[ 
https://issues.apache.org/jira/browse/CXF-6398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14539257#comment-14539257
 ] 

Brian Storm Graversen commented on CXF-6398:
--------------------------------------------

Certainly, it looks like this

{code:xml}
<wsse:Security S11:mustUnderstand="1">
    <wsu:Timestamp wsu:Id="sec_timestamp">
        <wsu:Created>2015-05-12T05:13:12.953Z</wsu:Created>
        <wsu:Expires>2015-05-12T13:13:12.953Z</wsu:Expires>
    </wsu:Timestamp>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
            <Reference URI="#action">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
                <DigestValue>1hj8fpM7T5rcOsNRPpnxA3p3AkM=</DigestValue>
            </Reference>
            <Reference URI="#messageid">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
                <DigestValue>ALh9N6nRIAs/RouHzRwJC/8jTwc=</DigestValue>
            </Reference>
            <Reference URI="#relatesto">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
                <DigestValue>J8Kw5vHYfKO4VFsblOFQCzahtT4=</DigestValue>
            </Reference>
            <Reference URI="#sec_timestamp">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
                <DigestValue>GUD+jt+n6AINFBmyzJaK5LjupiE=</DigestValue>
            </Reference>
            <Reference URI="#body">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
                <DigestValue>fsTrPTLBf66FMbP9loRXsMpkGT4=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>B5vE2dySowVd4JQtvAJzRdMeh54ygU4jBgVnbvVTgLgk89Lo13V3bYH12LxS2n1YgjEnEVZQL42+wP10giFdPdfTZnIlCvoPr+pT7uF2dBkvsIYY03iMvx1F/Z0H1yeqeWTwM2X1vZlnTUafwNXLXRmzSNXf2XfTPNF5eaPmTSeUHtLueUDynUn9R6Z0pIKUVodkKu/Ax2fpyVIHHrE58hOhT95B+uxhNd0tOW2uzG8zh/iebb6yp62CRS92P2rRV9i8yL5HC+CR0oDd/P0gVgfuxPpQtNxXXU3g8RmzETJXWS+4Nr89Eu+HHa7t9ly+7fV8KYfviTZRZU635MuC8g==</SignatureValue>
    </Signature>
</wsse:Security>
{code}

> AlgorithmSuitePolicyValidator rejects enveloped-signature Transform
> -------------------------------------------------------------------
>
>                 Key: CXF-6398
>                 URL: https://issues.apache.org/jira/browse/CXF-6398
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 3.0.5
>            Reporter: Brian Storm Graversen
>
> I'm receiving a response from a (.NET) webservice, where the security 
> requirements are set by a WS-SecurityPolicy section in the WSDL.
> The response contains a set of Reference elements, that have both the 
> enveloped-signature transform and the c14n transform, example below
> {code:xml}
> <Reference URI="#action">
>     <Transforms>
>         <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
>         <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
>     </Transforms>
>     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>     <DigestValue>1hj8fpM7T5rcOsNRPpnxA3p3AkM=</DigestValue>
> </Reference>
> {code}
> Unfortunately, the AlgorithmSuitePolicyValidator does not like the 
> enveloped-signature transform, and the response is rejected, exception shown 
> below
> {code}
> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These policy alternatives can not be satisfied: {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AlgorithmSuite: The transform algorithms do not match the requirement {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Basic256
>       at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
>       at com.sun.proxy.$Proxy33.helloWorld(Unknown Source)
>       at client.WSClient.hello(WSClient.java:19)
>       at client.WSClient.main(WSClient.java:12)
> Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied: {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AlgorithmSuite: The transform algorithms do not match the requirement {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Basic256
>       at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:203)
>       at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:102)
>       at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
>       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>       at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
> {code}
> I took a look at the AlgorithmSuitePolicyValidator that does the actual 
> validation, and it scans through all the Transforms, and rejects the Reference 
> if ANY of the Transform elements are not on an approved list.
> Should it not just validate that the list of Transforms contains at least one 
> transform that is c14n (or similar), and allow the enveloped-signature 
> transform?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

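Added example, not code from CXF's AlgorithmSuitePolicyValidator and not part of the ticket: the script below parses a constructed wsse:Security header modelled on the one posted above and applies both rules to each Reference, the strict "every Transform must be on the approved list" behaviour the report describes, and the relaxed "at least one c14n transform, enveloped-signature tolerated" rule it proposes. The function names (`reference_transforms`, `strict_check`, `relaxed_check`, `validate`), the namespace declarations added so the fragment parses on its own, and the third `#xslt` Reference are assumptions for illustration. The `#xslt` Reference exists to make one caveat concrete: tolerating enveloped-signature is reasonable because it only removes the Signature element from what is digested, but a relaxed check must still fail any transform the algorithm suite does not name (XSLT, XPath filters), since such a transform changes which bytes the digest actually covers.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
XSLT = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# Constructed sample: trimmed from the header posted in the ticket (SignatureValue
# and most References dropped, wsse/wsu namespaces declared so it parses alone).
# The "#xslt" Reference is NOT from the ticket; it is added to show that the
# relaxed rule still rejects a transform outside the algorithm suite.
SAMPLE_HEADER = """\
<wsse:Security
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsu:Timestamp wsu:Id="sec_timestamp">
    <wsu:Created>2015-05-12T05:13:12.953Z</wsu:Created>
    <wsu:Expires>2015-05-12T13:13:12.953Z</wsu:Expires>
  </wsu:Timestamp>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="#action">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>1hj8fpM7T5rcOsNRPpnxA3p3AkM=</DigestValue>
      </Reference>
      <Reference URI="#body">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>fsTrPTLBf66FMbP9loRXsMpkGT4=</DigestValue>
      </Reference>
      <Reference URI="#xslt">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>AAAAAAAAAAAAAAAAAAAAAAAAAAA=</DigestValue>
      </Reference>
    </SignedInfo>
  </Signature>
</wsse:Security>
"""


def reference_transforms(security_xml):
    """Map each ds:Reference URI to the ordered list of its Transform algorithms."""
    root = ET.fromstring(security_xml)
    result = {}
    for ref in root.iter(f"{{{DS}}}Reference"):
        algs = [t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")]
        result[ref.get("URI")] = algs
    return result


def strict_check(transforms, allowed=frozenset({EXC_C14N})):
    """Behaviour described in the ticket: every Transform must be on the approved
    list, so a Reference carrying enveloped-signature next to exc-c14n fails."""
    return all(alg in allowed for alg in transforms)


def relaxed_check(transforms, c14n=frozenset({EXC_C14N}), tolerated=frozenset({ENVELOPED})):
    """Rule proposed in the ticket, with the caveat a reviewer would insist on:
    at least one canonicalization transform must be present, enveloped-signature
    is tolerated, and any other transform (XSLT, XPath, ...) still fails because
    it changes which bytes the digest covers and is not named by the suite."""
    if not any(alg in c14n for alg in transforms):
        return False
    return all(alg in c14n or alg in tolerated for alg in transforms)


def validate(security_xml, check):
    """Run one of the checks over every Reference; True means the Reference passes."""
    return {uri: check(algs) for uri, algs in reference_transforms(security_xml).items()}


if __name__ == "__main__":
    for name, check in (("strict", strict_check), ("relaxed", relaxed_check)):
        print(name, validate(SAMPLE_HEADER, check))
```

With the strict rule `#action` fails exactly as the ticket's fault reports, while the relaxed rule accepts it and still rejects `#xslt`; `#body` passes under both because its only transform is exc-c14n.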