Yes it does.

For simplicity, I have pasted the whole response below.

--cut
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1" u:Id="_6">http://tempuri.org/IServiceCustomer/GetContractsByCustomerIDResponse</a:Action>
    <a:RelatesTo u:Id="_7">urn:uuid:9f796ce4-4151-4720-9911-6f533112b4fa</a:RelatesTo>
    <o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
      <u:Timestamp u:Id="uuid-eb38523b-3459-439a-8576-47af2ed4b522-470">
        <u:Created>2016-10-26T15:32:20.723Z</u:Created>
        <u:Expires>2016-10-26T15:37:20.723Z</u:Expires>
      </u:Timestamp>
      <c:DerivedKeyToken xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc" u:Id="_0">
        <o:SecurityTokenReference xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
          <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">/vaenfbIzpR6zUN7nL+LjSc6jeY=</o:KeyIdentifier>
        </o:SecurityTokenReference>
        <c:Offset>0</c:Offset>
        <c:Length>16</c:Length>
        <c:Nonce>nwdUEQxC0ErM+Ksf07uXjg==</c:Nonce>
      </c:DerivedKeyToken>
      <c:DerivedKeyToken xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc" u:Id="_3">
        <o:SecurityTokenReference xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
          <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">/vaenfbIzpR6zUN7nL+LjSc6jeY=</o:KeyIdentifier>
        </o:SecurityTokenReference>
        <c:Offset>0</c:Offset>
        <c:Length>16</c:Length>
        <c:Nonce>Xu4KRD3co7K0Y9JpAXdBFA==</c:Nonce>
      </c:DerivedKeyToken>
      <e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">
        <e:DataReference URI="#_5"/>
      </e:ReferenceList>
      <k:SignatureConfirmation xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" u:Id="_1" Value="nFxAQYQAA1DzkfjPLsnLlqJjYmE="/>
      <k:SignatureConfirmation xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" u:Id="_2" Value="xT8BJzHchJQ7oDTyeOtKhG9GCmiMB+MbUrXgc2fAJvrHZ9pDSf/dvT/SYZfd11N5HWIdDwrcKA42Qt5QF/XpFrL2Y1GOd1bJdfflNX+AjFVqDvtl1rlbaPIR4ucxj1nmqn+YkcFQoupw0Za7VEk169Foo4HQd+49f5HiK7xS44Xp1nj8sNNkYPXfmq/4FyG9ihat7Auho6OfQPVD+lKV0O/ZAQhiou80afmxTXZGwD0cNSyhuzNV8i53AIJx6+E8pvx0fxqYAzalbDJ4xVXhsOa0n86OSGqB9gLr4TzdQl4DTV+HgCu/OHfXPm6GzNHfAtU+w040h9cL9QO59flMsA=="/>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
          <Reference URI="#_4">
            <Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>a4dYMJM7glapET2aPCKJJ4NGnR8=</DigestValue>
          </Reference>
          <Reference URI="#_6">
            <Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>rAxMEQpS8qPAFIurOtChX3ass68=</DigestValue>
          </Reference>
          <Reference URI="#_7">
            <Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>IzophB2+Qc8xSA2CKkPGKPR3M2I=</DigestValue>
          </Reference>
          <Reference URI="#uuid-eb38523b-3459-439a-8576-47af2ed4b522-470">
            <Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>sgl2yTvuUtX7/iciMd4dDL/VBfI=</DigestValue>
          </Reference>
          <Reference URI="#_1">
            <Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>XxnP8jkVV7mtOJFBv99oltRAMB4=</DigestValue>
          </Reference>
          <Reference URI="#_2">
            <Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>F6TMlU1+cOlyQtdwiw+fIgAJ3PE=</DigestValue>
          </Reference>
        </SignedInfo>
<SignatureValue>neRfuTWOFEYVTmK+fkHHyy1KzS4=</SignatureValue>
        <KeyInfo>
          <o:SecurityTokenReference>
            <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#_0"/>
          </o:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </o:Security>
  </s:Header>
  <s:Body u:Id="_4">
    <e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#" Id="_5" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#_3"/>
        </o:SecurityTokenReference>
      </KeyInfo>
      <e:CipherData>
<e:CipherValue>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</e:CipherValue>
      </e:CipherData>
    </e:EncryptedData>
  </s:Body>
</s:Envelope>
--cut

Am 26.10.2016 um 17:30 schrieb Colm O hEigeartaigh:
The error message seems to refer to the derived key length. Does the
message contain a security header with a Signature and derived keys?

Colm.

On Wed, Oct 26, 2016 at 4:22 PM, Martin Fernau <[email protected]>
wrote:

Hi,

I have a WSDL with the following partial content:

--cut
<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <wsp:Policy>
       <sp:TransportToken>
          <wsp:Policy>
             <sp:HttpsToken RequireClientCertificate="false"/>
          </wsp:Policy>
       </sp:TransportToken>
       <sp:AlgorithmSuite>
          <wsp:Policy>
             <sp:Basic256/>
          </wsp:Policy>
       </sp:AlgorithmSuite>
       <sp:Layout>
          <wsp:Policy>
             <sp:Strict/>
          </wsp:Policy>
       </sp:Layout>
       <sp:IncludeTimestamp/>
    </wsp:Policy>
</sp:TransportBinding>
--cut

When I call this service, the response from the server is rejected by CXF:

--cut
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These
policy alternatives can not be satisfied:
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}AlgorithmSuite: The
signature derived key length does not match the requirement
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}Basic256
     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:161)
     at com.sun.proxy.$Proxy51.getContractsByCustomerID(Unknown Source)
     at de.dmsserver.plugin.ford.test.fhdsales.TestComm.testGetContractsByCustomerID(TestComm.java:135)
     at de.dmsserver.plugin.ford.test.fhdsales.TestComm.main(TestComm.java:128)
--cut

If I change "<sp:Basic256/>" above to "<sp:Basic128/>", the message is
accepted.
Is this a problem with the remote service or with CXF?

As far as I know, TransportBinding applies to the connection, which is SSL-encrypted.
If I check the SSL certificate with "openssl s_client -showcerts -connect
[server]:443" I get:

--cut
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify return:1
depth=0 C = XX, ST = XX, L = XX, O = XX, CN = XX
verify return:1
---
Certificate chain
  0 s:/C=XX/ST=XX/L=XX/O=XX/CN=XX
    i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
  1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
    i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=XX/ST=XX/L=XX/O=XX/CN=XX
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
---
No client certificate CA names sent
---
SSL handshake has read 3072 bytes and written 471 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : ECDHE-RSA-AES256-SHA384
     Session-ID: CD4B00002CD328917F89C4AF9010C5
145C745FD134466567345539C6AA1BE676
     Session-ID-ctx:
     Master-Key: 11B433DDEF0B003A6F261390EA6D50
F1D881A9ADA2A40ABD3EC99F732C1132CD70CB17E19C4E6645B94CA25ACE798591
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     Start Time: 1477495032
     Timeout   : 300 (sec)
     Verify return code: 0 (ok)
--cut

Thanks
Martin




--
FERNAUSOFT GmbH
Gartenstraße 42 - 37269 Eschwege

Telefon (0 56 51) 95 99-0
Telefax (0 56 51) 95 99-90

eMail [email protected]
Internet http://www.fernausoft.de

Handelsregister Eschwege, HRB 1585
Geschäftsführer: Axel Fernau, Ulrich Fernau, Martin Fernau
Steuernummer 025 233 00041
USt-ID-Nr. DE 178 554 622
