Posted to fx-dev@ws.apache.org by Dimuthu Leelarathne <mu...@opensource.lk> on 2004/09/08 19:23:10 UTC
[wss4j] WSTrust , WS-SecConv Interop
Hi All,
I am facing a very interesting problem while implementing the "WS-Trust /
WS-SecureConversation" interop document. The problem is: there are two
DerivedKeyToken elements in the message. How should the receiver figure out
which derived key to use for decryption?
There are two DerivedKey tokens - one is used for signing and the other
for encryption.
Using one DerivedKeyToken, the wsa:MessageID, Timestamp, etc. are
signed. Then this Signature element and the soap:Body are encrypted using
the other DerivedKeyToken. The message appears as below (at the end of
the mail); it is the first message from "R to S" in the interop document, i.e.
figure 3 in the interop document.
The problem is at the receiver's end of this message. When performing
decryption, how am I supposed to figure out which DerivedKeyToken was used
for encryption? According to the interop document there is no ds:KeyInfo
element inside the xenc:EncryptedData elements, and the xenc:ReferenceList is
not wrapped in an xenc:EncryptedKey either, so nothing in the message names the
key. (Trial decryption with each candidate is not a safe fallback: aes128-cbc
carries no integrity check of its own, so a wrong key only shows up as a padding
or XML parse failure.) Am I missing something? Or what could be done? I'll be
grateful for your input.
Thank you,
Dimuthu.
The message looks like this,
POST /axis/services/Ping1 HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: ""
User-Agent: Jakarta Commons-HttpClient/3.0-alpha1
Host: 127.0.0.1:9080
Content-Length: 10856

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<!-- ReferenceList names both EncryptedData elements (one in this header, one in
     the Body). It is a direct child of wsse:Security, not wrapped in an
     xenc:EncryptedKey, so it carries no key reference of its own. -->
<xenc:ReferenceList>
<xenc:DataReference URI="#EncDataId-14600371"/>
<xenc:DataReference URI="#EncDataId-26108059"/>
</xenc:ReferenceList>
<!-- Presumably the encrypted ds:Signature described in the mail. No ds:KeyInfo
     inside: nothing here identifies which DerivedKeyToken supplied the AES-128-CBC
     key, which is exactly the receiver-side ambiguity being asked about. -->
<xenc:EncryptedData Id="EncDataId-14600371"
Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<xenc:CipherData>
<xenc:CipherValue>XskBz4JLbey1De4TWLAd+mr4rxhiRowCXvHC+6F4MLueAd2fitViSzYHmxVV0CdrkKPiEzmKetmXvLT5In52QIVwwSBvBlmtFImPGxE0w50vChZOVIVbnC+469ysLrh0JhcSHjoYSepyScNUg4wZtLT7jURm1P7prZOKrM15KWKhrZp7kuAl/
/jHfLIVSAv9Gai04fV6od2JCawiZJlhcoQs3Apfxu8nIRG9BDD0LYb1z8Kj1oo2
6jj0fxWLwpJjc5h0FhnB1TvixisvwWQ+gUPjnPPWFFxqHGaRA8rIr+0B3TAhEzdoxlnhNyT4keSk
nDYP7n2aqbd6oVs=</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
<!-- SAML 1.1 holder-of-key assertion; the proof key is the RSA-OAEP EncryptedKey
     "Sx" inside SubjectConfirmation. NOTE(review): Conditions expire
     2004-06-23T21:04:50Z while the wsu:Timestamp below is dated 2004-09-08, so a
     receiver that enforces Conditions would reject this assertion as expired;
     presumably fixture values copied from the interop document. The DigestValue
     and SignatureValue decode to 16 bytes each, too short for SHA-1 (20 bytes) or
     an RSA signature, so this sample is illustrative rather than verifiable.
