Alessio Soldano created CXF-5892:
------------------------------------

             Summary: Ensure EncryptedKey references BST before it
                 Key: CXF-5892
                 URL: https://issues.apache.org/jira/browse/CXF-5892
             Project: CXF
          Issue Type: Improvement
          Components: WS-* Components
            Reporter: Alessio Soldano


When using a policy as follows:
{noformat}
<wsp:Policy 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 wsu:Id="SecurityServiceSignThenEncryptPolicy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:AsymmetricBinding 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:InitiatorToken>
              <wsp:Policy>
                <sp:X509Token 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
                  <wsp:Policy>
                    <sp:WssX509V1Token11/>
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:InitiatorToken>
            <sp:RecipientToken>
              <wsp:Policy>
                <sp:X509Token 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
                  <wsp:Policy>
                    <sp:WssX509V1Token11/>
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:RecipientToken>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:TripleDes/>
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Lax/>
              </wsp:Policy>
            </sp:Layout>
            <!-- <sp:IncludeTimestamp/> -->
            <!-- <sp:EncryptSignature/> -->
            <sp:OnlySignEntireHeadersAndBody/>
            <!-- <sp:SignBeforeEncrypting/> -->
            <!-- <sp:EncryptBeforeSigning/> -->
          </wsp:Policy>
        </sp:AsymmetricBinding>
        <sp:SignedParts 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body/>
        </sp:SignedParts>
        <sp:EncryptedParts 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body/>
        </sp:EncryptedParts>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
{noformat}

a message like this is generated

{noformat}
<?xml version="1.0" encoding="UTF-8"?><soap:Envelope 
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <wsse:Security 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 soap:mustUnderstand="1">
      <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" 
Id="EK-CFCC32406441E262D414056082408016">
        <xenc:EncryptionMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#CFCC32406441E262D414056082408017" 
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          
<xenc:CipherValue>EU9cFqu6lqJ6iq1ZqHGVoidA0iT6MHIwimvNuQQP2WU/kUbldgLlS7CP1h8OPE7uJMpBztciQ27H/fOZqGsQntqsUIOFLyDjalHjYBiGGzmHG1k/4Yd4ibsN+NacJYbTPaHclkO81H06eImW+yNIxFvb2bw9HJht9ehWGVUoy4k=</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#ED-CFCC32406441E262D414056082408118"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
      <wsse:BinarySecurityToken 
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
 
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
 
wsu:Id="CFCC32406441E262D414056082408017">MIICNzCCAaCgAwIBAgIEURPj3TANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTkMxEDAOBgNVBAcTB1JhbGVpZ2gxEDAOBgNVBAoTB1JlZCBIYXQxDDAKBgNVBAsTA0dTUzES...+vR2eMo4a45eWPj2hAqvBNpmB5mcuQGuOo/aRjoQS86vX6wIsy/UeaAlG9shvZSIwL0kwZBNuubkbikMdNIsBHROSp5v/gbMHa9O9qDOzQQnMn6cgeJePdYnq1oTuDK+g5M1znja31HtbQTo9NiaXjuQfL05v5dA==</wsse:BinarySecurityToken>
      <wsse:BinarySecurityToken 
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
 
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
 
wsu:Id="X509-CFCC32406441E262D414056082407262">MIICNzCCAaCgAwIBAgIEURPj9jANBgkqhkiG9w0BAQUFADBgMQswCQY...MFwS4DphvWgHfyDxLBtsJ45ZLdE+s0fXjjn+W8KCDYR0ayuUjO/KeKiLBo24U44ULy4mJOQ==</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
Id="SIG-CFCC32406441E262D414056082407385">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces 
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#_CFCC32406441E262D414056082407081">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces 
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>6lB8Vv8WAxUPs19VJwUcPETjz5M=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        
<ds:SignatureValue>pm9eB0Qe8zb0O+5kf4i6MPFfn9t8TGt/m1Y8dwy2wHo0b1KvD1JrR/h7Qr7Jj4czGETsIRgLYJFNrTtTAGpgSFru8IVca+11kJL78nQiSwWnZZt6FvzwAoTxbbn4DQ+RqX01a1Y2GXB1CXJvUs5+K/0aL0lDQ3w4qOtvQ8nk7vM=</ds:SignatureValue>
        <ds:KeyInfo Id="KI-CFCC32406441E262D414056082407283">
          <wsse:SecurityTokenReference 
wsu:Id="STR-CFCC32406441E262D414056082407294">
            <wsse:Reference URI="#X509-CFCC32406441E262D414056082407262" 
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </SOAP-ENV:Header>
  <soap:Body 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 wsu:Id="_CFCC32406441E262D414056082407081">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" 
Id="ED-CFCC32406441E262D414056082408118" 
Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
 
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
          <wsse:Reference URI="#EK-CFCC32406441E262D414056082408016"/>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <xenc:CipherData>
        
<xenc:CipherValue>mRsetHTV4FexRWIY1Qk2qZy/zbsRgweqcCzeyDzBViVfLW7TqK8KXKRxSP2lMkBBn0e+yg15tlTFuFOwGcRf9AY20MnjoUqxSx6vjdHe6Jb4nPzHbinDQTXj+mvU1Osy</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>
{noformat}

Notice that the EncryptedKey element references a BinarySecurityToken (BST) that appears after the EncryptedKey in the Security header, so a receiver that processes the header in document order reaches the key before it has seen the token it refers to. This can cause interoperability problems for other vendors' WS-Security stacks when they parse the message.


