Bryan, WSS4J does not support any mechanisms/profiles for the version 1.1 of the OASIS WSS specifications.
This is the reason why your interop tests fail. AFAIK the 1.1 specifications are not finished yet and I'm not quite sure whether the state of the 1.1 specs is somewhat stable. According to the experiences with WSS 1.0 I would start with the implementation only after the specs are somewhat stable (WSS 1.0 had considerable changes between the last draft and the final specs, causing massive implementation changes, interop retests and other problems because many deployments of WSS 1.0 used the draft specifications).

Regards,

Werner

> -----Original Message-----
> From: Bryan Field-Elliot [mailto:[EMAIL PROTECTED]
> Sent: Monday, 9 May 2005 18:34
> To: [email protected]
> Subject: Wsse support for KeyIdentifier ThumbprintSHA1?
>
>
> We are on the receiving end, trying to interop with an implementation
> using WSSE, and WSSecurityEngine is throwing an exception:
>
> General security error (Unexpected number of X509Data: for decryption
> (KeyId))
>
>
> The relevant section of code from WSSecurityEngine is here:
>
> else if (secRef.containsKeyIdentifier()) {
>     X509Certificate[] certs = secRef.getKeyIdentifier(crypto);
>     if (certs == null || certs.length != 1 || certs[0] == null) {
>         throw new WSSecurityException(WSSecurityException.FAILURE,
>                 "invalidX509Data", new Object[]{"for decryption (KeyId)"});
>     }
>     // ... (rest of the branch omitted)
> }
>
>
> Tracing through to getKeyIdentifier, it seems like the key identifier
> used in the other implementation (which I am trying to interop with) is
> not supported - ThumbprintSHA1.
>
> Here is the SOAP Body I'm receiving:
>
> <s:Body u:Id="_5">
>   <e:EncryptedData Id="_7"
>       Type="http://www.w3.org/2001/04/xmlenc#Content"
>       xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>     <e:EncryptionMethod
>         Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
>     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>       <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>         <o:Reference URI="#_6" />
>       </o:SecurityTokenReference>
>     </KeyInfo>
>     <e:CipherData>
>       <e:CipherValue>... (omitted) ...</e:CipherValue>
>     </e:CipherData>
>   </e:EncryptedData>
> </s:Body>
>
>
> Here's the derived key token in the SOAP Header:
>
> <c:DerivedKeyToken u:Id="_6"
>     xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
>   <o:SecurityTokenReference>
>     <o:Reference
>         URI="#uuid-0f81598d-e254-4dba-93dc-f63295f20956-2" />
>   </o:SecurityTokenReference>
>   <c:Generation>0</c:Generation>
>   <c:Length>32</c:Length>
>   <c:Nonce>417l3wDvPqBpGGIItwp0Tg==</c:Nonce>
> </c:DerivedKeyToken>
>
>
> And here is the Encrypted Key in the header:
>
> <e:EncryptedKey Id="uuid-0f81598d-e254-4dba-93dc-f63295f20956-2"
>     xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>   <e:EncryptionMethod
>       Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
>   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>     <o:SecurityTokenReference>
>       <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/xx/oasis-2004xx-wss-x509-token-profile-1.1#X509ThumbprintSHA1">7u6YK+DkkQOCyilYuOz4+rfi++8=</o:KeyIdentifier>
>     </o:SecurityTokenReference>
>   </KeyInfo>
>   <e:CipherData>
>     <e:CipherValue> ... (omitted) ... </e:CipherValue>
>   </e:CipherData>
> </e:EncryptedKey>
>
>
> Is there something I am doing wrong which is causing this failure?
>
> Thank you,
>
> Bryan
>
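The following is an added illustration, not code from this thread and not WSS4J's own code: it shows how an EncryptedKey's wsse:KeyIdentifier is resolved to a certificate, why an engine that only knows the WSS 1.0 ValueTypes turns a draft-1.1 X509ThumbprintSHA1 reference into the generic "Unexpected number of X509Data" error Bryan saw, and what changes once the thumbprint ValueType is understood (SHA-1 over the certificate's DER encoding, compared against every certificate in the store, then the same exactly-one check as the WSSecurityEngine snippet). The certificate store, its "DER" byte strings, the sample headers and the function names are all constructed for this example; the ValueType URIs are the released 1.0 SubjectKeyIdentifier URI and the draft 1.1 thumbprint URI copied from the message above.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
XENC_NS = "http://www.w3.org/2001/04/xmlenc#"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# KeyIdentifier ValueType URIs: SubjectKeyIdentifier from the released 1.0 X.509
# token profile, and the draft 1.1 ThumbprintSHA1 URI exactly as it appears in
# Bryan's EncryptedKey (note the "xx" placeholders of the draft).
VT_SKI_10 = ("http://docs.oasis-open.org/wss/2004/01/"
             "oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier")
VT_THUMB_11 = ("http://docs.oasis-open.org/wss/2004/xx/"
               "oasis-2004xx-wss-x509-token-profile-1.1#X509ThumbprintSHA1")
WSS_10_VALUE_TYPES = {VT_SKI_10}               # what a 1.0-only engine understands
WSS_11_VALUE_TYPES = {VT_SKI_10, VT_THUMB_11}  # after adding thumbprint support

# Constructed stand-in certificate store (hypothetical, not a real keystore):
# alias -> (DER bytes, SubjectKeyIdentifier bytes). A ThumbprintSHA1 is SHA-1
# over the DER encoding of the certificate, so arbitrary bytes are enough to
# demonstrate the lookup; real code would hash the actual DER.
STORE = {
    "server": (b"\x30\x82\x01\x0a constructed DER for server", bytes.fromhex("01" * 20)),
    "client": (b"\x30\x82\x01\x0a constructed DER for client", bytes.fromhex("02" * 20)),
}
DUPLICATE_STORE = {"a": STORE["server"], "b": STORE["server"]}  # same cert under two aliases


def thumbprint_sha1(der):
    """ThumbprintSHA1 as the 1.1 X.509 profile defines it: SHA-1 of the DER certificate."""
    return hashlib.sha1(der).digest()


def find_certs(value_type, identifier, store, supported):
    """Aliases of the certificates a KeyIdentifier value designates.

    A ValueType the engine does not support yields no matches at all; that empty
    result is what surfaces as the generic "Unexpected number of X509Data" error.
    """
    if value_type not in supported:
        return []
    if value_type == VT_THUMB_11:
        return [a for a, (der, _) in store.items() if thumbprint_sha1(der) == identifier]
    if value_type == VT_SKI_10:
        return [a for a, (_, ski) in store.items() if ski == identifier]
    return []


def resolve_encrypted_key(header_xml, store, supported):
    """Alias of the single certificate the EncryptedKey's KeyIdentifier refers to."""
    root = ET.fromstring(header_xml)
    kid = root.find(f".//{{{XENC_NS}}}EncryptedKey/{{{DS_NS}}}KeyInfo/"
                    f"{{{WSSE_NS}}}SecurityTokenReference/{{{WSSE_NS}}}KeyIdentifier")
    if kid is None:
        raise ValueError("EncryptedKey carries no wsse:KeyIdentifier")
    value_type = kid.get("ValueType")
    identifier = base64.b64decode((kid.text or "").strip())
    if value_type == VT_THUMB_11 and len(identifier) != hashlib.sha1().digest_size:
        raise ValueError("X509ThumbprintSHA1 must decode to 20 bytes")
    matches = find_certs(value_type, identifier, store, supported)
    if len(matches) != 1:  # the same exactly-one rule as the WSSecurityEngine snippet
        raise ValueError("Unexpected number of X509Data: for decryption (KeyId): "
                         f"{len(matches)} match(es) for ValueType {value_type}")
    return matches[0]


def try_resolve(header_xml, store, supported):
    """(alias, None) on success, (None, error message) on failure."""
    try:
        return resolve_encrypted_key(header_xml, store, supported), None
    except ValueError as exc:
        return None, str(exc)


def make_header(value_type, identifier):
    """Constructed wsse:Security header shaped like the EncryptedKey in the thread."""
    b64 = base64.b64encode(identifier).decode("ascii")
    return f"""<o:Security xmlns:o="{WSSE_NS}" xmlns:e="{XENC_NS}" xmlns:ds="{DS_NS}">
  <e:EncryptedKey Id="constructed-encrypted-key">
    <e:EncryptionMethod Algorithm="{XENC_NS}rsa-oaep-mgf1p"/>
    <ds:KeyInfo>
      <o:SecurityTokenReference>
        <o:KeyIdentifier ValueType="{value_type}">{b64}</o:KeyIdentifier>
      </o:SecurityTokenReference>
    </ds:KeyInfo>
    <e:CipherData><e:CipherValue>AAAA</e:CipherValue></e:CipherData>
  </e:EncryptedKey>
</o:Security>"""


# Constructed sample headers: the thread's case (thumbprint of a cert we hold),
# a 1.0-style SKI reference, and a thumbprint of a cert that is not in the store.
HEADER_THUMB_SERVER = make_header(VT_THUMB_11, thumbprint_sha1(STORE["server"][0]))
HEADER_SKI_CLIENT = make_header(VT_SKI_10, STORE["client"][1])
HEADER_THUMB_UNKNOWN = make_header(VT_THUMB_11, thumbprint_sha1(b"constructed DER not in store"))
```

Running `try_resolve(HEADER_THUMB_SERVER, STORE, WSS_10_VALUE_TYPES)` reproduces the symptom from the thread (no match, hence the "Unexpected number of X509Data" message), while the same header against `WSS_11_VALUE_TYPES` resolves to the "server" alias. The exactly-one rule also rejects a thumbprint that matches two store entries, so a receiver cannot silently pick the wrong decryption key when a keystore holds the same certificate twice.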
