[jira] [Commented] (CXF-6398) AlgorithmSuitePolicyValidator rejects enveloped-signature Transform

[Brian Storm Graversen (JIRA)]

    [ 
https://issues.apache.org/jira/browse/CXF-6398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14539280#comment-14539280
 ] 

Brian Storm Graversen commented on CXF-6398:
--------------------------------------------

I modified the checkDataRefs() method to this in AlgorithmSuitePolicyValidator 
class, which h

{code}
    private boolean checkDataRefs(List<WSDataRef> dataRefs, AlgorithmSuite 
algorithmPolicy, AssertionInfo ai) {
        AlgorithmSuiteType algorithmSuiteType = 
algorithmPolicy.getAlgorithmSuiteType();
        for (WSDataRef dataRef : dataRefs) {
            String digestMethod = dataRef.getDigestAlgorithm();
            if (!algorithmSuiteType.getDigest().equals(digestMethod)) {
                ai.setNotAsserted("The digest method does not match the 
requirement");
                return false;
            }
            
            List<String> transformAlgorithms = dataRef.getTransformAlgorithms();

            // Only a max of 2 transforms per reference is allowed
            if (transformAlgorithms == null || transformAlgorithms.size() > 2) {
                ai.setNotAsserted("The transform algorithms do not match the 
requirement");
                return false;
            }
            String transformAlgorithm = 
transformAlgorithms.get(transformAlgorithms.size() - 1);

            if 
(!(algorithmPolicy.getC14n().getValue().equals(transformAlgorithm)
                || 
WSConstants.C14N_EXCL_OMIT_COMMENTS.equals(transformAlgorithm)
                || STRTransform.TRANSFORM_URI.equals(transformAlgorithm)
                || 
WSConstants.SWA_ATTACHMENT_CONTENT_SIG_TRANS.equals(transformAlgorithm)
                || 
WSConstants.SWA_ATTACHMENT_COMPLETE_SIG_TRANS.equals(transformAlgorithm))) {

                ai.setNotAsserted("The transform algorithms do not match the 
requirement");
                return false;
            }
        }

        return true;
    }
{code}

The only difference is that it just checks the last Transform and not all of 
them.

In SignatureProcessor there is a method called checkBSPCompliance() that checks 
all the references. It allows enveloped-signature as a Transform as long as it 
is not the last Transform, here it only allows the c14n variants

Snippet from that method is shown here

{code}
        // Check References
        for (Object refObject : xmlSignature.getSignedInfo().getReferences()) {
            Reference reference = (Reference)refObject;
            if (reference.getTransforms().isEmpty()) {
                bspEnforcer.handleBSPRule(BSPRule.R5416);
            }
            for (int i = 0; i < reference.getTransforms().size(); i++) {
                Transform transform = 
(Transform)reference.getTransforms().get(i);
                String algorithm = transform.getAlgorithm();
                if (!(WSConstants.C14N_EXCL_OMIT_COMMENTS.equals(algorithm)
                    || STRTransform.TRANSFORM_URI.equals(algorithm)
                    || WSConstants.NS_XMLDSIG_FILTER2.equals(algorithm)
                    || 
WSConstants.NS_XMLDSIG_ENVELOPED_SIGNATURE.equals(algorithm)
                    || 
WSConstants.SWA_ATTACHMENT_COMPLETE_SIG_TRANS.equals(algorithm)
                    || 
WSConstants.SWA_ATTACHMENT_CONTENT_SIG_TRANS.equals(algorithm))) {
                    bspEnforcer.handleBSPRule(BSPRule.R5423);
                }
                if (i == (reference.getTransforms().size() - 1)
                    && !(WSConstants.C14N_EXCL_OMIT_COMMENTS.equals(algorithm)
                        || STRTransform.TRANSFORM_URI.equals(algorithm)
                        || 
WSConstants.SWA_ATTACHMENT_COMPLETE_SIG_TRANS.equals(algorithm)
                        || 
WSConstants.SWA_ATTACHMENT_CONTENT_SIG_TRANS.equals(algorithm))) {
                    bspEnforcer.handleBSPRule(BSPRule.R5412);
                }
                
                if (WSConstants.C14N_EXCL_OMIT_COMMENTS.equals(algorithm)) {
                    parameterSpec = transform.getParameterSpec();
                    if (parameterSpec != null && !(parameterSpec instanceof 
ExcC14NParameterSpec)) {
                        bspEnforcer.handleBSPRule(BSPRule.R5407);
                    }
                }
            }
        }
{code}

It is interesting to note that BSP rule 5423 explicitly allows 
enveloped-signature 
(http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html#SignatureTransforms)


> AlgorithmSuitePolicyValidator rejects enveloped-signature Transform
> -------------------------------------------------------------------
>
>                 Key: CXF-6398
>                 URL: https://issues.apache.org/jira/browse/CXF-6398
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 3.0.5
>            Reporter: Brian Storm Graversen
>
> I'm receiving a response from a (.NET) webservice, where the security 
> requirements are set by a WS-SecurityPolicy section in the WSDL.
> The response contains a set of Reference elements, thave have both the 
> enveloped-signature transform and the c14n transform, example below
> {code:xml}
>       <Reference URI="#action">
>               <Transforms>
>                       <Transform 
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature";></Transform>
>                       <Transform 
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";></Transform>
>               </Transforms>
>               <DigestMethod 
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";></DigestMethod>
>               <DigestValue>1hj8fpM7T5rcOsNRPpnxA3p3AkM=</DigestValue>
>       </Reference>
> {code}
> Unfortunately, the AlgorithmSuitePolicyValidator does not like the 
> enveloped-signature transform, and the response is rejected, exception shown 
> below
> {code}
> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These policy 
> alternatives can not be satisfied: 
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AlgorithmSuite: 
> The transform algorithms do not match the requirement
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Basic256
>       at 
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
>       at com.sun.proxy.$Proxy33.helloWorld(Unknown Source)
>       at client.WSClient.hello(WSClient.java:19)
>       at client.WSClient.main(WSClient.java:12)
> Caused by: org.apache.cxf.ws.policy.PolicyException: These policy 
> alternatives can not be satisfied: 
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AlgorithmSuite: 
> The transform algorithms do not match the requirement
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Basic256
>       at 
> org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:203)
>       at 
> org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:102)
>       at 
> org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
>       at 
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>       at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
> {code}
> I took a look at the AlgorithmSuitePolicyValidator that does the actual 
> validation, and it scans through all the Transforms, and reject the Reference 
> if ANY of the Transform elements are not on an approved list.
> Should it not just validate that the list of Transforms contains at least one 
> transform that is c14n (or similar), and allow the eveloped-signature 
> transform?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)