Sure, but the WSDL is somewhat complex.
For that reason I truncated the WSDL to the related parts:
--cut
<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions name="ServiceCustomer"
targetNamespace="http://tempuri.org/"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
xmlns:tns="http://tempuri.org/"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy"
xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsa10="http://www.w3.org/2005/08/addressing"
xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata">
<!-- Binding-level policy. Note that ONE wsp:All alternative carries both a
     SymmetricBinding (message-level signature/encryption, Basic128Rsa15) and a
     TransportBinding (HTTPS, Basic256). Every assertion inside a wsp:All must be
     satisfied at the same time, so a consumer that validates the received
     message against both AlgorithmSuites sees a contradiction: the 128-bit
     derived keys and AES-128-CBC the server actually emits satisfy Basic128
     but not Basic256, which is exactly the fault CXF raises further down. -->
<wsp:Policy wsu:Id="CustomBinding_IServiceCustomer_policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:SymmetricBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:ProtectionToken>
<wsp:Policy>
<!-- Protection token = the SERVICE certificate. It is never sent in the
     message (IncludeToken/Never); the client must hold it out of band and
     reference it by thumbprint. A symmetric key encrypted to this certificate
     protects the exchange, with per-message derived keys (RequireDerivedKeys). -->
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:RequireDerivedKeys/>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:ProtectionToken>
<!-- Basic128Rsa15: AES-128, SHA-1 digests / HMAC-SHA1, and RSA PKCS#1 v1.5
     key transport. RSA v1.5 key transport in XML Encryption is exposed to
     Bleichenbacher-style padding-oracle attacks (Jager et al., 2012); the
     RSA-OAEP suites (Basic128 / Basic256 without the Rsa15 suffix) are the
     recommended choice if the service side can be changed. This suite also
     fixes the derived-key length at 128 bits, which is what the response
     later in this thread carries (DerivedKeyToken Length 16). -->
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128Rsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<!-- Strict layout, a signed Timestamp and signing only entire headers/body
     limit replay and XML signature-wrapping exposure; the receiver still has
     to enforce the Timestamp window and make sure the elements it acts on are
     the signed ones. -->
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:SymmetricBinding>
<!-- Client authentication: the CLIENT's X.509 token is sent with every
     request (AlwaysToRecipient) and endorses (signs) the primary signature.
     Because the HTTPS token below has RequireClientCertificate="false", this
     endorsing token is the only proof of client identity. -->
<sp:EndorsingSupportingTokens
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<!-- WSS 1.1 features: thumbprint and EncryptedKey (SHA-1) references, and
     SignatureConfirmation, i.e. the response echoes the request's signature
     values, which ties each response to the request it answers. -->
<sp:Wss11
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefThumbprint/>
<sp:MustSupportRefEncryptedKey/>
<sp:RequireSignatureConfirmation/>
</wsp:Policy>
</sp:Wss11>
<sp:Trust10
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust10>
<!-- TransportBinding: HTTPS with server-only TLS authentication. Its
     AlgorithmSuite (Basic256) is the assertion CXF reports as unsatisfied;
     the derived keys in the response are 128-bit, i.e. Basic128-sized. -->
<sp:TransportBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken
RequireClientCertificate="false"/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:TransportBinding>
<wsaw:UsingAddressing/>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<!-- Per-operation input policy: the Body and all WS-Addressing headers are
     signed, only the Body is encrypted. The addressing headers are therefore
     integrity-protected but readable to anything that sees the SOAP message
     (inside TLS on the wire, in the clear in logs or intermediaries). -->
<wsp:Policy
wsu:Id="CustomBinding_IServiceCustomer_GetContractsByCustomerID_Input_policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
<sp:Header Name="To"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="From"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="FaultTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="ReplyTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="MessageID"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="RelatesTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="Action"
Namespace="http://www.w3.org/2005/08/addressing"/>
</sp:SignedParts>
<sp:EncryptedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:EncryptedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
[... several Policy-Types more ...]
