[
https://issues.apache.org/jira/browse/CXF-7605?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Lukas updated CXF-7605:
-----------------------
Description:
CXF 3.2.2-SNAPSHOT, as well as 3.1.15-SNAPSHOT do not derive keys for hmac
signature, while ws-policy states that derived keys are required
({{<ws:RequireDerivedKeys/>}} in {{effective Policy}}).
The Actions cxf determines are also "TIMESTAMP" and "SAMLTOKENSIGNED", which is
not stated in the policy - it calls for TIMESTAMP and SIGNATURE (with a derived
symetric key)
The Policy is embedded in the wsdl that is passed to the {{wsdl2java}} gradle
task.
Inspecting the SoapMessage passed to the {{WSStaxOutInterceptor}} the contents
of {{org.apache.cxf.ws.policy.EffectivePolicy}}.{{choosenAlternative[1]}}
(SupportEndorsingTokens) contain a nested Policy setting {{RequireDerivedKeys}}.
This reflects the structure and contents of the attached policy (see
policy_fragment.xml).
CXF correctly embeds a SAML Token as requested by the policy and signs using a
symmetric key (got by WS-Secureconversation / WS-Trust previously) - both steps
are defined in the attached policy.
CXF should however, sign with a key *derived* from said symmetric key,
specified by {{<wsp:RequestDerivedKeys />}}, this step is ignored, thus
resulting an a request that does not adhere to the policy.
The {{PolicyVerificationOutInterceptor}} also recieves a Soapmessage Object
with the RequestDerivedKeys Assertion set to asserted=true.
{{WSS4JStaxOutInterceptor, line 159}}
{{OutboundWSSec outboundWSSec = WSSec.getOutboundWSSec(secProps);}}
{{outboundWSSec.securityProperties.isUseDerivedKeyForMAC()}} produces {{true}}
(which is default)
{{outboundWSSec.securityProperties.getSignatureAlgorithm()}} produces
{{http://www.w3.org/2000/09/xmldsig#hmac-sha1}}
all other properties related to derived keys are null / 0 / their defaults.
*Code works if cxf version 3.2.2-SNAPSHOT AND cxf Bundle 2.7.18 are on the
classpath simulataneously - so i assume key derivation happened in the version
packed in the bundle.*
*build.gradle.working* results in a soap envelope with an hmac signature on the
timestamp, produced by derivating a key from the ws-secureconversationkey,
containing this element:
{{<wsc:DerivedKeyToken
xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512";
wsu:Id="DK-3A4FD7F484F29F6BF215154251877012"><wsse:SecurityTokenReference
xmlns:ns4="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
ns4:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";><wsse:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID";>nstsaa9fb8cc-ccb4-4dba-b7db-aa335d216bb3</wsse:KeyIdentifier></wsse:SecurityTokenReference><wsc:Offset>0</wsc:Offset><wsc:Length>24</wsc:Length><wsc:Nonce>QktGO31p79qn7dhom83QNQ==</wsc:Nonce></wsc:DerivedKeyToken>}}
*build.gradle.failing* results in a soap envelope with an hmac signature
produced with the ws-secureconversation key. The Derived key element is
missing, as no key is derived.
Attached are:
* full_wsdl.wsdl - the wsdl parsed by cxfs' "wsdl2java" gradle task (stripped
of irrelevant endpoints and domain names)
* code.java - code snippet demonstrating the use-case
* policy_fragment.xml - the policy to save looking for it in the wsdl
was:
CXF 3.2.2-SNAPSHOT, as well as 3.1.15-SNAPSHOT do not derive keys for hmac
signature, while ws-policy states that derived keys are required
({{<ws:RequireDerivedKeys/>}} in {{effective Policy}}).
The Policy is embedded in the wsdl that is passed to the {{wsdl2java}} gradle
task.
Inspecting the SoapMessage passed to the {{WSStaxOutInterceptor}} the contents
of {{org.apache.cxf.ws.policy.EffectivePolicy}}.{{choosenAlternative[1]}}
(SupportEndorsingTokens) contain a nested Policy setting {{RequireDerivedKeys}}.
This reflects the structure and contents of the attached policy (see
policy_fragment.xml).
CXF correctly embeds a SAML Token as requested by the policy and signs using a
symmetric key (got by WS-Secureconversation / WS-Trust previously) - both steps
are defined in the attached policy.
CXF should however, sign with a key *derived* from said symmetric key,
specified by {{<wsp:RequestDerivedKeys />}}, this step is ignored, thus
resulting an a request that does not adhere to the policy.
The {{PolicyVerificationOutInterceptor}} also recieves a Soapmessage Object
with the RequestDerivedKeys Assertion set to asserted=true.
{{WSS4JStaxOutInterceptor, line 159}}
{{OutboundWSSec outboundWSSec = WSSec.getOutboundWSSec(secProps);}}
{{outboundWSSec.securityProperties.isUseDerivedKeyForMAC()}} produces {{true}}
(which is default)
{{outboundWSSec.securityProperties.getSignatureAlgorithm()}} produces
{{http://www.w3.org/2000/09/xmldsig#hmac-sha1}}
all other properties related to derived keys are null / 0 / their defaults.
