[ https://issues.apache.org/jira/browse/CXF-6398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14539609#comment-14539609 ]

Colm O hEigeartaigh commented on CXF-6398:
------------------------------------------


Hmm looking at the security header, it appears that the enveloped transform is 
not being used correctly at all. The enveloped transform is used when the 
Signature is a child Element of the Element that is signed, in which case the 
transform tells the signature calculation process to remove the Signature from 
the digest calculation. In your case, it appears that none of the elements that 
are signed are parent elements of the Signature Element, and hence the 
enveloped transform can be left out altogether.

Colm.

> AlgorithmSuitePolicyValidator rejects enveloped-signature Transform
> -------------------------------------------------------------------
>
>                 Key: CXF-6398
>                 URL: https://issues.apache.org/jira/browse/CXF-6398
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 3.0.5
>            Reporter: Brian Storm Graversen
>            Assignee: Colm O hEigeartaigh
>
> I'm receiving a response from a (.NET) webservice, where the security 
> requirements are set by a WS-SecurityPolicy section in the WSDL.
> The response contains a set of Reference elements, that have both the 
> enveloped-signature transform and the c14n transform, example below
> {code:xml}
>       <Reference URI="#action">
>               <Transforms>
>                       <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
>                       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
>               </Transforms>
>               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>               <DigestValue>1hj8fpM7T5rcOsNRPpnxA3p3AkM=</DigestValue>
>       </Reference>
> {code}
> Unfortunately, the AlgorithmSuitePolicyValidator does not like the 
> enveloped-signature transform, and the response is rejected, exception shown 
> below
> {code}
> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These policy 
> alternatives can not be satisfied: 
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AlgorithmSuite: 
> The transform algorithms do not match the requirement
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Basic256
>       at 
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
>       at com.sun.proxy.$Proxy33.helloWorld(Unknown Source)
>       at client.WSClient.hello(WSClient.java:19)
>       at client.WSClient.main(WSClient.java:12)
> Caused by: org.apache.cxf.ws.policy.PolicyException: These policy 
> alternatives can not be satisfied: 
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AlgorithmSuite: 
> The transform algorithms do not match the requirement
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Basic256
>       at 
> org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:203)
>       at 
> org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:102)
>       at 
> org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
>       at 
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>       at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
> {code}
> I took a look at the AlgorithmSuitePolicyValidator that does the actual 
> validation, and it scans through all the Transforms, and rejects the Reference 
> if ANY of the Transform elements are not on an approved list.
> Should it not just validate that the list of Transforms contains at least one 
> transform that is c14n (or similar), and allow the enveloped-signature 
> transform?



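The following is an added illustration of the point made in Colm's comment and of the Reference shown in the issue description; it is not code from the CXF project or from either participant. It builds a small constructed SOAP response in the shape the reporter describes (an Action header with wsu:Id="action", a ds:Signature inside the wsse:Security header) and applies the enveloped-signature transform by hand: remove any ds:Signature that is a descendant of the referenced element, then canonicalize and digest. For the "#action" Reference the Signature is not a descendant, so the transform removes nothing and the digest is identical with or without it, which is why it can be left out. For a Reference to the whole Header (a constructed case, added here for contrast) the Signature is a descendant and the transform changes the digest. The namespaces, the helper names and the placeholder digest/signature values are assumptions for the example; the standard library's `canonicalize` implements C14N 2.0 rather than the exclusive C14N named in the Transform, which does not affect the comparison being made.

```python
"""Enveloped-signature transform semantics on a constructed SOAP response (added example)."""
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

# Namespaces assumed for the sample document (SOAP 1.2, WS-Addressing, WSS SecExt/Utility, XML-DSig).
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "a": "http://www.w3.org/2005/08/addressing",
    "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "u": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SIG_TAG = f"{{{NS['ds']}}}Signature"   # Clark notation used by ElementTree
WSU_ID = f"{{{NS['u']}}}Id"

# Constructed response: the Signature lives under Header/Security, the signed
# Action header is a sibling subtree, so the Signature is NOT inside "#action".
# DigestValue/SignatureValue are placeholders, not real values.
SAMPLE_RESPONSE = f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:a="{NS['a']}" xmlns:o="{NS['o']}" xmlns:u="{NS['u']}" xmlns:ds="{NS['ds']}">
  <s:Header u:Id="header">
    <a:Action u:Id="action">http://example.invalid/HelloWorldResponse</a:Action>
    <o:Security>
      <ds:Signature Id="sig">
        <ds:SignedInfo>
          <ds:Reference URI="#action">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
    </o:Security>
  </s:Header>
  <s:Body u:Id="body">
    <HelloWorldResponse xmlns="http://example.invalid/">hi</HelloWorldResponse>
  </s:Body>
</s:Envelope>"""


def find_by_id(root, ref_id):
    """Locate the element a Reference URI="#ref_id" points at (wsu:Id or plain Id)."""
    for elem in root.iter():
        if elem.get(WSU_ID) == ref_id or elem.get("Id") == ref_id:
            return elem
    raise KeyError(f"no element with Id {ref_id!r}")


def strip_signatures(elem):
    """The enveloped-signature transform: drop every ds:Signature descendant.

    Works on a copy and returns (transformed_copy, number_removed)."""
    elem = copy.deepcopy(elem)
    parents = {child: parent for parent in elem.iter() for child in parent}
    removed = 0
    for child, parent in parents.items():
        if child.tag == SIG_TAG:
            parent.remove(child)
            removed += 1
    return elem, removed


def reference_digest(doc_xml, ref_id, enveloped):
    """Digest of the referenced element, with or without the enveloped transform.

    Returns (base64 SHA-1 digest, number of Signature elements removed)."""
    root = ET.fromstring(doc_xml)
    target = find_by_id(root, ref_id)
    removed = 0
    if enveloped:
        target, removed = strip_signatures(target)
    # Stdlib canonicalize is C14N 2.0, not exclusive C14N 1.0; adequate for comparing digests here.
    canon = ET.canonicalize(ET.tostring(target, encoding="unicode"))
    digest = base64.b64encode(hashlib.sha1(canon.encode("utf-8")).digest()).decode("ascii")
    return digest, removed


def enveloped_transform_needed(doc_xml, ref_id):
    """True only when a ds:Signature is a descendant of the referenced element."""
    root = ET.fromstring(doc_xml)
    target = find_by_id(root, ref_id)
    return any(e.tag == SIG_TAG for e in target.iter() if e is not target)


if __name__ == "__main__":
    for ref in ("action", "header"):
        with_t, n = reference_digest(SAMPLE_RESPONSE, ref, enveloped=True)
        without_t, _ = reference_digest(SAMPLE_RESPONSE, ref, enveloped=False)
        print(f"#{ref}: needed={enveloped_transform_needed(SAMPLE_RESPONSE, ref)} "
              f"removed={n} digest_changed={with_t != without_t}")
```

Run it and the "#action" line reports needed=False, removed=0 and an unchanged digest, while the constructed "#header" reference reports needed=True and a changed digest. That check (is the Signature inside the referenced subtree?) is the structural fact the enveloped transform encodes; a validator that merely matches transform URIs against an allow-list cannot see it.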
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)