[ https://issues.apache.org/jira/browse/RAMPART-330?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Lazarski reassigned RAMPART-330:
---------------------------------------
Assignee: Robert Lazarski
> Interop with WSIT: SignatureConfirmation header must be encrypted when <sp:EncryptSignature/> is specified
> -----------------------------------------------------------------------------------------------------------
>
> Key: RAMPART-330
> URL: https://issues.apache.org/jira/browse/RAMPART-330
> Project: Rampart
> Issue Type: Bug
> Affects Versions: 1.4, 1.5
> Reporter: Rustam Abdullaev
> Assignee: Robert Lazarski
> Priority: Major
>
> Interop with WSIT issue: com.sun.xml.wss.XWSSecurityException: Policy verification error:Missing target SignatureConfirmation for Encryption
>
> Caused by the fact that Rampart doesn't handle <sp:EncryptSignature/> correctly. When EncryptSignature is specified, SignatureConfirmation must be encrypted, but it isn't, in all Rampart versions including 1.5.
>
> According to the WS-SecurityPolicy specification:
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826550
>
> 6.4 [Signature Protection] Property
> This boolean property specifies whether the signature must be encrypted. If the value is 'true', the primary signature MUST be encrypted and any signature confirmation elements MUST also be encrypted. If the value is 'false', the primary signature MUST NOT be encrypted and any signature confirmation elements MUST NOT be encrypted.
>
> Here's a SOAP response from Rampart's policy sample 04 (rampart-samples/policy/sample04) which shows the SignatureConfirmation headers are not encrypted:
> <?xml version='1.0' encoding='utf-8'?>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
>   <soapenv:Header xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
>     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
>       <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-85">
>         <wsu:Created>2011-03-14T14:09:32.410Z</wsu:Created>
>         <wsu:Expires>2011-03-14T14:14:32.410Z</wsu:Expires>
>       </wsu:Timestamp>
>       <wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="derivedKeyId-90">
>         <wsse:SecurityTokenReference>
>           <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1">BjZtgjN6OKwzy5h0nf4y9WmsQRs=</wsse:KeyIdentifier>
>         </wsse:SecurityTokenReference>
>         <wsc:Offset>0</wsc:Offset>
>         <wsc:Length>16</wsc:Length>
>         <wsc:Nonce>tmE7px+eJLYGz1dftcOQBA==</wsc:Nonce>
>       </wsc:DerivedKeyToken>
>       <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>         <xenc:DataReference URI="#EncDataId-91" />
>         <xenc:DataReference URI="#EncDataId-92" />
>       </xenc:ReferenceList>
>       <wsse11:SignatureConfirmation xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Value="LI7peNNLVlZp5lvAtGsCtGSWFD+WdLPIAJeDL6Nfp5kdiypnhFvKA9eOXKWY6yJ4Cjf7376AcYVe1DGTHfeQS4kRSvyRgGV8Y+CPJAnD7dL59G8nf1yJD8Mf6f83oH4RDcO0pCghCpkh1xxOEeMmAC5G1RiCPA3pyhpzwl63OME=" wsu:Id="SigConf-86" />
>       <wsse11:SignatureConfirmation xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Value="Gd/qMXptxoxpGLzjTi1ZFCzEC7k=" wsu:Id="SigConf-87" />
>       <wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="derivedKeyId-88">
>         <wsse:SecurityTokenReference>
>           <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1">BjZtgjN6OKwzy5h0nf4y9WmsQRs=</wsse:KeyIdentifier>
>         </wsse:SecurityTokenReference>
>         <wsc:Offset>0</wsc:Offset>
>         <wsc:Length>16</wsc:Length>
>         <wsc:Nonce>7Tj/+Hrw4SOhHi/p1VXQ6g==</wsc:Nonce>
>       </wsc:DerivedKeyToken>
>       <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncDataId-92" Type="http://www.w3.org/2001/04/xmlenc#Element">
>         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
>         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>           <wsse:SecurityTokenReference>
>             <wsse:Reference URI="#derivedKeyId-90" />
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>         <xenc:CipherData>
>           <xenc:CipherValue>xB1bfBI0PLv/VBEUrB93VH.........
>           ZtOBDxaxg88K/GBy+/3bDJjdKvGY3L1UAg==</xenc:CipherValue>
>         </xenc:CipherData>
>       </xenc:EncryptedData>
>     </wsse:Security>
>     <wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
>     <wsa:MessageID>urn:uuid:22AD6B2F5CD166F4CC1300111772450</wsa:MessageID>
>     <wsa:Action>http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT</wsa:Action>
>     <wsa:RelatesTo>urn:uuid:58FEB2F4DD594836A11300111766887</wsa:RelatesTo>
>   </soapenv:Header>
>   <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-25252664">
>     <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncDataId-91" Type="http://www.w3.org/2001/04/xmlenc#Content">
>       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>           <wsse:Reference URI="#derivedKeyId-90" />
>         </wsse:SecurityTokenReference>
>       </ds:KeyInfo>
>       <xenc:CipherData>
>         <xenc:CipherValue>vWYZFT3RQDSLsQJAd11JUUgm.........
>         ZxV6Az5gNqk9upVlQA==</xenc:CipherValue>
>       </xenc:CipherData>
>     </xenc:EncryptedData>
>   </soapenv:Body>
> </soapenv:Envelope>
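The [Signature Protection] rule quoted in the report, turned into the kind of receiver-side check WSIT performs. This is an added example, not Rampart or WSIT code: it parses a wsse:Security header with the standard library and, when the policy carries <sp:EncryptSignature/>, flags any wsse11:SignatureConfirmation or ds:Signature element that is still readable in the clear; it also confirms every DataReference in the ReferenceList resolves to an EncryptedData element. The two envelopes it runs on are constructed here, modelled on the sample04 response above but with placeholder cipher values, element Ids and a helper function of my own.

```python
"""Check the WS-SecurityPolicy 1.2 [Signature Protection] rule on a SOAP envelope.

Added example, not Rampart or WSIT code. When the policy carries
<sp:EncryptSignature/>, the primary ds:Signature and every
wsse11:SignatureConfirmation must be encrypted, so they may only reach the
receiver inside xenc:EncryptedData. The envelopes below are constructed for
this example, modelled on the sample04 response; cipher values are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsse11": "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]


def verify_signature_protection(envelope_xml, encrypt_signature):
    """Return a list of violations; an empty list means the envelope complies.

    encrypt_signature mirrors the policy: True when <sp:EncryptSignature/> is set.
    Without the decryption key only plaintext can be inspected, so for
    encrypt_signature=False just the ReferenceList consistency check applies.
    """
    root = ET.fromstring(envelope_xml)
    security = root.find("soapenv:Header/wsse:Security", NS)
    if security is None:
        return ["no wsse:Security header"]
    violations = []

    if encrypt_signature:
        # Anything still parseable as SignatureConfirmation or Signature directly
        # under wsse:Security is in the clear, which the policy forbids.
        for el in security.findall("wsse11:SignatureConfirmation", NS):
            violations.append("SignatureConfirmation %s is not encrypted" % el.get(WSU_ID, "?"))
        for el in security.findall("ds:Signature", NS):
            violations.append("Signature %s is not encrypted" % el.get("Id", "?"))

    # Each DataReference must resolve to an EncryptedData somewhere in the
    # envelope, otherwise the receiver is told to decrypt cipher text it cannot find.
    enc_ids = {el.get("Id") for el in root.iter("{%s}EncryptedData" % NS["xenc"])}
    for ref in security.findall("xenc:ReferenceList/xenc:DataReference", NS):
        uri = ref.get("URI", "")
        if not uri.startswith("#") or uri[1:] not in enc_ids:
            violations.append("DataReference %s does not resolve to an EncryptedData" % uri)
    return violations


# --- constructed sample envelopes (placeholder cipher text, no real keys) ---

def _reference_list(enc_ids):
    refs = "".join('<xenc:DataReference URI="#%s"/>' % i for i in enc_ids)
    return "<xenc:ReferenceList>%s</xenc:ReferenceList>" % refs


def _encrypted(enc_id, cipher="AAAA"):
    return ('<xenc:EncryptedData Id="%s" Type="http://www.w3.org/2001/04/xmlenc#Element">'
            "<xenc:CipherData><xenc:CipherValue>%s</xenc:CipherValue></xenc:CipherData>"
            "</xenc:EncryptedData>" % (enc_id, cipher))


def _envelope(header_items):
    return """<soapenv:Envelope xmlns:soapenv="%(soapenv)s" xmlns:wsse="%(wsse)s"
    xmlns:wsse11="%(wsse11)s" xmlns:wsu="%(wsu)s" xmlns:xenc="%(xenc)s">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1">%(items)s</wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="Id-1">
    <xenc:EncryptedData Id="EncDataId-91" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>""" % dict(NS, items=header_items)


# What the reported Rampart response looks like: confirmations in the clear
# next to the encrypted signature (EncDataId-92).
RAMPART_STYLE = _envelope(
    _reference_list(["EncDataId-91", "EncDataId-92"])
    + '<wsse11:SignatureConfirmation Value="CCCC" wsu:Id="SigConf-86"/>'
    + '<wsse11:SignatureConfirmation Value="DDDD" wsu:Id="SigConf-87"/>'
    + _encrypted("EncDataId-92"))

# What the policy requires: each confirmation replaced by its own EncryptedData
# and listed in the ReferenceList alongside the body and the signature.
COMPLIANT = _envelope(
    _reference_list(["EncDataId-91", "EncDataId-92", "EncDataId-93", "EncDataId-94"])
    + _encrypted("EncDataId-93") + _encrypted("EncDataId-94") + _encrypted("EncDataId-92"))

if __name__ == "__main__":
    for name, env in (("rampart-style", RAMPART_STYLE), ("compliant", COMPLIANT)):
        print(name, verify_signature_protection(env, encrypt_signature=True))
```

Run stand-alone it reports SigConf-86 and SigConf-87 for the Rampart-style envelope and nothing for the compliant one. The check deliberately does not try to prove the opposite direction (that an EncryptedData really contains a SignatureConfirmation); that needs the decryption key and belongs after decryption, which is where WSIT raises the "Missing target SignatureConfirmation for Encryption" error quoted in the report.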
--
This message was sent by Atlassian Jira
(v8.20.10#820010)