     rsa-sha1/sha1 were the 2004 interop baseline and are not acceptable today. -->
<Assertion
AssertionID="uuid:8f8a6868-cb87-4d90-8f5d-f6efdb6a83f4"
IssueInstant="2004-06-23T09:04:50Z"
Issuer="http://fabrikam.com/ident1" MajorVersion="1"
MinorVersion="1" xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
<Conditions NotBefore="2004-06-23T09:04:50Z"
NotOnOrAfter="2004-06-23T21:04:50Z"/>
<AuthenticationStatement
AuthenticationInstant="2004-06-23T17:32:24Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<Subject>
<NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
david@fabrikam.com </NameIdentifier>
<SubjectConfirmation>
<ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
</ConfirmationMethod>
<ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedKey Id="Sx">
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep"/>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
k6fH4HRh8BL1huQELs7coA==
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>
WdibbBitnC4x0wROs3fkqQ==
</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</ds:KeyInfo>
</SubjectConfirmation>
</Subject>
</AuthenticationStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference
URI="#uuid:8f8a6868-cb87-4d90-8f5d-f6efdb6a83f4">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped_signature"/>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>D5qCn59zOJiwHdV7gOvqCw==</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue> b21p3MWT3WMKbqbIwBHitQ== </ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
"> v9N7fj4wzPQumAL3zc+DmA==
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</Assertion>
<!-- Five-minute freshness window (Created to Expires). Per the mail this element
     is covered by the signature, which itself sits inside the encrypted block
     above, so it is not verifiable until decryption succeeds. -->
<wsu:Timestamp wsu:Id="id-3157607"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2004-09-08T10:26:20Z</wsu:Created>
<wsu:Expires>2004-09-08T10:31:20Z</wsu:Expires>
</wsu:Timestamp>
<!-- DerivedKeyToken #1: carries no SecurityTokenReference, so it does not name
     the secret it derives from. Label/Nonce/Generation are the derivation
     parameters; the Nonce here is a placeholder string. -->
<wsc:DerivedKeyToken wsu:Id="897429607"
xmlns:wsc="http://schemas.xmlsoap.org/ws/2004/04/sc"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsc:Label>WSSecureConversationWSSecureConversation</wsc:Label>
<wsc:Nonce>nonce.....</wsc:Nonce>
<wsc:Generation>0</wsc:Generation>
</wsc:DerivedKeyToken>
<!-- DerivedKeyToken #2: derives from the holder-of-key SAML assertion above (the
     Reference URI matches its AssertionID). Note that neither EncryptedData in
     this message points back to either DerivedKeyToken by wsu:Id. -->
<wsc:DerivedKeyToken wsu:Id="1303392597"
xmlns:wsc="http://schemas.xmlsoap.org/ws/2004/04/sc"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:SecurityTokenReference>
<wsse:Reference
URI="uuid:8f8a6868-cb87-4d90-8f5d-f6efdb6a83f4"
ValueType="http://www.docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertion-1.0"/>
</wsse:SecurityTokenReference>
<wsc:Label>WSSecureConversationWSSecureConversation</wsc:Label>
<wsc:Nonce>nonce.....</wsc:Nonce>
<wsc:Generation>0</wsc:Generation>
</wsc:DerivedKeyToken>
</wsse:Security>
<wsa:MessageID wsu:Id="id-29945686" soapenv:actor=""
soapenv:mustUnderstand="0"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">uuid:jeznFLUNzWdaAg==</wsa:MessageID>
<wsa:Action wsu:Id="id-5424820" soapenv:actor=""
soapenv:mustUnderstand="0"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT</wsa:Action>
<wsa:To wsu:Id="id-7572744" soapenv:actor=""
soapenv:mustUnderstand="0"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">http://fabrikam.com/service</wsa:To>
</soapenv:Header>
<soapenv:Body wsu:Id="id-20357537"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<!-- Body ciphertext (the second DataReference above). Again no ds:KeyInfo, so the
     decrypting DerivedKeyToken is not identified. -->
<xenc:EncryptedData Id="EncDataId-26108059"
Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<xenc:CipherData>
<xenc:CipherValue>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</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope>
--
Lanka Software Foundation http://www.opensource.lk