdl:service name="ServiceCustomer">
>>> <wsdl:port name="CustomBinding_IServiceCustomer"
>>> binding="tns:CustomBinding_IServiceCustomer">
>>> <soap:address
>>> location="[...]"/>
>>> <wsa10:EndpointReference>
>>> <wsa10:Address>[...]</wsa10:Address>
>>> <Identity xmlns="http://schemas.xmlsoap.
>>> org/ws/2006/02/addressingidentity">
>>> <Dns>localhost</Dns>
>>> </Identity>
>>> </wsa10:EndpointReference>
>>> </wsdl:port>
>>> </wsdl:service>
>>> </wsdl:definitions>
>>> --cut
>>>
>>>
>>> Am 26.10.2016 um 17:48 schrieb Colm O hEigeartaigh:
>>>
>>> For Basic256, the signature derived key length must be 192 bits (and 256
>>>> for encryption). However in the sample message it is just using 128 bits
>>>> for both. Let's see the full security policy configuration, where is it
>>>> getting the information from to secure the message? Above it's just the
>>>> TransportBinding configuration.
>>>>
>>>> Colm.
>>>>
>>>> On Wed, Oct 26, 2016 at 4:34 PM, Martin Fernau <
>>>> martin.fernau@fernausoft.de>
>>>> wrote:
>>>>
>>>>> Yes it does.
>>>>> For simplicity I paste the whole response after these lines.
>>>>>
>>>>> --cut
>>>>> <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
>>>>> xmlns:a="
>>>>> http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-ope
>>>>> n.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>>>>> <s:Header>
>>>>> <a:Action s:mustUnderstand="1" u:Id="_6">http://tempuri.org/I
>>>>> ServiceCustomer/GetContractsByCustomerIDResponse</a:Action>
>>>>> <a:RelatesTo u:Id="_7">urn:uuid:9f796ce4-41
>>>>> 51-4720-9911-6f533112b4fa</a:RelatesTo>
>>>>> <o:Security xmlns:o="http://docs.oasis-ope
>>>>> n.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>>>>> s:mustUnderstand="1">
>>>>> <u:Timestamp u:Id="uuid-eb38523b-3459-439a-
>>>>> 8576-47af2ed4b522-470">
>>>>> <u:Created>2016-10-26T15:32:20.723Z</u:Created>
>>>>> <u:Expires>2016-10-26T15:37:20.723Z</u:Expires>
>>>>> </u:Timestamp>
>>>>> <c:DerivedKeyToken xmlns:c="http://schemas.xmlsoa
>>>>> p.org/ws/2005/02/sc"
>>>>> u:Id="_0">
>>>>> <o:SecurityTokenReference xmlns:k="http://docs.oasis-ope
>>>>> n.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" k:TokenType="
>>>>> http://docs.oasis-open.org/wss/oasis-wss-soap-
>>>>> message-security-1.1#EncryptedKey">
>>>>> <o:KeyIdentifier ValueType="http://docs.oasis-o
>>>>> pen.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1"
>>>>> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-
>>>>> 200401-wss-soap-message-security-1.0#Base64Binary">/vaenfbIz
>>>>> pR6zUN7nL+LjSc6jeY=</o:KeyIdentifier>
>>>>> </o:SecurityTokenReference>
>>>>> <c:Offset>0</c:Offset>
>>>>> <c:Length>16</c:Length>
>>>>> <c:Nonce>nwdUEQxC0ErM+Ksf07uXjg==</c:Nonce>
>>>>> </c:DerivedKeyToken>
>>>>> <c:DerivedKeyToken xmlns:c="http://schemas.xmlsoa
>>>>> p.org/ws/2005/02/sc"
>>>>> u:Id="_3">
>>>>> <o:SecurityTokenReference xmlns:k="http://docs.oasis-ope
>>>>> n.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" k:TokenType="
>>>>> http://docs.oasis-open.org/wss/oasis-wss-soap-
>>>>> message-security-1.1#EncryptedKey">
>>>>> <o:KeyIdentifier ValueType="http://docs.oasis-o
>>>>> pen.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1"
>>>>> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-
>>>>> 200401-wss-soap-message-security-1.0#Base64Binary">/vaenfbIz
>>>>> pR6zUN7nL+LjSc6jeY=</o:KeyIdentifier>
>>>>> </o:SecurityTokenReference>
>>>>> <c:Offset>0</c:Offset>
>>>>> <c:Length>16</c:Length>
>>>>> <c:Nonce>Xu4KRD3co7K0Y9JpAXdBFA==</c:Nonce>
>>>>> </c:DerivedKeyToken>
>>>>> <e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>>>>> <e:DataReference URI="#_5"/>
>>>>> </e:ReferenceList>
>>>>> <k:SignatureConfirmation xmlns:k="http://docs.oasis-ope
>>>>> n.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" u:Id="_1"
>>>>> Value="nFxAQYQAA1DzkfjPLsnLlqJjYmE="/>
>>>>> <k:SignatureConfirmation xmlns:k="http://docs.oasis-ope
>>>>> n.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" u:Id="_2"
>>>>> Value="xT8BJzHchJQ7oDTyeOtKhG9GCmiMB+MbUrXgc2fAJvrHZ9pDSf/
>>>>> dvT/SYZfd11N5HWIdDwrcKA42Qt5QF/XpFrL2Y1GOd1bJdfflNX+AjFVqDvt
>>>>> l1rlbaPIR4ucxj1nmqn+YkcFQoupw0Za7VEk169Foo4HQd+49f5HiK7xS44X
>>>>> p1nj8sNNkYPXfmq/4FyG9ihat7Auho6OfQPVD+lKV0O/ZAQhiou80afmxTXZ
>>>>> GwD0cNSyhuzNV8i53AIJx6+E8pvx0fxqYAzalbDJ4xVXhsOa0n86OSGqB9gL
>>>>> r4TzdQl4DTV+HgCu/OHfXPm6GzNHfAtU+w040h9cL9QO59flMsA=="/>
>>>>> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>>>> <SignedInfo>
>>>>> <CanonicalizationMethod Algorithm="http://www.w3.org/2
>>>>> 001/10/xml-exc-c14n#"/>
>>>>> <SignatureMethod Algorithm="http://www.w3.org/2
>>>>> 000/09/xmldsig#hmac-sha1"/>
>>>>> <Reference URI="#_4">
>>>>> <Transforms>
>>>>> <Transform Algorithm="http://www.w3.org/2
>>>>> 001/10/xml-exc-c14n#"/>
>>>>> </Transforms>
>>>>> <DigestMethod Algorithm="http://www.w3.org/2
>>>>> 000/09/xmldsig#sha1"/>
>>>>> <DigestValue>a4dYMJM7glapET2aPCKJJ4NGnR8=</DigestValue>
>>>>> </Reference>
>>>>> <Reference URI="#_6">
>>>>> <Transforms>
>>>>> <Transform Algorithm="http://www.w3.org/2
>>>>> 001/10/xml-exc-c14n#"/>
>>>>> </Transforms>
>>>>> <DigestMethod Algorithm="http://www.w3.org/2
>>>>> 000/09/xmldsig#sha1"/>
>>>>> <DigestValue>rAxMEQpS8qPAFIurOtChX3ass68=</DigestValue>
>>>>> </Reference>
>>>>> <Reference URI="#_7">
>>>>> <Transforms>
>>>>> <Transform Algorithm="http://www.w3.org/2
>>>>> 001/10/xml-exc-c14n#"/>
>>>>> </Transforms>
>>>>> <DigestMethod Algorithm="http://www.w3.org/2
>>>>> 000/09/xmldsig#sha1"/>
>>>>> <DigestValue>IzophB2+Qc8xSA2CKkPGKPR3M2I=</DigestValue>
>>>>> </Reference>
>>>>> <Reference URI="#uuid-eb38523b-3459-439a-
>>>>> 8576-47af2ed4b522-470">
>>>>> <Transforms>
>>>>> <Transform Algorithm="http://www.w3.org/2
>>>>> 001/10/xml-exc-c14n#"/>
>>>>> </Transforms>
>>>>> <DigestMethod Algorithm="http://www.w3.org/2
>>>>> 000/09/xmldsig#sha1"/>
>>>>> <DigestValue>sgl2yTvuUtX7/iciMd4dDL/VBfI=</DigestValue>
>>>>> </Reference>
>>>>> <Reference URI="#_1">
>>>>> <Transforms>
>>>>> <Transform Algorithm="http://www.w3.org/2
>>>>> 001/10/xml-exc-c14n#"/>
>>>>> </Transforms>
>>>>> <DigestMethod Algorithm="http://www.w3.org/2
>>>>> 000/09/xmldsig#sha1"/>
>>>>> <DigestValue>XxnP8jkVV7mtOJFBv99oltRAMB4=</DigestValue>
>>>>> </Reference>
>>>>> <Reference URI="#_2">
>>>>> <Transforms>
>>>>> <Transform Algorithm="http://www.w3.org/2
>>>>> 001/10/xml-exc-c14n#"/>
>>>>> </Transforms>
>>>>> <DigestMethod Algorithm="http://www.w3.org/2
>>>>> 000/09/xmldsig#sha1"/>
>>>>> <DigestValue>F6TMlU1+cOlyQtdwiw+fIgAJ3PE=</DigestValue>
>>>>> </Reference>
>>>>> </SignedInfo>
>>>>> <SignatureValue>neRfuTWOFEYVTmK+fkHHyy1KzS4=</SignatureValue>
>>>>> <KeyInfo>
>>>>> <o:SecurityTokenReference>
>>>>> <o:Reference ValueType="http://schemas.xmls
>>>>> oap.org/ws/2005/02/sc/dk" URI="#_0"/>
>>>>> </o:SecurityTokenReference>
>>>>> </KeyInfo>
>>>>> </Signature>
>>>>> </o:Security>
>>>>> </s:Header>
>>>>> <s:Body u:Id="_4">
>>>>> <e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#"
>>>>> Id="_5"
>>>>> Type="http://www.w3.org/2001/04/xmlenc#Content">
>>>>> <e:EncryptionMethod Algorithm="http://www.w3.org/2
>>>>> 001/04/xmlenc#aes128-cbc"/>
>>>>> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>>>>> <o:SecurityTokenReference xmlns:o="http://docs.oasis-ope
>>>>> n.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>>>> <o:Reference ValueType="http://schemas.xmls
>>>>> oap.org/ws/2005/02/sc/dk" URI="#_3"/>
>>>>> </o:SecurityTokenReference>
>>>>> </KeyInfo>
>>>>> <e:CipherData>
>>>>> <e:CipherValue>Q5Ll1pdTDB6OnZTKyFfmcQsAZSpyTL19skP8lz3DfNRbC
>>>>> iuHjV6e5ZnN8L5hnHfksrQL94xnhSUIk9FFVwM+u3MJct8iFRadB9d87o/7y
>>>>> sTlQDolAtUUnKNmeq4eiJ4IbDnHZg7hKwO0PMgrCRa2an2qd70vljFS0sYUM
>>>>> V/GKQ+fvF7tNaoheFvvmr0hGeXVnR9qLk1u/B7agv5P4m0S9vXTSUvBVvayI
>>>>> p4BwHRUmIl/aoAhhj+i3bzVaAp5RvIMcGwAqNMMIoi/99jqRTNw+4GLEB8Ol
>>>>> xGJz4wzKhLPXh5tQkYpwWpGK4lW4nlA3FQhQCOibeTe3PSy2473Z0fzWrf9o
>>>>> dBSZjjgCgUdKF3X5mCleb+oiNnHetbkTwWbzdKmWep1buhRZhEwkB1F9Icrq
>>>>> B4/BaLgxTbO3tNmdgwKqH2rZfMo69G1rBZYoGjTLj1DIz2BdQDYTwLkS9kVk
>>>>> s/IkJwdJ50GDdhrg4yrFbmiiEZTHqoVxYUIy4qPc7S2Pyz/2eFG3L/6wuiSn
>>>>> yF7jajAqR1Renr2ouWMwMHc8CX+eLEisT+z0Ba2FuagG7fPEranVAjeQK
>>>>> 72MiqGPxugUn1EQyygSXn5Edso4B/TUxeSBV8RPFU7zTBaUVdFDamqehu0oo
>>>>> SCdd79xMig+9loiEulj6L4PSjMvZe3oueMKZmhEv17ZZwLB1W85rjI0R7y1G
>>>>> qAqrtx5fzoPN/kmk9W2AVVPIB+lCqLBeX2QAnuardVDaCQ9lDoMPLig+f9fB
>>>>> HFo69tSdUE5OZwPqmKwSuQsF52L35STWoS47AHmuE59dVNbXESU+0OT3bARM
>>>>> YpYdXvfUNMPRoh6uzgQ/JmlUyO1vuJOJRmVwkM9h4/or7n29z5hhg=</e:CipherValue>
>>>>> </e:CipherData>
>>>>> </e:EncryptedData>
>>>>> </s:Body>
>>>>> </s:Envelope>
>>>>> --cut
>>>>>
>>>>>
>>>>> Am 26.10.2016 um 17:30 schrieb Colm O hEigeartaigh:
>>>>>
>>>>>> The error message seems to be referring to derivation key length. Does the
>>>>>> message contain a security header containing a Signature and derived keys?
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Wed, Oct 26, 2016 at 4:22 PM, Martin Fernau <
>>>>>> martin.fernau@fernausoft.de>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I've a wsdl with the following partial content:
>>>>>>>
>>>>>>> --cut
>>>>>>> <sp:TransportBinding xmlns:sp="http://schemas.xmlso
>>>>>>> ap.org/ws/2005/07/securitypolicy">
>>>>>>> <wsp:Policy>
>>>>>>> <sp:TransportToken>
>>>>>>> <wsp:Policy>
>>>>>>> <sp:HttpsToken RequireClientCertificate="false"/>
>>>>>>> </wsp:Policy>
>>>>>>> </sp:TransportToken>
>>>>>>> <sp:AlgorithmSuite>
>>>>>>> <wsp:Policy>
>>>>>>> <sp:Basic256/>
>>>>>>> </wsp:Policy>
>>>>>>> </sp:AlgorithmSuite>
>>>>>>> <sp:Layout>
>>>>>>> <wsp:Policy>
>>>>>>> <sp:Strict/>
>>>>>>> </wsp:Policy>
>>>>>>> </sp:Layout>
>>>>>>> <sp:IncludeTimestamp/>
>>>>>>> </wsp:Policy>
>>>>>>> </sp:TransportBinding>
>>>>>>> --cut
>>>>>>>
>>>>>>> If I call this service the response from the server gets rejected by
>>>>>>> CXF:
>>>>>>>
>>>>>>> --cut
>>>>>>> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException:
>>>>>>> These
>>>>>>> policy alternatives can not be satisfied:
>>>>>>> {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}AlgorithmSuite
>>>>>>> :
>>>>>>> The
>>>>>>> signature derived key length does not match the requirement
>>>>>>> {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}Basic256
>>>>>>> at org.apache.cxf.jaxws.JaxWsClie
>>>>>>> ntProxy.invoke(JaxWsClientProx
>>>>>>> y.java:161)
>>>>>>> at com.sun.proxy.$Proxy51.getContractsByCustomerID(Unknown
>>>>>>> Source)
>>>>>>> at de.dmsserver.plugin.ford.test.
>>>>>>> fhdsales.TestComm.testGetContr
>>>>>>> actsByCustomerID(TestComm.java:135)
>>>>>>> at de.dmsserver.plugin.ford.test.
>>>>>>> fhdsales.TestComm.main(TestCom
>>>>>>> m.java:128)
>>>>>>> --cut
>>>>>>>
>>>>>>> If I change above "<sp:Basic256/>" to "<sp:Basic128/>" the message is
>>>>>>> accepted.
>>>>>>> Is this a problem with the remote service or with CXF?
>>>>>>>
>>>>>>> AFAIK TransportBinding applies to the connection which is SSL
>>>>>>> encrypted.
>>>>>>> If I check the SSL Certificate with "openssl s_client -showcerts
>>>>>>> -connect
>>>>>>> [server]:443" I get:
>>>>>>>
>>>>>>> --cut
>>>>>>> CONNECTED(00000003)
>>>>>>> depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign
>>>>>>> Root
>>>>>>> CA
>>>>>>> verify return:1
>>>>>>> depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization
>>>>>>> Validation CA - SHA256 - G2
>>>>>>> verify return:1
>>>>>>> depth=0 C = XX, ST = XX, L = XX, O = XX, CN = XX
>>>>>>> verify return:1
>>>>>>> ---
>>>>>>> Certificate chain
>>>>>>> 0 s:/C=XX/ST=XX/L=XX/O=XX/CN=XX
>>>>>>> i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization
>>>>>>> Validation
>>>>>>> CA -
>>>>>>> SHA256 - G2
>>>>>>> -----BEGIN CERTIFICATE-----
>>>>>>> [...]
>>>>>>> -----END CERTIFICATE-----
>>>>>>> 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization
>>>>>>> Validation
>>>>>>> CA -
>>>>>>> SHA256 - G2
>>>>>>> i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
>>>>>>> -----BEGIN CERTIFICATE-----
>>>>>>> [...]
>>>>>>> -----END CERTIFICATE-----
>>>>>>> ---
>>>>>>> Server certificate
>>>>>>> subject=/C=XX/ST=XX/L=XX/O=XX/CN=XX
>>>>>>> issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation
>>>>>>> CA
>>>>>>> -
>>>>>>> SHA256 - G2
>>>>>>> ---
>>>>>>> No client certificate CA names sent
>>>>>>> ---
>>>>>>> SSL handshake has read 3072 bytes and written 471 bytes
>>>>>>> ---
>>>>>>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
>>>>>>> Server public key is 2048 bit
>>>>>>> Secure Renegotiation IS supported
>>>>>>> Compression: NONE
>>>>>>> Expansion: NONE
>>>>>>> SSL-Session:
>>>>>>> Protocol : TLSv1.2
>>>>>>> Cipher : ECDHE-RSA-AES256-SHA384
>>>>>>> Session-ID: CD4B00002CD328917F89C4AF9010C5
>>>>>>> 145C745FD134466567345539C6AA1BE676
>>>>>>> Session-ID-ctx:
>>>>>>> Master-Key: 11B433DDEF0B003A6F261390EA6D50
>>>>>>> F1D881A9ADA2A40ABD3EC99F732C1132CD70CB17E19C4E6645B94CA25ACE798591
>>>>>>> Key-Arg : None
>>>>>>> PSK identity: None
>>>>>>> PSK identity hint: None
>>>>>>> SRP username: None
>>>>>>> Start Time: 1477495032
>>>>>>> Timeout : 300 (sec)
>>>>>>> Verify return code: 0 (ok)
>>>>>>> --cut
>>>>>>>
>>>>>>> Thanks
>>>>>>> Martin
>>>>>>>
>>>>>>>
>>>>>>>
>>>>> --
>>>>> FERNAUSOFT GmbH
>>>>> Gartenstraße 42 - 37269 Eschwege
>>>>>
>>>>> Telefon (0 56 51) 95 99-0
>>>>> Telefax (0 56 51) 95 99-90
>>>>>
>>>>> eMail martin.fernau@fernausoft.de
>>>>> Internet http://www.fernausoft.de
>>>>>
>>>>> Handelsregister Eschwege, HRB 1585
>>>>> Geschäftsführer: Axel Fernau, Ulrich Fernau, Martin Fernau
>>>>> Steuernummer 025 233 00041
>>>>> USt-ID-Nr. DE 178 554 622
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
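What CXF is actually enforcing here, as an added example that is not part of this thread and not CXF's own code: a small Python check that reads the derived-key lengths (wssc:Length, in bytes) and the body encryption algorithm out of a secured response and compares them with the WS-SecurityPolicy 1.2 algorithm suite table, then does that for every binding assertion in one wsp:All alternative, since all of them must hold for the same message. The SUITES values are taken from section 6.1 of the spec (Basic256: AES-256, 256-bit encryption derived key, 192-bit signature derived key; Basic128 and Basic128Rsa15: AES-128 and 128-bit derived keys). The two XML samples are constructed by cutting the response and the WSDL policy quoted above down to the elements the check reads; the function names are mine, not a CXF or WSS4J API.

```python
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSSC = "http://schemas.xmlsoap.org/ws/2005/02/sc"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

# WS-SecurityPolicy 1.2 algorithm suite table (section 6.1):
# symmetric [Enc] algorithm, [Enc KD] derived key bits, [Sig KD] derived key bits.
SUITES = {
    "Basic256": ("aes256-cbc", 256, 192), "Basic256Rsa15": ("aes256-cbc", 256, 192),
    "Basic192": ("aes192-cbc", 192, 192), "Basic192Rsa15": ("aes192-cbc", 192, 192),
    "Basic128": ("aes128-cbc", 128, 128), "Basic128Rsa15": ("aes128-cbc", 128, 128),
    "TripleDes": ("tripledes-cbc", 192, 192), "TripleDesRsa15": ("tripledes-cbc", 192, 192),
}

def _derived_key_bits(security, uri):
    """Key length of the wssc:DerivedKeyToken whose wsu:Id is referenced as '#id'."""
    for dkt in security.iter("{%s}DerivedKeyToken" % WSSC):
        if dkt.get("{%s}Id" % WSU) == uri.lstrip("#"):
            return int(dkt.findtext("{%s}Length" % WSSC)) * 8  # wssc:Length is in bytes
    return None

def _key_bits(security, key_info):
    """Derived-key length used by a ds:KeyInfo, or None if it is not a wssc:dk reference."""
    ref = key_info.find(".//{%s}Reference" % WSSE)
    if ref.get("ValueType") != WSSC + "/dk":
        return None  # not a derived key (e.g. a direct EncryptedKey reference); not checked here
    return _derived_key_bits(security, ref.get("URI"))

def check_response(envelope_xml, suite):
    """Return the requirements of `suite` that the secured message does not meet."""
    enc_alg, enc_kd, sig_kd = SUITES[suite]
    root = ET.fromstring(envelope_xml)
    security = root.find(".//{%s}Security" % WSSE)
    problems = []
    bits = _key_bits(security, root.find(".//{%s}Signature/{%s}KeyInfo" % (DS, DS)))
    if bits is not None and bits != sig_kd:
        problems.append("signature derived key %d bits, %s needs %d" % (bits, suite, sig_kd))
    enc = root.find(".//{%s}EncryptedData" % XENC)
    alg = enc.find("{%s}EncryptionMethod" % XENC).get("Algorithm")
    if alg != XENC + enc_alg:
        problems.append("encryption algorithm %s, %s needs %s" % (alg.rsplit("#", 1)[1], suite, enc_alg))
    bits = _key_bits(security, enc.find("{%s}KeyInfo" % DS))
    if bits is not None and bits != enc_kd:
        problems.append("encryption derived key %d bits, %s needs %d" % (bits, suite, enc_kd))
    return problems

def binding_suites(policy_xml):
    """Map each sp:*Binding in the first wsp:All to the AlgorithmSuite it names (None if absent)."""
    out = {}
    for binding in ET.fromstring(policy_xml).find(".//{%s}All" % WSP):
        if binding.tag.endswith("Binding"):
            suite = binding.find(".//{%s}AlgorithmSuite/{%s}Policy/*" % (SP, WSP))
            out[binding.tag.rsplit("}", 1)[1]] = None if suite is None else suite.tag.rsplit("}", 1)[1]
    return out

def unsatisfied(policy_xml, envelope_xml):
    """All assertions in one wsp:All must hold, so test the message against every binding's suite."""
    result = {}
    for name, suite in binding_suites(policy_xml).items():
        problems = check_response(envelope_xml, suite) if suite else []
        if problems:
            result[name] = problems
    return result

# Constructed sample: the server response quoted in the thread, cut down to what the check reads.
RESPONSE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="%(wsu)s"
 xmlns:o="%(wsse)s" xmlns:c="%(wssc)s" xmlns:e="%(xenc)s" xmlns:ds="%(ds)s">
 <s:Header><o:Security>
  <c:DerivedKeyToken u:Id="_0"><c:Offset>0</c:Offset><c:Length>16</c:Length></c:DerivedKeyToken>
  <c:DerivedKeyToken u:Id="_3"><c:Offset>0</c:Offset><c:Length>16</c:Length></c:DerivedKeyToken>
  <ds:Signature><ds:KeyInfo><o:SecurityTokenReference>
   <o:Reference ValueType="%(wssc)s/dk" URI="#_0"/></o:SecurityTokenReference></ds:KeyInfo></ds:Signature>
 </o:Security></s:Header>
 <s:Body u:Id="_4"><e:EncryptedData Id="_5"><e:EncryptionMethod Algorithm="%(xenc)saes128-cbc"/>
  <ds:KeyInfo><o:SecurityTokenReference><o:Reference ValueType="%(wssc)s/dk" URI="#_3"/>
  </o:SecurityTokenReference></ds:KeyInfo><e:CipherData><e:CipherValue>Q5Ll1pdT</e:CipherValue></e:CipherData>
 </e:EncryptedData></s:Body></s:Envelope>""" % dict(wsu=WSU, wsse=WSSE, wssc=WSSC, xenc=XENC, ds=DS)

# Constructed sample: the wsp:All alternative from the quoted WSDL, cut down to its two bindings.
POLICY = """<wsp:Policy xmlns:wsp="%(wsp)s" xmlns:sp="%(sp)s"><wsp:ExactlyOne><wsp:All>
 <sp:SymmetricBinding><wsp:Policy>
  <sp:AlgorithmSuite><wsp:Policy><sp:Basic128Rsa15/></wsp:Policy></sp:AlgorithmSuite>
 </wsp:Policy></sp:SymmetricBinding>
 <sp:TransportBinding><wsp:Policy>
  <sp:TransportToken><wsp:Policy><sp:HttpsToken RequireClientCertificate="false"/></wsp:Policy></sp:TransportToken>
  <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
 </wsp:Policy></sp:TransportBinding>
</wsp:All></wsp:ExactlyOne></wsp:Policy>""" % dict(wsp=WSP, sp=SP)
# The fix suggested in the thread: drop the AlgorithmSuite from the TransportBinding only.
POLICY_FIXED = POLICY.replace(
    "<sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>", "")

if __name__ == "__main__":
    print(binding_suites(POLICY))
    print(unsatisfied(POLICY, RESPONSE))        # TransportBinding/Basic256 fails three checks
    print(unsatisfied(POLICY_FIXED, RESPONSE))  # {}
```

Run against the original alternative, the SymmetricBinding's Basic128Rsa15 is satisfied by the 16-byte derived keys and aes128-cbc, while the TransportBinding's Basic256 fails on all three counts, which is the mismatch behind the fault text. With the AlgorithmSuite removed from the TransportBinding the alternative is satisfied by the same message. Note that the TLS cipher negotiated on the wire (ECDHE-RSA-AES256-SHA384 in the s_client output) plays no part in this check: the suite constrains the message-level keys and algorithms, and the TransportBinding in this WSDL is only needed to require HTTPS.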
Re: TransportBinding: Server response failed with "These policy
alternatives can not be satisfied"
Posted by Martin Fernau <ma...@fernausoft.de>.
So, how can I interpret this situation? Is it a clear mistake (or
misconfiguration) of the remote service?
Although it's no problem to change the WSDL to overcome this problem (in
this case), I dislike such an approach because we (my company) _must_
use their service and we need to pay for the acceptance of our client
using it. And we've other problems with other methods (you know the
topic about the encrypted header) where I currently can't say if it's not
another problem with their possible misconfiguration.
Is the following correct?
- The communication uses a symmetric key which is generated by my client
(CXF)
- For the key generated by me the Basic128Rsa15 AlgorithmSuite in
SymmetricBinding applies, which means a key of 128 bit length
- Because the key itself is 128 bit, the derived keys can't be any stronger
and thus are 128 bit (?)
- For the replies this means that the keys are still 128 bit
If my conclusion above is correct and if I interpret this page [1]
correctly (where your previous comment is confirmed that Basic256
means that the signature needs 192 and the encryption needs 256 bits),
then Basic256 as the AlgorithmSuite in TransportBinding and
Basic128Rsa15 as the AlgorithmSuite in SymmetricBinding must be a
contradiction in terms?
Thanks
Martin
[1]
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826547
Am 26.10.2016 um 21:39 schrieb Colm O hEigeartaigh:
> The problem is that all of the policies must be enforced. CXF is rejecting
> the Basic256 policy, as the signature derivation key lengths in the message
> do not match it.
>
> As the TransportBinding policy is only being used here to require that TLS
> is used, I would just omit the AlgorithmSuite altogether from the
> TransportBinding policy and it should work.
>
> Colm.
>
> On Wed, Oct 26, 2016 at 5:39 PM, Martin Fernau <ma...@fernausoft.de>
> wrote:
>
>> Sure, but the WSDL is somewhat complex.
>> For that reason I truncated the WSDL to the related parts:
>>
>> --cut
>> <?xml version="1.0" encoding="utf-8"?>
>> <wsdl:definitions name="ServiceCustomer" targetNamespace="http://tempur
>> i.org/"
>> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:xsd="
>> http://www.w3.org/2001/XMLSchema"
>> xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-2004
>> 01-wss-wssecurity-utility-1.0.xsd"
>> xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
>> xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:tns="
>> http://tempuri.org/"
>> xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
>> xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
>> xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy"
>> xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
>> xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract"
>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>> xmlns:wsa10="http://www.w3.org/2005/08/addressing"
>> xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata">
>> <wsp:Policy wsu:Id="CustomBinding_IServiceCustomer_policy">
>> <wsp:ExactlyOne>
>> <wsp:All>
>> <sp:SymmetricBinding xmlns:sp="http://schemas.xmlso
>> ap.org/ws/2005/07/securitypolicy">
>> <wsp:Policy>
>> <sp:ProtectionToken>
>> <wsp:Policy>
>> <sp:X509Token
>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/
>> securitypolicy/IncludeToken/Never">
>> <wsp:Policy>
>> <sp:RequireDerivedKeys/>
>> <sp:RequireThumbprintReference/>
>> <sp:WssX509V3Token10/>
>> </wsp:Policy>
>> </sp:X509Token>
>> </wsp:Policy>
>> </sp:ProtectionToken>
>> <sp:AlgorithmSuite>
>> <wsp:Policy>
>> <sp:Basic128Rsa15/>
>> </wsp:Policy>
>> </sp:AlgorithmSuite>
>> <sp:Layout>
>> <wsp:Policy>
>> <sp:Strict/>
>> </wsp:Policy>
>> </sp:Layout>
>> <sp:IncludeTimestamp/>
>> <sp:OnlySignEntireHeadersAndBody/>
>> </wsp:Policy>
>> </sp:SymmetricBinding>
>> <sp:EndorsingSupportingTokens
>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> <wsp:Policy>
>> <sp:X509Token
>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/
>> securitypolicy/IncludeToken/AlwaysToRecipient">
>> <wsp:Policy>
>> <sp:RequireThumbprintReference/>
>> <sp:WssX509V3Token10/>
>> </wsp:Policy>
>> </sp:X509Token>
>> </wsp:Policy>
>> </sp:EndorsingSupportingTokens>
>> <sp:Wss11 xmlns:sp="http://schemas.xmlso
>> ap.org/ws/2005/07/securitypolicy">
>> <wsp:Policy>
>> <sp:MustSupportRefThumbprint/>
>> <sp:MustSupportRefEncryptedKey/>
>> <sp:RequireSignatureConfirmation/>
>> </wsp:Policy>
>> </sp:Wss11>
>> <sp:Trust10 xmlns:sp="http://schemas.xmlso
>> ap.org/ws/2005/07/securitypolicy">
>> <wsp:Policy>
>> <sp:MustSupportIssuedTokens/>
>> <sp:RequireClientEntropy/>
>> <sp:RequireServerEntropy/>
>> </wsp:Policy>
>> </sp:Trust10>
>> <sp:TransportBinding xmlns:sp="http://schemas.xmlso
>> ap.org/ws/2005/07/securitypolicy">
>> <wsp:Policy>
>> <sp:TransportToken>
>> <wsp:Policy>
>> <sp:HttpsToken
>> RequireClientCertificate="false"/>
>> </wsp:Policy>
>> </sp:TransportToken>
>> <sp:AlgorithmSuite>
>> <wsp:Policy>
>> <sp:Basic256/>
>> </wsp:Policy>
>> </sp:AlgorithmSuite>
>> <sp:Layout>
>> <wsp:Policy>
>> <sp:Strict/>
>> </wsp:Policy>
>> </sp:Layout>
>> <sp:IncludeTimestamp/>
>> </wsp:Policy>
>> </sp:TransportBinding>
>> <wsaw:UsingAddressing/>
>> </wsp:All>
>> </wsp:ExactlyOne>
>> </wsp:Policy>
>> <wsp:Policy wsu:Id="CustomBinding_IService
>> Customer_GetContractsByCustomerID_Input_policy">
>> <wsp:ExactlyOne>
>> <wsp:All>
>> <sp:SignedParts xmlns:sp="http://schemas.xmlso
>> ap.org/ws/2005/07/securitypolicy">
>> <sp:Body/>
>> <sp:Header Name="To" Namespace="http://www.w3.org/2
>> 005/08/addressing"/>
>> <sp:Header Name="From" Namespace="http://www.w3.org/2
>> 005/08/addressing"/>
>> <sp:Header Name="FaultTo" Namespace="
>> http://www.w3.org/2005/08/addressing"/>
>> <sp:Header Name="ReplyTo" Namespace="
>> http://www.w3.org/2005/08/addressing"/>
>> <sp:Header Name="MessageID" Namespace="
>> http://www.w3.org/2005/08/addressing"/>
>> <sp:Header Name="RelatesTo" Namespace="
>> http://www.w3.org/2005/08/addressing"/>
>> <sp:Header Name="Action" Namespace="
>> http://www.w3.org/2005/08/addressing"/>
>> </sp:SignedParts>
>> <sp:EncryptedParts xmlns:sp="http://schemas.xmlso
>> ap.org/ws/2005/07/securitypolicy">
>> <sp:Body/>
>> </sp:EncryptedParts>
>> </wsp:All>
>> </wsp:ExactlyOne>
>> </wsp:Policy>
>> [... several Policy-Types more ...]
>> <wsdl:types>
>> [...]
>> </wsdl:types>
>> <wsdl:message name="IServiceCustomer_GetCont
>> ractsByCustomerID_InputMessage">
>> <wsdl:part name="parameters" element="tns:GetContractsByCus
>> tomerID"/>
>> </wsdl:message>
>> <wsdl:message name="IServiceCustomer_GetCont
>> ractsByCustomerID_OutputMessage">
>> <wsdl:part name="parameters" element="tns:GetContractsByCus
>> tomerIDResponse"/>
>> </wsdl:message>
>> [... several Message-Types more ...]
>> <wsdl:portType name="IServiceCustomer">
>> <wsdl:operation name="GetContractsByCustomerID">
>> <wsdl:input wsaw:Action="http://tempuri.or
>> g/IServiceCustomer/GetContractsByCustomerID"
>> message="tns:IServiceCustomer_GetContractsByCustomerID_InputMessage"/>
>> <wsdl:output
>> wsaw:Action="http://tempuri.org/IServiceCustomer/GetContract
>> sByCustomerIDResponse"
>> message="tns:IServiceCustomer_GetContractsByCustomerID_OutputMessage"/>
>> </wsdl:operation>
>> [...]
>> </wsdl:portType>
>> <wsdl:binding name="CustomBinding_IServiceCustomer"
>> type="tns:IServiceCustomer">
>> <wsp:PolicyReference URI="#CustomBinding_IServiceCu
>> stomer_policy"/>
>> <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
>> <wsdl:operation name="GetContractsByCustomerID">
>> <soap:operation
>> soapAction="http://tempuri.org/IServiceCustomer/GetContractsByCustomerID"
>> style="document"/>
>> <wsdl:input>
>> <wsp:PolicyReference
>> URI="#CustomBinding_IServiceCustomer_GetContractsByCustomerI
>> D_Input_policy"/>
>> <soap:body use="literal"/>
>> </wsdl:input>
>> <wsdl:output>
>> <wsp:PolicyReference
>> URI="#CustomBinding_IServiceCustomer_GetContractsByCustomerI
>> D_output_policy"/>
>> <soap:body use="literal"/>
>> </wsdl:output>
>> </wsdl:operation>
>> [...]
>> </wsdl:binding>
>> <wsdl:service name="ServiceCustomer">
>> <wsdl:port name="CustomBinding_IServiceCustomer"
>> binding="tns:CustomBinding_IServiceCustomer">
>> <soap:address
>> location="[...]"/>
>> <wsa10:EndpointReference>
>> <wsa10:Address>[...]</wsa10:Address>
>> <Identity xmlns="http://schemas.xmlsoap.
>> org/ws/2006/02/addressingidentity">
>> <Dns>localhost</Dns>
>> </Identity>
>> </wsa10:EndpointReference>
>> </wsdl:port>
>> </wsdl:service>
>> </wsdl:definitions>
>> --cut
>>
>>
>> Am 26.10.2016 um 17:48 schrieb Colm O hEigeartaigh:
>>
>>> For Basic256, the signature derived key length must be 192 bits (and 256
>>> for encryption). However in the sample message it is just using 128 bits
>>> for both. Let's see the full security policy configuration, where is it
>>> getting the information from to secure the message? Above it's just the
>>> TransportBinding configuration.
>>>
>>> Colm.
>>>
>>> On Wed, Oct 26, 2016 at 4:34 PM, Martin Fernau <
>>> martin.fernau@fernausoft.de>
>>> wrote:
>>>
>>>> Yes it does.
>>>> For simplicity I paste the whole response after these lines.
>>>>
>>>> --cut
>>>> <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
>>>> xmlns:a="
>>>> http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-ope
>>>> n.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>>>> <s:Header>
>>>> <a:Action s:mustUnderstand="1" u:Id="_6">http://tempuri.org/I
>>>> ServiceCustomer/GetContractsByCustomerIDResponse</a:Action>
>>>> <a:RelatesTo u:Id="_7">urn:uuid:9f796ce4-41
>>>> 51-4720-9911-6f533112b4fa</a:RelatesTo>
>>>> <o:Security xmlns:o="http://docs.oasis-ope
>>>> n.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>>>> s:mustUnderstand="1">
>>>> <u:Timestamp u:Id="uuid-eb38523b-3459-439a-
>>>> 8576-47af2ed4b522-470">
>>>> <u:Created>2016-10-26T15:32:20.723Z</u:Created>
>>>> <u:Expires>2016-10-26T15:37:20.723Z</u:Expires>
>>>> </u:Timestamp>
>>>> <c:DerivedKeyToken xmlns:c="http://schemas.xmlsoa
>>>> p.org/ws/2005/02/sc"
>>>> u:Id="_0">
>>>> <o:SecurityTokenReference xmlns:k="http://docs.oasis-ope
>>>> n.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" k:TokenType="
>>>> http://docs.oasis-open.org/wss/oasis-wss-soap-
>>>> message-security-1.1#EncryptedKey">
>>>> <o:KeyIdentifier ValueType="http://docs.oasis-o
>>>> pen.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1"
>>>> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-
>>>> 200401-wss-soap-message-security-1.0#Base64Binary">/vaenfbIz
>>>> pR6zUN7nL+LjSc6jeY=</o:KeyIdentifier>
>>>> </o:SecurityTokenReference>
>>>> <c:Offset>0</c:Offset>
>>>> <c:Length>16</c:Length>
>>>> <c:Nonce>nwdUEQxC0ErM+Ksf07uXjg==</c:Nonce>
>>>> </c:DerivedKeyToken>
>>>> <c:DerivedKeyToken xmlns:c="http://schemas.xmlsoa
>>>> p.org/ws/2005/02/sc"
>>>> u:Id="_3">
>>>> <o:SecurityTokenReference xmlns:k="http://docs.oasis-ope
>>>> n.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" k:TokenType="
>>>> http://docs.oasis-open.org/wss/oasis-wss-soap-
>>>> message-security-1.1#EncryptedKey">
>>>> <o:KeyIdentifier ValueType="http://docs.oasis-o
>>>> pen.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1"
>>>> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-
>>>> 200401-wss-soap-message-security-1.0#Base64Binary">/vaenfbIz
>>>> pR6zUN7nL+LjSc6jeY=</o:KeyIdentifier>
>>>> </o:SecurityTokenReference>
>>>> <c:Offset>0</c:Offset>
>>>> <c:Length>16</c:Length>
>>>> <c:Nonce>Xu4KRD3co7K0Y9JpAXdBFA==</c:Nonce>
>>>> </c:DerivedKeyToken>
>>>> <e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>>>> <e:DataReference URI="#_5"/>
>>>> </e:ReferenceList>
>>>> <k:SignatureConfirmation xmlns:k="http://docs.oasis-ope
>>>> n.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" u:Id="_1"
>>>> Value="nFxAQYQAA1DzkfjPLsnLlqJjYmE="/>
>>>> <k:SignatureConfirmation xmlns:k="http://docs.oasis-ope
>>>> n.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" u:Id="_2"
>>>> Value="xT8BJzHchJQ7oDTyeOtKhG9GCmiMB+MbUrXgc2fAJvrHZ9pDSf/
>>>> dvT/SYZfd11N5HWIdDwrcKA42Qt5QF/XpFrL2Y1GOd1bJdfflNX+AjFVqDvt
>>>> l1rlbaPIR4ucxj1nmqn+YkcFQoupw0Za7VEk169Foo4HQd+49f5HiK7xS44X
>>>> p1nj8sNNkYPXfmq/4FyG9ihat7Auho6OfQPVD+lKV0O/ZAQhiou80afmxTXZ
>>>> GwD0cNSyhuzNV8i53AIJx6+E8pvx0fxqYAzalbDJ4xVXhsOa0n86OSGqB9gL
>>>> r4TzdQl4DTV+HgCu/OHfXPm6GzNHfAtU+w040h9cL9QO59flMsA=="/>
>>>> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>>> <SignedInfo>
>>>> <CanonicalizationMethod Algorithm="http://www.w3.org/2
>>>> 001/10/xml-exc-c14n#"/>
>>>> <SignatureMethod Algorithm="http://www.w3.org/2
>>>> 000/09/xmldsig#hmac-sha1"/>
>>>> <Reference URI="#_4">
>>>> <Transforms>
>>>> <Transform Algorithm="http://www.w3.org/2
>>>> 001/10/xml-exc-c14n#"/>
>>>> </Transforms>
>>>> <DigestMethod Algorithm="http://www.w3.org/2
>>>> 000/09/xmldsig#sha1"/>
>>>> <DigestValue>a4dYMJM7glapET2aPCKJJ4NGnR8=</DigestValue>
>>>> </Reference>
>>>> <Reference URI="#_6">
>>>> <Transforms>
>>>> <Transform Algorithm="http://www.w3.org/2
>>>> 001/10/xml-exc-c14n#"/>
>>>> </Transforms>
>>>> <DigestMethod Algorithm="http://www.w3.org/2
>>>> 000/09/xmldsig#sha1"/>
>>>> <DigestValue>rAxMEQpS8qPAFIurOtChX3ass68=</DigestValue>
>>>> </Reference>
>>>> <Reference URI="#_7">
>>>> <Transforms>
>>>> <Transform Algorithm="http://www.w3.org/2
>>>> 001/10/xml-exc-c14n#"/>
>>>> </Transforms>
>>>> <DigestMethod Algorithm="http://www.w3.org/2
>>>> 000/09/xmldsig#sha1"/>
>>>> <DigestValue>IzophB2+Qc8xSA2CKkPGKPR3M2I=</DigestValue>
>>>> </Reference>
>>>> <Reference URI="#uuid-eb38523b-3459-439a-
>>>> 8576-47af2ed4b522-470">
>>>> <Transforms>
>>>> <Transform Algorithm="http://www.w3.org/2
>>>> 001/10/xml-exc-c14n#"/>
>>>> </Transforms>
>>>> <DigestMethod Algorithm="http://www.w3.org/2
>>>> 000/09/xmldsig#sha1"/>
>>>> <DigestValue>sgl2yTvuUtX7/iciMd4dDL/VBfI=</DigestValue>
>>>> </Reference>
>>>> <Reference URI="#_1">
>>>> <Transforms>
>>>> <Transform Algorithm="http://www.w3.org/2
>>>> 001/10/xml-exc-c14n#"/>
>>>> </Transforms>
>>>> <DigestMethod Algorithm="http://www.w3.org/2
>>>> 000/09/xmldsig#sha1"/>
>>>> <DigestValue>XxnP8jkVV7mtOJFBv99oltRAMB4=</DigestValue>
>>>> </Reference>
>>>> <Reference URI="#_2">
>>>> <Transforms>
>>>> <Transform Algorithm="http://www.w3.org/2
>>>> 001/10/xml-exc-c14n#"/>
>>>> </Transforms>
>>>> <DigestMethod Algorithm="http://www.w3.org/2
>>>> 000/09/xmldsig#sha1"/>
>>>> <DigestValue>F6TMlU1+cOlyQtdwiw+fIgAJ3PE=</DigestValue>
>>>> </Reference>
>>>> </SignedInfo>
>>>> <SignatureValue>neRfuTWOFEYVTmK+fkHHyy1KzS4=</SignatureValue>
>>>> <KeyInfo>
>>>> <o:SecurityTokenReference>
>>>> <o:Reference ValueType="http://schemas.xmls
>>>> oap.org/ws/2005/02/sc/dk" URI="#_0"/>
>>>> </o:SecurityTokenReference>
>>>> </KeyInfo>
>>>> </Signature>
>>>> </o:Security>
>>>> </s:Header>
>>>> <s:Body u:Id="_4">
>>>> <e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#"
>>>> Id="_5"
>>>> Type="http://www.w3.org/2001/04/xmlenc#Content">
>>>> <e:EncryptionMethod Algorithm="http://www.w3.org/2
>>>> 001/04/xmlenc#aes128-cbc"/>
>>>> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>>>> <o:SecurityTokenReference xmlns:o="http://docs.oasis-ope
>>>> n.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>>> <o:Reference ValueType="http://schemas.xmls
>>>> oap.org/ws/2005/02/sc/dk" URI="#_3"/>
>>>> </o:SecurityTokenReference>
>>>> </KeyInfo>
>>>> <e:CipherData>
>>>> <e:CipherValue>Q5Ll1pdTDB6OnZTKyFfmcQsAZSpyTL19skP8lz3DfNRbC
>>>> iuHjV6e5ZnN8L5hnHfksrQL94xnhSUIk9FFVwM+u3MJct8iFRadB9d87o/7y
>>>> sTlQDolAtUUnKNmeq4eiJ4IbDnHZg7hKwO0PMgrCRa2an2qd70vljFS0sYUM
>>>> V/GKQ+fvF7tNaoheFvvmr0hGeXVnR9qLk1u/B7agv5P4m0S9vXTSUvBVvayI
>>>> p4BwHRUmIl/aoAhhj+i3bzVaAp5RvIMcGwAqNMMIoi/99jqRTNw+4GLEB8Ol
>>>> xGJz4wzKhLPXh5tQkYpwWpGK4lW4nlA3FQhQCOibeTe3PSy2473Z0fzWrf9o
>>>> dBSZjjgCgUdKF3X5mCleb+oiNnHetbkTwWbzdKmWep1buhRZhEwkB1F9Icrq
>>>> B4/BaLgxTbO3tNmdgwKqH2rZfMo69G1rBZYoGjTLj1DIz2BdQDYTwLkS9kVk
>>>> s/IkJwdJ50GDdhrg4yrFbmiiEZTHqoVxYUIy4qPc7S2Pyz/2eFG3L/6wuiSn
>>>> yF7jajAqR1Renr2ouWMwMHc8CX+eLEisT+z0Ba2FuagG7fPEranVAjeQK
>>>> 72MiqGPxugUn1EQyygSXn5Edso4B/TUxeSBV8RPFU7zTBaUVdFDamqehu0oo
>>>> SCdd79xMig+9loiEulj6L4PSjMvZe3oueMKZmhEv17ZZwLB1W85rjI0R7y1G
>>>> qAqrtx5fzoPN/kmk9W2AVVPIB+lCqLBeX2QAnuardVDaCQ9lDoMPLig+f9fB
>>>> HFo69tSdUE5OZwPqmKwSuQsF52L35STWoS47AHmuE59dVNbXESU+0OT3bARM
>>>> YpYdXvfUNMPRoh6uzgQ/JmlUyO1vuJOJRmVwkM9h4/or7n29z5hhg=</e:CipherValue>
>>>> </e:CipherData>
>>>> </e:EncryptedData>
>>>> </s:Body>
>>>> </s:Envelope>
>>>> --cut
>>>>
>>>>
>
--
FERNAUSOFT GmbH
Gartenstraße 42 - 37269 Eschwege
Phone (0 56 51) 95 99-0
Fax (0 56 51) 95 99-90
Email martin.fernau@fernausoft.de
Internet http://www.fernausoft.de
Commercial register Eschwege, HRB 1585
Managing directors: Axel Fernau, Ulrich Fernau, Martin Fernau
Tax number 025 233 00041
VAT ID no. DE 178 554 622
Re: TransportBinding: Server response failed with "These policy
alternatives can not be satisfied"
Posted by Colm O hEigeartaigh <co...@apache.org>.
The problem is that all of the policies must be enforced. CXF is rejecting
the Basic256 policy, as the signature derivation key lengths in the message
do not match it.
As the TransportBinding policy is only being used here to require that TLS
is used, I would just omit the AlgorithmSuite altogether from the
TransportBinding policy and it should work.
Colm.
On Wed, Oct 26, 2016 at 5:39 PM, Martin Fernau <ma...@fernausoft.de>
wrote:
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
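The check Colm describes, as an added example written for this page (not code from the thread and not CXF's implementation): it collects every AlgorithmSuite asserted inside the policy's wsp:All, reads the derived key lengths the response actually uses from the DerivedKeyTokens that the Signature and the EncryptedData reference, and reports the mismatches in the style of CXF's fault text. The policy and response samples are constructed, trimmed versions of the ones posted in this thread, and the suite table follows the WS-SecurityPolicy 1.1 algorithm suite definitions.

```python
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSSC = "http://schemas.xmlsoap.org/ws/2005/02/sc"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"

# WS-SecurityPolicy 1.1 suite table by name prefix: (signature derived key bits, encryption
# derived key bits, xmlenc cipher). Rsa15/Sha256 variants only change key wrap and digest.
SUITE_TABLE = [("Basic256", 192, 256, "aes256-cbc"), ("Basic192", 192, 192, "aes192-cbc"),
               ("Basic128", 128, 128, "aes128-cbc"), ("TripleDes", 192, 192, "tripledes-cbc")]

# Constructed policy, trimmed from the WSDL in this thread: the SymmetricBinding that
# secures the message asserts Basic128Rsa15, the TLS-only TransportBinding Basic256.
POLICY = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"><wsp:ExactlyOne><wsp:All>
  <sp:SymmetricBinding><wsp:Policy>
    <sp:AlgorithmSuite><wsp:Policy><sp:Basic128Rsa15/></wsp:Policy></sp:AlgorithmSuite>
  </wsp:Policy></sp:SymmetricBinding>
  <sp:TransportBinding><wsp:Policy>
    <sp:TransportToken><wsp:Policy><sp:HttpsToken RequireClientCertificate="false"/></wsp:Policy></sp:TransportToken>
    <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
  </wsp:Policy></sp:TransportBinding>
</wsp:All></wsp:ExactlyOne></wsp:Policy>"""

# Constructed response, trimmed from the one in this thread: two 16-byte (128-bit)
# DerivedKeyTokens, one used by the Signature and one by the AES-128-CBC body
# encryption. Signature and cipher values are placeholders.
RESPONSE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc" xmlns:e="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <s:Header><o:Security s:mustUnderstand="1">
    <c:DerivedKeyToken u:Id="_0"><c:Offset>0</c:Offset><c:Length>16</c:Length></c:DerivedKeyToken>
    <c:DerivedKeyToken u:Id="_3"><c:Offset>0</c:Offset><c:Length>16</c:Length></c:DerivedKeyToken>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue>
      <ds:KeyInfo><o:SecurityTokenReference><o:Reference URI="#_0"/></o:SecurityTokenReference></ds:KeyInfo>
    </ds:Signature>
  </o:Security></s:Header>
  <s:Body u:Id="_4"><e:EncryptedData Id="_5">
    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    <ds:KeyInfo><o:SecurityTokenReference><o:Reference URI="#_3"/></o:SecurityTokenReference></ds:KeyInfo>
    <e:CipherData><e:CipherValue>PLACEHOLDER=</e:CipherValue></e:CipherData>
  </e:EncryptedData></s:Body>
</s:Envelope>"""


def suite_requirements(suite):
    """Required (sig bits, enc bits, cipher) for an AlgorithmSuite assertion name."""
    for prefix, sig_bits, enc_bits, cipher in SUITE_TABLE:
        if suite.startswith(prefix):
            return sig_bits, enc_bits, cipher
    raise ValueError(f"unknown AlgorithmSuite {suite}")


def policy_suites(policy_xml):
    """Every (binding, suite) asserted in the policy; inside a wsp:All CXF enforces all of them."""
    root = ET.fromstring(policy_xml)
    pairs = []
    for binding in ("TransportBinding", "SymmetricBinding", "AsymmetricBinding"):
        for node in root.iter(f"{{{SP}}}{binding}"):
            for suite in node.iter(f"{{{SP}}}AlgorithmSuite"):
                for assertion in suite.find(f"{{{WSP}}}Policy"):
                    pairs.append((binding, assertion.tag.split("}")[-1]))
    return pairs


def message_key_lengths(soap_xml):
    """(sig bits, enc bits, cipher) actually used, following each KeyInfo to its DerivedKeyToken."""
    root = ET.fromstring(soap_xml)
    # c:Length is in bytes; the thread's tokens carry 16, i.e. 128-bit derived keys
    dk_bits = {t.get(f"{{{WSU}}}Id"): 8 * int(t.find(f"{{{WSSC}}}Length").text)
               for t in root.iter(f"{{{WSSC}}}DerivedKeyToken")}
    str_ref = f"{{{DS}}}KeyInfo/{{{WSSE}}}SecurityTokenReference/{{{WSSE}}}Reference"
    signature = root.find(f".//{{{DS}}}Signature")
    encrypted = root.find(f".//{{{XENC}}}EncryptedData")
    cipher = encrypted.find(f"{{{XENC}}}EncryptionMethod").get("Algorithm").split("#")[-1]
    return (dk_bits[signature.find(str_ref).get("URI").lstrip("#")],
            dk_bits[encrypted.find(str_ref).get("URI").lstrip("#")], cipher)


def check(policy_xml, soap_xml):
    """Mismatches in the style of CXF's fault text; empty when every suite is satisfied."""
    actual = message_key_lengths(soap_xml)
    problems = []
    for binding, suite in policy_suites(policy_xml):
        labels = ("signature derived key length", "encryption derived key length", "encryption algorithm")
        for what, got, want in zip(labels, actual, suite_requirements(suite)):
            if got != want:
                problems.append(f"{binding}/{suite}: {what} {got} != {want}")
    return problems


def drop_transport_algorithm_suite(policy_xml):
    """Colm's fix: the TransportBinding here only requires TLS, so drop its AlgorithmSuite."""
    root = ET.fromstring(policy_xml)
    for binding in root.iter(f"{{{SP}}}TransportBinding"):
        for policy in binding.findall(f"{{{WSP}}}Policy"):
            for suite in policy.findall(f"{{{SP}}}AlgorithmSuite"):
                policy.remove(suite)
    return ET.tostring(root, encoding="unicode")
```

Running `check(POLICY, RESPONSE)` reproduces the Basic256 rejection from the thread, while the policy returned by `drop_transport_algorithm_suite` (or one with Basic128 in the TransportBinding) yields no mismatch.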
Re: TransportBinding: Server response failed with "These policy
alternatives can not be satisfied"
Posted by Martin Fernau <ma...@fernausoft.de>.
Sure, but the WSDL is somewhat complex.
For that reason I truncated the WSDL to the related parts:
--cut
<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions name="ServiceCustomer"
    targetNamespace="http://tempuri.org/"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
    xmlns:tns="http://tempuri.org/"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
    xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy"
    xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
    xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsa10="http://www.w3.org/2005/08/addressing"
    xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata">
  <wsp:Policy wsu:Id="CustomBinding_IServiceCustomer_policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:ProtectionToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                  <wsp:Policy>
                    <sp:RequireDerivedKeys/>
                    <sp:RequireThumbprintReference/>
                    <sp:WssX509V3Token10/>
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:ProtectionToken>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic128Rsa15/>
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Strict/>
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp/>
            <sp:OnlySignEntireHeadersAndBody/>
          </wsp:Policy>
        </sp:SymmetricBinding>
        <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
              <wsp:Policy>
                <sp:RequireThumbprintReference/>
                <sp:WssX509V3Token10/>
              </wsp:Policy>
            </sp:X509Token>
          </wsp:Policy>
        </sp:EndorsingSupportingTokens>
        <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:MustSupportRefThumbprint/>
            <sp:MustSupportRefEncryptedKey/>
            <sp:RequireSignatureConfirmation/>
          </wsp:Policy>
        </sp:Wss11>
        <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:MustSupportIssuedTokens/>
            <sp:RequireClientEntropy/>
            <sp:RequireServerEntropy/>
          </wsp:Policy>
        </sp:Trust10>
        <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:TransportToken>
              <wsp:Policy>
                <sp:HttpsToken RequireClientCertificate="false"/>
              </wsp:Policy>
            </sp:TransportToken>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic256/>
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Strict/>
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp/>
          </wsp:Policy>
        </sp:TransportBinding>
        <wsaw:UsingAddressing/>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
  <wsp:Policy wsu:Id="CustomBinding_IServiceCustomer_GetContractsByCustomerID_Input_policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body/>
          <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
        </sp:SignedParts>
        <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body/>
        </sp:EncryptedParts>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
  [... several Policy-Types more ...]
  <wsdl:types>
    [...]
  </wsdl:types>
  <wsdl:message name="IServiceCustomer_GetContractsByCustomerID_InputMessage">
    <wsdl:part name="parameters" element="tns:GetContractsByCustomerID"/>
  </wsdl:message>
  <wsdl:message name="IServiceCustomer_GetContractsByCustomerID_OutputMessage">
    <wsdl:part name="parameters" element="tns:GetContractsByCustomerIDResponse"/>
  </wsdl:message>
  [... several Message-Types more ...]
  <wsdl:portType name="IServiceCustomer">
    <wsdl:operation name="GetContractsByCustomerID">
      <wsdl:input wsaw:Action="http://tempuri.org/IServiceCustomer/GetContractsByCustomerID"
          message="tns:IServiceCustomer_GetContractsByCustomerID_InputMessage"/>
      <wsdl:output wsaw:Action="http://tempuri.org/IServiceCustomer/GetContractsByCustomerIDResponse"
          message="tns:IServiceCustomer_GetContractsByCustomerID_OutputMessage"/>
    </wsdl:operation>
    [...]
  </wsdl:portType>
  <wsdl:binding name="CustomBinding_IServiceCustomer" type="tns:IServiceCustomer">
    <wsp:PolicyReference URI="#CustomBinding_IServiceCustomer_policy"/>
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="GetContractsByCustomerID">
      <soap:operation soapAction="http://tempuri.org/IServiceCustomer/GetContractsByCustomerID" style="document"/>
      <wsdl:input>
        <wsp:PolicyReference URI="#CustomBinding_IServiceCustomer_GetContractsByCustomerID_Input_policy"/>
        <soap:body use="literal"/>
      </wsdl:input>
      <wsdl:output>
        <wsp:PolicyReference URI="#CustomBinding_IServiceCustomer_GetContractsByCustomerID_output_policy"/>
        <soap:body use="literal"/>
      </wsdl:output>
    </wsdl:operation>
    [...]
  </wsdl:binding>
  <wsdl:service name="ServiceCustomer">
    <wsdl:port name="CustomBinding_IServiceCustomer" binding="tns:CustomBinding_IServiceCustomer">
      <soap:address location="[...]"/>
      <wsa10:EndpointReference>
        <wsa10:Address>[...]</wsa10:Address>
        <Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
          <Dns>localhost</Dns>
        </Identity>
      </wsa10:EndpointReference>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
--cut
On 26.10.2016 at 17:48, Colm O hEigeartaigh wrote:
> For Basic256, the signature derived key length must be 192 bits (and 256
> for encryption). However in the sample message it is just using 128 bits
> for both. Let's see the full security policy configuration, where is it
> getting the information from to secure the message? Above it's just the
> TransportBinding configuration.
>
> Colm.
Re: TransportBinding: Server response failed with "These policy
alternatives can not be satisfied"
Posted by Colm O hEigeartaigh <co...@apache.org>.
For Basic256, the signature derived key length must be 192 bits (and 256
for encryption). However, in the sample message it is just using 128 bits
for both. Let's see the full security policy configuration; where is it
getting the information from to secure the message? Above it's just the
TransportBinding configuration.
Colm.
On Wed, Oct 26, 2016 at 4:34 PM, Martin Fernau <ma...@fernausoft.de>
wrote:
> Yes it does.
>
> For simplicity I paste the whole response after these lines.
>
> [...]
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
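The rule Colm applies, worked through as an added example (Python; this is not CXF or WSS4J code and not from either poster). The WS-SecurityPolicy 1.2 suite table gives Basic256 a 192-bit signature derived key and a 256-bit encryption derived key under aes256-cbc, while the posted response carries two DerivedKeyTokens with `<c:Length>16</c:Length>` (16 bytes, so 128 bits) and aes128-cbc. The script parses a constructed envelope trimmed from that response and lists every mismatch against a named suite; the suite table, the sample envelope and the function names are the example's own.

```python
"""Compare the key material in a WS-Security message with a policy AlgorithmSuite.

Added example (not CXF/WSS4J code). It reproduces the kind of check behind the
"signature derived key length does not match the requirement" fault: the
derived-key lengths and the encryption algorithm actually used in the message
are compared with what the named AlgorithmSuite requires.
"""
import xml.etree.ElementTree as ET

NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "u": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "c": "http://schemas.xmlsoap.org/ws/2005/02/sc",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
DK_VALUETYPE = "http://schemas.xmlsoap.org/ws/2005/02/sc/dk"

# WS-SecurityPolicy 1.2, section 6.1 (subset): suite name ->
# (encryption algorithm, encryption derived key bits, signature derived key bits)
SUITES = {
    "Basic256": ("http://www.w3.org/2001/04/xmlenc#aes256-cbc", 256, 192),
    "Basic192": ("http://www.w3.org/2001/04/xmlenc#aes192-cbc", 192, 192),
    "Basic128": ("http://www.w3.org/2001/04/xmlenc#aes128-cbc", 128, 128),
    "TripleDes": ("http://www.w3.org/2001/04/xmlenc#tripledes-cbc", 192, 192),
}

# Constructed sample: the posted response with the timestamp, references,
# SignatureConfirmation elements and ciphertext removed. Key material is as posted:
# two DerivedKeyTokens of 16 bytes, HMAC-SHA1 over token _0, aes128-cbc under token _3.
SAMPLE_RESPONSE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <s:Header>
  <o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc" s:mustUnderstand="1">
   <c:DerivedKeyToken u:Id="_0"><c:Offset>0</c:Offset><c:Length>16</c:Length></c:DerivedKeyToken>
   <c:DerivedKeyToken u:Id="_3"><c:Offset>0</c:Offset><c:Length>16</c:Length></c:DerivedKeyToken>
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/></SignedInfo>
    <SignatureValue>neRfuTWOFEYVTmK+fkHHyy1KzS4=</SignatureValue>
    <KeyInfo><o:SecurityTokenReference>
     <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#_0"/>
    </o:SecurityTokenReference></KeyInfo>
   </Signature>
  </o:Security>
 </s:Header>
 <s:Body u:Id="_4">
  <e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#" Id="_5"
    xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    Type="http://www.w3.org/2001/04/xmlenc#Content">
   <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><o:SecurityTokenReference>
    <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#_3"/>
   </o:SecurityTokenReference></KeyInfo>
   <e:CipherData><e:CipherValue>[...]</e:CipherValue></e:CipherData>
  </e:EncryptedData>
 </s:Body>
</s:Envelope>"""


def derived_key_lengths(security):
    """Map each DerivedKeyToken's wsu:Id to its key length in bits (wsc:Length is in bytes)."""
    lengths = {}
    for dkt in security.findall("c:DerivedKeyToken", NS):
        length = dkt.find("c:Length", NS)
        # Assumption: 32 bytes when Length is omitted, the WS-SecureConversation default.
        nbytes = int(length.text) if length is not None else 32
        lengths[dkt.get("{%s}Id" % NS["u"])] = nbytes * 8
    return lengths


def referenced_token(keyinfo):
    """Return the Id of the DerivedKeyToken a ds:KeyInfo points at, or None."""
    if keyinfo is None:
        return None
    for ref in keyinfo.iter("{%s}Reference" % NS["o"]):
        if ref.get("ValueType") == DK_VALUETYPE:
            return ref.get("URI", "").lstrip("#")
    return None


def check_algorithm_suite(envelope_xml, suite):
    """Return a list of mismatches between the message and the named suite (empty = accepted)."""
    enc_alg, enc_bits, sig_bits = SUITES[suite]
    root = ET.fromstring(envelope_xml)
    security = root.find("s:Header/o:Security", NS)
    lengths = derived_key_lengths(security)
    problems = []

    sig = security.find("ds:Signature", NS)
    if sig is not None:
        got = lengths.get(referenced_token(sig.find("ds:KeyInfo", NS)))
        if got is not None and got != sig_bits:
            problems.append(f"signature derived key length {got} != {sig_bits}")

    for enc in root.iter("{%s}EncryptedData" % NS["xenc"]):
        method = enc.find("xenc:EncryptionMethod", NS).get("Algorithm")
        if method != enc_alg:
            problems.append(f"encryption algorithm {method} != {enc_alg}")
        got = lengths.get(referenced_token(enc.find("ds:KeyInfo", NS)))
        if got is not None and got != enc_bits:
            problems.append(f"encryption derived key length {got} != {enc_bits}")
    return problems


if __name__ == "__main__":
    for name in ("Basic256", "Basic128"):
        print(name, check_algorithm_suite(SAMPLE_RESPONSE, name) or "OK")
```

Run against the sample, Basic256 reports three mismatches (128-bit signature key, aes128-cbc, 128-bit encryption key) and Basic128 reports none, which is exactly the behaviour Martin saw when he switched the suite in the policy; the switch makes the client accept what the server sends, but it does not change what the server sends.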
Re: TransportBinding: Server response failed with "These policy
alternatives can not be satisfied"
Posted by Martin Fernau <ma...@fernausoft.de>.
Yes it does.
For simplicity I paste the whole response after these lines.
--cut
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1"
u:Id="_6">http://tempuri.org/IServiceCustomer/GetContractsByCustomerIDResponse</a:Action>
<a:RelatesTo
u:Id="_7">urn:uuid:9f796ce4-4151-4720-9911-6f533112b4fa</a:RelatesTo>
<o:Security
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
s:mustUnderstand="1">
<u:Timestamp u:Id="uuid-eb38523b-3459-439a-8576-47af2ed4b522-470">
<u:Created>2016-10-26T15:32:20.723Z</u:Created>
<u:Expires>2016-10-26T15:37:20.723Z</u:Expires>
</u:Timestamp>
<c:DerivedKeyToken
xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc" u:Id="_0">
<o:SecurityTokenReference
xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
<o:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">/vaenfbIzpR6zUN7nL+LjSc6jeY=</o:KeyIdentifier>
</o:SecurityTokenReference>
<c:Offset>0</c:Offset>
<c:Length>16</c:Length>
<c:Nonce>nwdUEQxC0ErM+Ksf07uXjg==</c:Nonce>
</c:DerivedKeyToken>
<c:DerivedKeyToken
xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc" u:Id="_3">
<o:SecurityTokenReference
xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
<o:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">/vaenfbIzpR6zUN7nL+LjSc6jeY=</o:KeyIdentifier>
</o:SecurityTokenReference>
<c:Offset>0</c:Offset>
<c:Length>16</c:Length>
<c:Nonce>Xu4KRD3co7K0Y9JpAXdBFA==</c:Nonce>
</c:DerivedKeyToken>
<e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:DataReference URI="#_5"/>
</e:ReferenceList>
<k:SignatureConfirmation
xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
u:Id="_1" Value="nFxAQYQAA1DzkfjPLsnLlqJjYmE="/>
<k:SignatureConfirmation
xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
u:Id="_2"
Value="xT8BJzHchJQ7oDTyeOtKhG9GCmiMB+MbUrXgc2fAJvrHZ9pDSf/dvT/SYZfd11N5HWIdDwrcKA42Qt5QF/XpFrL2Y1GOd1bJdfflNX+AjFVqDvtl1rlbaPIR4ucxj1nmqn+YkcFQoupw0Za7VEk169Foo4HQd+49f5HiK7xS44Xp1nj8sNNkYPXfmq/4FyG9ihat7Auho6OfQPVD+lKV0O/ZAQhiou80afmxTXZGwD0cNSyhuzNV8i53AIJx6+E8pvx0fxqYAzalbDJ4xVXhsOa0n86OSGqB9gLr4TzdQl4DTV+HgCu/OHfXPm6GzNHfAtU+w040h9cL9QO59flMsA=="/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<Reference URI="#_4">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>a4dYMJM7glapET2aPCKJJ4NGnR8=</DigestValue>
</Reference>
<Reference URI="#_6">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>rAxMEQpS8qPAFIurOtChX3ass68=</DigestValue>
</Reference>
<Reference URI="#_7">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>IzophB2+Qc8xSA2CKkPGKPR3M2I=</DigestValue>
</Reference>
<Reference URI="#uuid-eb38523b-3459-439a-8576-47af2ed4b522-470">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>sgl2yTvuUtX7/iciMd4dDL/VBfI=</DigestValue>
</Reference>
<Reference URI="#_1">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>XxnP8jkVV7mtOJFBv99oltRAMB4=</DigestValue>
</Reference>
<Reference URI="#_2">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>F6TMlU1+cOlyQtdwiw+fIgAJ3PE=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>neRfuTWOFEYVTmK+fkHHyy1KzS4=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference
ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#_0"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body u:Id="_4">
<e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#"
Id="_5" Type="http://www.w3.org/2001/04/xmlenc#Content">
<e:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference
ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#_3"/>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>[...]</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
</s:Envelope>
--cut
On 26.10.2016 at 17:30, Colm O hEigeartaigh wrote:
> The error message seems to be referring to derivation key length. Does the
> message contain a security header containing a Signature and derived keys?
>
> Colm.
>
> On Wed, Oct 26, 2016 at 4:22 PM, Martin Fernau <ma...@fernausoft.de>
> wrote:
>
>> Hi,
>>
>> I've a wsdl with the following partial content:
>>
>> --cut
>> <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> <wsp:Policy>
>> <sp:TransportToken>
>> <wsp:Policy>
>> <sp:HttpsToken RequireClientCertificate="false"/>
>> </wsp:Policy>
>> </sp:TransportToken>
>> <sp:AlgorithmSuite>
>> <wsp:Policy>
>> <sp:Basic256/>
>> </wsp:Policy>
>> </sp:AlgorithmSuite>
>> <sp:Layout>
>> <wsp:Policy>
>> <sp:Strict/>
>> </wsp:Policy>
>> </sp:Layout>
>> <sp:IncludeTimestamp/>
>> </wsp:Policy>
>> </sp:TransportBinding>
>> --cut
>>
>> If I call this service the response from the server gets rejected by CXF:
>>
>> --cut
>> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These
>> policy alternatives can not be satisfied:
>> {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}AlgorithmSuite: The
>> signature derived key length does not match the requirement
>> {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}Basic256
>> at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProx
>> y.java:161)
>> at com.sun.proxy.$Proxy51.getContractsByCustomerID(Unknown Source)
>> at de.dmsserver.plugin.ford.test.fhdsales.TestComm.testGetContr
>> actsByCustomerID(TestComm.java:135)
>> at de.dmsserver.plugin.ford.test.fhdsales.TestComm.main(TestCom
>> m.java:128)
>> --cut
>>
>> If I change above "<sp:Basic256/>" to "<sp:Basic128/>" the message is
>> accepted.
>> Is this a problem with the remote service or with CXF?
>>
>> AFAIK TransportBinding applies to the connection which is SSL encrypted.
>> If I check the SSL Certificate with "openssl s_client -showcerts -connect
>> [server]:443" I get:
>>
>> --cut
>> CONNECTED(00000003)
>> depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
>> verify return:1
>> depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization
>> Validation CA - SHA256 - G2
>> verify return:1
>> depth=0 C = XX, ST = XX, L = XX, O = XX, CN = XX
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/C=XX/ST=XX/L=XX/O=XX/CN=XX
>> i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA -
>> SHA256 - G2
>> -----BEGIN CERTIFICATE-----
>> [...]
>> -----END CERTIFICATE-----
>> 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA -
>> SHA256 - G2
>> i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
>> -----BEGIN CERTIFICATE-----
>> [...]
>> -----END CERTIFICATE-----
>> ---
>> Server certificate
>> subject=/C=XX/ST=XX/L=XX/O=XX/CN=XX
>> issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA -
>> SHA256 - G2
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 3072 bytes and written 471 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>> Protocol : TLSv1.2
>> Cipher : ECDHE-RSA-AES256-SHA384
>> Session-ID: CD4B00002CD328917F89C4AF9010C5
>> 145C745FD134466567345539C6AA1BE676
>> Session-ID-ctx:
>> Master-Key: 11B433DDEF0B003A6F261390EA6D50
>> F1D881A9ADA2A40ABD3EC99F732C1132CD70CB17E19C4E6645B94CA25ACE798591
>> Key-Arg : None
>> PSK identity: None
>> PSK identity hint: None
>> SRP username: None
>> Start Time: 1477495032
>> Timeout : 300 (sec)
>> Verify return code: 0 (ok)
>> --cut
>>
>> Thanks
>> Martin
>>
>
>
--
FERNAUSOFT GmbH
Gartenstraße 42 - 37269 Eschwege
Telefon (0 56 51) 95 99-0
Telefax (0 56 51) 95 99-90
eMail martin.fernau@fernausoft.de
Internet http://www.fernausoft.de
Handelsregister Eschwege, HRB 1585
Geschäftsführer: Axel Fernau, Ulrich Fernau, Martin Fernau
Steuernummer 025 233 00041
USt-ID-Nr. DE 178 554 622
Re: TransportBinding: Server response failed with "These policy
alternatives can not be satisfied"
Posted by Colm O hEigeartaigh <co...@apache.org>.
The error message seems to be referring to derivation key length. Does the
message contain a security header containing a Signature and derived keys?
Colm.
On Wed, Oct 26, 2016 at 4:22 PM, Martin Fernau <ma...@fernausoft.de>
wrote:
> Hi,
>
> I've a wsdl with the following partial content:
>
> --cut
> <sp:TransportBinding xmlns:sp="http://schemas.xmlso
> ap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:TransportToken>
> <wsp:Policy>
> <sp:HttpsToken RequireClientCertificate="false"/>
> </wsp:Policy>
> </sp:TransportToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic256/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Strict/>
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp/>
> </wsp:Policy>
> </sp:TransportBinding>
> --cut
>
> If I call this service the response from the server gets rejected by CXF:
>
> --cut
> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These
> policy alternatives can not be satisfied:
> {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}AlgorithmSuite: The
> signature derived key length does not match the requirement
> {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}Basic256
> at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProx
> y.java:161)
> at com.sun.proxy.$Proxy51.getContractsByCustomerID(Unknown Source)
> at de.dmsserver.plugin.ford.test.fhdsales.TestComm.testGetContr
> actsByCustomerID(TestComm.java:135)
> at de.dmsserver.plugin.ford.test.fhdsales.TestComm.main(TestCom
> m.java:128)
> --cut
>
> If I change above "<sp:Basic256/>" to "<sp:Basic128/>" the message is
> accepted.
> Is this a problem with the remote service or with CXF?
>
> AFAIK TransportBinding applies to the connection which is SSL encrypted.
> If I check the SSL Certificate with "openssl s_client -showcerts -connect
> [server]:443" I get:
>
> --cut
> CONNECTED(00000003)
> depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
> verify return:1
> depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization
> Validation CA - SHA256 - G2
> verify return:1
> depth=0 C = XX, ST = XX, L = XX, O = XX, CN = XX
> verify return:1
> ---
> Certificate chain
> 0 s:/C=XX/ST=XX/L=XX/O=XX/CN=XX
> i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA -
> SHA256 - G2
> -----BEGIN CERTIFICATE-----
> [...]
> -----END CERTIFICATE-----
> 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA -
> SHA256 - G2
> i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
> -----BEGIN CERTIFICATE-----
> [...]
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/C=XX/ST=XX/L=XX/O=XX/CN=XX
> issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA -
> SHA256 - G2
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 3072 bytes and written 471 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES256-SHA384
> Session-ID: CD4B00002CD328917F89C4AF9010C5
> 145C745FD134466567345539C6AA1BE676
> Session-ID-ctx:
> Master-Key: 11B433DDEF0B003A6F261390EA6D50
> F1D881A9ADA2A40ABD3EC99F732C1132CD70CB17E19C4E6645B94CA25ACE798591
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1477495032
> Timeout : 300 (sec)
> Verify return code: 0 (ok)
> --cut
>
> Thanks
> Martin
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
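One way to run Colm's diagnostic offline against a captured response like the one in Martin's dump, as an added example that is neither the thread's code nor CXF's: it parses the Security header, looks up the DerivedKeyToken lengths that the Signature and the EncryptedData reference through the sc/dk ValueType, and compares them, plus the encryption algorithm, with the WS-SecurityPolicy 1.2 AlgorithmSuite table (Basic256: AES-256, 256-bit encryption and 192-bit signature derived keys; Basic128: AES-128 and 128-bit keys for both). The sample envelope is constructed; it assumes WS-SecureConversation 2005/02 element names, where DerivedKeyToken/Length is in bytes and defaults to 32.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/", "e": XENC,
      "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "u": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "c": "http://schemas.xmlsoap.org/ws/2005/02/sc", "ds": "http://www.w3.org/2000/09/xmldsig#"}
DK = "http://schemas.xmlsoap.org/ws/2005/02/sc/dk"  # ValueType of a derived key token reference
# WS-SecurityPolicy 1.2 AlgorithmSuite table; derived key lengths in bits.
SUITES = {"Basic256": {"enc": XENC + "aes256-cbc", "enc_dk": 256, "sig_dk": 192},
          "Basic128": {"enc": XENC + "aes128-cbc", "enc_dk": 128, "sig_dk": 128}}

def dk_bits(security, token_id):
    """Length in bits of the DerivedKeyToken with wsu:Id token_id (Length is in bytes, default 32)."""
    for dkt in security.findall("c:DerivedKeyToken", NS):
        if dkt.get("{%s}Id" % NS["u"]) == token_id:
            return int(dkt.findtext("c:Length", "32", NS)) * 8
    raise ValueError("no DerivedKeyToken with Id " + token_id)

def referenced_dk(elem):
    """Id of the derived key that elem's KeyInfo points at, or None if there is no dk reference."""
    ref = elem.find("ds:KeyInfo/o:SecurityTokenReference/o:Reference", NS) if elem is not None else None
    return ref.get("URI")[1:] if ref is not None and ref.get("ValueType") == DK else None

def check_message(xml_text, suite_name):
    """Return the AlgorithmSuite violations in a WS-Security message ([] means it is satisfied)."""
    suite, root, problems = SUITES[suite_name], ET.fromstring(xml_text), []
    sec = root.find("s:Header/o:Security", NS)
    sig_dk = referenced_dk(sec.find("ds:Signature", NS))
    if sig_dk and dk_bits(sec, sig_dk) != suite["sig_dk"]:  # the check behind the fault in the thread
        problems.append("signature derived key is %d bits, %s requires %d" % (dk_bits(sec, sig_dk), suite_name, suite["sig_dk"]))
    for enc in root.iter("{%s}EncryptedData" % XENC):
        alg = enc.find("e:EncryptionMethod", NS).get("Algorithm")
        if alg != suite["enc"]:
            problems.append("encryption algorithm %s, %s requires %s" % (alg, suite_name, suite["enc"]))
        enc_dk = referenced_dk(enc)
        if enc_dk and dk_bits(sec, enc_dk) != suite["enc_dk"]:
            problems.append("encryption derived key is %d bits, %s requires %d" % (dk_bits(sec, enc_dk), suite_name, suite["enc_dk"]))
    return problems

# Constructed sample modelled on the thread's response: 16-byte derived keys and AES-128-CBC.
SAMPLE = """<s:Envelope xmlns:s="%(s)s" xmlns:o="%(o)s" xmlns:u="%(u)s" xmlns:c="%(c)s" xmlns:ds="%(ds)s" xmlns:e="%(e)s">
<s:Header><o:Security><c:DerivedKeyToken u:Id="_0"><c:Length>16</c:Length></c:DerivedKeyToken>
<c:DerivedKeyToken u:Id="_3"><c:Length>16</c:Length></c:DerivedKeyToken>
<ds:Signature><ds:KeyInfo><o:SecurityTokenReference><o:Reference ValueType="%(dk)s" URI="#_0"/></o:SecurityTokenReference></ds:KeyInfo></ds:Signature>
</o:Security></s:Header>
<s:Body><e:EncryptedData Id="_5" Type="%(e)sContent"><e:EncryptionMethod Algorithm="%(e)saes128-cbc"/>
<ds:KeyInfo><o:SecurityTokenReference><o:Reference ValueType="%(dk)s" URI="#_3"/></o:SecurityTokenReference></ds:KeyInfo>
<e:CipherData><e:CipherValue>AAAA</e:CipherValue></e:CipherData></e:EncryptedData></s:Body></s:Envelope>""" % dict(NS, dk=DK)
```

Running `check_message(SAMPLE, "Basic256")` reports the 128-bit signature derived key, the aes128-cbc algorithm and the 128-bit encryption derived key as violations, while `check_message(SAMPLE, "Basic128")` returns an empty list, which matches the behaviour Martin saw when switching the policy.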