Ok, and what is the security policy of the service? Or is security configured manually using the "Action" based approach?
Colm. On Tue, Feb 11, 2014 at 4:37 PM, Wabi Sabi <[email protected]> wrote: > I can't find the reference to AlgorithmSuite in the associated WSDL. > Somehow this worked ok with CXF 2.7 > > Here is how the failing response looks like. > > ID: 1 > Response-Code: 200 > Encoding: ISO-8859-1 > Content-Type: text/xml > Headers: {Cache-Control=[no-cache, no-store], connection=[Keep-Alive], > Content-Language=[en-CA], content-type=[text/xml], Date=[Tue, 11 Feb 2014 > 16:04:05 GMT], Server=[Apache], transfer-encoding=[chunked], > X-Backside-Transport=[OK OK], X-Client-IP=[111.111.11.111]} > Payload: <?xml version="1.0" encoding="UTF-8"?> > <soapenv:Envelope > xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/ > "><soapenv:Header><wsse:Security > soapenv:mustUnderstand="1" xmlns:wsse=" > > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd > "><xenc:EncryptedKey > xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";><xenc:EncryptionMethod > Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"; xmlns:dsig=" > http://www.w3.org/2000/09/xmldsig#"/><dsig:KeyInfo xmlns:dsig=" > http://www.w3.org/2000/09/xmldsig# > "><wsse:SecurityTokenReference><wsse:KeyIdentifier > ValueType=" > > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier > " > EncodingType=" > > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary > ">qXzKaOt1jDRiRhI85g=</wsse:KeyIdentifier></wsse:SecurityTokenReference></dsig:KeyInfo><xenc:CipherData > xmlns:dsig="http://www.w3.org/2000/09/xmldsig# > "><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference > > URI="#G0x7fda3d296d98-46D"/></xenc:ReferenceList></xenc:EncryptedKey><wsu:Timestamp > wsu:Id="Timestamp-18d293c0-d26e-4042-9cfc-f026872122f7" xmlns:wsu=" > > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd > "><wsu:Created>2014-02-11T16:04:07Z</wsu:Created><wsu:Expires>2014-02-11T16:09:07Z</wsu:Expires></wsu:Timestamp><wsse:BinarySecurityToken > wsu:Id="SecurityToken-fcfdab51-096f-4475-b46d-236871b8145e" EncodingType=" > > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary > " > ValueType=" > > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 > " > xmlns:wsu=" > > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd > ">....</wsse:BinarySecurityToken><Signature > xmlns="http://www.w3.org/2000/09/xmldsig#";> > <SignedInfo> > <CanonicalizationMethod Algorithm=" > http://www.w3.org/2001/10/xml-exc-c14n# > "/> > <SignatureMethod Algorithm=" > http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> > <Reference URI="#Timestamp-18d293c0-d26e-4042-9cfc-f026872122f7"> > <Transforms> > <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> > </Transforms> > <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> > <DigestValue>...</DigestValue> > </Reference> > <Reference URI="#Body-00d89df1-048f-4cc6-9cc2-39c33900dca4"> > <Transforms> > <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> > </Transforms> > <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> > <DigestValue>...</DigestValue> > </Reference> > </SignedInfo> > > <SignatureValue>...</SignatureValue><KeyInfo><wsse:SecurityTokenReference > xmlns=""><wsse:Reference > URI="#SecurityToken-fcfdab51-096f-4475-b46d-236871b8145e" ValueType=" > > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 > "/></wsse:SecurityTokenReference></KeyInfo></Signature></wsse:Security></soapenv:Header><soapenv:Body > wsu:Id="Body-00d89df1-048f-4cc6-9cc2-39c33900dca4" xmlns:wsu=" > > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd > "><ns2:listResponse > xmlns:ns4="http://srv.gov.ca/"; xmlns:ns3="http://ip.srv.gov.ca/"; > xmlns:ns2=" > http://et.srv.gov.ca/";><xenc:EncryptedData Id="G0x7fda3d296d98-46D" Type=" > http://www.w3.org/2001/04/xmlenc#Element"; xmlns:xenc=" > http://www.w3.org/2001/04/xmlenc#";><xenc:EncryptionMethod Algorithm=" > http://www.w3.org/2001/04/xmlenc#aes128-cbc > > "/><xenc:CipherData><xenc:CipherValue>......