Hi Colm,

I tried using CXF 2.5.3-SNAPSHOT for the latest changes, including the
WSS4J 1.6.5 nightly build. This looks much better, getting as far as
verifying the UsernameToken on the server before dying with a data
reference error:

Caused by: org.apache.ws.security.WSSecurityException: An error was
discovered processing the <wsse:Security> header (WSSecurityEngine:
DataReference - referenced data not found)
    at org.apache.ws.security.processor.ReferenceListProcessor.findEncryptedDataElement(ReferenceListProcessor.java:248)
    at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:124)
    at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:97)
    at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:60)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:397)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:258)

I guess this is due to the order of items in the header:

    <wsse:Security
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-1">
        ...
      </wsu:Timestamp>
      <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
          Id="EK-038897D5CBACC128F513300662077711">
        ...
      </xenc:EncryptedKey>
      <wsc:DerivedKeyToken
          xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc" wsu:Id="DK-3">
        ...
      </wsc:DerivedKeyToken>
      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
          Id="ED-5" Type="http://www.w3.org/2001/04/xmlenc#Element">
        ...
      </xenc:EncryptedData>
      <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:DataReference URI="#ED-4"/>
        <xenc:DataReference URI="#ED-5"/>
      </xenc:ReferenceList>
    </wsse:Security>

though I don't understand why the UsernameToken would work correctly in
this case (since that should be the EncryptedData in the header).

So what needs to be changed to move the ReferenceList before the
EncryptedData?

Thanks,

  - Dennis


On 02/15/2012 04:34 AM, Colm O hEigeartaigh wrote:
> Hi Dennis,
>
> There seem to be two problems here.
>
> The first problem is that the ReferenceList is appended to the
> security header, i.e. *after* the EncryptedData part to which it
> refers:
>
>      <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>        <xenc:DataReference URI="#ED-4"/>
>        <xenc:DataReference URI="#ED-5"/>
>      </xenc:ReferenceList>
>
> If it were before the EncryptedData Element in the header, the
> ReferenceListProcessor would be able to handle decrypting the Element
> without a problem.
>
> The second is that the EncryptedDataProcessor can't handle a
> SecurityTokenReference, as you pointed out. I have just committed a
> fix for this here:
>
> http://svn.apache.org/viewvc?view=revision&revision=1243996
>
> Could you try with WSS4J 1.6.5-SNAPSHOT and let me know how you get
> on? You will also need Santuario 1.5.0 if you are not using maven in
> your test setup.
>
> Colm.
>
> On Tue, Feb 14, 2012 at 7:16 AM, Dennis Sosnoski <[email protected]> wrote:
>> I'm trying to use a UsernameToken to validate the client when
>> establishing a WS-SecureConversation. The policy I'm using is accepted
>> by CXF, and the client generates the RST message without problem. The
>> CXF server code returns the error "An unsupported signature or
>> encryption algorithm was used (WSSecurityEngine: EncryptedData does not
>> contain xenc:EncryptedKey)". This is coming from
>> org.apache.ws.security.processor.EncryptedDataProcessor.handleToken in
>> wss4j, which expects to always find an EncryptedKey within the
>> EncryptedData/KeyInfo. The generated request is using a
>> SecurityTokenReference rather than an EncryptedKey, which I'd think is
>> correct in this situation.
>>
>> Is there some problem with encrypting a supporting token?
>>
>> Here's the policy I'm using:
>>
>> <wsp:Policy wsu:Id="SecureConv"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> xmlns:wsp="http://www.w3.org/ns/ws-policy"
>> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>  <wsap:UsingAddressing
>> xmlns:wsap="http://www.w3.org/2006/05/addressing/wsdl"/>
>>  <sp:SymmetricBinding>
>>    <wsp:Policy>
>>      <sp:ProtectionToken>
>>        <wsp:Policy>
>>          <sp:SecureConversationToken
>> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>>            <wsp:Policy>
>>              <sp:RequireDerivedKeys/>
>>              <sp:BootstrapPolicy>
>>                <wsp:Policy>
>>                  <sp:AsymmetricBinding>
>>                    <wsp:Policy>
>>                      <sp:RecipientToken>
>>                        <wsp:Policy>
>>                          <sp:X509Token
>> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>>                            <wsp:Policy>
>>                              <sp:RequireDerivedKeys/>
>>                              <sp:WssX509V3Token11/>
>>                              <sp:RequireIssuerSerialReference/>
>>                            </wsp:Policy>
>>                          </sp:X509Token>
>>                        </wsp:Policy>
>>                      </sp:RecipientToken>
>>                      <sp:AlgorithmSuite>
>>                        <wsp:Policy>
>>                          <sp:Basic256Sha256/>
>>                        </wsp:Policy>
>>                      </sp:AlgorithmSuite>
>>                      <sp:IncludeTimestamp/>
>>                      <sp:OnlySignEntireHeadersAndBody/>
>>                    </wsp:Policy>
>>                  </sp:AsymmetricBinding>
>>                  <sp:SignedEncryptedSupportingTokens>
>>                    <wsp:Policy>
>>                      <sp:UsernameToken
>> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"/>
>>                    </wsp:Policy>
>>                  </sp:SignedEncryptedSupportingTokens>
>>                  <sp:SignedParts>
>>                    <sp:Body/>
>>                  </sp:SignedParts>
>>                  <sp:EncryptedParts>
>>                    <sp:Body/>
>>                  </sp:EncryptedParts>
>>                  <sp:Trust13>
>>                    <wsp:Policy>
>>                      <sp:MustSupportIssuedTokens/>
>>                      <sp:RequireClientEntropy/>
>>                      <sp:RequireServerEntropy/>
>>                    </wsp:Policy>
>>                  </sp:Trust13>
>>                </wsp:Policy>
>>              </sp:BootstrapPolicy>
>>            </wsp:Policy>
>>          </sp:SecureConversationToken>
>>        </wsp:Policy>
>>      </sp:ProtectionToken>
>>      <sp:AlgorithmSuite>
>>        <wsp:Policy>
>>          <sp:Basic128/>
>>        </wsp:Policy>
>>      </sp:AlgorithmSuite>
>>      <sp:IncludeTimestamp/>
>>      <sp:EncryptSignature/>
>>      <sp:OnlySignEntireHeadersAndBody/>
>>    </wsp:Policy>
>>  </sp:SymmetricBinding>
>>  <sp:SignedParts>
>>    <sp:Body/>
>>  </sp:SignedParts>
>>  <sp:EncryptedParts>
>>    <sp:Body/>
>>  </sp:EncryptedParts>
>> </wsp:Policy>
>>
>> Here's a sample of the request sent by the client:
>>
>> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>>  <soap:Header>
>>    <Action
>> xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT</Action>
>>    <MessageID
>> xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:80d059b4-87ef-4edb-a69d-2e26b46ad493</MessageID>
>>    <To
>> xmlns="http://www.w3.org/2005/08/addressing">http://localhost:8800/wsstest</To>
>>    <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
>>      <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
>>    </ReplyTo>
>>    <wsse:Security
>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> soap:mustUnderstand="1">
>>      <wsu:Timestamp wsu:Id="TS-1">
>>        <wsu:Created>2012-02-10T11:53:52.568Z</wsu:Created>
>>        <wsu:Expires>2012-02-10T11:58:52.568Z</wsu:Expires>
>>      </wsu:Timestamp>
>>      <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>> Id="EK-3325E85711A0FD3C1013288748329521">
>>        <xenc:EncryptionMethod
>> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
>>        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>          <wsse:SecurityTokenReference>
>>            <ds:X509Data>
>>              <ds:X509IssuerSerial>
>>                <ds:X509IssuerName>CN=Dennis
>> Sosnoski,OU=Unknown,O=Sosnoski Software Associates Ltd.,L=Paraparaumu
>> Beach,ST=Wellington,C=NZ</ds:X509IssuerName>
>>                <ds:X509SerialNumber>1239532339</ds:X509SerialNumber>
>>              </ds:X509IssuerSerial>
>>            </ds:X509Data>
>>          </wsse:SecurityTokenReference>
>>        </ds:KeyInfo>
>>        <xenc:CipherData>
>>
>> <xenc:CipherValue>UyGnAx6pl+ZERphViFz9Slw5hEajY0fFY8EgrrX0ceKRjkmk4+rgubc7A4hWGF4rw81i5CeLgh3RichfpbZiQJXqGpbs1CUnkNelUuxvJDG4BFfkJXVUy3D9sY8bjlEhRStTUQ5fE8k4vhyrmh9yCLExwxmjNd7D/nAm7osXTOE=</xenc:CipherValue>
>>        </xenc:CipherData>
>>      </xenc:EncryptedKey>
>>      <wsc:DerivedKeyToken
>> xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc" wsu:Id="DK-3">
>>        <wsse:SecurityTokenReference
>> xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
>> wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"
>> wsu:Id="STR-3325E85711A0FD3C1013288748329712">
>>          <wsse:Reference URI="#EK-3325E85711A0FD3C1013288748329521"
>> ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
>>        </wsse:SecurityTokenReference>
>>        <wsc:Offset>0</wsc:Offset>
>>        <wsc:Length>32</wsc:Length>
>>        <wsc:Nonce>FYC8xkAu0dS4jNXunaIeYA==</wsc:Nonce>
>>      </wsc:DerivedKeyToken>
>>      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>> Id="ED-5" Type="http://www.w3.org/2001/04/xmlenc#Element">
>>        <xenc:EncryptionMethod
>> Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>>        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>          <wsse:SecurityTokenReference
>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>            <wsse:Reference URI="#DK-3"/>
>>          </wsse:SecurityTokenReference>
>>        </ds:KeyInfo>
>>        <xenc:CipherData>
>>
>> <xenc:CipherValue>C04EfqTdgX8UVRXqfPgYzdvrd3k8JeYzA0lW7xk5j9TZBcpuRiKBOuFyhbdpMoyiFLflZg99s9e6X0wMsdd/Clmtn+PUiZEH0s/DC/SzW13SnRfmbFAJIjV1DyRG6K/KW9P1UxLYd47HlsCFPZSGVeBt8DrZj+sTu5izDZMkxsVA55hY4RWleQq4w/MIZ9c51bj1Jf7lYC8gBDEXbb1qCvjrcRlmjjIo2ipyAuYT/wYW6WMSViqrTqieW8yR/+RM2txgwqTMyMkA4MD0cIacwKgr+DoUmQ9so5l/WCgbjuxaQf2sAhmCN6ZPS2fiK2JkTCXeuaZuHSJ4zi6/7vxyJpYpAjVgjjUeUlWb8jwuSts=</xenc:CipherValue>
>>        </xenc:CipherData>
>>      </xenc:EncryptedData>
>>      <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>>        <xenc:DataReference URI="#ED-4"/>
>>        <xenc:DataReference URI="#ED-5"/>
>>      </xenc:ReferenceList>
>>    </wsse:Security>
>>  </soap:Header>
>>  <soap:Body
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> wsu:Id="Id-14712427">
>>    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>> Id="ED-4" Type="http://www.w3.org/2001/04/xmlenc#Content">
>>      <xenc:EncryptionMethod
>> Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>>      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>        <wsse:SecurityTokenReference
>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>          <wsse:Reference URI="#DK-3"/>
>>        </wsse:SecurityTokenReference>
>>      </ds:KeyInfo>
>>      <xenc:CipherData>
>>        <xenc:CipherValue>hSU+Y3...2jbCTmg==</xenc:CipherValue>
>>      </xenc:CipherData>
>>    </xenc:EncryptedData>
>>  </soap:Body>
>> </soap:Envelope>
>>
>> Thanks,
>>
>>  - Dennis
>>
>> --
>>
>> Dennis M. Sosnoski
>> Java SOA and Web Services Consulting <http://www.sosnoski.com/consult.html>
>> CXF and Web Services Security Training
>> <http://www.sosnoski.com/training.html>
>> Web Services Jump-Start <http://www.sosnoski.com/jumpstart.html>
>>
>
>
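
The ordering problem Colm describes (a ReferenceList placed after the header EncryptedData it refers to, so a sequential processor has already consumed ED-5 when it reaches the list), as an added example that is not code from this thread, CXF or WSS4J. It checks a constructed envelope with the same layout as the request above (Ids ED-4, ED-5 and EK-1 are constructed), then moves the ReferenceList ahead of the header EncryptedData and re-checks.

```python
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
ENC_DATA, REF_LIST = "{%(xenc)s}EncryptedData" % NS, "{%(xenc)s}ReferenceList" % NS

# Constructed sample mirroring the header layout from the thread: the header
# EncryptedData (ED-5) precedes the ReferenceList that points at it.
SAMPLE = """<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" xmlns:xenc="%(xenc)s">
 <soap:Header><wsse:Security>
  <xenc:EncryptedKey Id="EK-1"/>
  <xenc:EncryptedData Id="ED-5"/>
  <xenc:ReferenceList>
   <xenc:DataReference URI="#ED-4"/><xenc:DataReference URI="#ED-5"/>
  </xenc:ReferenceList>
 </wsse:Security></soap:Header>
 <soap:Body><xenc:EncryptedData Id="ED-4"/></soap:Body>
</soap:Envelope>""" % NS

def check_order(envelope_xml):
    """Walk wsse:Security children in document order, as a sequential processor
    does, and report DataReferences with unknown Ids or already-consumed targets."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    all_ids = {e.get("Id") for e in root.iter(ENC_DATA)}   # every EncryptedData in the message
    consumed, problems = set(), []                          # header EncryptedData passed so far
    for child in security:
        if child.tag == ENC_DATA:
            consumed.add(child.get("Id"))
        elif child.tag == REF_LIST:
            for ref in child.findall("xenc:DataReference", NS):
                target = ref.get("URI", "").lstrip("#")
                if target not in all_ids:
                    problems.append("%s: no such EncryptedData" % target)
                elif target in consumed:
                    problems.append("%s: EncryptedData precedes ReferenceList" % target)
    return problems

def move_reference_lists_first(envelope_xml):
    """Re-serialise the envelope with every header ReferenceList moved ahead of
    the first header EncryptedData, the order Colm says the processor can handle."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    lists = [c for c in security if c.tag == REF_LIST]
    for rl in lists:
        security.remove(rl)
    first = next((i for i, c in enumerate(security) if c.tag == ENC_DATA), len(security))
    for offset, rl in enumerate(lists):
        security.insert(first + offset, rl)
    return ET.tostring(root, encoding="unicode")
```

`check_order(SAMPLE)` flags ED-5 while ED-4 in the Body passes, and after `move_reference_lists_first` the same check returns an empty list.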
