In this case you need to set the "allowRSA15KeyTransportAlgorithm" property to "true" on the receiving side.
Colm.

On Tue, Feb 11, 2014 at 5:51 PM, Wabi Sabi <[email protected]> wrote:

> Yes it's done with Action property via code. Action looks like:
> "UsernameToken Timestamp Signature Encrypt", and the signature element is
> as follows "{Element}{http://et.srv.gov.ca/}ES;{Element}{http://ip.ebs.srv.gov.ca/}ID;{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"
>
> On Tue, Feb 11, 2014 at 11:45 AM, Colm O hEigeartaigh <[email protected]> wrote:
>
>> Ok, and what is the security policy of the service? Or is security
>> configured manually using the "Action" based approach?
>>
>> Colm.
>>
>> On Tue, Feb 11, 2014 at 4:37 PM, Wabi Sabi <[email protected]> wrote:
>>
>> > I can't find the reference to AlgorithmSuite in the associated WSDL.
>> > Somehow this worked ok with CXF 2.7
>> >
>> > Here is how the failing response looks like.
>> >
>> > ID: 1
>> > Response-Code: 200
>> > Encoding: ISO-8859-1
>> > Content-Type: text/xml
>> > Headers: {Cache-Control=[no-cache, no-store], connection=[Keep-Alive], Content-Language=[en-CA], content-type=[text/xml], Date=[Tue, 11 Feb 2014 16:04:05 GMT], Server=[Apache], transfer-encoding=[chunked], X-Backside-Transport=[OK OK], X-Client-IP=[111.111.11.111]}
>> > Payload:
>> > <?xml version="1.0" encoding="UTF-8"?>
>> > <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
>> >   <soapenv:Header>
>> >     <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>> >       <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>> >         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/>
>> >         <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>> >           <wsse:SecurityTokenReference>
>> >             <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">qXzKaOt1jDRiRhI85g=</wsse:KeyIdentifier>
>> >           </wsse:SecurityTokenReference>
>> >         </dsig:KeyInfo>
>> >         <xenc:CipherData xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>> >           <xenc:CipherValue>...</xenc:CipherValue>
>> >         </xenc:CipherData>
>> >         <xenc:ReferenceList>
>> >           <xenc:DataReference URI="#G0x7fda3d296d98-46D"/>
>> >         </xenc:ReferenceList>
>> >       </xenc:EncryptedKey>
>> >       <wsu:Timestamp wsu:Id="Timestamp-18d293c0-d26e-4042-9cfc-f026872122f7" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>> >         <wsu:Created>2014-02-11T16:04:07Z</wsu:Created>
>> >         <wsu:Expires>2014-02-11T16:09:07Z</wsu:Expires>
>> >       </wsu:Timestamp>
>> >       <wsse:BinarySecurityToken wsu:Id="SecurityToken-fcfdab51-096f-4475-b46d-236871b8145e" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">....</wsse:BinarySecurityToken>
>> >       <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>> >         <SignedInfo>
>> >           <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>> >           <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>> >           <Reference URI="#Timestamp-18d293c0-d26e-4042-9cfc-f026872122f7">
>> >             <Transforms>
>> >               <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>> >             </Transforms>
>> >             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> >             <DigestValue>...</DigestValue>
>> >           </Reference>
>> >           <Reference URI="#Body-00d89df1-048f-4cc6-9cc2-39c33900dca4">
>> >             <Transforms>
>> >               <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>> >             </Transforms>
>> >             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> >             <DigestValue>...</DigestValue>
>> >           </Reference>
>> >         </SignedInfo>
>> >         <SignatureValue>...</SignatureValue>
>> >         <KeyInfo>
>> >           <wsse:SecurityTokenReference xmlns="">
>> >             <wsse:Reference URI="#SecurityToken-fcfdab51-096f-4475-b46d-236871b8145e" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
>> >           </wsse:SecurityTokenReference>
>> >         </KeyInfo>
>> >       </Signature>
>> >     </wsse:Security>
>> >   </soapenv:Header>
>> >   <soapenv:Body wsu:Id="Body-00d89df1-048f-4cc6-9cc2-39c33900dca4" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>> >     <ns2:listResponse xmlns:ns4="http://srv.gov.ca/" xmlns:ns3="http://ip.srv.gov.ca/" xmlns:ns2="http://et.srv.gov.ca/">
>> >       <xenc:EncryptedData Id="G0x7fda3d296d98-46D" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>> >         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
>> >         <xenc:CipherData>
>> >           <xenc:CipherValue>......</xenc:CipherValue>
>> >         </xenc:CipherData>
>> >       </xenc:EncryptedData>
>> >     </ns2:listResponse>
>> >   </soapenv:Body>
>> > </soapenv:Envelope>
>> >
>> > Thank you very much, Colm, for your help looking into this!
>> >
>> > On Tue, Feb 11, 2014 at 11:13 AM, Colm O hEigeartaigh <[email protected]> wrote:
>> >
>> > > There are no CXF 2.7.x based solutions. The exception message seems to be
>> > > that you are using the RSA 1.5 key transport algorithm even though there is
>> > > no RSA 1.5 security policy in effect. What "AlgorithmSuite" policy are you
>> > > using? Is it a CXF client or some other stack? What does the failing
>> > > request look like?
>> > >
>> > > Colm.
>> > >
>> > > On Tue, Feb 11, 2014 at 4:08 PM, Wabi Sabi <[email protected]> wrote:
>> > >
>> > > > Thank you very much, Colm for detailed and complete responses. I tried
>> > > > building client with CXF 3, but it seems to break even the calls that
>> > > > worked before. I now get:
>> > > >
>> > > > Caused by: *org.apache.wss4j.common.ext.WSSecurityException*: An error was
>> > > > discovered processing the <wsse:Security> header
>> > > >
>> > > > Thrown by org.apache.wss4j.dom.processor.EncryptedKeyProcessor:
>> > > >
>> > > > if (WSConstants.KEYTRANSPORT_RSA15.equals(encryptedKeyTransportMethod)
>> > > >         && !data.isAllowRSA15KeyTransportAlgorithm()
>> > > >         && !algorithmSuite.getKeyWrapAlgorithms().contains(WSConstants.KEYTRANSPORT_RSA15)) {
>> > > >     log.debug("The Key transport method does not match the requirement");
>> > > >     throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
>> > > > }
>> > > >
>> > > > I would greatly appreciate any pointers for implementing a CXF 2.7-based
>> > > > solution for the decryption...
>> > > >
>> > > > On Mon, Feb 10, 2014 at 11:38 AM, Colm O hEigeartaigh <[email protected]> wrote:
>> > > >
>> > > > > Here is a blog article describing how to use this new functionality in
>> > > > > CXF...
>> > > > >
>> > > > > http://coheigea.blogspot.ie/2014/02/apache-wss4j-200-part-v.html
>> > > > >
>> > > > > Colm.
>> > > > >
>> > > > > On Fri, Feb 7, 2014 at 3:27 PM, Colm O hEigeartaigh <[email protected]> wrote:
>> > > > >
>> > > > > > Signing + encrypting/decrypting SOAP Attachments is not supported in CXF
>> > > > > > 2.7.x. However it is supported on CXF trunk at the moment, and will be
>> > > > > > included in the forthcoming CXF 3.0.0 release. Here are some tests if you
>> > > > > > are interested:
>> > > > > >
>> > > > > > http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/swa/
>> > > > > >
>> > > > > > Colm.
>> > > > > >
>> > > > > > On Fri, Feb 7, 2014 at 3:19 PM, Wabi Sabi <[email protected]> wrote:
>> > > > > >
>> > > > > >> Hello,
>> > > > > >>
>> > > > > >> I wonder if CXF can be configured to decrypt attachments that come as a
>> > > > > >> web service response?
>> > > > > >>
>> > > > > >> I hoped that WSS4JInInterceptor will take care of this use case, but it
>> > > > > >> fails with "The signature or decryption was invalid" exception, which is
>> > > > > >> caused by "org.apache.xml.security.encryption.XMLEncryptionException: Could
>> > > > > >> not find a resolver for URI cid:urn%3Auuid%@apache.org and Base null
>> > > > > >>
>> > > > > >> I managed to write a custom resolver to provide attachment data, but then
>> > > > > >> it fails with yet another exception:
>> > > > > >> org.apache.xml.security.encryption.XMLEncryptionException:
>> > > > > >> Unknown transformation. No handler installed for URI
>> > > > > >> http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Ciphertext-Transform
>> > > > > >>
>> > > > > >> Can somebody point me in the right direction, please? Any help is greatly
>> > > > > >> appreciated.
>> > > > > >>
>> > > > > >> Thanks in advance.
>> > > > > >>
>> > > > > >
>> > > > >
>> > > >
>> > >
>> >
>>
>

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
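The thread turns on one condition in WSS4J's EncryptedKeyProcessor: an EncryptedKey whose EncryptionMethod is rsa-1_5 is rejected unless the receiver sets allowRSA15KeyTransportAlgorithm or the effective AlgorithmSuite lists RSA 1.5 among its key-wrap algorithms (the Rsa15 suite variants do; the default suites specify RSA-OAEP). The Python below is an added, stand-alone illustration written for this page, not CXF or WSS4J code: it pulls the key transport algorithm out of a Security header and applies the same three-part decision, so you can see why the quoted response fails under WSS4J 2.0 defaults and what the flag changes. The function names, the trimmed sample envelope (built from the response quoted above, with cipher text elided) and the use of a plain set for the suite's key-wrap algorithms are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# Namespaces used in the WS-Security header quoted in the thread
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"

# Key transport algorithm URIs (the values behind WSS4J's WSConstants.KEYTRANSPORT_* constants)
KEYTRANSPORT_RSA15 = XENC + "rsa-1_5"
KEYTRANSPORT_RSAOAEP = XENC + "rsa-oaep-mgf1p"

# Constructed sample: the EncryptedKey part of the response quoted in the thread,
# trimmed to the elements this check looks at; CipherValue content is elided.
SAMPLE_RESPONSE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="{WSSE}">
      <xenc:EncryptedKey xmlns:xenc="{XENC}">
        <xenc:EncryptionMethod Algorithm="{KEYTRANSPORT_RSA15}"/>
        <xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList><xenc:DataReference URI="#G0x7fda3d296d98-46D"/></xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""


def key_transport_algorithms(envelope_xml):
    """Return EncryptionMethod/@Algorithm for every EncryptedKey in the Security header."""
    root = ET.fromstring(envelope_xml)
    security = root.find(f"./{{{SOAP}}}Header/{{{WSSE}}}Security")
    if security is None:
        return []
    algorithms = []
    for encrypted_key in security.findall(f"{{{XENC}}}EncryptedKey"):
        method = encrypted_key.find(f"{{{XENC}}}EncryptionMethod")
        algorithms.append(None if method is None else method.get("Algorithm"))
    return algorithms


def key_transport_allowed(algorithm, allow_rsa15=False, suite_key_wrap=()):
    """Decision mirrored from the EncryptedKeyProcessor condition quoted in the thread.

    RSA 1.5 is rejected unless the receiver explicitly allows it
    (allowRSA15KeyTransportAlgorithm=true) or the effective AlgorithmSuite lists it
    among its key-wrap algorithms (suite_key_wrap, a hypothetical set of URIs here).
    Any other algorithm passes this particular check.
    """
    if (algorithm == KEYTRANSPORT_RSA15
            and not allow_rsa15
            and KEYTRANSPORT_RSA15 not in suite_key_wrap):
        return False
    return True


def check_response(envelope_xml, allow_rsa15=False, suite_key_wrap=()):
    """Apply the check to every EncryptedKey; returns (accepted, list of rejected algorithms)."""
    rejected = [alg for alg in key_transport_algorithms(envelope_xml)
                if not key_transport_allowed(alg, allow_rsa15, suite_key_wrap)]
    return (len(rejected) == 0, rejected)


if __name__ == "__main__":
    ok, bad = check_response(SAMPLE_RESPONSE)
    print("WSS4J 2.0 default:", "accepted" if ok else f"rejected, key transport {bad}")
    ok, bad = check_response(SAMPLE_RESPONSE, allow_rsa15=True)
    print("allowRSA15KeyTransportAlgorithm=true:", "accepted" if ok else f"rejected {bad}")
```

Run as-is, the sample is rejected with the default settings and accepted once the flag is on, which is the behaviour change Colm's answer describes for the Action-based WSS4JInInterceptor (the property goes into the interceptor's configuration map under the name he gives). The flag is a compatibility switch for a peer you do not control; where the service can be changed, having it wrap the session key with RSA-OAEP removes the need for it.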