</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></ns2:listResponse></soapenv:Body></soapenv:Envelope> > > Thank you very much, Colm, for your help looking into this! > > > > On Tue, Feb 11, 2014 at 11:13 AM, Colm O hEigeartaigh > <[email protected]>wrote: > > > There are no CXF 2.7.x based solutions. The exception message seems to be > > that you are using the RSA 1.5 key transport algorithm even though there > is > > no RSA 1.5 security policy in effect. What "AlgorithmSuite" policy are > you > > using? Is it a CXF client or some other stack? What does the failing > > request look like? > > > > Colm. > > > > > > On Tue, Feb 11, 2014 at 4:08 PM, Wabi Sabi <[email protected]> > wrote: > > > > > Thank you very much, Colm for detailed and complete responses. I tried > > > building client with CXF 3, but it seems to break even the calls that > > > worked before. I now get: > > > > > > Caused by: *org.apache.wss4j.common.ext.WSSecurityException*: An error > > was > > > discovered processing the <wsse:Security> header > > > > > > Thrown by org.apache.wss4j.dom.processor.EncryptedKeyProcessor: > > > > > > if > > > (WSConstants.KEYTRANSPORT_RSA15.equals(encryptedKeyTransportMethod) > > > && !data.isAllowRSA15KeyTransportAlgorithm() > > > && > > > > > > > > > !algorithmSuite.getKeyWrapAlgorithms().contains(WSConstants.KEYTRANSPORT_RSA15)) > > > { > > > log.debug( > > > "The Key transport method does not match the > requirement" > > > ); > > > throw new > > > WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY); > > > } > > > > > > > > > I would greatly appreciate any pointers for implementing a CXF > 2.7-based > > > solution for the decryption... > > > > > > > > > > > > On Mon, Feb 10, 2014 at 11:38 AM, Colm O hEigeartaigh > > > <[email protected]>wrote: > > > > > > > Here is a blog article describing how to use this new functionality > in > > > > CXF... > > > > > > > > http://coheigea.blogspot.ie/2014/02/apache-wss4j-200-part-v.html > > > > > > > > Colm. > > > > > > > > > > > > On Fri, Feb 7, 2014 at 3:27 PM, Colm O hEigeartaigh < > > [email protected] > > > > >wrote: > > > > > > > > > > > > > > Signing + encrypting/decrypting SOAP Attachments is not supported > in > > > CXF > > > > > 2.7.x. However it is supported on CXF trunk at the moment, and will > > be > > > > > included in the forthcoming CXF 3.0.0 release. Here are some tests > if > > > you > > > > > are interested: > > > > > > > > > > > > > > > > > > > > > > > > > http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/swa/ > > > > > > > > > > Colm. > > > > > > > > > > > > > > > On Fri, Feb 7, 2014 at 3:19 PM, Wabi Sabi <[email protected]> > > > > wrote: > > > > > > > > > >> Hello, > > > > >> > > > > >> I wonder if CXF can be configured to decrypt attachments that come > > as > > > a > > > > >> web > > > > >> service response? > > > > >> > > > > >> I hoped that WSS4JInInterceptor will take care of this use case, > but > > > it > > > > >> fails with "The signature or decryption was invalid" exception, > > which > > > is > > > > >> caused by > > "org.apache.xml.security.encryption.XMLEncryptionException: > > > > >> Could > > > > >> not find a resolver for URI > > > > >> cid:urn%3Auuid%@apache.org and Base null > > > > >> > > > > >> I managed to write a custom resolver to provide attachment data, > but > > > > then > > > > >> it fails with yet another exception: > > > > >> org.apache.xml.security.encryption.XMLEncryptionException: > > > > >> Unknown transformation. No handler installed for URI > > > > >> > > > > >> > > > > > > > > > > http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Ciphertext-Transform > > > > >> > > > > >> Can somebody point me in the right direction, please? Any help is > > > > greatly > > > > >> appreciated. > > > > >> > > > > >> Thanks in advance. > > > > >> > > > > > > > > > > > > > > > > > > > > -- > > > > > Colm O hEigeartaigh > > > > > > > > > > Talend Community Coder > > > > > http://coders.talend.com > > > > > > > > > > > > > > > > > > > > > -- > > > > Colm O hEigeartaigh > > > > > > > > Talend Community Coder > > > > http://coders.talend.com > > > > > > > > > > > > > > > -- > > Colm O hEigeartaigh > > > > Talend Community Coder > > http://coders.talend.com > > > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
