[ https://issues.apache.org/jira/browse/WSS-475?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alessio Soldano resolved WSS-475.
---------------------------------
    Resolution: Fixed

> Issue with multiple processing of ReferenceList in EncryptedKey element
> -----------------------------------------------------------------------
>
>                 Key: WSS-475
>                 URL: https://issues.apache.org/jira/browse/WSS-475
>             Project: WSS4J
>          Issue Type: Bug
>    Affects Versions: 1.6.9
>            Reporter: Alessio Soldano
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.6.12
>
>
> I have an incoming request message looking as follows:
> {noformat}
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
>   <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>     <wsse:Security
>         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>         soap:mustUnderstand="1">
>       ...
>       <wsse:BinarySecurityToken
>           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>           ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>           EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>           wsu:Id="BST-23456">...</wsse:BinarySecurityToken>
>       <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="XSIG-7896">
>         ...
>         <dsig:KeyInfo>
>           <wsse:SecurityTokenReference>
>             <wsse:Reference URI="#EK-ABCDE"
>                 ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
>           </wsse:SecurityTokenReference>
>         </dsig:KeyInfo>
>       </dsig:Signature>
>       <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>         ...
>       </dsig:Signature>
>       <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-ABCDE">
>         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>           <dsig:DigestMethod xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
>               Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>         </xenc:EncryptionMethod>
>         <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>           <wsse:SecurityTokenReference
>               xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>               wsu:Id="STR-8901">
>             <wsse:KeyIdentifier
>                 ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
>                 EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">...</wsse:KeyIdentifier>
>           </wsse:SecurityTokenReference>
>         </dsig:KeyInfo>
>         <xenc:CipherData>
>           <xenc:CipherValue xmlns:xmime="http://www.w3.org/2005/05/xmlmime"
>               xmime:contentType="application/octet-stream">...</xenc:CipherValue>
>         </xenc:CipherData>
>         <xenc:ReferenceList>
>           <xenc:DataReference URI="#_REF123"/>
>         </xenc:ReferenceList>
>       </xenc:EncryptedKey>
>     </wsse:Security>
>   </soap:Header>
>   <soapenv:Body
>       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>       wsu:Id="Body-5678">
>     <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>         Type="http://www.w3.org/2001/04/xmlenc#Content" Id="_REF123">
>       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
>       <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>         <wsse:SecurityTokenReference
>             xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>           <wsse:Reference URI="#EK-ABCDE"
>               ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
>         </wsse:SecurityTokenReference>
>       </dsig:KeyInfo>
>       <xenc:CipherData>
>         <xenc:CipherValue xmlns:xmime="http://www.w3.org/2005/05/xmlmime"
>             xmime:contentType="application/octet-stream">...</xenc:CipherValue>
>       </xenc:CipherData>
>     </xenc:EncryptedData>
>   </soapenv:Body>
> </soapenv:Envelope>
> {noformat}
>
> WSS4J fails on processing this as the ReferenceList within the EncryptedKey
> is processed twice (the first time when dealing with XSIG-7896 Signature
> element and the second time when actually dealing with the EncryptedKey
> element). The second time the ReferenceList is processed, the reference to
> Id="_REF123" can't be resolved, as the EncryptedData has likely been
> decrypted in the previous pass.
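The failure mode described in the report can be reproduced with a small in-memory model of the header walk. This is an added example, not WSS4J code: it uses a constructed, heavily trimmed copy of the message (same Ids and namespaces as above, everything else dropped), simulates decryption by replacing the EncryptedData element with a plaintext element (which removes its Id from the document, as real decryption does), and resolves the Signature's KeyInfo reference in the simplest possible way. The "dedupe" switch, which records which EncryptedKey Ids have already been handled so that a ReferenceList is walked at most once, is the example's own illustration of the idempotency a processor needs here; the page only says the issue was fixed in 1.6.12 and does not describe the actual change.

```python
"""Model of the ReferenceList double-processing problem reported in WSS-475.

Added example, not WSS4J code.  A wsse:Security header is walked child by
child in document order.  The EncryptedKey is reached twice: first through
the Signature's KeyInfo reference, then directly as a header child.  Without
de-duplication the second pass tries to resolve #_REF123 again, but that
EncryptedData was already replaced by plaintext in the first pass.
"""
import xml.etree.ElementTree as ET

# Namespace URIs as they appear in the reported message.
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "dsig": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed sample: the reported message stripped down to the elements that
# matter for the reference walk (no tokens, ciphertext or algorithms).
SAMPLE = """<soapenv:Envelope xmlns:soapenv="{soapenv}" xmlns:wsse="{wsse}"
  xmlns:wsu="{wsu}" xmlns:dsig="{dsig}" xmlns:xenc="{xenc}">
  <soapenv:Header>
    <wsse:Security>
      <dsig:Signature Id="XSIG-7896">
        <dsig:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#EK-ABCDE"/>
          </wsse:SecurityTokenReference>
        </dsig:KeyInfo>
      </dsig:Signature>
      <xenc:EncryptedKey Id="EK-ABCDE">
        <xenc:ReferenceList>
          <xenc:DataReference URI="#_REF123"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="Body-5678">
    <xenc:EncryptedData Id="_REF123"><xenc:CipherData/></xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>""".format(**NS)


class UnresolvableReference(Exception):
    """Raised when a DataReference URI points at an Id no longer in the tree."""


def tag(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def find_by_id(root, ref_id):
    """Resolve a URI fragment against any Id / wsu:Id attribute in the tree."""
    for el in root.iter():
        if el.get("Id") == ref_id or el.get(tag("wsu", "Id")) == ref_id:
            return el
    return None


def decrypt_reference_list(root, enc_key, log):
    """Simulated decryption of every DataReference target: the EncryptedData
    element is replaced by a plaintext element, so its Id disappears."""
    for ref in enc_key.iter(tag("xenc", "DataReference")):
        ref_id = ref.get("URI").lstrip("#")
        target = find_by_id(root, ref_id)
        if target is None:
            raise UnresolvableReference(ref_id)
        parent = next(p for p in root.iter() if target in list(p))
        index = list(parent).index(target)
        parent.remove(target)
        plain = ET.Element("Plaintext")
        plain.text = "decrypted " + ref_id
        parent.insert(index, plain)
        log.append("decrypted " + ref_id)


def process_security_header(xml_text, dedupe):
    """Walk the wsse:Security children in order and return an event log.
    dedupe=False mirrors the behaviour described in the report;
    dedupe=True handles each EncryptedKey Id at most once."""
    root = ET.fromstring(xml_text)
    security = root.find("soapenv:Header/wsse:Security", NS)
    log = []
    processed_keys = set()

    def process_encrypted_key(enc_key):
        key_id = enc_key.get("Id")
        if dedupe and key_id in processed_keys:
            log.append("reuse " + key_id)   # key already unwrapped; do not walk ReferenceList again
            return
        processed_keys.add(key_id)
        log.append("process " + key_id)
        decrypt_reference_list(root, enc_key, log)

    for child in list(security):
        if child.tag == tag("dsig", "Signature"):
            # The signing key is the EncryptedKey referenced from KeyInfo,
            # so the Signature pass reaches the EncryptedKey first.
            ref = child.find("dsig:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
            log.append("signature " + child.get("Id"))
            process_encrypted_key(find_by_id(root, ref.get("URI").lstrip("#")))
        elif child.tag == tag("xenc", "EncryptedKey"):
            process_encrypted_key(child)
    return log


def run(dedupe):
    """Return the event log, or the unresolvable Id when processing fails."""
    try:
        return process_security_header(SAMPLE, dedupe)
    except UnresolvableReference as exc:
        return "unresolvable reference: " + str(exc)


if __name__ == "__main__":
    print(run(dedupe=False))
    print(run(dedupe=True))
```

Running it without de-duplication reproduces the report: the first pass (via XSIG-7896) decrypts `_REF123`, the second pass (the EncryptedKey itself) cannot resolve it. With de-duplication the second encounter is logged as a reuse and the message processes cleanly.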