Hi Dobri,
There was a bug in PolicyBasedResultValidator which causes a problem
when handling empty reference lists. I think it is the same issue here.
Take a look at this issue in Rampart.
http://issues.apache.org/jira/browse/RAMPART-92

This was fixed in http://svn.apache.org/viewvc?rev=582216&view=rev.

> I am not sure how Rampart works in this case. AFAIK in SymmetricBinding one
> Derived Key is used, generated by whom? I mean somehow the initiator and the
> recipient use an ephemeral key generated from something I do not know from
> what? Can you provide me some information how this works? Does it use the
> X509? Which one, the client or the service X509? I have read the thread
> "DerivedKeys in SymmetricBinding", but I did not get the whole thing.

AFAIK, in SymmetricBinding when derived keys are used, the initiator creates an
ephemeral key, which is a random key. Then an encrypted key is generated using
that ephemeral key, and for that the encryption token or protection token
defined in the policy is used. In your case it is the X509 certificate of the
server. It can be some other token too, according to the given policy. Then the
initiator creates one or two derived keys using the ephemeral key and uses them
to sign and encrypt the message. How the derived keys are generated is defined
in the WS-SecureConversation spec, Section 8 - Deriving Keys. Then the request
is sent, which includes the encrypted key and the two derived keys. The server
can extract the ephemeral key from the encrypted key and regenerate the derived
keys itself.

In the response, the server uses the same ephemeral key, derives two more
derived keys and uses those to encrypt and sign. In the derived keys it states
a reference to the encrypted key it used to extract the ephemeral key. But in
the current Rampart implementation, we create another encrypted key on the
server side and use that to generate two derived keys. This will be changed
soon. Hope this answers your question.

Btw, I tried your policy and it works well for me. I've attached the SOAP
request and the response.

Regards,
Nandana

POST /services/UsernameForCertificateSign_IPingService HTTP/1.1
Content-Type: text/xml; charset=UTF-8
SOAPAction: "http://xmlsoap.org/Ping"
User-Agent: Axis2
Host: 127.0.0.1:1999
Transfer-Encoding: chunked

f9c
<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:wsa="http://www.w3.org/2005/08/addressing">
   <soapenv:Header>
      <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
         <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-31427481">
            <wsu:Created>2007-10-16T02:00:21.062Z</wsu:Created>
            <wsu:Expires>2007-10-16T02:05:21.062Z</wsu:Expires>
         </wsu:Timestamp>
         <xenc:EncryptedKey Id="EncKeyId-1192500022843">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
               <wsse:SecurityTokenReference>
                  <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">Xeg55vRyK3ZhAEhEf+YT0z986L0=</wsse:KeyIdentifier>
               </wsse:SecurityTokenReference>
            </ds:KeyInfo>
            <xenc:CipherData>
               <xenc:CipherValue>dzjWMjVce92jiljN06B/V7f3/TMRgcF1yd6Up4v7t9iPQWcvxoTgFNrq1BGBF3NZ+ubpSNsuH870UTRFu9AHYwMRUp75XeckMxylZKi6BA0gDTL/L3TN2tUfLKT5ziGF+O0l8vzHw8MGqmlqspvhOJMm1woB8Jl2sF5izcFWuso=</xenc:CipherValue>
            </xenc:CipherData>
         </xenc:EncryptedKey>
         <wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="derivedKeyId-6349096">
            <wsse:SecurityTokenReference>
               <wsse:Reference URI="#EncKeyId-1192500022843" />
            </wsse:SecurityTokenReference>
            <wsc:Length>16</wsc:Length>
            <wsc:Nonce>253Z0lTV9lp4RC6R3Zfmjw==</wsc:Nonce>
            <wsc:Offset>0</wsc:Offset>
         </wsc:DerivedKeyToken>
         <xenc:ReferenceList />
         <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-11918020">
            <wsse:Username>alice</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">MuFvj8WQow2qO/0imEG8zjVZoiQ=</wsse:Password>
            <wsse:Nonce>cFUEXclO5dUa11N0zc6/sA==</wsse:Nonce>
            <wsu:Created>2007-10-16T02:00:22.859Z</wsu:Created>
         </wsse:UsernameToken>
         <wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="derivedKeyId-29094346">
            <wsse:SecurityTokenReference>
               <wsse:Reference URI="#EncKeyId-1192500022843" />
            </wsse:SecurityTokenReference>
            <wsc:Length>16</wsc:Length>
            <wsc:Nonce>TKKghR4Sts/xXNJ/lvEaiw==</wsc:Nonce>
            <wsc:Offset>0</wsc:Offset>
         </wsc:DerivedKeyToken>
         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-3753023">
            <ds:SignedInfo>
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
               <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
               <ds:Reference URI="#Timestamp-31427481">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                  <ds:DigestValue>2zzaVcTE7HDpcwfYKSp4nu16+Bs=</ds:DigestValue>
               </ds:Reference>
               <ds:Reference URI="#UsernameToken-11918020">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                  <ds:DigestValue>dHO7IhuvdwMCkd/MGe4qJRSvkyU=</ds:DigestValue>
               </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>zOJ9ANWpWuP0j5Al1DcGEqQsmkw=</ds:SignatureValue>
            <ds:KeyInfo Id="KeyId-14306161">
               <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-26156414">
                  <wsse:Reference URI="#derivedKeyId-29094346" />
               </wsse:SecurityTokenReference>
            </ds:KeyInfo>
         </ds:Signature>
      </wsse:Security>
      <wsa:To>http://127.0.0.1:1110/services/UsernameForCertificateSign_IPingService</wsa:To>
      <wsa:MessageID>urn:uuid:2E4A341186DC7B321E1192500020915</wsa:MessageID>
      <wsa:Action>http://xmlsoap.org/Ping</wsa:Action>
   </soapenv:Header>
   <soapenv:Body>
      <ns0:Ping xmlns:ns0="http://xmlsoap.org/Ping">ping</ns0:Ping>
   </soapenv:Body>
</soapenv:Envelope>
0

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Tue, 16 Oct 2007 02:00:23 GMT

d30
<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header>
      <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
         <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-11160355">
            <wsu:Created>2007-10-16T02:00:23.875Z</wsu:Created>
            <wsu:Expires>2007-10-16T02:05:23.875Z</wsu:Expires>
         </wsu:Timestamp>
         <wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="derivedKeyId-12935839">
            <wsse:SecurityTokenReference>
               <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1">/cJFi/O4hyAzucfV8rgv9VVhj3U=</wsse:KeyIdentifier>
            </wsse:SecurityTokenReference>
            <wsc:Length>16</wsc:Length>
            <wsc:Nonce>VVMKCCoa7SzRwnp72XEG5w==</wsc:Nonce>
            <wsc:Offset>0</wsc:Offset>
         </wsc:DerivedKeyToken>
         <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" />
         <wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="derivedKeyId-23810287">
            <wsse:SecurityTokenReference>
               <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1">/cJFi/O4hyAzucfV8rgv9VVhj3U=</wsse:KeyIdentifier>
            </wsse:SecurityTokenReference>
            <wsc:Length>16</wsc:Length>
            <wsc:Nonce>Y+N2qmwnFLBm6wNAYWS7Cw==</wsc:Nonce>
            <wsc:Offset>0</wsc:Offset>
         </wsc:DerivedKeyToken>
         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-392724">
            <ds:SignedInfo>
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
               <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
               <ds:Reference URI="#Id-2816419">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                  <ds:DigestValue>P3SLg5risAncEmA+29R0MM2bTDI=</ds:DigestValue>
               </ds:Reference>
               <ds:Reference URI="#Timestamp-11160355">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                  <ds:DigestValue>Lfwg7JAt8uYSOlpTMgWXvbrFwnc=</ds:DigestValue>
               </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>l/YZKk152/IGRfYFBK4hq65t4tM=</ds:SignatureValue>
            <ds:KeyInfo Id="KeyId-23847538">
               <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-31438958">
                  <wsse:Reference URI="#derivedKeyId-23810287" />
               </wsse:SecurityTokenReference>
            </ds:KeyInfo>
         </ds:Signature>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-2816419">
      <PingResponse xmlns="http://xmlsoap.org/Ping">ping</PingResponse>
   </soapenv:Body>
</soapenv:Envelope>
0
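The derivation Nandana describes (ephemeral key, two wsc:DerivedKeyToken elements carrying Nonce/Offset/Length, HMAC-SHA1 over SignedInfo keyed with one of the derived keys) can be followed end to end in the captured request. The example below is added here and is not Rampart or WSS4J code. It implements the P_SHA1 key derivation of WS-SecureConversation section 8 under the assumption that the default label "WS-SecureConversation" applies (the tokens carry no wsc:Label), parses the DerivedKeyToken parameters out of a constructed, trimmed Security header whose Ids and nonces are copied from the request above, and shows both sides arriving at the same HMAC key. The ephemeral key is a constructed stand-in: the real one is RSA-OAEP encrypted to the server certificate and cannot be read from the mail. The empty `<xenc:ReferenceList/>` from the same capture, the case the RAMPART-92 bug concerned, is handled as a legitimate "nothing encrypted" result.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespaces as used in the captured request (wsc is the Feb 2005 WS-SecureConversation namespace).
WSC_NS = "http://schemas.xmlsoap.org/ws/2005/02/sc"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
XENC_NS = "http://www.w3.org/2001/04/xmlenc#"

# Default label from WS-SecureConversation section 8, used when the token carries no <wsc:Label>.
DEFAULT_LABEL = b"WS-SecureConversation"

# Constructed: the real ephemeral key is RSA-OAEP-encrypted in the capture and not recoverable,
# so a fixed 16-byte stand-in plays its role on both the initiator and the recipient side.
CONSTRUCTED_EPHEMERAL_KEY = bytes(range(0x10, 0x20))

# Constructed: a trimmed Security header with only what the derivation needs. Ids and nonces
# are copied from the captured request; the EncryptedKey body is omitted.
SAMPLE_SECURITY_HEADER = f"""
<wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}" xmlns:wsc="{WSC_NS}" xmlns:xenc="{XENC_NS}">
  <xenc:EncryptedKey Id="EncKeyId-1192500022843"/>
  <wsc:DerivedKeyToken wsu:Id="derivedKeyId-6349096">
    <wsse:SecurityTokenReference><wsse:Reference URI="#EncKeyId-1192500022843"/></wsse:SecurityTokenReference>
    <wsc:Length>16</wsc:Length><wsc:Nonce>253Z0lTV9lp4RC6R3Zfmjw==</wsc:Nonce><wsc:Offset>0</wsc:Offset>
  </wsc:DerivedKeyToken>
  <xenc:ReferenceList/>
  <wsc:DerivedKeyToken wsu:Id="derivedKeyId-29094346">
    <wsse:SecurityTokenReference><wsse:Reference URI="#EncKeyId-1192500022843"/></wsse:SecurityTokenReference>
    <wsc:Length>16</wsc:Length><wsc:Nonce>TKKghR4Sts/xXNJ/lvEaiw==</wsc:Nonce><wsc:Offset>0</wsc:Offset>
  </wsc:DerivedKeyToken>
</wsse:Security>"""


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 style P_SHA1 PRF, which WS-SecureConversation section 8 reuses for key derivation."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def derive_key(secret: bytes, nonce: bytes, offset: int = 0, length: int = 16,
               label: bytes = DEFAULT_LABEL) -> bytes:
    """Key material = P_SHA1(secret, label + nonce); the token's Offset/Length select a slice of it."""
    return p_sha1(secret, label + nonce, offset + length)[offset:offset + length]


def parse_derived_key_tokens(security_xml: str) -> list:
    """Pull Id, referenced EncryptedKey, nonce, offset and length out of each wsc:DerivedKeyToken."""
    root = ET.fromstring(security_xml)
    tokens = []
    for dkt in root.iter(f"{{{WSC_NS}}}DerivedKeyToken"):
        ref = dkt.find(f"{{{WSSE_NS}}}SecurityTokenReference/{{{WSSE_NS}}}Reference")
        tokens.append({
            "id": dkt.get(f"{{{WSU_NS}}}Id"),
            "encrypted_key": ref.get("URI").lstrip("#") if ref is not None else None,
            "nonce": base64.b64decode(dkt.findtext(f"{{{WSC_NS}}}Nonce")),
            "offset": int(dkt.findtext(f"{{{WSC_NS}}}Offset", "0")),
            "length": int(dkt.findtext(f"{{{WSC_NS}}}Length", "32")),
        })
    return tokens


def encrypted_data_references(security_xml: str) -> list:
    """URIs listed under xenc:ReferenceList. An empty <xenc:ReferenceList/> (nothing was encrypted,
    exactly as in the capture) is a valid result and yields [] rather than an error."""
    root = ET.fromstring(security_xml)
    return [dr.get("URI") for rl in root.iter(f"{{{XENC_NS}}}ReferenceList")
            for dr in rl.findall(f"{{{XENC_NS}}}DataReference")]


def initiator_signs(security_xml: str, ephemeral_key: bytes, token_id: str, signed_info: bytes) -> bytes:
    """Initiator side: derive the key named by the Signature's KeyInfo and produce the HMAC-SHA1."""
    tok = next(t for t in parse_derived_key_tokens(security_xml) if t["id"] == token_id)
    key = derive_key(ephemeral_key, tok["nonce"], tok["offset"], tok["length"])
    return hmac.new(key, signed_info, hashlib.sha1).digest()


def recipient_verifies(security_xml: str, ephemeral_key: bytes, token_id: str,
                       signed_info: bytes, signature: bytes) -> bool:
    """Recipient side: with the ephemeral key recovered from the EncryptedKey (only the holder of
    the server's private key can do that), re-derive the same key and check the SignatureValue."""
    for tok in parse_derived_key_tokens(security_xml):
        if tok["id"] == token_id:
            key = derive_key(ephemeral_key, tok["nonce"], tok["offset"], tok["length"])
            return hmac.compare_digest(hmac.new(key, signed_info, hashlib.sha1).digest(), signature)
    return False


def demo() -> bool:
    # Constructed stand-in for the exclusive-c14n form of ds:SignedInfo; real code canonicalizes it.
    signed_info = b"<ds:SignedInfo>...</ds:SignedInfo>"
    sig = initiator_signs(SAMPLE_SECURITY_HEADER, CONSTRUCTED_EPHEMERAL_KEY, "derivedKeyId-29094346", signed_info)
    return recipient_verifies(SAMPLE_SECURITY_HEADER, CONSTRUCTED_EPHEMERAL_KEY, "derivedKeyId-29094346", signed_info, sig)


if __name__ == "__main__":
    print("signature verified:", demo())
```

Two points the code makes concrete: the security of the scheme rests entirely on the EncryptedKey, since anyone who obtains the ephemeral key can recompute every derived key from the public Nonce/Offset/Length values, and a verifier must treat an empty ReferenceList as "no encrypted parts" rather than as a malformed header. XML canonicalization is deliberately left out; a real verifier canonicalizes SignedInfo with exclusive c14n before computing the HMAC.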