<wsdl:types>
[...]
</wsdl:types>
<wsdl:message
name="IServiceCustomer_GetContractsByCustomerID_InputMessage">
<wsdl:part name="parameters"
element="tns:GetContractsByCustomerID"/>
</wsdl:message>
<wsdl:message
name="IServiceCustomer_GetContractsByCustomerID_OutputMessage">
<wsdl:part name="parameters"
element="tns:GetContractsByCustomerIDResponse"/>
</wsdl:message>
[... several Message-Types more ...]
<wsdl:portType name="IServiceCustomer">
<wsdl:operation name="GetContractsByCustomerID">
<wsdl:input
wsaw:Action="http://tempuri.org/IServiceCustomer/GetContractsByCustomerID"
message="tns:IServiceCustomer_GetContractsByCustomerID_InputMessage"/>
<wsdl:output
wsaw:Action="http://tempuri.org/IServiceCustomer/GetContractsByCustomerIDResponse"
message="tns:IServiceCustomer_GetContractsByCustomerID_OutputMessage"/>
</wsdl:operation>
[...]
</wsdl:portType>
<wsdl:binding name="CustomBinding_IServiceCustomer"
type="tns:IServiceCustomer">
<wsp:PolicyReference URI="#CustomBinding_IServiceCustomer_policy"/>
<soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
<wsdl:operation name="GetContractsByCustomerID">
<soap:operation
soapAction="http://tempuri.org/IServiceCustomer/GetContractsByCustomerID"
style="document"/>
<wsdl:input>
<wsp:PolicyReference
URI="#CustomBinding_IServiceCustomer_GetContractsByCustomerID_Input_policy"/>
<soap:body use="literal"/>
</wsdl:input>
<wsdl:output>
<!-- NOTE(review): this reference ends in "_output_policy" (lower case)
     while the input one ends in "_Input_policy". wsu:Id lookup is case
     sensitive, so the output policy (not shown in this excerpt) must use
     exactly this spelling or the response will have no effective policy. -->
<wsp:PolicyReference
URI="#CustomBinding_IServiceCustomer_GetContractsByCustomerID_output_policy"/>
<soap:body use="literal"/>
</wsdl:output>
</wsdl:operation>
[...]
</wsdl:binding>
<wsdl:service name="ServiceCustomer">
<wsdl:port name="CustomBinding_IServiceCustomer"
binding="tns:CustomBinding_IServiceCustomer">
<soap:address
location="[...]"/>
<wsa10:EndpointReference>
<wsa10:Address>[...]</wsa10:Address>
<!-- Endpoint identity is advertised as DNS "localhost". WCF clients compare
     this claim with the server certificate's subject/SAN; against a public
     host presenting a GlobalSign-issued certificate it cannot match, so such
     clients must override the identity, or the WSDL should be published
     with the real host name. Whether CXF evaluates this element at all is
     not shown here; verify before relying on it as a security control. -->
<Identity
xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
<Dns>localhost</Dns>
</Identity>
</wsa10:EndpointReference>
</wsdl:port>
</wsdl:service>
</wsdl:definitions>
--cut
Am 26.10.2016 um 17:48 schrieb Colm O hEigeartaigh:
For Basic256, the signature derived key length must be 192 bits (and 256
for encryption). However in the sample message it is just using 128 bits
for both. Let's see the full security policy configuration, where is it
getting the information from to secure the message? Above it's just the
TransportBinding configuration.
Colm.
On Wed, Oct 26, 2016 at 4:34 PM, Martin Fernau <[email protected]>
wrote:
Yes it does.
For simplicity I paste the whole response after these lines.
