EncryptedElements assertion failed validation in PolicyBasedResultsValidator
----------------------------------------------------------------------------

                 Key: RAMPART-218
                 URL: https://issues.apache.org/jira/browse/RAMPART-218
             Project: Rampart
          Issue Type: Bug
          Components: rampart-core
            Reporter: Stefan Vladov
            Assignee: Ruchith Udayanga Fernando


I've encountered some problems using the EncryptedElements assertion:

1) Rampart is not executed when the EncryptedElements assertion is the only 
protection assertion in the message (no other encryption / signature / 
timestamp), since the RampartUtil#isSecHeaderRequired check fails. Essentially 
the execution does not enter the following block

    if (rpd.isEncryptBody() || rpd.getEncryptedParts().size() != 0 &&
            rpd.getEncryptedElements().size() != 0) {
        return true;
    }

and thus the method returns false. Shouldn't it be enough to have an 
EncryptedElements assertion to trigger rampart, and why is it required to also 
have EncryptedParts?

2) In PolicyBasedResultsValidator#validateEncryptedParts, when calling 
isRefIdPresent(encrRefs, encPart.getEncId()), the encId of the encrypted element 
has a "#" before the id (as if it were a reference). Essentially, after 
decrypting the element, the EncryptedKeyProcessor in WSS4J adds a wsu:Id 
attribute to that element with the "#" sign: at the end of 
EncryptedKeyProcessor#decryptDataRef it calls 

    ((Element) node).setAttributeNS(WSConstants.WSU_NS, wsuPrefix + ":Id", dataRefURI);
    wsDataRef.setWsuId(dataRefURI.substring(1));

where dataRefURI is the encrypted element id with the "#" in front. Since the 
wsu:Id attribute contains the "#" character, the method isRefIdPresent fails to 
find the element id in the list of references and the validation fails. I'm not 
sure whether this is a problem in wss4j or in rampart, but a simple workaround 
would be to add the following lines in the validateEncryptedParts method:

    if (encPart.getEncId() == null) {
        throw new RampartException("encryptedPartMissing",
                new String[]{encPart.getNamespace() + ":" + encPart.getName()});
    } else {
        String encId = encPart.getEncId();
        if (encId != null && encId.startsWith("#")) {
            encId = encId.substring(1);
        }
        if (!isRefIdPresent(encrRefs, encId)) {
            throw new RampartException("encryptedPartMissing",
                    new String[]{encPart.getNamespace() + ":" + encPart.getName()});
        }
    }


instead of 

    if (encPart.getEncId() == null) {
        throw new RampartException("encryptedPartMissing",
                new String[]{encPart.getNamespace() + ":" + encPart.getName()});
    } else if (!isRefIdPresent(encrRefs, encPart.getEncId())) {
        throw new RampartException("encryptedPartMissing",
                new String[]{encPart.getNamespace() + ":" + encPart.getName()});
    }
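The following is an added, self-contained example (not Rampart or WSS4J code) that models the comparison in validateEncryptedParts described in point 2: the policy side carries the element id as a fragment reference ("#ccNum") while the decryption results carry it bare ("ccNum"), so an exact string comparison never matches. The DataRef and EncPart classes are minimal stand-ins for wss4j's WSDataRef and Rampart's encryption part and are assumptions, as are the sample ids and namespaces; the point it demonstrates is that the check must normalize the id on both sides and must still reject a required part that has no decrypted reference at all.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not project code. Models the id comparison done when
// validating that every policy-required element was actually decrypted.
public class EncryptedRefCheck {

    // Stand-in for wss4j's WSDataRef: only the wsu:Id is needed here (assumption).
    static final class DataRef {
        final String wsuId;
        DataRef(String wsuId) { this.wsuId = wsuId; }
    }

    // Stand-in for the policy's encryption part: the id it expects encrypted (assumption).
    static final class EncPart {
        final String namespace, name, encId;
        EncPart(String namespace, String name, String encId) {
            this.namespace = namespace; this.name = name; this.encId = encId;
        }
    }

    // An id may arrive bare ("ccNum") or as a same-document URI ("#ccNum").
    // Both denote the same element, so strip exactly one leading "#".
    static String normalizeId(String id) {
        if (id == null) return null;
        return id.startsWith("#") ? id.substring(1) : id;
    }

    // Exact comparison, as in the original check: "#ccNum" never equals "ccNum".
    static boolean isRefIdPresentExact(List<DataRef> refs, String id) {
        for (DataRef r : refs) if (r.wsuId.equals(id)) return true;
        return false;
    }

    // Normalized comparison: both sides stripped; a null/empty id is never present,
    // so a lone "#" cannot accidentally match anything.
    static boolean isRefIdPresent(List<DataRef> refs, String id) {
        String wanted = normalizeId(id);
        if (wanted == null || wanted.isEmpty()) return false;
        for (DataRef r : refs) if (wanted.equals(normalizeId(r.wsuId))) return true;
        return false;
    }

    // Every required part must map to a decrypted reference; otherwise reject.
    static void validateEncryptedParts(List<DataRef> encrRefs, List<EncPart> parts) {
        for (EncPart p : parts) {
            if (p.encId == null || !isRefIdPresent(encrRefs, p.encId)) {
                throw new IllegalStateException(
                        "encryptedPartMissing: " + p.namespace + ":" + p.name);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample: one decrypted element recorded with a bare wsu:Id,
        // while the policy side refers to it with a leading "#".
        List<DataRef> encrRefs = new ArrayList<>();
        encrRefs.add(new DataRef("ccNum"));
        EncPart fromPolicy = new EncPart("urn:example:payments", "CreditCard", "#ccNum");

        System.out.println("exact match:      " + isRefIdPresentExact(encrRefs, fromPolicy.encId));
        System.out.println("normalized match: " + isRefIdPresent(encrRefs, fromPolicy.encId));

        List<EncPart> parts = new ArrayList<>();
        parts.add(fromPolicy);
        validateEncryptedParts(encrRefs, parts); // passes: the part was decrypted

        // A part the policy requires but that was never decrypted is still rejected.
        parts.add(new EncPart("urn:example:payments", "Cvv", "#cvv"));
        try {
            validateEncryptedParts(encrRefs, parts);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running main prints "exact match: false", "normalized match: true" and then the rejection for the Cvv part. Normalizing both sides rather than only the policy side keeps the check correct whichever component ends up carrying the "#", and treating an empty id as absent ensures the relaxed comparison can only remove the spurious failure, never accept a required element that was not decrypted.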
