Thank you very much, Colm. After enabling RSA15, I ran into another
exception:

org.apache.cxf.binding.soap.SoapFault: BSP:R5406: Any CANONICALIZATION_METHOD MUST contain an INCLUSIVE_NAMESPACES with a PrefixList attribute unless the PrefixList is empty
 at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:809)
 at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:316)
 at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:94)
....
Caused by: org.apache.wss4j.common.ext.WSSecurityException: BSP:R5406: Any CANONICALIZATION_METHOD MUST contain an INCLUSIVE_NAMESPACES with a PrefixList attribute unless the PrefixList is empty
 at org.apache.wss4j.dom.bsp.BSPEnforcer.handleBSPRule(BSPEnforcer.java:57)
 at org.apache.wss4j.dom.processor.SignatureProcessor.checkBSPCompliance(SignatureProcessor.java:730)
 at org.apache.wss4j.dom.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:403)
 at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:230)
 at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:421)
 at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:260)
 ... 40 more

:(


On Wed, Feb 12, 2014 at 8:49 AM, Colm O hEigeartaigh <[email protected]> wrote:

>
> In this case you need to set the "allowRSA15KeyTransportAlgorithm"
> property to "true" on the receiving side.
>
> Colm.
>
>
> On Tue, Feb 11, 2014 at 5:51 PM, Wabi Sabi <[email protected]> wrote:
>
>> Yes, it's done with the Action property via code. Action looks like:
>> "UsernameToken Timestamp Signature Encrypt", and the signature element is
>> as follows:
>> "{Element}{http://et.srv.gov.ca/}ES;{Element}{http://ip.ebs.srv.gov.ca/}ID;{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"
>>
>>
>>
>>
>>
>> On Tue, Feb 11, 2014 at 11:45 AM, Colm O hEigeartaigh <
>> [email protected]> wrote:
>>
>>> Ok, and what is the security policy of the service? Or is security
>>> configured manually using the "Action" based approach?
>>>
>>> Colm.
>>>
>>>
>>> On Tue, Feb 11, 2014 at 4:37 PM, Wabi Sabi <[email protected]>
>>> wrote:
>>>
>>> > I can't find the reference to AlgorithmSuite in the associated WSDL.
>>> > Somehow this worked OK with CXF 2.7.
>>> >
>>> > Here is what the failing response looks like.
>>> >
>>> > ID: 1
>>> > Response-Code: 200
>>> > Encoding: ISO-8859-1
>>> > Content-Type: text/xml
>>> > Headers: {Cache-Control=[no-cache, no-store], connection=[Keep-Alive], Content-Language=[en-CA], content-type=[text/xml], Date=[Tue, 11 Feb 2014 16:04:05 GMT], Server=[Apache], transfer-encoding=[chunked], X-Backside-Transport=[OK OK], X-Client-IP=[111.111.11.111]}
>>> > Payload:
>>> > <?xml version="1.0" encoding="UTF-8"?>
>>> > <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
>>> >   <soapenv:Header>
>>> >     <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>> >       <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>>> >         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/>
>>> >         <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>>> >           <wsse:SecurityTokenReference>
>>> >             <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">qXzKaOt1jDRiRhI85g=</wsse:KeyIdentifier>
>>> >           </wsse:SecurityTokenReference>
>>> >         </dsig:KeyInfo>
>>> >         <xenc:CipherData xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>>> >           <xenc:CipherValue>...</xenc:CipherValue>
>>> >         </xenc:CipherData>
>>> >         <xenc:ReferenceList>
>>> >           <xenc:DataReference URI="#G0x7fda3d296d98-46D"/>
>>> >         </xenc:ReferenceList>
>>> >       </xenc:EncryptedKey>
>>> >       <wsu:Timestamp wsu:Id="Timestamp-18d293c0-d26e-4042-9cfc-f026872122f7" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>>> >         <wsu:Created>2014-02-11T16:04:07Z</wsu:Created>
>>> >         <wsu:Expires>2014-02-11T16:09:07Z</wsu:Expires>
>>> >       </wsu:Timestamp>
>>> >       <wsse:BinarySecurityToken wsu:Id="SecurityToken-fcfdab51-096f-4475-b46d-236871b8145e" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">....</wsse:BinarySecurityToken>
>>> >       <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>> >         <SignedInfo>
>>> >           <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>> >           <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>>> >           <Reference URI="#Timestamp-18d293c0-d26e-4042-9cfc-f026872122f7">
>>> >             <Transforms>
>>> >               <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>> >             </Transforms>
>>> >             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>> >             <DigestValue>...</DigestValue>
>>> >           </Reference>
>>> >           <Reference URI="#Body-00d89df1-048f-4cc6-9cc2-39c33900dca4">
>>> >             <Transforms>
>>> >               <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>> >             </Transforms>
>>> >             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>> >             <DigestValue>...</DigestValue>
>>> >           </Reference>
>>> >         </SignedInfo>
>>> >         <SignatureValue>...</SignatureValue>
>>> >         <KeyInfo>
>>> >           <wsse:SecurityTokenReference xmlns="">
>>> >             <wsse:Reference URI="#SecurityToken-fcfdab51-096f-4475-b46d-236871b8145e" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
>>> >           </wsse:SecurityTokenReference>
>>> >         </KeyInfo>
>>> >       </Signature>
>>> >     </wsse:Security>
>>> >   </soapenv:Header>
>>> >   <soapenv:Body wsu:Id="Body-00d89df1-048f-4cc6-9cc2-39c33900dca4" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>>> >     <ns2:listResponse xmlns:ns4="http://srv.gov.ca/" xmlns:ns3="http://ip.srv.gov.ca/" xmlns:ns2="http://et.srv.gov.ca/">
>>> >       <xenc:EncryptedData Id="G0x7fda3d296d98-46D" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>>> >         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
>>> >         <xenc:CipherData>
>>> >           <xenc:CipherValue>......</xenc:CipherValue>
>>> >         </xenc:CipherData>
>>> >       </xenc:EncryptedData>
>>> >     </ns2:listResponse>
>>> >   </soapenv:Body>
>>> > </soapenv:Envelope>
>>> >
>>> > Thank you very much, Colm, for your help looking into this!
>>> >
>>> >
>>> >
>>> > On Tue, Feb 11, 2014 at 11:13 AM, Colm O hEigeartaigh <[email protected]> wrote:
>>> >
>>> > > There are no CXF 2.7.x based solutions. The exception message seems
>>> > > to be that you are using the RSA 1.5 key transport algorithm even though
>>> > > there is no RSA 1.5 security policy in effect. What "AlgorithmSuite" policy
>>> > > are you using? Is it a CXF client or some other stack? What does the failing
>>> > > request look like?
>>> > >
>>> > > Colm.
>>> > >
>>> > >
>>> > > On Tue, Feb 11, 2014 at 4:08 PM, Wabi Sabi <[email protected]>
>>> > wrote:
>>> > >
>>> > > > Thank you very much, Colm, for detailed and complete responses. I
>>> > > > tried building a client with CXF 3, but it seems to break even the calls
>>> > > > that worked before. I now get:
>>> > > >
>>> > > > Caused by: *org.apache.wss4j.common.ext.WSSecurityException*: An
>>> > > > error was discovered processing the <wsse:Security> header
>>> > > >
>>> > > > Thrown by org.apache.wss4j.dom.processor.EncryptedKeyProcessor:
>>> > > >
>>> > > >     if (WSConstants.KEYTRANSPORT_RSA15.equals(encryptedKeyTransportMethod)
>>> > > >         && !data.isAllowRSA15KeyTransportAlgorithm()
>>> > > >         && !algorithmSuite.getKeyWrapAlgorithms().contains(WSConstants.KEYTRANSPORT_RSA15)) {
>>> > > >         log.debug("The Key transport method does not match the requirement");
>>> > > >         throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
>>> > > >     }
>>> > > >
>>> > > >
>>> > > > I would greatly appreciate any pointers for implementing a CXF
>>> > > > 2.7-based solution for the decryption...
>>> > > >
>>> > > >
>>> > > >
>>> > > > On Mon, Feb 10, 2014 at 11:38 AM, Colm O hEigeartaigh <[email protected]> wrote:
>>> > > >
>>> > > > > Here is a blog article describing how to use this new functionality
>>> > > > > in CXF...
>>> > > > >
>>> > > > > http://coheigea.blogspot.ie/2014/02/apache-wss4j-200-part-v.html
>>> > > > >
>>> > > > > Colm.
>>> > > > >
>>> > > > >
>>> > > > > On Fri, Feb 7, 2014 at 3:27 PM, Colm O hEigeartaigh <[email protected]> wrote:
>>> > > > >
>>> > > > > >
>>> > > > > > Signing + encrypting/decrypting SOAP Attachments is not supported
>>> > > > > > in CXF 2.7.x. However it is supported on CXF trunk at the moment, and
>>> > > > > > will be included in the forthcoming CXF 3.0.0 release. Here are some
>>> > > > > > tests if you are interested:
>>> > > > > >
>>> > > > > > http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/swa/
>>> > > > > >
>>> > > > > > Colm.
>>> > > > > >
>>> > > > > >
>>> > > > > > On Fri, Feb 7, 2014 at 3:19 PM, Wabi Sabi <[email protected]> wrote:
>>> > > > > >
>>> > > > > >> Hello,
>>> > > > > >>
>>> > > > > >> I wonder if CXF can be configured to decrypt attachments that
>>> > > > > >> come as a web service response?
>>> > > > > >>
>>> > > > > >> I hoped that WSS4JInInterceptor will take care of this use case,
>>> > > > > >> but it fails with "The signature or decryption was invalid" exception,
>>> > > > > >> which is caused by
>>> > > > > >> "org.apache.xml.security.encryption.XMLEncryptionException: Could
>>> > > > > >> not find a resolver for URI cid:urn%3Auuid%@apache.org and Base null"
>>> > > > > >>
>>> > > > > >> I managed to write a custom resolver to provide attachment data,
>>> > > > > >> but then it fails with yet another exception:
>>> > > > > >> org.apache.xml.security.encryption.XMLEncryptionException:
>>> > > > > >> Unknown transformation. No handler installed for URI
>>> > > > > >> http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Ciphertext-Transform
>>> > > > > >>
>>> > > > > >> Can somebody point me in the right direction, please? Any help is
>>> > > > > >> greatly appreciated.
>>> > > > > >>
>>> > > > > >> Thanks in advance.
>>> > > > > >>
>>> > > > > >
>>> > > > > >
>>> > > > > >
>>> > > > > > --
>>> > > > > > Colm O hEigeartaigh
>>> > > > > >
>>> > > > > > Talend Community Coder
>>> > > > > > http://coders.talend.com
>>> > > > > >
>>> > > > >
>>> > > > >
>>> > > > >
>>> > > > >
>>> > > >
>>> > >
>>> > >
>>> > >
>>> > >
>>> >
>>>
>>>
>>>
>>>
>>
>>
>
>
>
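The two failures in this thread (RSA 1.5 key transport rejected by WSS4J 2.0, then BSP R5406 raised because the exc-c14n CanonicalizationMethod carries no InclusiveNamespaces/PrefixList) can both be spotted by inspecting the received SOAP envelope before it reaches the interceptor. The following linter is an added example written for this page; it is not code from the thread, from CXF or from WSS4J. It uses only the Python standard library, the function names are mine, and the two sample envelopes are constructed (modelled on the response quoted above, with the ciphertext and digests elided).

```python
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
EXC_C14N_WITH_COMMENTS = "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
RSA15 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
INCLUSIVE_NAMESPACES = "{http://www.w3.org/2001/10/xml-exc-c14n#}InclusiveNamespaces"


def key_transport_algorithms(root):
    """Algorithm URI of every xenc:EncryptedKey/xenc:EncryptionMethod in the message."""
    return [em.get("Algorithm")
            for em in root.iterfind(".//xenc:EncryptedKey/xenc:EncryptionMethod", NS)]


def bsp_r5406_violations(root):
    """One finding per exclusive-c14n ds:CanonicalizationMethod that has no
    InclusiveNamespaces child carrying a PrefixList attribute. This is the
    Basic Security Profile rule R5406 quoted in the thread's exception."""
    findings = []
    for cm in root.iterfind(".//ds:SignedInfo/ds:CanonicalizationMethod", NS):
        if cm.get("Algorithm") not in (EXC_C14N, EXC_C14N_WITH_COMMENTS):
            continue  # R5406 only concerns exclusive c14n
        incl = cm.find(INCLUSIVE_NAMESPACES)
        if incl is None or incl.get("PrefixList") is None:
            findings.append("R5406: CanonicalizationMethod %s lacks "
                            "InclusiveNamespaces/@PrefixList" % cm.get("Algorithm"))
    return findings


def lint_envelope(xml_text):
    """Return a list of findings for a WS-Security envelope; an empty list means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    for alg in key_transport_algorithms(root):
        if alg == RSA15:
            # WSS4J 2.0 refuses this unless allowRSA15KeyTransportAlgorithm is true
            # or the AlgorithmSuite lists it; the real fix is on the signing side.
            findings.append("weak key transport %s; prefer %s" % (alg, RSA_OAEP))
    findings.extend(bsp_r5406_violations(root))
    return findings


# Constructed template: the header layout of the response quoted in the thread,
# with the key transport algorithm and the c14n parameters left to fill in.
ENVELOPE_TEMPLATE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1">
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="%(key_transport)s"/>
        <xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">%(c14n_params)s</ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
          <ds:Reference URI="#Body-1">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>...</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="Body-1"/>
</soapenv:Envelope>"""

# Constructed sample 1: what the thread's service sends (RSA-1.5, no InclusiveNamespaces).
THREAD_LIKE = ENVELOPE_TEMPLATE % {"key_transport": RSA15, "c14n_params": ""}

# Constructed sample 2: the same message after the signer switches to OAEP and
# emits an explicit PrefixList, which is what makes it pass BSP R5406.
FIXED = ENVELOPE_TEMPLATE % {
    "key_transport": RSA_OAEP,
    "c14n_params": ('<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" '
                    'PrefixList="soapenv wsse wsu"/>'),
}

if __name__ == "__main__":
    for name, doc in (("thread-like", THREAD_LIKE), ("fixed", FIXED)):
        print(name, lint_envelope(doc) or ["clean"])
```

Running the block prints two findings for the thread-like envelope and "clean" for the fixed one. The linter only reports what the message literally contains; it does not verify the signature or decrypt anything, so it is safe to run over captured traffic when deciding whether to change the peer's signing configuration or, as a last resort, to enable allowRSA15KeyTransportAlgorithm on the receiving side.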
