Interop with WSIT: SignatureConfirmation header must be encrypted when 
<sp:EncryptSignature/> is specified
----------------------------------------------------------------------------------------------------------

                 Key: RAMPART-330
                 URL: https://issues.apache.org/jira/browse/RAMPART-330
             Project: Rampart
          Issue Type: Bug
    Affects Versions: 1.5, 1.4
            Reporter: Rustam Abdullaev


Interop with WSIT issue: com.sun.xml.wss.XWSSecurityException: Policy 
verification error:Missing target SignatureConfirmation for Encryption

Caused by the fact that Rampart doesn't handle <sp:EncryptSignature/> 
correctly. When EncryptSignature is specified, SignatureConfirmation must be 
encrypted, but isn't in all Rampart versions including 1.5.

According to WS-SecurityPolicy specification:
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826550
6.4 [Signature Protection] Property
This boolean property specifies whether the signature must be encrypted. If the 
value is 'true', the primary signature MUST be encrypted and any signature 
confirmation elements MUST also be encrypted. If the value is 'false', the 
primary signature MUST NOT be encrypted and any signature confirmation elements 
MUST NOT be encrypted. 


Here's a SOAP response from Rampart's policy sample 04 
(rampart-samples/policy/sample04) which shows SignatureConfirmation headers are 
not encrypted:

<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   soapenv:mustUnderstand="1">
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                     wsu:Id="Timestamp-85">
        <wsu:Created>2011-03-14T14:09:32.410Z</wsu:Created>
        <wsu:Expires>2011-03-14T14:14:32.410Z</wsu:Expires>
      </wsu:Timestamp>
      <wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
                           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                           wsu:Id="derivedKeyId-90">
        <wsse:SecurityTokenReference>
          <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                              ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1">BjZtgjN6OKwzy5h0nf4y9WmsQRs=</wsse:KeyIdentifier>
        </wsse:SecurityTokenReference>
        <wsc:Offset>0</wsc:Offset>
        <wsc:Length>16</wsc:Length>
        <wsc:Nonce>tmE7px+eJLYGz1dftcOQBA==</wsc:Nonce>
      </wsc:DerivedKeyToken>
      <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:DataReference URI="#EncDataId-91" />
        <xenc:DataReference URI="#EncDataId-92" />
      </xenc:ReferenceList>
      <!-- Both SignatureConfirmation elements below are in cleartext, despite <sp:EncryptSignature/> -->
      <wsse11:SignatureConfirmation xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
                                    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                    Value="LI7peNNLVlZp5lvAtGsCtGSWFD+WdLPIAJeDL6Nfp5kdiypnhFvKA9eOXKWY6yJ4Cjf7376AcYVe1DGTHfeQS4kRSvyRgGV8Y+CPJAnD7dL59G8nf1yJD8Mf6f83oH4RDcO0pCghCpkh1xxOEeMmAC5G1RiCPA3pyhpzwl63OME="
                                    wsu:Id="SigConf-86" />
      <wsse11:SignatureConfirmation xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
                                    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                    Value="Gd/qMXptxoxpGLzjTi1ZFCzEC7k="
                                    wsu:Id="SigConf-87" />
      <wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
                           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                           wsu:Id="derivedKeyId-88">
        <wsse:SecurityTokenReference>
          <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                              ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1">BjZtgjN6OKwzy5h0nf4y9WmsQRs=</wsse:KeyIdentifier>
        </wsse:SecurityTokenReference>
        <wsc:Offset>0</wsc:Offset>
        <wsc:Length>16</wsc:Length>
        <wsc:Nonce>7Tj/+Hrw4SOhHi/p1VXQ6g==</wsc:Nonce>
      </wsc:DerivedKeyToken>
      <!-- Only the signature itself is encrypted (whole-element encryption) -->
      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                          Id="EncDataId-92"
                          Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#derivedKeyId-90" />
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>xB1bfBI0PLv/VBEUrB93VH.........ZtOBDxaxg88K/GBy+/3bDJjdKvGY3L1UAg==</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
    </wsse:Security>
    <wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
    <wsa:MessageID>urn:uuid:22AD6B2F5CD166F4CC1300111772450</wsa:MessageID>
    <wsa:Action>http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT</wsa:Action>
    <wsa:RelatesTo>urn:uuid:58FEB2F4DD594836A11300111766887</wsa:RelatesTo>
  </soapenv:Header>
  <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                wsu:Id="Id-25252664">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                        Id="EncDataId-91"
                        Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wsse:Reference URI="#derivedKeyId-90" />
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>vWYZFT3RQDSLsQJAd11JUUgm.........ZxV6Az5gNqk9upVlQA==</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>


--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
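The following is an added example for this issue, not code from Rampart, WSIT or the reporter. It applies the Signature Protection rule quoted above to a received SOAP envelope without decrypting anything: when EncryptSignature is true, any ds:Signature or wsse11:SignatureConfirmation that is still readable as a direct child of wsse:Security is a policy violation, and the header must carry at least one whole-element (Type="...#Element") xenc:EncryptedData listed in its own ReferenceList. The two sample envelopes are constructed here and trimmed to the header shape of the sample04 response above (one reproduces the bug, the other shows the shape the policy requires); the CipherValue contents are placeholders. The EncryptSignature=false side of the rule ("MUST NOT be encrypted") cannot be verified from ciphertext alone and is deliberately left out.

```python
"""Receiver-side check of the WS-SecurityPolicy Signature Protection property.

Added example for RAMPART-330 (not Rampart or WSIT code): with EncryptSignature
in force, the primary signature and every SignatureConfirmation must arrive
inside xenc:EncryptedData, which is the condition WSIT reports as
"Missing target SignatureConfirmation for Encryption" when it fails.
"""
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsse11": "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
DS_SIGNATURE = "{%s}Signature" % NS["ds"]
SIG_CONFIRMATION = "{%s}SignatureConfirmation" % NS["wsse11"]
XENC_ELEMENT = "http://www.w3.org/2001/04/xmlenc#Element"


def security_header(envelope_xml):
    """Locate the wsse:Security header of a SOAP 1.1 envelope."""
    sec = ET.fromstring(envelope_xml).find("soapenv:Header/wsse:Security", NS)
    if sec is None:
        raise ValueError("no wsse:Security header in envelope")
    return sec


def cleartext_signature_targets(envelope_xml):
    """Ids of ds:Signature / wsse11:SignatureConfirmation elements that sit
    unencrypted directly under wsse:Security (in document order)."""
    return [child.get(WSU_ID) or child.get("Id") or child.tag
            for child in security_header(envelope_xml)
            if child.tag in (DS_SIGNATURE, SIG_CONFIRMATION)]


def encrypted_header_elements(envelope_xml):
    """Ids of whole-element xenc:EncryptedData children of wsse:Security that
    the header's own xenc:ReferenceList points at."""
    sec = security_header(envelope_xml)
    referenced = {ref.get("URI", "").lstrip("#")
                  for ref in sec.findall("xenc:ReferenceList/xenc:DataReference", NS)}
    return [ed.get("Id") for ed in sec.findall("xenc:EncryptedData", NS)
            if ed.get("Type") == XENC_ELEMENT and ed.get("Id") in referenced]


def check_signature_protection(envelope_xml, encrypt_signature=True):
    """Return policy findings; an empty list means the message passes.
    Only the EncryptSignature=true side is checkable without decryption."""
    if not encrypt_signature:
        return []
    findings = ["%s must be encrypted when EncryptSignature is true" % ident
                for ident in cleartext_signature_targets(envelope_xml)]
    if not encrypted_header_elements(envelope_xml):
        findings.append("no whole-element EncryptedData in wsse:Security carries the signature")
    return findings


# --- constructed sample envelopes (trimmed to the header shape of the issue's response) ---
ENVELOPE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="%s" xmlns:wsse11="%s" xmlns:wsu="%s" xmlns:xenc="%s">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1">%%s</wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="Id-25252664">
    <xenc:EncryptedData Id="EncDataId-91" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>""" % (NS["wsse"], NS["wsse11"], NS["wsu"], NS["xenc"])


def encrypted_element(ident):
    """Placeholder whole-element EncryptedData (ciphertext is constructed, not real)."""
    return ('<xenc:EncryptedData Id="%s" Type="%s"><xenc:CipherData>'
            '<xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>'
            '</xenc:EncryptedData>') % (ident, XENC_ELEMENT)


def reference_list(ids):
    return "<xenc:ReferenceList>%s</xenc:ReferenceList>" % "".join(
        '<xenc:DataReference URI="#%s"/>' % i for i in ids)


# What Rampart's sample04 sends: both SignatureConfirmation elements readable,
# only the signature (EncDataId-92) encrypted.
RAMPART_RESPONSE = ENVELOPE % "".join([
    reference_list(["EncDataId-91", "EncDataId-92"]),
    '<wsse11:SignatureConfirmation Value="LI7peNNLVlZp5lvAtGsCtGSWFD+WdLPIAJeDL6Nfp5kdiypnhFvKA9eOXKWY6yJ4Cjf7376AcYVe1DGTHfeQS4kRSvyRgGV8Y+CPJAnD7dL59G8nf1yJD8Mf6f83oH4RDcO0pCghCpkh1xxOEeMmAC5G1RiCPA3pyhpzwl63OME=" wsu:Id="SigConf-86"/>',
    '<wsse11:SignatureConfirmation Value="Gd/qMXptxoxpGLzjTi1ZFCzEC7k=" wsu:Id="SigConf-87"/>',
    encrypted_element("EncDataId-92"),
])

# The shape the policy requires: each SignatureConfirmation replaced by its own
# whole-element EncryptedData and listed in the ReferenceList.
COMPLIANT_RESPONSE = ENVELOPE % "".join([
    reference_list(["EncDataId-91", "EncDataId-92", "EncDataId-93", "EncDataId-94"]),
    encrypted_element("EncDataId-93"),
    encrypted_element("EncDataId-94"),
    encrypted_element("EncDataId-92"),
])

if __name__ == "__main__":
    for name, msg in (("sample04 response", RAMPART_RESPONSE), ("compliant", COMPLIANT_RESPONSE)):
        print(name, "->", check_signature_protection(msg) or "OK")
```

Running the module prints two findings for the sample04-shaped message (SigConf-86 and SigConf-87 in cleartext) and OK for the compliant one. The check is a cleartext-structure check only: it tells you the policy was not honoured, but it cannot confirm what an EncryptedData actually contains until the message is decrypted and the ReferenceList targets are resolved.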
