[
https://issues.apache.org/jira/browse/CXF-5892?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alessio Soldano reassigned CXF-5892:
------------------------------------
Assignee: Alessio Soldano
> Ensure EncryptedKey references BST before it
> --------------------------------------------
>
> Key: CXF-5892
> URL: https://issues.apache.org/jira/browse/CXF-5892
> Project: CXF
> Issue Type: Improvement
> Components: WS-* Components
> Reporter: Alessio Soldano
> Assignee: Alessio Soldano
> Fix For: 2.7.13, 3.0.2, 3.1.0
>
>
> When using a policy as follows:
> {noformat}
> <wsp:Policy
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="SecurityServiceSignThenEncryptPolicy">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:AsymmetricBinding
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token
> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
> <wsp:Policy>
> <sp:WssX509V1Token11/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token
> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
> <wsp:Policy>
> <sp:WssX509V1Token11/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:TripleDes/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Lax/>
> </wsp:Policy>
> </sp:Layout>
> <!-- <sp:IncludeTimestamp/> -->
> <!-- <sp:EncryptSignature/> -->
> <sp:OnlySignEntireHeadersAndBody/>
> <!-- <sp:SignBeforeEncrypting/> -->
> <!-- <sp:EncryptBeforeSigning/> -->
> </wsp:Policy>
> </sp:AsymmetricBinding>
> <sp:SignedParts
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <sp:Body/>
> </sp:SignedParts>
> <sp:EncryptedParts
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <sp:Body/>
> </sp:EncryptedParts>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
> {noformat}
> a message like this is generated
> {noformat}
> <?xml version="1.0" encoding="UTF-8"?><soap:Envelope
> xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
> <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> soap:mustUnderstand="1">
> <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> Id="EK-CFCC32406441E262D414056082408016">
> <xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <wsse:SecurityTokenReference>
> <wsse:Reference URI="#CFCC32406441E262D414056082408017"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> <xenc:CipherData>
> <xenc:CipherValue>EU9cFqu6lqJ6iq1ZqHGVoidA0iT6MHIwimvNuQQP2WU/kUbldgLlS7CP1h8OPE7uJMpBztciQ27H/fOZqGsQntqsUIOFLyDjalHjYBiGGzmHG1k/4Yd4ibsN+NacJYbTPaHclkO81H06eImW+yNIxFvb2bw9HJht9ehWGVUoy4k=</xenc:CipherValue>
> </xenc:CipherData>
> <xenc:ReferenceList>
> <xenc:DataReference URI="#ED-CFCC32406441E262D414056082408118"/>
> </xenc:ReferenceList>
> </xenc:EncryptedKey>
> <wsse:BinarySecurityToken
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
> wsu:Id="CFCC32406441E262D414056082408017">MIICNzCCAaCgAwIBAgIEURPj3TANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTkMxEDAOBgNVBAcTB1JhbGVpZ2gxEDAOBgNVBAoTB1JlZCBIYXQxDDAKBgNVBAsTA0dTUzES...+vR2eMo4a45eWPj2hAqvBNpmB5mcuQGuOo/aRjoQS86vX6wIsy/UeaAlG9shvZSIwL0kwZBNuubkbikMdNIsBHROSp5v/gbMHa9O9qDOzQQnMn6cgeJePdYnq1oTuDK+g5M1znja31HtbQTo9NiaXjuQfL05v5dA==</wsse:BinarySecurityToken>
> <wsse:BinarySecurityToken
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
> wsu:Id="X509-CFCC32406441E262D414056082407262">MIICNzCCAaCgAwIBAgIEURPj9jANBgkqhkiG9w0BAQUFADBgMQswCQY...MFwS4DphvWgHfyDxLBtsJ45ZLdE+s0fXjjn+W8KCDYR0ayuUjO/KeKiLBo24U44ULy4mJOQ==</wsse:BinarySecurityToken>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> Id="SIG-CFCC32406441E262D414056082407385">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
> </ds:CanonicalizationMethod>
> <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <ds:Reference URI="#_CFCC32406441E262D414056082407081">
> <ds:Transforms>
> <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
> </ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <ds:DigestValue>6lB8Vv8WAxUPs19VJwUcPETjz5M=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>pm9eB0Qe8zb0O+5kf4i6MPFfn9t8TGt/m1Y8dwy2wHo0b1KvD1JrR/h7Qr7Jj4czGETsIRgLYJFNrTtTAGpgSFru8IVca+11kJL78nQiSwWnZZt6FvzwAoTxbbn4DQ+RqX01a1Y2GXB1CXJvUs5+K/0aL0lDQ3w4qOtvQ8nk7vM=</ds:SignatureValue>
> <ds:KeyInfo Id="KI-CFCC32406441E262D414056082407283">
> <wsse:SecurityTokenReference
> wsu:Id="STR-CFCC32406441E262D414056082407294">
> <wsse:Reference URI="#X509-CFCC32406441E262D414056082407262"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> </wsse:Security>
> </SOAP-ENV:Header>
> <soap:Body
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="_CFCC32406441E262D414056082407081">
> <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> Id="ED-CFCC32406441E262D414056082408118"
> Type="http://www.w3.org/2001/04/xmlenc#Content">
> <xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <wsse:SecurityTokenReference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
> wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
> <wsse:Reference URI="#EK-CFCC32406441E262D414056082408016"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> <xenc:CipherData>
> <xenc:CipherValue>mRsetHTV4FexRWIY1Qk2qZy/zbsRgweqcCzeyDzBViVfLW7TqK8KXKRxSP2lMkBBn0e+yg15tlTFuFOwGcRf9AY20MnjoUqxSx6vjdHe6Jb4nPzHbinDQTXj+mvU1Osy</xenc:CipherValue>
> </xenc:CipherData>
> </xenc:EncryptedData>
> </soap:Body>
> </soap:Envelope>
> {noformat}
> ... notice the EncryptedKey element is referencing a BST that's after the
> EncryptedKey. This can cause problems for different vendors parsing the
> message.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
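The ordering problem the issue describes, checked and corrected programmatically, as an added example (not code from the issue or from CXF): it walks the direct children of wsse:Security in document order, reports each EncryptedKey whose KeyInfo reference points at a token a one-pass reader has not met yet (distinguishing a forward reference from a token that is absent altogether), and moves such tokens in front of the EncryptedKey. The function names and the reduced sample header are constructed for this example.

```python
import xml.etree.ElementTree as ET
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU_ID = f"{{{WSU}}}Id"
REF_PATH = f"{{{DS}}}KeyInfo/{{{WSSE}}}SecurityTokenReference/{{{WSSE}}}Reference"
for p, u in (("wsse", WSSE), ("wsu", WSU), ("xenc", XENC), ("ds", DS)):
    ET.register_namespace(p, u)  # keep the familiar prefixes when re-serialising

def _security_element(xml_text):
    root = ET.fromstring(xml_text)  # accepts a bare header or a whole SOAP envelope
    sec = root if root.tag == f"{{{WSSE}}}Security" else root.find(f".//{{{WSSE}}}Security")
    if sec is None: raise ValueError("no wsse:Security header found")
    return sec

def _check(sec):
    all_ids = {c.get(WSU_ID) for c in sec if c.get(WSU_ID)}  # every wsu:Id in the header
    seen, problems = set(), []
    for child in sec:  # direct children of wsse:Security, in document order
        if child.tag == f"{{{XENC}}}EncryptedKey":
            for ref in child.iterfind(REF_PATH):
                target = ref.get("URI", "").lstrip("#")
                if target not in seen:  # a one-pass reader has not met this token yet
                    problems.append((child.get("Id", ""), target, "forward" if target in all_ids else "missing"))
        seen.add(child.get(WSU_ID))
    return problems

def forward_key_references(xml_text):
    """(EncryptedKey Id, token Id, 'forward'|'missing') for each unresolvable KeyInfo reference."""
    return _check(_security_element(xml_text))

def reorder_tokens(xml_text):
    """Move each forward-referenced token in front of the EncryptedKey that uses it."""
    sec = _security_element(xml_text)
    for ek_id, target, kind in _check(sec):
        if kind != "forward": continue
        ek = next(c for c in sec if c.get("Id") == ek_id)
        tok = next(c for c in sec if c.get(WSU_ID) == target)
        sec.remove(tok)
        sec.insert(list(sec).index(ek), tok)
    return ET.tostring(sec, encoding="unicode")

# Constructed sample, reduced from the issue's message: the EncryptedKey precedes the BST it references.
BAD_HEADER = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:xenc="{XENC}" xmlns:ds="{DS}">
 <xenc:EncryptedKey Id="EK-1"><ds:KeyInfo><wsse:SecurityTokenReference>
  <wsse:Reference URI="#BST-1"/></wsse:SecurityTokenReference></ds:KeyInfo></xenc:EncryptedKey>
 <wsse:BinarySecurityToken wsu:Id="BST-1">Q09OU1RSVUNURUQ=</wsse:BinarySecurityToken>
 <wsse:BinarySecurityToken wsu:Id="X509-1">Q09OU1RSVUNURUQ=</wsse:BinarySecurityToken>
</wsse:Security>"""
```

Running forward_key_references on the full message quoted in the issue reports the EK-to-BST forward reference the same way; on the reordered header it reports nothing.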