Hi Dennis,

> Caused by: org.apache.ws.security.WSSecurityException: An error was
> discovered processing the <wsse:Security> header (WSSecurityEngine:
> DataReference - referenced data not found)

Ok, I've merged a fix for this. The ReferenceListProcessor only tries to
decrypt a DataReference if it hasn't already been decrypted.

> though I don't understand why the UsernameToken would work correctly in
> this case (since that should be the EncryptedData in the header).

The EncryptedData Element is successfully decrypted, and the
UsernameTokenProcessor is called on the decrypted Element.

> So what needs to be changed to move the ReferenceList before the
> EncryptedData?

If you look at the AbstractBindingBuilder in the CXF Security runtime, it
contains a number of methods that the concrete builders use to
append/prepend/etc security tokens to the security header.

Colm.

On Fri, Feb 24, 2012 at 6:57 AM, Dennis Sosnoski <[email protected]> wrote:
> Hi Colm,
>
> I tried using CXF 2.5.3-SNAPSHOT for the latest changes, including the
> WSS4J 1.6.5 nightly build. This looks much better, getting as far as
> verifying the UsernameToken on the server before dying with a data
> reference error:
>
> Caused by: org.apache.ws.security.WSSecurityException: An error was
> discovered processing the <wsse:Security> header (WSSecurityEngine:
> DataReference - referenced data not found)
>     at org.apache.ws.security.processor.ReferenceListProcessor.findEncryptedDataElement(ReferenceListProcessor.java:248)
>     at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:124)
>     at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:97)
>     at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:60)
>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:397)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:258)
>
> I guess this is due to the order of items in the header:
>
> <wsse:Security
>     xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     soap:mustUnderstand="1">
>   <wsu:Timestamp wsu:Id="TS-1">
>     ...
>   </wsu:Timestamp>
>   <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>       Id="EK-038897D5CBACC128F513300662077711">
>     ...
>   </xenc:EncryptedKey>
>   <wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc" wsu:Id="DK-3">
>     ...
>   </wsc:DerivedKeyToken>
>   <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>       Id="ED-5" Type="http://www.w3.org/2001/04/xmlenc#Element">
>     ...
>   </xenc:EncryptedData>
>   <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>     <xenc:DataReference URI="#ED-4"/>
>     <xenc:DataReference URI="#ED-5"/>
>   </xenc:ReferenceList>
> </wsse:Security>
>
> though I don't understand why the UsernameToken would work correctly in
> this case (since that should be the EncryptedData in the header).
>
> So what needs to be changed to move the ReferenceList before the
> EncryptedData?
>
> Thanks,
>
> - Dennis
>
>
> On 02/15/2012 04:34 AM, Colm O hEigeartaigh wrote:
>> Hi Dennis,
>>
>> There seem to be two problems here.
>>
>> The first problem is that the ReferenceList is appended to the
>> security header, i.e. *after* the EncryptedData part to which it
>> refers:
>>
>> <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>>   <xenc:DataReference URI="#ED-4"/>
>>   <xenc:DataReference URI="#ED-5"/>
>> </xenc:ReferenceList>
>>
>> If it were before the EncryptedData Element in the header, the
>> ReferenceListProcessor would be able to handle decrypting the Element
>> without a problem.
>>
>> The second is that the EncryptedDataProcessor can't handle a
>> SecurityTokenReference, as you pointed out. I have just committed a
>> fix for this here:
>>
>> http://svn.apache.org/viewvc?view=revision&revision=1243996
>>
>> Could you try with WSS4J 1.6.5-SNAPSHOT and let me know how you get
>> on? You will also need Santuario 1.5.0 if you are not using maven in
>> your test setup.
>>
>> Colm.
>>
>> On Tue, Feb 14, 2012 at 7:16 AM, Dennis Sosnoski <[email protected]> wrote:
>>> I'm trying to use a UsernameToken to validate the client when
>>> establishing a WS-SecureConversation. The policy I'm using is accepted
>>> by CXF, and the client generates the RST message without problem. The
>>> CXF server code returns the error "An unsupported signature or
>>> encryption algorithm was used (WSSecurityEngine: EncryptedData does not
>>> contain xenc:EncryptedKey)". This is coming from
>>> org.apache.ws.security.processor.EncryptedDataProcessor.handleToken in
>>> wss4j, which expects to always find an EncryptedKey within the
>>> EncryptedData/KeyInfo. The generated request is using a
>>> SecurityTokenReference rather than an EncryptedKey, which I'd think is
>>> correct in this situation.
>>>
>>> Is there some problem with encrypting a supporting token?
>>>
>>> Here's the policy I'm using:
>>>
>>> <wsp:Policy wsu:Id="SecureConv"
>>>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>     xmlns:wsp="http://www.w3.org/ns/ws-policy"
>>>     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>>   <wsap:UsingAddressing xmlns:wsap="http://www.w3.org/2006/05/addressing/wsdl"/>
>>>   <sp:SymmetricBinding>
>>>     <wsp:Policy>
>>>       <sp:ProtectionToken>
>>>         <wsp:Policy>
>>>           <sp:SecureConversationToken
>>>               sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>>>             <wsp:Policy>
>>>               <sp:RequireDerivedKeys/>
>>>               <sp:BootstrapPolicy>
>>>                 <wsp:Policy>
>>>                   <sp:AsymmetricBinding>
>>>                     <wsp:Policy>
>>>                       <sp:RecipientToken>
>>>                         <wsp:Policy>
>>>                           <sp:X509Token
>>>                               sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>>>                             <wsp:Policy>
>>>                               <sp:RequireDerivedKeys/>
>>>                               <sp:WssX509V3Token11/>
>>>                               <sp:RequireIssuerSerialReference/>
>>>                             </wsp:Policy>
>>>                           </sp:X509Token>
>>>                         </wsp:Policy>
>>>                       </sp:RecipientToken>
>>>                       <sp:AlgorithmSuite>
>>>                         <wsp:Policy>
>>>                           <sp:Basic256Sha256/>
>>>                         </wsp:Policy>
>>>                       </sp:AlgorithmSuite>
>>>                       <sp:IncludeTimestamp/>
>>>                       <sp:OnlySignEntireHeadersAndBody/>
>>>                     </wsp:Policy>
>>>                   </sp:AsymmetricBinding>
>>>                   <sp:SignedEncryptedSupportingTokens>
>>>                     <wsp:Policy>
>>>                       <sp:UsernameToken
>>>                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"/>
>>>                     </wsp:Policy>
>>>                   </sp:SignedEncryptedSupportingTokens>
>>>                   <sp:SignedParts>
>>>                     <sp:Body/>
>>>                   </sp:SignedParts>
>>>                   <sp:EncryptedParts>
>>>                     <sp:Body/>
>>>                   </sp:EncryptedParts>
>>>                   <sp:Trust13>
>>>                     <wsp:Policy>
>>>                       <sp:MustSupportIssuedTokens/>
>>>                       <sp:RequireClientEntropy/>
>>>                       <sp:RequireServerEntropy/>
>>>                     </wsp:Policy>
>>>                   </sp:Trust13>
>>>                 </wsp:Policy>
>>>               </sp:BootstrapPolicy>
>>>             </wsp:Policy>
>>>           </sp:SecureConversationToken>
>>>         </wsp:Policy>
>>>       </sp:ProtectionToken>
>>>       <sp:AlgorithmSuite>
>>>         <wsp:Policy>
>>>           <sp:Basic128/>
>>>         </wsp:Policy>
>>>       </sp:AlgorithmSuite>
>>>       <sp:IncludeTimestamp/>
>>>       <sp:EncryptSignature/>
>>>       <sp:OnlySignEntireHeadersAndBody/>
>>>     </wsp:Policy>
>>>   </sp:SymmetricBinding>
>>>   <sp:SignedParts>
>>>     <sp:Body/>
>>>   </sp:SignedParts>
>>>   <sp:EncryptedParts>
>>>     <sp:Body/>
>>>   </sp:EncryptedParts>
>>> </wsp:Policy>
>>>
>>> Here's a sample of the request sent by the client:
>>>
>>> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>>>   <soap:Header>
>>>     <Action xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT</Action>
>>>     <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:80d059b4-87ef-4edb-a69d-2e26b46ad493</MessageID>
>>>     <To xmlns="http://www.w3.org/2005/08/addressing">http://localhost:8800/wsstest</To>
>>>     <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
>>>       <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
>>>     </ReplyTo>
>>>     <wsse:Security
>>>         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>>>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>         soap:mustUnderstand="1">
>>>       <wsu:Timestamp wsu:Id="TS-1">
>>>         <wsu:Created>2012-02-10T11:53:52.568Z</wsu:Created>
>>>         <wsu:Expires>2012-02-10T11:58:52.568Z</wsu:Expires>
>>>       </wsu:Timestamp>
>>>       <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>>>           Id="EK-3325E85711A0FD3C1013288748329521">
>>>         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
>>>         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>           <wsse:SecurityTokenReference>
>>>             <ds:X509Data>
>>>               <ds:X509IssuerSerial>
>>>                 <ds:X509IssuerName>CN=Dennis Sosnoski,OU=Unknown,O=Sosnoski Software Associates Ltd.,L=Paraparaumu Beach,ST=Wellington,C=NZ</ds:X509IssuerName>
>>>                 <ds:X509SerialNumber>1239532339</ds:X509SerialNumber>
>>>               </ds:X509IssuerSerial>
>>>             </ds:X509Data>
>>>           </wsse:SecurityTokenReference>
>>>         </ds:KeyInfo>
>>>         <xenc:CipherData>
>>>           <xenc:CipherValue>UyGnAx6pl+ZERphViFz9Slw5hEajY0fFY8EgrrX0ceKRjkmk4+rgubc7A4hWGF4rw81i5CeLgh3RichfpbZiQJXqGpbs1CUnkNelUuxvJDG4BFfkJXVUy3D9sY8bjlEhRStTUQ5fE8k4vhyrmh9yCLExwxmjNd7D/nAm7osXTOE=</xenc:CipherValue>
>>>         </xenc:CipherData>
>>>       </xenc:EncryptedKey>
>>>       <wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc" wsu:Id="DK-3">
>>>         <wsse:SecurityTokenReference
>>>             xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
>>>             wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"
>>>             wsu:Id="STR-3325E85711A0FD3C1013288748329712">
>>>           <wsse:Reference URI="#EK-3325E85711A0FD3C1013288748329521"
>>>               ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
>>>         </wsse:SecurityTokenReference>
>>>         <wsc:Offset>0</wsc:Offset>
>>>         <wsc:Length>32</wsc:Length>
>>>         <wsc:Nonce>FYC8xkAu0dS4jNXunaIeYA==</wsc:Nonce>
>>>       </wsc:DerivedKeyToken>
>>>       <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>>>           Id="ED-5" Type="http://www.w3.org/2001/04/xmlenc#Element">
>>>         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>>>         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>           <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>>             <wsse:Reference URI="#DK-3"/>
>>>           </wsse:SecurityTokenReference>
>>>         </ds:KeyInfo>
>>>         <xenc:CipherData>
>>>           <xenc:CipherValue>C04EfqTdgX8UVRXqfPgYzdvrd3k8JeYzA0lW7xk5j9TZBcpuRiKBOuFyhbdpMoyiFLflZg99s9e6X0wMsdd/Clmtn+PUiZEH0s/DC/SzW13SnRfmbFAJIjV1DyRG6K/KW9P1UxLYd47HlsCFPZSGVeBt8DrZj+sTu5izDZMkxsVA55hY4RWleQq4w/MIZ9c51bj1Jf7lYC8gBDEXbb1qCvjrcRlmjjIo2ipyAuYT/wYW6WMSViqrTqieW8yR/+RM2txgwqTMyMkA4MD0cIacwKgr+DoUmQ9so5l/WCgbjuxaQf2sAhmCN6ZPS2fiK2JkTCXeuaZuHSJ4zi6/7vxyJpYpAjVgjjUeUlWb8jwuSts=</xenc:CipherValue>
>>>         </xenc:CipherData>
>>>       </xenc:EncryptedData>
>>>       <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>>>         <xenc:DataReference URI="#ED-4"/>
>>>         <xenc:DataReference URI="#ED-5"/>
>>>       </xenc:ReferenceList>
>>>     </wsse:Security>
>>>   </soap:Header>
>>>   <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>       wsu:Id="Id-14712427">
>>>     <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>>>         Id="ED-4" Type="http://www.w3.org/2001/04/xmlenc#Content">
>>>       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>>>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>         <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>>           <wsse:Reference URI="#DK-3"/>
>>>         </wsse:SecurityTokenReference>
>>>       </ds:KeyInfo>
>>>       <xenc:CipherData>
>>>         <xenc:CipherValue>hSU+Y3...2jbCTmg==</xenc:CipherValue>
>>>       </xenc:CipherData>
>>>     </xenc:EncryptedData>
>>>   </soap:Body>
>>> </soap:Envelope>
>>>
>>> Thanks,
>>>
>>> - Dennis
>>>
>>> --
>>>
>>> Dennis M. Sosnoski
>>> Java SOA and Web Services Consulting <http://www.sosnoski.com/consult.html>
>>> CXF and Web Services Security Training <http://www.sosnoski.com/training.html>
>>> Web Services Jump-Start <http://www.sosnoski.com/jumpstart.html>
>>>
>>
>>

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
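The failure and the fix Colm describes above, as an added simulation in Python that is not WSS4J or CXF code: the header is walked in document order, so the inline EncryptedData (ED-5) is decrypted before the ReferenceList that also points at it, and the pre-fix lookup then fails with "referenced data not found"; the fixed mode skips a DataReference whose target was already decrypted. Element names, Ids and namespaces are the ones from the thread; the sample envelope is a constructed, cut-down copy of Dennis's request, decryption is stubbed out, and a DataReference to an Id that exists nowhere still fails in both modes.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"
ENC_DATA, REF_LIST, DATA_REF = (f"{{{XENC}}}{n}" for n in ("EncryptedData", "ReferenceList", "DataReference"))

# Constructed, cut-down copy of the request in the thread: keys, timestamp and ciphertext omitted.
SAMPLE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:xenc="{XENC}">
 <soap:Header><wsse:Security>
  <xenc:EncryptedData Id="ED-5" Type="{XENC}Element"/>
  <xenc:ReferenceList><xenc:DataReference URI="#ED-4"/><xenc:DataReference URI="#ED-5"/></xenc:ReferenceList>
 </wsse:Security></soap:Header>
 <soap:Body><xenc:EncryptedData Id="ED-4" Type="{XENC}Content"/></soap:Body></soap:Envelope>"""


class ReferencedDataNotFound(Exception): """Mirrors 'WSSecurityEngine: DataReference - referenced data not found'."""


def process_security_header(xml_text, skip_already_decrypted=True):
    """Walk wsse:Security in document order, as WSS4J does; return a log of the actions taken."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    decrypted, log = set(), []
    def decrypt(enc):
        # Stand-in for decryption: the element is replaced by its plaintext, so its Id is gone afterwards.
        enc_id, parent = enc.get("Id"), parents[enc]
        parent[list(parent).index(enc)] = ET.Element("Plaintext", {"Id": enc_id})
        decrypted.add(enc_id)
        return enc_id
    security = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    for child in list(security):
        if child.tag == ENC_DATA:
            log.append(f"EncryptedData {decrypt(child)} decrypted in place")
        elif child.tag == REF_LIST:
            for ref in child.iter(DATA_REF):
                ref_id = ref.get("URI", "").lstrip("#")
                target = next((e for e in root.iter(ENC_DATA) if e.get("Id") == ref_id), None)
                if target is not None:
                    log.append(f"DataReference #{decrypt(target)} decrypted")
                elif skip_already_decrypted and ref_id in decrypted:  # the fix Colm merged
                    log.append(f"DataReference #{ref_id} already decrypted, skipped")
                else:  # pre-fix behaviour; still the right answer for a URI that points nowhere
                    raise ReferencedDataNotFound(f"referenced data not found: #{ref_id}")
    return log


def fails_with_reference_error(xml_text, skip_already_decrypted=True):
    try:
        process_security_header(xml_text, skip_already_decrypted)
        return False
    except ReferencedDataNotFound:
        return True
```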