*Code works if cxf version 3.2.2-SNAPSHOT AND cxf Bundle 2.7.18 are on the
classpath simulataneously - so i assume key derivation happened in the version
packed in the bundle.*
*build.gradle.working* results in a soap envelope with an hmac signature on the
timestamp, produced by derivating a key from the ws-secureconversationkey,
containing this element:
{{<wsc:DerivedKeyToken
xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512";
wsu:Id="DK-3A4FD7F484F29F6BF215154251877012"><wsse:SecurityTokenReference
xmlns:ns4="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
ns4:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";><wsse:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID";>nstsaa9fb8cc-ccb4-4dba-b7db-aa335d216bb3</wsse:KeyIdentifier></wsse:SecurityTokenReference><wsc:Offset>0</wsc:Offset><wsc:Length>24</wsc:Length><wsc:Nonce>QktGO31p79qn7dhom83QNQ==</wsc:Nonce></wsc:DerivedKeyToken>}}
*build.gradle.failing* results in a soap envelope with an hmac signature
produced with the ws-secureconversation key. The Derived key element is
missing, as no key is derived.
Attached are:
* full_wsdl.wsdl - the wsdl parsed by cxfs' "wsdl2java" gradle task (stripped
of irrelevant endpoints and domain names)
* code.java - code snippet demonstrating the use-case
* policy_fragment.xml - the policy to save looking for it in the wsdl
> RequireDerivedKeys policy is read, but not executed
> ---------------------------------------------------
>
> Key: CXF-7605
> URL: https://issues.apache.org/jira/browse/CXF-7605
> Project: CXF
> Issue Type: Bug
> Components: Soap Binding, WS-* Components
> Affects Versions: 3.1.14, 3.1.15, 3.2.2
> Environment: * cxf-rt-frontend-jaxws
> * cxf-rt-frontend-jaxrs
> * cxf-rt-transports-http
> * cxf-rt-rs-client
> * cxf-rt-rs-service-description
> * cxf-rt-ws-security
> * cxf-tools-common
> * cxf-rt-ws-policy
> Reporter: Lukas
> Attachments: build.gradle.working, build.gralde.failing, code.java,
> full_wsdl.wsdl, policy_fragment.xml
>
>
> CXF 3.2.2-SNAPSHOT, as well as 3.1.15-SNAPSHOT do not derive keys for hmac
> signature, while ws-policy states that derived keys are required
> ({{<ws:RequireDerivedKeys/>}} in {{effective Policy}}).
> The Actions cxf determines are also "TIMESTAMP" and "SAMLTOKENSIGNED", which
> is not stated in the policy - it calls for TIMESTAMP and SIGNATURE (with a
> derived symetric key)
> The Policy is embedded in the wsdl that is passed to the {{wsdl2java}} gradle
> task.
> Inspecting the SoapMessage passed to the {{WSStaxOutInterceptor}} the
> contents of
> {{org.apache.cxf.ws.policy.EffectivePolicy}}.{{choosenAlternative[1]}}
> (SupportEndorsingTokens) contain a nested Policy setting
> {{RequireDerivedKeys}}.
> This reflects the structure and contents of the attached policy (see
> policy_fragment.xml).
> CXF correctly embeds a SAML Token as requested by the policy and signs using
> a symmetric key (got by WS-Secureconversation / WS-Trust previously) - both
> steps are defined in the attached policy.
> CXF should however, sign with a key *derived* from said symmetric key,
> specified by {{<wsp:RequestDerivedKeys />}}, this step is ignored, thus
> resulting an a request that does not adhere to the policy.
> The {{PolicyVerificationOutInterceptor}} also recieves a Soapmessage Object
> with the RequestDerivedKeys Assertion set to asserted=true.
> {{WSS4JStaxOutInterceptor, line 159}}
> {{OutboundWSSec outboundWSSec = WSSec.getOutboundWSSec(secProps);}}
>
> {{outboundWSSec.securityProperties.isUseDerivedKeyForMAC()}} produces
> {{true}} (which is default)
> {{outboundWSSec.securityProperties.getSignatureAlgorithm()}} produces
> {{http://www.w3.org/2000/09/xmldsig#hmac-sha1}}
> all other properties related to derived keys are null / 0 / their defaults.
> *Code works if cxf version 3.2.2-SNAPSHOT AND cxf Bundle 2.7.18 are on the
> classpath simulataneously - so i assume key derivation happened in the
> version packed in the bundle.*
> *build.gradle.working* results in a soap envelope with an hmac signature on
> the timestamp, produced by derivating a key from the
> ws-secureconversationkey, containing this element:
> {{<wsc:DerivedKeyToken
> xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512";
> wsu:Id="DK-3A4FD7F484F29F6BF215154251877012"><wsse:SecurityTokenReference
> xmlns:ns4="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";
>
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>
> ns4:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";><wsse:KeyIdentifier
>
> ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID";>nstsaa9fb8cc-ccb4-4dba-b7db-aa335d216bb3</wsse:KeyIdentifier></wsse:SecurityTokenReference><wsc:Offset>0</wsc:Offset><wsc:Length>24</wsc:Length><wsc:Nonce>QktGO31p79qn7dhom83QNQ==</wsc:Nonce></wsc:DerivedKeyToken>}}
> *build.gradle.failing* results in a soap envelope with an hmac signature
> produced with the ws-secureconversation key. The Derived key element is
> missing, as no key is derived.
> Attached are:
> * full_wsdl.wsdl - the wsdl parsed by cxfs' "wsdl2java" gradle task (stripped
> of irrelevant endpoints and domain names)
> * code.java - code snippet demonstrating the use-case
> * policy_fragment.xml - the policy to save looking for it in the wsdl
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
