For Basic256, the signature derived key length must be 192 bits (and 256 for encryption). However in the sample message it is just using 128 bits for both. Let's see the full security policy configuration, where is it getting the information from to secure the message? Above it's just the TransportBinding configuration.
Colm. On Wed, Oct 26, 2016 at 4:34 PM, Martin Fernau <[email protected]> wrote: > Yes it does. > > For simplicity I paste the whole response after these lines. > > --cut > <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"; xmlns:a=" > http://www.w3.org/2005/08/addressing"; xmlns:u="http://docs.oasis-ope > n.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> > <s:Header> > <a:Action s:mustUnderstand="1" u:Id="_6">http://tempuri.org/I > ServiceCustomer/GetContractsByCustomerIDResponse</a:Action> > <a:RelatesTo u:Id="_7">urn:uuid:9f796ce4-41 > 51-4720-9911-6f533112b4fa</a:RelatesTo> > <o:Security xmlns:o="http://docs.oasis-ope > n.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" > s:mustUnderstand="1"> > <u:Timestamp u:Id="uuid-eb38523b-3459-439a-8576-47af2ed4b522-470"> > <u:Created>2016-10-26T15:32:20.723Z</u:Created> > <u:Expires>2016-10-26T15:37:20.723Z</u:Expires> > </u:Timestamp> > <c:DerivedKeyToken xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc"; > u:Id="_0"> > <o:SecurityTokenReference xmlns:k="http://docs.oasis-ope > n.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" k:TokenType=" > http://docs.oasis-open.org/wss/oasis-wss-soap- > message-security-1.1#EncryptedKey"> > <o:KeyIdentifier ValueType="http://docs.oasis-o > pen.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1" > EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis- > 200401-wss-soap-message-security-1.0#Base64Binary">/vaenfbIz > pR6zUN7nL+LjSc6jeY=</o:KeyIdentifier> > </o:SecurityTokenReference> > <c:Offset>0</c:Offset> > <c:Length>16</c:Length> > <c:Nonce>nwdUEQxC0ErM+Ksf07uXjg==</c:Nonce> > </c:DerivedKeyToken> > <c:DerivedKeyToken xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc"; > u:Id="_3"> > <o:SecurityTokenReference xmlns:k="http://docs.oasis-ope > n.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" k:TokenType=" > http://docs.oasis-open.org/wss/oasis-wss-soap- > message-security-1.1#EncryptedKey"> > <o:KeyIdentifier ValueType="http://docs.oasis-o > pen.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1" > EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis- > 200401-wss-soap-message-security-1.0#Base64Binary">/vaenfbIz > pR6zUN7nL+LjSc6jeY=</o:KeyIdentifier> > </o:SecurityTokenReference> > <c:Offset>0</c:Offset> > <c:Length>16</c:Length> > <c:Nonce>Xu4KRD3co7K0Y9JpAXdBFA==</c:Nonce> > </c:DerivedKeyToken> > <e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#";> > <e:DataReference URI="#_5"/> > </e:ReferenceList> > <k:SignatureConfirmation xmlns:k="http://docs.oasis-ope > n.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" u:Id="_1" > Value="nFxAQYQAA1DzkfjPLsnLlqJjYmE="/> > <k:SignatureConfirmation xmlns:k="http://docs.oasis-ope > n.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" u:Id="_2" > Value="xT8BJzHchJQ7oDTyeOtKhG9GCmiMB+MbUrXgc2fAJvrHZ9pDSf/ > dvT/SYZfd11N5HWIdDwrcKA42Qt5QF/XpFrL2Y1GOd1bJdfflNX+AjFVqDvt > l1rlbaPIR4ucxj1nmqn+YkcFQoupw0Za7VEk169Foo4HQd+49f5HiK7xS44X > p1nj8sNNkYPXfmq/4FyG9ihat7Auho6OfQPVD+lKV0O/ZAQhiou80afmxTXZ > GwD0cNSyhuzNV8i53AIJx6+E8pvx0fxqYAzalbDJ4xVXhsOa0n86OSGqB9gL > r4TzdQl4DTV+HgCu/OHfXPm6GzNHfAtU+w040h9cL9QO59flMsA=="/> > <Signature xmlns="http://www.w3.org/2000/09/xmldsig#";> > <SignedInfo> > <CanonicalizationMethod Algorithm="http://www.w3.org/2 > 001/10/xml-exc-c14n#"/> > <SignatureMethod Algorithm="http://www.w3.org/2 > 000/09/xmldsig#hmac-sha1"/> > <Reference URI="#_4"> > <Transforms> > <Transform Algorithm="http://www.w3.org/2 > 001/10/xml-exc-c14n#"/> > </Transforms> > <DigestMethod Algorithm="http://www.w3.org/2 > 000/09/xmldsig#sha1"/> > <DigestValue>a4dYMJM7glapET2aPCKJJ4NGnR8=</DigestValue> > </Reference> > <Reference URI="#_6"> > <Transforms> > <Transform Algorithm="http://www.w3.org/2 > 001/10/xml-exc-c14n#"/> > </Transforms> > <DigestMethod Algorithm="http://www.w3.org/2 > 000/09/xmldsig#sha1"/> > <DigestValue>rAxMEQpS8qPAFIurOtChX3ass68=</DigestValue> > </Reference> > <Reference URI="#_7"> > <Transforms> > <Transform Algorithm="http://www.w3.org/2 > 001/10/xml-exc-c14n#"/> > </Transforms> > <DigestMethod Algorithm="http://www.w3.org/2 > 000/09/xmldsig#sha1"/> > <DigestValue>IzophB2+Qc8xSA2CKkPGKPR3M2I=</DigestValue> > </Reference> > <Reference URI="#uuid-eb38523b-3459-439a-8576-47af2ed4b522-470"> > <Transforms> > <Transform Algorithm="http://www.w3.org/2 > 001/10/xml-exc-c14n#"/> > </Transforms> > <DigestMethod Algorithm="http://www.w3.org/2 > 000/09/xmldsig#sha1"/> > <DigestValue>sgl2yTvuUtX7/iciMd4dDL/VBfI=</DigestValue> > </Reference> > <Reference URI="#_1"> > <Transforms> > <Transform Algorithm="http://www.w3.org/2 > 001/10/xml-exc-c14n#"/> > </Transforms> > <DigestMethod Algorithm="http://www.w3.org/2 > 000/09/xmldsig#sha1"/> > <DigestValue>XxnP8jkVV7mtOJFBv99oltRAMB4=</DigestValue> > </Reference> > <Reference URI="#_2"> > <Transforms> > <Transform Algorithm="http://www.w3.org/2 > 001/10/xml-exc-c14n#"/> > </Transforms> > <DigestMethod Algorithm="http://www.w3.org/2 > 000/09/xmldsig#sha1"/> > <DigestValue>F6TMlU1+cOlyQtdwiw+fIgAJ3PE=</DigestValue> > </Reference> > </SignedInfo> > <SignatureValue>neRfuTWOFEYVTmK+fkHHyy1KzS4=</SignatureValue> > <KeyInfo> > <o:SecurityTokenReference> > <o:Reference ValueType="http://schemas.xmls > oap.org/ws/2005/02/sc/dk" URI="#_0"/> > </o:SecurityTokenReference> > </KeyInfo> > </Signature> > </o:Security> > </s:Header> > <s:Body u:Id="_4"> > <e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#"; Id="_5" > Type="http://www.w3.org/2001/04/xmlenc#Content";> > <e:EncryptionMethod Algorithm="http://www.w3.org/2 > 001/04/xmlenc#aes128-cbc"/> > <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#";> > <o:SecurityTokenReference xmlns:o="http://docs.oasis-ope > n.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> > <o:Reference ValueType="http://schemas.xmls > oap.org/ws/2005/02/sc/dk" URI="#_3"/> > </o:SecurityTokenReference> > </KeyInfo> > <e:CipherData> > <e:CipherValue>Q5Ll1pdTDB6OnZTKyFfmcQsAZSpyTL19skP8lz3DfNRbC > iuHjV6e5ZnN8L5hnHfksrQL94xnhSUIk9FFVwM+u3MJct8iFRadB9d87o/7y > sTlQDolAtUUnKNmeq4eiJ4IbDnHZg7hKwO0PMgrCRa2an2qd70vljFS0sYUM > V/GKQ+fvF7tNaoheFvvmr0hGeXVnR9qLk1u/B7agv5P4m0S9vXTSUvBVvayI > p4BwHRUmIl/aoAhhj+i3bzVaAp5RvIMcGwAqNMMIoi/99jqRTNw+4GLEB8Ol > xGJz4wzKhLPXh5tQkYpwWpGK4lW4nlA3FQhQCOibeTe3PSy2473Z0fzWrf9o > dBSZjjgCgUdKF3X5mCleb+oiNnHetbkTwWbzdKmWep1buhRZhEwkB1F9Icrq > B4/BaLgxTbO3tNmdgwKqH2rZfMo69G1rBZYoGjTLj1DIz2BdQDYTwLkS9kVk > s/IkJwdJ50GDdhrg4yrFbmiiEZTHqoVxYUIy4qPc7S2Pyz/2eFG3L/6wuiSn > yF7jajAqR1Renr2ouWMwMHc8CX+eLEisT+z0Ba2FuagG7fPEranVAjeQK > 72MiqGPxugUn1EQyygSXn5Edso4B/TUxeSBV8RPFU7zTBaUVdFDamqehu0oo > SCdd79xMig+9loiEulj6L4PSjMvZe3oueMKZmhEv17ZZwLB1W85rjI0R7y1G > qAqrtx5fzoPN/kmk9W2AVVPIB+lCqLBeX2QAnuardVDaCQ9lDoMPLig+f9fB > HFo69tSdUE5OZwPqmKwSuQsF52L35STWoS47AHmuE59dVNbXESU+0OT3bARM > YpYdXvfUNMPRoh6uzgQ/JmlUyO1vuJOJRmVwkM9h4/or7n29z5hhg=</e:CipherValue> > </e:CipherData> > </e:EncryptedData> > </s:Body> > </s:Envelope> > --cut > > > Am 26.10.2016 um 17:30 schrieb Colm O hEigeartaigh: > >> The error message seems to be referring to derivation key length. Does the >> message contain a security header containing a Signature and derived keys? >> >> Colm. >> >> On Wed, Oct 26, 2016 at 4:22 PM, Martin Fernau < >> [email protected]> >> wrote: >> >> Hi, >>> >>> I've a