You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@cxf.apache.org by Hugo Trippaers <tr...@gmail.com> on 2015/06/15 17:47:37 UTC

Attachment signing/encryption and MTOM

Hello Folks,

I’m running into a problem with url encoding of attachments identifiers. The versions i’m using are WSS4j 2.0.3 and CXF 3.0.4 (so if this is solved in future versions, please tell me ;-) as i haven’t been able to test it.

I have a web service that returns an encrypted attachment, works fine without MTOM, but when i enable MTOM i get an error.

Caused by: org.apache.wss4j.common.ext.WSSecurityException: Attachment not found
	at org.apache.wss4j.dom.processor.ReferenceListProcessor.decryptEncryptedData(ReferenceListProcessor.java:363)
	at org.apache.wss4j.dom.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:213)
	at org.apache.wss4j.dom.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:121)
	at org.apache.wss4j.dom.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:80)

Tracing it, it fails on comparing the attachments Ids between the mime parts and the references in the soap code.

In the mime header of the attachment, the attachment id is not encoded
Content-ID: <f2eeb606-bca8-4c0b-8cc8-1f0f4d6e930d-4@http://schubergphilis.com/2015/

However the reference in both the CipherReference and Signature soap part is url encoded:
<xenc:CipherReference URI="cid:f2eeb606-bca8-4c0b-8cc8-1f0f4d6e930d-4@http%3A%2F%2Fschubergphilis.com%2F2015%2F03%2Fmidlayer-schema-20150319.xsd”>

<ds:Reference
        URI="cid:f2eeb606-bca8-4c0b-8cc8-1f0f4d6e930d-4@http%3A%2F%2Fschubergphilis.com%2F2015%2F03%2Fmidlayer-schema-20150319.xsd">
    <ds:Transforms>
        <ds:Transform
                Algorithm="http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Complete-Signature-Transform"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>yHytVyICcbG5TDfcL4iZHFyalbI=</ds:DigestValue>
</ds:Reference>


What should be correct? I don’t think the content in the attribute should be URL encoded, but should be entitiy encoded. Yet it is encoded in AttachmentUtil.createContentID and decoded before creating the mime part in AttachmentSerializer.writeHeaders

Happy to help solve this..

Cheers,

Hugo

Re: Attachment signing/encryption and MTOM

Posted by Aki Yoshida <el...@gmail.com>.

the content-id in the uri-form i.e. "cid:..." needs to be url-encoded
because some characters allowed in the content-id header value are
reserved in the URI syntax.
see http://www.ietf.org/rfc/rfc2111.txt  section 2.

I'm moving this thread to users@cxf.


2015-06-15 17:47 GMT+02:00 Hugo Trippaers <tr...@gmail.com>:
> Hello Folks,
>
> I’m running into a problem with url encoding of attachments identifiers. The versions i’m using are WSS4j 2.0.3 and CXF 3.0.4 (so if this is solved in future versions, please tell me ;-) as i haven’t been able to test it.
>
> I have a web service that returns an encrypted attachment, works fine without MTOM, but when i enable MTOM i get an error.
>
> Caused by: org.apache.wss4j.common.ext.WSSecurityException: Attachment not found
>         at org.apache.wss4j.dom.processor.ReferenceListProcessor.decryptEncryptedData(ReferenceListProcessor.java:363)
>         at org.apache.wss4j.dom.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:213)
>         at org.apache.wss4j.dom.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:121)
>         at org.apache.wss4j.dom.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:80)
>
> Tracing it, it fails on comparing the attachments Ids between the mime parts and the references in the soap code.
>
> In the mime header of the attachment, the attachment id is not encoded
> Content-ID: <f2eeb606-bca8-4c0b-8cc8-1f0f4d6e930d-4@http://schubergphilis.com/2015/
>
> However the reference in both the CipherReference and Signature soap part is url encoded:
> <xenc:CipherReference URI="cid:f2eeb606-bca8-4c0b-8cc8-1f0f4d6e930d-4@http%3A%2F%2Fschubergphilis.com%2F2015%2F03%2Fmidlayer-schema-20150319.xsd”>
>
> <ds:Reference
>         URI="cid:f2eeb606-bca8-4c0b-8cc8-1f0f4d6e930d-4@http%3A%2F%2Fschubergphilis.com%2F2015%2F03%2Fmidlayer-schema-20150319.xsd">
>     <ds:Transforms>
>         <ds:Transform
>                 Algorithm="http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Complete-Signature-Transform"/>
>     </ds:Transforms>
>     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>     <ds:DigestValue>yHytVyICcbG5TDfcL4iZHFyalbI=</ds:DigestValue>
> </ds:Reference>
>
>
> What should be correct? I don’t think the content in the attribute should be URL encoded, but should be entitiy encoded. Yet it is encoded in AttachmentUtil.createContentID and decoded before creating the mime part in AttachmentSerializer.writeHeaders
>
> Happy to help solve this..
>
> Cheers,
>
> Hugo