[jira] [Commented] (CXF-7605) RequireDerivedKeys policy is read, but not executed

[ https://issues.apache.org/jira/browse/CXF-7605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16328899#comment-16328899 ]

Colm O hEigeartaigh commented on CXF-7605:
------------------------------------------

Yes, it's not supported for the StAX layer at this point in time. More complicated policies such as this one are supported instead by the DOM stack.

> RequireDerivedKeys policy is read, but not executed
> ---------------------------------------------------
>
>                 Key: CXF-7605
>                 URL: https://issues.apache.org/jira/browse/CXF-7605
>             Project: CXF
>          Issue Type: Bug
>          Components: Soap Binding, WS-* Components
>    Affects Versions: 3.1.14, 3.1.15, 3.2.2
>         Environment: * cxf-rt-frontend-jaxws
> * cxf-rt-frontend-jaxrs
> * cxf-rt-transports-http
> * cxf-rt-rs-client
> * cxf-rt-rs-service-description
> * cxf-rt-ws-security
> * cxf-tools-common
> * cxf-rt-ws-policy
>            Reporter: Lukas
>            Priority: Major
>              Labels: Security
>         Attachments: build.gradle.working, build.gralde.failing, code.java, full_wsdl.wsdl, policy_fragment.xml
>
>
> CXF 3.2.2-SNAPSHOT, as well as 3.1.15-SNAPSHOT, do not derive keys for the hmac signature, while ws-policy states that derived keys are required ({{}} in {{effective Policy}}).
>
> The Actions cxf determines are also "TIMESTAMP" and "SAMLTOKENSIGNED", which is not stated in the policy - it calls for TIMESTAMP and SIGNATURE (with a derived symmetric key).
>
> The Policy is embedded in the wsdl that is passed to the {{wsdl2java}} gradle task.
>
> Inspecting the SoapMessage passed to the {{WSStaxOutInterceptor}}, the contents of {{org.apache.cxf.ws.policy.EffectivePolicy}}.{{choosenAlternative[1]}} (SupportEndorsingTokens) contain a nested Policy setting {{RequireDerivedKeys}}.
>
> This reflects the structure and contents of the attached policy (see policy_fragment.xml).
>
> CXF correctly embeds a SAML Token as requested by the policy and signs using a symmetric key (got by WS-SecureConversation / WS-Trust previously) - both steps are defined in the attached policy.
>
> CXF should, however, sign with a key *derived* from said symmetric key, specified by {{}}; this step is ignored, thus resulting in a request that does not adhere to the policy.
>
> The {{PolicyVerificationOutInterceptor}} also receives a SoapMessage object with the RequestDerivedKeys Assertion set to asserted=true.
>
> {{WSS4JStaxOutInterceptor, line 159}}
> {{OutboundWSSec outboundWSSec = WSSec.getOutboundWSSec(secProps);}}
>
> {{outboundWSSec.securityProperties.isUseDerivedKeyForMAC()}} produces {{true}} (which is default)
> {{outboundWSSec.securityProperties.getSignatureAlgorithm()}} produces {{http://www.w3.org/2000/09/xmldsig#hmac-sha1}}
> All other properties related to derived keys are null / 0 / their defaults.
>
> *Code works if cxf version 3.2.2-SNAPSHOT AND cxf Bundle 2.7.18 are on the classpath simultaneously - so I assume key derivation happened in the version packed in the bundle.*
>
> *build.gradle.working* results in a soap envelope with an hmac signature on the timestamp, produced by deriving a key from the ws-secureconversation key, containing this element:
>
> {{ xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512; wsu:Id="DK-3A4FD7F484F29F6BF215154251877012"> xmlns:ns4="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd; xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd; ns4:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0;> ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID;>nstsaa9fb8cc-ccb4-4dba-b7db-aa335d216bb3024QktGO31p79qn7dhom83QNQ==}}
>
> *build.gradle.failing* results in a soap envelope with an hmac signature produced with the ws-secureconversation key. The DerivedKey element is missing, as no key is derived.
>
> Attached are:
> * full_wsdl.wsdl - the wsdl parsed by cxf's "wsdl2java" gradle task (stripped of irrelevant endpoints and domain names)
> * code.java - code snippet demonstrating the use-case
> * policy_fragment.xml - the policy, to save looking for it in the wsdl

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
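The observable difference between the two builds in the report is which key the hmac-sha1 SignatureValue was computed with: the raw WS-SecureConversation session key (failing build, violating RequireDerivedKeys) or a key derived from it via a DerivedKeyToken (working build). The following is an added example, not code from CXF, WSS4J or the reporter's attachments: a small Python check that implements the WS-SecureConversation P_SHA-1 derivation (derived key = bytes [offset, offset+length) of P_SHA1(secret, label + nonce)) and classifies a captured SignatureValue as "derived", "raw" or "unknown", which is the kind of assertion a client-side integration test or a message-capture review can use to catch this policy violation. The session secret, nonce, label and canonicalised SignedInfo bytes are constructed sample values; in particular the label is assumed to be the concatenated client and service default labels, and a real check must take the label, nonce, offset and length from the wsc:DerivedKeyToken in the captured message.

```python
"""Classify an hmac-sha1 ds:SignatureValue as computed with a
WS-SecureConversation derived key or with the raw session secret.

Added example for CXF-7605; not CXF or WSS4J code.  All sample inputs
below are constructed.
"""
import base64
import hashlib
import hmac


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 PRF (TLS-style) as used by WS-SecureConversation 1.3 sec. 7.

    A(0) = seed, A(i) = HMAC_SHA1(secret, A(i-1)),
    P_SHA1 = HMAC_SHA1(secret, A(1) + seed) || HMAC_SHA1(secret, A(2) + seed) || ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(secret: bytes, label: bytes, nonce: bytes,
               offset: int = 0, length: int = 20) -> bytes:
    """Derived key: the label and nonce from the DerivedKeyToken form the seed."""
    material = p_sha1(secret, label + nonce, offset + length)
    return material[offset:offset + length]


def hmac_sha1_signature(key: bytes, signed_info_c14n: bytes) -> str:
    """Base64 SignatureValue for SignatureMethod xmldsig#hmac-sha1."""
    mac = hmac.new(key, signed_info_c14n, hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def classify_signature(signature_value_b64: str, signed_info_c14n: bytes,
                       session_secret: bytes, label: bytes, nonce: bytes,
                       offset: int = 0, length: int = 20) -> str:
    """Return "derived" (policy-compliant), "raw" (no DerivedKeyToken
    applied, i.e. RequireDerivedKeys violated) or "unknown"."""
    sig = base64.b64decode(signature_value_b64)
    derived = derive_key(session_secret, label, nonce, offset, length)
    expected_derived = hmac.new(derived, signed_info_c14n, hashlib.sha1).digest()
    expected_raw = hmac.new(session_secret, signed_info_c14n, hashlib.sha1).digest()
    if hmac.compare_digest(sig, expected_derived):
        return "derived"
    if hmac.compare_digest(sig, expected_raw):
        return "raw"
    return "unknown"


# Constructed sample values (not from the reporter's attachments).
SESSION_SECRET = bytes(range(32))            # stands in for the WS-SC session key
NONCE = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")  # stands in for wsc:Nonce
# Assumption: concatenated client + service default labels; take the real
# value from wsc:Label (or the deployment's configuration) when checking.
LABEL = b"WS-SecureConversationWS-SecureConversation"
# Assumption: the signer canonicalised ds:SignedInfo to exactly these bytes.
SIGNED_INFO = (b'<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
               b'<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>'
               b'<ds:Reference URI="#TS-1"/></ds:SignedInfo>')


def sample_compliant_signature() -> str:
    """What the working build produces: HMAC under the derived key."""
    return hmac_sha1_signature(derive_key(SESSION_SECRET, LABEL, NONCE), SIGNED_INFO)


def sample_noncompliant_signature() -> str:
    """What the failing build produces: HMAC under the raw session key."""
    return hmac_sha1_signature(SESSION_SECRET, SIGNED_INFO)


if __name__ == "__main__":
    for name, sig in (("working build", sample_compliant_signature()),
                      ("failing build", sample_noncompliant_signature())):
        verdict = classify_signature(sig, SIGNED_INFO, SESSION_SECRET, LABEL, NONCE)
        print(f"{name}: signature key = {verdict}")
```

A "raw" verdict is the concrete symptom behind this issue: the message carries a valid HMAC, so a relying party that only checks the signature will accept it, and only a policy-level check (or the absence of the DerivedKeyToken element in the captured envelope) reveals that RequireDerivedKeys was not honoured.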
[jira] [Commented] (CXF-7605) RequireDerivedKeys policy is read, but not executed

[ https://issues.apache.org/jira/browse/CXF-7605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16318424#comment-16318424 ]

Lukas commented on CXF-7605:
----------------------------

Disabling streaming (stax) makes it work.
[jira] [Commented] (CXF-7605) RequireDerivedKeys policy is read, but not executed

[ https://issues.apache.org/jira/browse/CXF-7605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16318129#comment-16318129 ]

Lukas commented on CXF-7605:
----------------------------

StaxTransportBindingHandler, line 311: the branch for Issued Token does not implement options for derived keys - maybe this is it?