wsdl with the following partial content: >>> >>> --cut >>> <sp:TransportBinding xmlns:sp="http://schemas.xmlso >>> ap.org/ws/2005/07/securitypolicy"> >>> <wsp:Policy> >>> <sp:TransportToken> >>> <wsp:Policy> >>> <sp:HttpsToken RequireClientCertificate="false"/> >>> </wsp:Policy> >>> </sp:TransportToken> >>> <sp:AlgorithmSuite> >>> <wsp:Policy> >>> <sp:Basic256/> >>> </wsp:Policy> >>> </sp:AlgorithmSuite> >>> <sp:Layout> >>> <wsp:Policy> >>> <sp:Strict/> >>> </wsp:Policy> >>> </sp:Layout> >>> <sp:IncludeTimestamp/> >>> </wsp:Policy> >>> </sp:TransportBinding> >>> --cut >>> >>> If I call this service the response from the server gets rejected by CXF: >>> >>> --cut >>> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These >>> policy alternatives can not be satisfied: >>> {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}AlgorithmSuite: >>> The >>> signature derived key length does not match the requirement >>> {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}Basic256 >>> at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProx >>> y.java:161) >>> at com.sun.proxy.$Proxy51.getContractsByCustomerID(Unknown Source) >>> at de.dmsserver.plugin.ford.test.fhdsales.TestComm.testGetContr >>> actsByCustomerID(TestComm.java:135) >>> at de.dmsserver.plugin.ford.test.fhdsales.TestComm.main(TestCom >>> m.java:128) >>> --cut >>> >>> If I change above "<sp:Basic256/>" to "<sp:Basic128/>" the message is >>> accepted. >>> Is this a problem with the remote service or with CXF? >>> >>> AFAIK TransportBinding applies to the connection which is SSL encrypted. >>> If I check the SSL Certificate with "openssl s_client -showcerts -connect >>> [server]:443" I get: >>> >>> --cut >>> CONNECTED(00000003) >>> depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root >>> CA >>> verify return:1 >>> depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization >>> Validation CA - SHA256 - G2 >>> verify return:1 >>> depth=0 C = XX, ST = XX, L = XX, O = XX, CN = XX >>> verify return:1 >>> --- >>> Certificate chain >>> 0 s:/C=XX/ST=XX/L=XX/O=XX/CN=XX >>> i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - >>> SHA256 - G2 >>> -----BEGIN CERTIFICATE----- >>> [...] >>> -----END CERTIFICATE----- >>> 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - >>> SHA256 - G2 >>> i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA >>> -----BEGIN CERTIFICATE----- >>> [...] >>> -----END CERTIFICATE----- >>> --- >>> Server certificate >>> subject=/C=XX/ST=XX/L=XX/O=XX/CN=XX >>> issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA >>> - >>> SHA256 - G2 >>> --- >>> No client certificate CA names sent >>> --- >>> SSL handshake has read 3072 bytes and written 471 bytes >>> --- >>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384 >>> Server public key is 2048 bit >>> Secure Renegotiation IS supported >>> Compression: NONE >>> Expansion: NONE >>> SSL-Session: >>> Protocol : TLSv1.2 >>> Cipher : ECDHE-RSA-AES256-SHA384 >>> Session-ID: CD4B00002CD328917F89C4AF9010C5 >>> 145C745FD134466567345539C6AA1BE676 >>> Session-ID-ctx: >>> Master-Key: 11B433DDEF0B003A6F261390EA6D50 >>> F1D881A9ADA2A40ABD3EC99F732C1132CD70CB17E19C4E6645B94CA25ACE798591 >>> Key-Arg : None >>> PSK identity: None >>> PSK identity hint: None >>> SRP username: None >>> Start Time: 1477495032 >>> Timeout : 300 (sec) >>> Verify return code: 0 (ok) >>> --cut >>> >>> Thanks >>> Martin >>> >>> >> >> > -- > FERNAUSOFT GmbH > Gartenstraße 42 - 37269 Eschwege > > Telefon (0 56 51) 95 99-0 > Telefax (0 56 51) 95 99-90 > > eMail [email protected] > Internet http://www.fernausoft.de > > Handelsregister Eschwege, HRB 1585 > Geschäftsführer: Axel Fernau, Ulrich Fernau, Martin Fernau > Steuernummer 025 233 00041 > USt-ID-Nr. DE 178 554 622 > > > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
