Hi everyone,
   Our team worked on new functionality that is to be released with the
upcoming wss4j 1.6.16 (WSS-500
<https://issues.apache.org/jira/browse/WSS-500> & WSS-501
<https://issues.apache.org/jira/browse/WSS-501>). We have managed to
integrate this functionality with Apache Rampart 1.6.2 and are willing to
contribute the necessary pieces there as well. However, so far we have been
using wss4j 1.6.4 plus the corresponding patches, and they seem to work fine
with Rampart 1.6.2.
Once I saw the vote for releasing wss4j 1.6.16, I decided to try to build
Rampart 1.6.2 against it, just to make sure it can adopt this new version
in the near future.
However, I stumbled upon a test failure in the Rampart integration module,
which I managed to track down to a specific commit in wss4j. The commit is
quite old; it was released in wss4j 1.6.5 (the latest Rampart uses 1.6.4). The
change that causes the trouble is the following:

http://svn.apache.org/viewvc?view=revision&revision=1294114

The log message says "Only decrypt a Data Reference in the
ReferenceListProcessor, if it hasn't already been decrypted by the
EncryptedDataProcessor".

The specific Rampart test that fails is
"org.apache.rampart.RampartTest#testWithPolicy()" using the following
security policy:

http://svn.apache.org/repos/asf/axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/7.xml

I'm attaching the SOAP request and response (request.xml and response.xml);
the actual error message is on the client side, when processing the
response from the service:

java.lang.StringIndexOutOfBoundsException: String index out of range: 0
    at java.lang.String.charAt(String.java:658)
    at org.apache.ws.security.WSDocInfo.getResult(WSDocInfo.java:225)
    at org.apache.ws.security.str.DerivedKeyTokenSTRParser.parseSecurityTokenReference(DerivedKeyTokenSTRParser.java:90)
    at org.apache.ws.security.processor.DerivedKeyTokenProcessor.handleToken(DerivedKeyTokenProcessor.java:53)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:398)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:304)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
    at org.apache.rampart.RampartEngine.process(RampartEngine.java:147)

The stack trace is generated using wss4j revision 1294114.

It can be seen that the response contains invalid references (the URI is not
correctly set):

<wsse:SecurityTokenReference ...
wsu:Id="STR-AA4ACE8415228CCC8E140481886870110">
    <wsse:Reference URI="#"
        ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
</wsse:SecurityTokenReference>

I'm now trying to figure out what the root cause of this is and whether the
problem is on the wss4j side or on Rampart's side, but I would be glad if
anyone more experienced would take a look at this and provide some feedback.

Thanks!

   Detelin
<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
	<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
		<wsse:Security
			xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
			xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
			soapenv:mustUnderstand="1">
			<wsu:Timestamp wsu:Id="TS-1">
				<wsu:Created>2014-07-08T10:20:52.896Z</wsu:Created>
				<wsu:Expires>2014-07-08T10:25:52.896Z</wsu:Expires>
			</wsu:Timestamp>
			<wsse:BinarySecurityToken
				EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
				ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
				wsu:Id="511399BCF54C2C4D1314048148532892">MIIDCjCCAfKgAwIBAgIQYDju2/6sm77InYfTq65x+DANBgkqhkiG9w0BAQUFADAwMQ4wDAYDVQQKDAVPQVNJUzEeMBwGA1UEAwwVT0FTSVMgSW50ZXJvcCBUZXN0IENBMB4XDTA1MDMxOTAwMDAwMFoXDTE4MDMxOTIzNTk1OVowQDEOMAwGA1UECgwFT0FTSVMxIDAeBgNVBAsMF09BU0lTIEludGVyb3AgVGVzdCBDZXJ0MQwwCgYDVQQDDANCb2IwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMCquMva4lFDrv3fXQnKK8CkSU7HvVZ0USyJtlL/yhmHH/FQXHyYY+fTcSyWYItWJYiTZ99PAbD+6EKBGbdfuJNUJCGaTWc5ZDUISqM/SGtacYe/PD/4+g3swNPzTUQAIBLRY1pkr2cm3s5Ch/f+mYVNBR41HnBeIxybw25kkoM7AgMBAAGjgZMwgZAwCQYDVR0TBAIwADAzBgNVHR8ELDAqMCiiJoYkaHR0cDovL2ludGVyb3AuYmJ0ZXN0Lm5ldC9jcmwvY2EuY3JsMA4GA1UdDwEB/wQEAwIEsDAdBgNVHQ4EFgQUXeg55vRyK3ZhAEhEf+YT0z986L0wHwYDVR0jBBgwFoAUwJ0o/MHrNaEd1qqqoBwaTcJJDw8wDQYJKoZIhvcNAQEFBQADggEBAIiVGv2lGLhRvmMAHSlY7rKLVkv+zEUtSyg08FBT8z/RepUbtUQShcIqwWsemDU8JVtsucQLc+g6GCQXgkCkMiC8qhcLAt3BXzFmLxuCEAQeeFe8IATr4wACmEQE37TEqAuWEIanPYIplbxYgwP0OBWBSjcRpKRAxjEzuwObYjbll6vKdFHYIweWhhWPrefquFp7TefTkF4D3rcctTfWJ76I5NrEVld+7PBnnJNpdDEuGsoaiJrwTW3Ixm40RXvG3fYS4hIAPeTCUk3RkYfUkqlaaLQnUrF2hZSgiBNLPe8gGkYORccRIlZCGQDEpcWl1Uf9OHw6fC+3hkqolFd5CVI=</wsse:BinarySecurityToken>
			<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
				Id="EK-511399BCF54C2C4D1314048148532861">
				<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
				<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
					<wsse:SecurityTokenReference>
						<wsse:Reference URI="#511399BCF54C2C4D1314048148532892"
							ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
					</wsse:SecurityTokenReference>
				</ds:KeyInfo>
				<xenc:CipherData>
					<xenc:CipherValue>RygAnlz+L6uSbXMbZ8lNFY6kHQAybTiJxy+o+QYiWN67LcGiTF+wa3rEcCq7E5QjZpMqBovPSTyCf0e1UVY1hOM4JdICuEAIorL8FmrfaiATtmJMFWGCsztDM1yWyUF2mNXLzFdnu8dvaFYgznqAdKhPbMhspSlFTr094vomS6Y=</xenc:CipherValue>
				</xenc:CipherData>
			</xenc:EncryptedKey>
			<wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
				wsu:Id="DK-4">
				<wsse:SecurityTokenReference
					xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
					wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"
					wsu:Id="STR-511399BCF54C2C4D1314048148533636">
					<wsse:Reference URI="#EK-511399BCF54C2C4D1314048148532861"
						ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
				</wsse:SecurityTokenReference>
				<wsc:Offset>0</wsc:Offset>
				<wsc:Length>24</wsc:Length>
				<wsc:Nonce>pz+grp4NC7tUOyeaO9a81Q==</wsc:Nonce>
			</wsc:DerivedKeyToken>
			<xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
				<xenc:DataReference URI="#ED-5" />
			</xenc:ReferenceList>
			<wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
				wsu:Id="DK-2">
				<wsse:SecurityTokenReference
					xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
					wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"
					wsu:Id="STR-511399BCF54C2C4D1314048148533123">
					<wsse:Reference URI="#EK-511399BCF54C2C4D1314048148532861"
						ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
				</wsse:SecurityTokenReference>
				<wsc:Offset>0</wsc:Offset>
				<wsc:Length>24</wsc:Length>
				<wsc:Nonce>ci95JymmpbjBvkrOWXWplg==</wsc:Nonce>
			</wsc:DerivedKeyToken>
			<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
				Id="SIG-3">
				<ds:SignedInfo>
					<ds:CanonicalizationMethod
						Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
						<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
							PrefixList="wsa soapenv" />
					</ds:CanonicalizationMethod>
					<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
					<ds:Reference URI="#Id-1706718789">
						<ds:Transforms>
							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
								<ec:InclusiveNamespaces
									xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="" />
							</ds:Transform>
						</ds:Transforms>
						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
						<ds:DigestValue>ytv+c2M0+a1R7QOrQx8/3dcLi2Y=</ds:DigestValue>
					</ds:Reference>
					<ds:Reference URI="#TS-1">
						<ds:Transforms>
							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
								<ec:InclusiveNamespaces
									xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse wsa soapenv" />
							</ds:Transform>
						</ds:Transforms>
						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
						<ds:DigestValue>4W3aUCLNSPQOOWMMNwvhGcrsPGU=</ds:DigestValue>
					</ds:Reference>
				</ds:SignedInfo>
				<ds:SignatureValue>TwufDaPnk/o2cN7+An+tGKLzhVM=</ds:SignatureValue>
				<ds:KeyInfo Id="KI-511399BCF54C2C4D1314048148533194">
					<wsse:SecurityTokenReference wsu:Id="STR-511399BCF54C2C4D1314048148533195">
						<wsse:Reference URI="#DK-2" />
					</wsse:SecurityTokenReference>
				</ds:KeyInfo>
			</ds:Signature>
		</wsse:Security>
		<wsa:To>http://127.0.0.1:5555/axis2/services/SecureService7</wsa:To>
		<wsa:MessageID>urn:uuid:7a65c54e-3b02-4887-bcd5-7aaae372cebc</wsa:MessageID>
		<wsa:Action>urn:echo</wsa:Action>
	</soapenv:Header>
	<soapenv:Body
		xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
		wsu:Id="Id-1706718789">
		<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
			Id="ED-5" Type="http://www.w3.org/2001/04/xmlenc#Content">
			<xenc:EncryptionMethod
				Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
			<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
				<wsse:SecurityTokenReference
					xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
					<wsse:Reference URI="#DK-4" />
				</wsse:SecurityTokenReference>
			</ds:KeyInfo>
			<xenc:CipherData>
				<xenc:CipherValue>eZD84msWk9OJUmCjj6jZzLKfOW/ZCo/1VFL+wCW1pZRDqfEKki7rcGEUwAGPIrZ29iCCTv8mfsKCrE8iJqSrUk7zRBeGsJHB8i/CWH5H/ubsHAgMAK+Lk/DfjGhF5QBW0yX1QHHlDcXh9dfK0XpggZ1q1ajOd5ySHxhRRFhe8sDClhzAU7SUGcEZkZm6Ym14k7AJsyDhk6XiwNtniuzJg9CwYUxb/HWVh9pB8SqvOknEyzXQa4EkNhdw8s0xEe6EfwJ1Cb76O4+uGaGGJuxWNARjNbZJcycvYLZcRwjtTC7RIBw8FCv5yT6DPYahfDDzQgI8QbyZjw5ovSSGkAfR9UPut1iVg/6Jkv8PCTSWSiqc4jewd8kFbOZqXpo77zL3O3KOcWpT3fcv7AVjmlLUdw==</xenc:CipherValue>
			</xenc:CipherData>
		</xenc:EncryptedData>
	</soapenv:Body>
</soapenv:Envelope>
<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
	<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
		<wsse:Security
			xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
			xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
			soapenv:mustUnderstand="1">
			<wsu:Timestamp wsu:Id="TS-6">
				<wsu:Created>2014-07-08T11:27:48.695Z</wsu:Created>
				<wsu:Expires>2014-07-08T11:32:48.695Z</wsu:Expires>
			</wsu:Timestamp>
			<wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
				wsu:Id="DK-9">
				<wsse:SecurityTokenReference
					xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
					wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"
					wsu:Id="STR-AA4ACE8415228CCC8E140481886870110">
					<wsse:Reference URI="#"
						ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
				</wsse:SecurityTokenReference>
				<wsc:Offset>0</wsc:Offset>
				<wsc:Length>24</wsc:Length>
				<wsc:Nonce>GzJA5VDywoJ0U8Ueeu+c4A==</wsc:Nonce>
			</wsc:DerivedKeyToken>
			<xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
				<xenc:DataReference URI="#ED-10" />
			</xenc:ReferenceList>
			<wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
				wsu:Id="DK-7">
				<wsse:SecurityTokenReference
					xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
					wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"
					wsu:Id="STR-AA4ACE8415228CCC8E14048188686967">
					<wsse:Reference URI="#"
						ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
				</wsse:SecurityTokenReference>
				<wsc:Offset>0</wsc:Offset>
				<wsc:Length>24</wsc:Length>
				<wsc:Nonce>7Odo7cyxjlDlfr0xcLuTXw==</wsc:Nonce>
			</wsc:DerivedKeyToken>
			<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
				Id="SIG-8">
				<ds:SignedInfo>
					<ds:CanonicalizationMethod
						Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
						<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
							PrefixList="wsa soapenv" />
					</ds:CanonicalizationMethod>
					<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
					<ds:Reference URI="#Id-711978920">
						<ds:Transforms>
							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
								<ec:InclusiveNamespaces
									xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="" />
							</ds:Transform>
						</ds:Transforms>
						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
						<ds:DigestValue>wWvPubUMWr8PUoEBdl3QO/1wK+I=</ds:DigestValue>
					</ds:Reference>
					<ds:Reference URI="#TS-6">
						<ds:Transforms>
							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
								<ec:InclusiveNamespaces
									xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse wsa soapenv" />
							</ds:Transform>
						</ds:Transforms>
						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
						<ds:DigestValue>VFpRJTMZAZZmKZL5rhag5H72qfw=</ds:DigestValue>
					</ds:Reference>
				</ds:SignedInfo>
				<ds:SignatureValue>QSMi0CzGBP51BiJP478qxo+2ALs=</ds:SignatureValue>
				<ds:KeyInfo Id="KI-AA4ACE8415228CCC8E14048188686968">
					<wsse:SecurityTokenReference wsu:Id="STR-AA4ACE8415228CCC8E14048188686969">
						<wsse:Reference URI="#DK-7" />
					</wsse:SecurityTokenReference>
				</ds:KeyInfo>
			</ds:Signature>
		</wsse:Security>
		<wsa:Action>urn:echoResponse</wsa:Action>
		<wsa:RelatesTo>urn:uuid:fbde9753-738b-40d6-a0f0-1a99577b9918</wsa:RelatesTo>
	</soapenv:Header>
	<soapenv:Body
		xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
		wsu:Id="Id-711978920">
		<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
			Id="ED-10" Type="http://www.w3.org/2001/04/xmlenc#Content">
			<xenc:EncryptionMethod
				Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
			<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
				<wsse:SecurityTokenReference
					xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
					<wsse:Reference URI="#DK-9" />
				</wsse:SecurityTokenReference>
			</ds:KeyInfo>
			<xenc:CipherData>
				<xenc:CipherValue>tQaypzgclwBqaa8ssDfVETiDDkS4m4snKFZ+ppHJWHwc6UhI6zshIbOfzc6/LATGH7a/PHitTf5QLnPFiGab8CPE7GDWvhuEN4uD6Wnj06HNZi4jH4xSFXN2Syj5bQmZfzoIS6nCIGsx8JjW5RuYikxbmT79P8u9snaVUUUVxuGE1luSZP5JjaAqyNioyCLnUC4KNlLU5DNIAzSyulHQl/so/+oxCc9m36nkbJuS5rnzvDYpp/IywCKLJEi0c7m7KJd7wkOE3lz2ij1/8gSxgd3OVqHVemlPcAI1bGFgv5vxCbHqznJ4GW5SpELBvuM6eyRXZ64A2t47pTZ/pyWuZIPHo5umv649MzNRsKAlPu3oYXmf/wzvMhq+ivN/Xea0kKcGwfY9dL+sqoCPsnOpDg==
				</xenc:CipherValue>
			</xenc:CipherData>
		</xenc:EncryptedData>
	</soapenv:Body>
</soapenv:Envelope>
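As an added pre-check (not part of the mail above, and not wss4j or Rampart code), the script below walks a WS-Security message and flags every wsse:Reference or xenc:DataReference whose URI is not a fragment that resolves to a wsu:Id or Id in the same document. That catches the bare `URI="#"` in the response before it reaches the token processors. The sample message is a constructed, trimmed copy of the response's header and body.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSC = "http://schemas.xmlsoap.org/ws/2005/02/sc"

# Constructed, trimmed copy of the failing response: the DerivedKeyToken's
# SecurityTokenReference carries a URI of just "#", as in the report.
SAMPLE_RESPONSE = f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:wsc="{WSC}" xmlns:xenc="{XENC}">
      <wsc:DerivedKeyToken wsu:Id="DK-9">
        <wsse:SecurityTokenReference><wsse:Reference URI="#"/></wsse:SecurityTokenReference>
      </wsc:DerivedKeyToken>
      <xenc:ReferenceList><xenc:DataReference URI="#ED-10"/></xenc:ReferenceList>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body xmlns:wsu="{WSU}" wsu:Id="Id-711978920">
    <xenc:EncryptedData xmlns:xenc="{XENC}" Id="ED-10">
      <wsse:SecurityTokenReference xmlns:wsse="{WSSE}"><wsse:Reference URI="#DK-9"/></wsse:SecurityTokenReference>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>"""


def collect_ids(root):
    """Every wsu:Id and unqualified Id value that a fragment URI could point at."""
    return {el.get(a) for el in root.iter() for a in (f"{{{WSU}}}Id", "Id") if el.get(a)}


def check_references(xml_text):
    """Return (element name, URI, problem) for every reference that cannot be resolved."""
    root = ET.fromstring(xml_text)
    ids = collect_ids(root)
    problems = []
    for el in root.iter():
        if el.tag not in (f"{{{WSSE}}}Reference", f"{{{XENC}}}DataReference"):
            continue
        uri = el.get("URI")
        name = el.tag.split("}")[1]
        if not uri:
            problems.append((name, uri, "missing URI"))
        elif not uri.startswith("#"):
            problems.append((name, uri, "not a same-document fragment"))
        elif len(uri) == 1:
            # The shape seen in the report: '#' with nothing after it.
            problems.append((name, uri, "empty fragment"))
        elif uri[1:] not in ids:
            problems.append((name, uri, "no element with that Id"))
    return problems
```

Running `check_references` on the real response.xml would report both DerivedKeyToken references as empty fragments, which is the condition the stack trace hits.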