Hi Colm, hi Andrei,

With the fix, the Enc-Element in the response message now contains
KeyIdentifier data.
Thanks.

Best regards
Kai



2014-05-19 12:42 GMT+02:00 Colm O hEigeartaigh <[email protected]>:

> There is some inconsistency in how CXF handles token referencing between
> the initiator + recipient sides for X.509 tokens, which I've since fixed.
>
> Colm.
>
>
> On Fri, May 16, 2014 at 1:07 PM, Kai Rommel <[email protected]> wrote:
>
> > Hi Colm,
> > I set up a scenario and was wondering about the KeyInfo elements.
> >
> >
> > Policy P1 for WS-Consumer and WS-Provider
> >
> > CXF ---sends requestA ----> CXF
> >     <--- sends responseB---
> >
> > Policy is
> > <p:policies enabled="true" xmlns:p="http://cxf.apache.org/policy">
> > <wsp:Policy wsu:Id="AsymmetricII"
> > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> > xmlns:wsp="http://www.w3.org/ns/ws-policy">
> > <wsp:ExactlyOne>
> > <wsp:All>
> > <sp:AsymmetricBinding
> > xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> > <wsp:Policy>
> > <sp:InitiatorToken>
> > <wsp:Policy>
> > <sp:X509Token
> > sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> > <wsp:Policy>
> > <sp:WssX509V3Token10 />
> > </wsp:Policy>
> > </sp:X509Token>
> > </wsp:Policy>
> > </sp:InitiatorToken>
> > <sp:RecipientToken>
> > <wsp:Policy>
> > <sp:X509Token
> > sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> > <wsp:Policy>
> > <sp:WssX509V3Token10 />
> > </wsp:Policy>
> > </sp:X509Token>
> > </wsp:Policy>
> > </sp:RecipientToken>
> > <sp:Layout>
> > <wsp:Policy>
> > <sp:Strict />
> > </wsp:Policy>
> > </sp:Layout>
> > <sp:IncludeTimestamp />
> > <sp:OnlySignEntireHeadersAndBody />
> > <sp:AlgorithmSuite>
> > <wsp:Policy>
> > <sp:TripleDesRsa15 />
> > </wsp:Policy>
> > </sp:AlgorithmSuite>
> > </wsp:Policy>
> > </sp:AsymmetricBinding>
> > <sp:Wss10
> > xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> > <wsp:Policy>
> > <sp:MustSupportRefKeyIdentifier />
> > <sp:MustSupportRefIssuerSerial />
> > </wsp:Policy>
> > </sp:Wss10>
> > <sp:SignedParts
> > xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> > <sp:Body />
> > <sp:Header Name="Timestamp"
> > Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> > />
> > </sp:SignedParts>
> > <sp:EncryptedParts
> > xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> > <sp:Body />
> > </sp:EncryptedParts>
> > </wsp:All>
> > </wsp:ExactlyOne>
> > </wsp:Policy>
> > </p:policies>
> >
> > When I take a closer look at the messages, they look like this:
> >
> >
> >  A:
> >  Enc-Element: KeyInfo/SecurityTokenReference/KeyIdentifier
> >  Sig-Element:  KeyInfo/SecurityTokenReference/Reference
> >
> >  B:
> >  Enc-Element:  KeyInfo/SecurityTokenReference/X509Data
> >  Sig-Element:   KeyInfo/SecurityTokenReference/KeyIdentifier
> >
> >
> > Is there any reason that the request message contains the KeyIdentifier in
> > the encryption part and the response message the X509Data element?
> >
> > I am using CXF version 2.7.10
> >
> > Best regards
> > Kai
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
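
The reference styles compared in this thread can be read straight from a message's wsse:Security header. The Python below is an added example, not code from the thread or from CXF; the sample headers are constructed to match the shapes reported for messages A and B, and the helper names (`reference_types`, `_header`) are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

def reference_types(security_xml):
    """Return {'Enc': [...], 'Sig': [...]}: the local name of the first child
    of KeyInfo/SecurityTokenReference under each EncryptedKey / Signature."""
    root = ET.fromstring(security_xml)
    found = {"Enc": [], "Sig": []}
    for label, path in (("Enc", "xenc:EncryptedKey"), ("Sig", "ds:Signature")):
        for parent in root.iterfind(f".//{path}", NS):
            ref = parent.find("ds:KeyInfo/wsse:SecurityTokenReference", NS)
            # A missing or empty reference is reported as None, not skipped.
            has_child = ref is not None and len(ref) > 0
            found[label].append(ref[0].tag.split("}", 1)[-1] if has_child else None)
    return found

def _header(enc_ref, sig_ref):
    """Constructed, trimmed wsse:Security header (not a captured CXF message)."""
    decl = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
    wrap = ("<ds:KeyInfo><wsse:SecurityTokenReference>{}"
            "</wsse:SecurityTokenReference></ds:KeyInfo>")
    return (f"<wsse:Security {decl}>"
            f"<xenc:EncryptedKey>{wrap.format(enc_ref)}</xenc:EncryptedKey>"
            f"<ds:Signature>{wrap.format(sig_ref)}</ds:Signature>"
            "</wsse:Security>")

# Constructed reference fragments; values are placeholders.
KEY_ID = "<wsse:KeyIdentifier>c2FtcGxl</wsse:KeyIdentifier>"
DIRECT = '<wsse:Reference URI="#X509-constructed"/>'
ISSUER = ("<ds:X509Data><ds:X509IssuerSerial>"
          "<ds:X509IssuerName>CN=Constructed CA</ds:X509IssuerName>"
          "<ds:X509SerialNumber>1</ds:X509SerialNumber>"
          "</ds:X509IssuerSerial></ds:X509Data>")

REQUEST_A = _header(KEY_ID, DIRECT)    # shape reported for message A
RESPONSE_B = _header(ISSUER, KEY_ID)   # shape reported for B before the fix

if __name__ == "__main__":
    for name, msg in (("A", REQUEST_A), ("B", RESPONSE_B)):
        print(name, reference_types(msg))
```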
