Posted to users@ws.apache.org by Ch...@it.nrw.de on 2015/08/03 11:18:59 UTC
[WSS4J] empty xenc:ReferenceList when sending no attachments
Hello,
in our application we send messages with and without SwA attachments. Both messages use the same WSS-Policy file:
<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"
            wsu:Id="testpolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken=".../AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken=".../Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <sp:OnlySignEntireHeadersAndBody/>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp-cxf:Basic128GCMSha256 xmlns:sp-cxf="http://example.com/custom/security-policy"/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:SignedParts>
            <sp:Body/>
            <sp:Header Namespace="..." Name="Messaging"/>
            <sp:Attachments>
              <sp13:ContentSignatureTransform/>
            </sp:Attachments>
          </sp:SignedParts>
          <sp:EncryptedParts>
            <sp:Attachments/>
          </sp:EncryptedParts>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
When sending a message without attachment it looks as follows:
<soap:Envelope xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
               xmlns:eb3="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
               xmlns:ebbp="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0"
               xmlns:ebint="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/multihop/200902/"
               xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
               xmlns:wsa="http://www.w3.org/2005/08/addressing"
               xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
               xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <S12:Header xmlns:S12="http://www.w3.org/2003/05/soap-envelope">
    <eb3:Messaging S12:mustUnderstand="true" id="_ebmessaging_N65624"
                   wsu:Id="_59094c40-d1af-4581-8ccf-90bd947fc39c">
      ....
    </eb3:Messaging>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   soap:mustUnderstand="true">
      <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                         Id="EK-7d3d74f2-3878-4b5d-b914-9b89e82b3492">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <wsse:KeyIdentifier
                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
                >wZEtT/mkif2cptFu8rKpnZQZ5c8=</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>...</xenc:CipherValue>
        </xenc:CipherData>
--->    <xenc:ReferenceList/>
      </xenc:EncryptedKey>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                    Id="SIG-26b580d0-a983-4747-aa66-f4e3cd368fed">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                    PrefixList="ds eb3 ebbp ebint soap wsa wsse wsu"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
          <ds:Reference URI="#N65670">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                        PrefixList="ds eb3 ebbp ebint wsa wsse"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>KyTg3U5b4a+5nipkyOkETPtH6enj6NSDnANBwAic0rQ=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_59094c40-d1af-4581-8ccf-90bd947fc39c">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                        PrefixList="ds ebbp ebint soap wsa wsse"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>ygkz9MsmZPkyJM65egawLXTnOB3LXyCa1Ohw2uMqVpA=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo Id="KI-2e2e9bcb-3027-4c38-ac35-2fa61de64858">
          <wsse:SecurityTokenReference
              xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
              wsu:Id="STR-0d7c4659-dafb-4175-92ed-05392eb578f8">
            <wsse:KeyIdentifier
                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
                >WTMLwgT6lKgHrgsJx/YEtEnuD94=</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </S12:Header>
  <soap:Body wsu:Id="N65670"/>
</soap:Envelope>
An empty xenc:ReferenceList node is written, which is not allowed according to http://www.w3.org/TR/xmlenc-core1/#sec-ReferenceList. This causes issues with products from other vendors that reject such a message. Any help is greatly appreciated.
Cheers
Christian
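The check a practitioner would want here, as an added example (this is not WSS4J or CXF code and not part of the post): find every xenc:EncryptedKey whose xenc:ReferenceList has no DataReference/KeyReference children, which the XML Encryption schema referenced above forbids, and strip it only when the element is not inside a signed subtree, since removing a node under a ds:Reference target would invalidate that signature. In the posted message the Signature covers only the Body (#N65670) and the Messaging header, so the EncryptedKey is not signed and the strip is safe there; the envelope below is a constructed, trimmed copy of that shape with placeholder ids, digests and cipher text. Function names, constants and the sample are assumptions of this example.

```python
"""Detect and, where safe, remove an empty <xenc:ReferenceList/> from a
WS-Security header. Added example, not WSS4J/CXF code.

XML Encryption 1.1 (sec-ReferenceList) defines ReferenceList as one or more
DataReference/KeyReference elements, so an empty element is schema-invalid
and strict receivers reject the whole message.
"""
from xml.dom import minidom

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample (assumption): same shape as the posted message, no
# attachments, EncryptedKey with an empty ReferenceList, Signature over Body.
SAMPLE = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="true">
      <xenc:EncryptedKey Id="EK-1">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList/>
      </xenc:EncryptedKey>
      <ds:Signature Id="SIG-1">
        <ds:SignedInfo>
          <ds:Reference URI="#body-1"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>AAAA</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="body-1"/>
</soap:Envelope>"""

# Variant (constructed) where a policy signs the EncryptedKey itself:
# here stripping would break the signature, so the tool must refuse.
SAMPLE_SIGNED_EK = SAMPLE.replace('URI="#body-1"', 'URI="#EK-1"')


def _element_children(node):
    return [c for c in node.childNodes if c.nodeType == c.ELEMENT_NODE]


def signed_ids(doc):
    """Ids targeted by any ds:Reference with a same-document URI."""
    ids = set()
    for ref in doc.getElementsByTagNameNS(DS, "Reference"):
        uri = ref.getAttribute("URI")
        if len(uri) > 1 and uri.startswith("#"):
            ids.add(uri[1:])
    return ids


def inside_signed_subtree(node, covered):
    """True if node or any ancestor carries an Id/wsu:Id that is signed."""
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        if node.getAttribute("Id") in covered or node.getAttributeNS(WSU, "Id") in covered:
            return True
        node = node.parentNode
    return False


def empty_reference_lists(doc):
    """(EncryptedKey Id, ReferenceList node) for every list without children."""
    found = []
    for ek in doc.getElementsByTagNameNS(XENC, "EncryptedKey"):
        for rl in ek.getElementsByTagNameNS(XENC, "ReferenceList"):
            if not _element_children(rl):
                found.append((ek.getAttribute("Id"), rl))
    return found


def check(xml_text):
    """Ids of EncryptedKey elements carrying a schema-invalid empty ReferenceList."""
    doc = minidom.parseString(xml_text)
    return [ek_id for ek_id, _ in empty_reference_lists(doc)]


def strip_empty_reference_lists(xml_text):
    """Remove empty ReferenceLists outside signed subtrees.

    minidom keeps prefixes and xmlns attributes as they appear, so the signed
    Body/header subtrees are re-serialised unchanged. Returns (xml, removed, skipped).
    """
    doc = minidom.parseString(xml_text)
    covered = signed_ids(doc)
    removed, skipped = [], []
    for ek_id, rl in empty_reference_lists(doc):
        ek = rl.parentNode
        if inside_signed_subtree(ek, covered):
            skipped.append(ek_id)          # would invalidate a signature
            continue
        prev = rl.previousSibling          # drop the indentation text node too
        ek.removeChild(rl)
        if prev is not None and prev.nodeType == prev.TEXT_NODE and not prev.data.strip():
            ek.removeChild(prev)
        removed.append(ek_id)
    return doc.toxml(), removed, skipped


if __name__ == "__main__":
    print("empty ReferenceList in:", check(SAMPLE))
    fixed, removed, skipped = strip_empty_reference_lists(SAMPLE)
    print("removed:", removed, "skipped:", skipped)
    print(fixed)
```

Two caveats for anyone tempted to use this as an on-the-wire workaround rather than upgrading: re-serialising with a tool that renames namespace prefixes (as xml.etree does) changes the exclusive-c14n form of the signed parts and breaks the signature, which is why minidom is used here; and if the policy ever signs the EncryptedKey or the whole wsse:Security header, the only correct place to drop the element is before signing, inside the stack that builds the header.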
Re: [WSS4J] empty xenc:ReferenceList when sending no attachments
Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi,
Ok this is now fixed in WSS4J: https://issues.apache.org/jira/browse/WSS-549
I also merged some related fixes to CXF.
Colm.
On Mon, Aug 3, 2015 at 10:18 AM, <Ch...@it.nrw.de> wrote:
> [quoted text of the original message, shown in full above]
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com