--cut
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="
http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-ope
n.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1" u:Id="_6">http://tempuri.org/I
ServiceCustomer/GetContractsByCustomerIDResponse</a:Action>
<a:RelatesTo u:Id="_7">urn:uuid:9f796ce4-41
51-4720-9911-6f533112b4fa</a:RelatesTo>
<o:Security xmlns:o="http://docs.oasis-ope
n.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
s:mustUnderstand="1">
<u:Timestamp u:Id="uuid-eb38523b-3459-439a-8576-47af2ed4b522-470">
<u:Created>2016-10-26T15:32:20.723Z</u:Created>
<u:Expires>2016-10-26T15:37:20.723Z</u:Expires>
</u:Timestamp>
<!-- Two derived keys, both 16 bytes (128 bits), both derived from the same
     EncryptedKey that is referenced by its SHA-1 (EncryptedKeySHA1). The
     EncryptedKey element itself is not in this response, so it is presumably
     the one the client sent in the request. #_0 keys the HMAC signature,
     #_3 the Body encryption. 128-bit derived keys are what Basic128Rsa15
     prescribes; Basic256 would need 192 bits for the signature key and
     256 bits for encryption, which is why CXF rejects this message under
     a Basic256 policy. -->
<c:DerivedKeyToken xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc"
u:Id="_0">
<o:SecurityTokenReference xmlns:k="http://docs.oasis-ope
n.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" k:TokenType="
http://docs.oasis-open.org/wss/oasis-wss-soap-
message-security-1.1#EncryptedKey">
<o:KeyIdentifier ValueType="http://docs.oasis-o
pen.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-
200401-wss-soap-message-security-1.0#Base64Binary">/vaenfbIz
pR6zUN7nL+LjSc6jeY=</o:KeyIdentifier>
</o:SecurityTokenReference>
<c:Offset>0</c:Offset>
<c:Length>16</c:Length>
<c:Nonce>nwdUEQxC0ErM+Ksf07uXjg==</c:Nonce>
</c:DerivedKeyToken>
<c:DerivedKeyToken xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc"
u:Id="_3">
<o:SecurityTokenReference xmlns:k="http://docs.oasis-ope
n.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" k:TokenType="
http://docs.oasis-open.org/wss/oasis-wss-soap-
message-security-1.1#EncryptedKey">
<o:KeyIdentifier ValueType="http://docs.oasis-o
pen.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-
200401-wss-soap-message-security-1.0#Base64Binary">/vaenfbIz
pR6zUN7nL+LjSc6jeY=</o:KeyIdentifier>
</o:SecurityTokenReference>
<c:Offset>0</c:Offset>
<c:Length>16</c:Length>
<c:Nonce>Xu4KRD3co7K0Y9JpAXdBFA==</c:Nonce>
</c:DerivedKeyToken>
<!-- Only the Body (#_5) is encrypted; the algorithm is declared on the
     EncryptedData element in the Body (aes128-cbc). CBC without an
     authentication tag relies on the signature over the Body for integrity
     and on the receiver not leaking padding/decoding errors; keep the
     signature check before any decryption-dependent behaviour. -->
<e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:DataReference URI="#_5"/>
</e:ReferenceList>
<!-- Two SignatureConfirmation values, so the request carried two signatures:
     a 20-byte value (the HMAC-SHA1 primary signature) and a 256-byte value
     (presumably the RSA-2048 endorsing signature made with the client
     certificate). Both elements are themselves covered by the response
     signature (#_1, #_2). -->
<k:SignatureConfirmation xmlns:k="http://docs.oasis-ope
n.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" u:Id="_1"
Value="nFxAQYQAA1DzkfjPLsnLlqJjYmE="/>
<k:SignatureConfirmation xmlns:k="http://docs.oasis-ope
n.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" u:Id="_2"
Value="xT8BJzHchJQ7oDTyeOtKhG9GCmiMB+MbUrXgc2fAJvrHZ9pDSf/
dvT/SYZfd11N5HWIdDwrcKA42Qt5QF/XpFrL2Y1GOd1bJdfflNX+AjFVqDvt
l1rlbaPIR4ucxj1nmqn+YkcFQoupw0Za7VEk169Foo4HQd+49f5HiK7xS44X
p1nj8sNNkYPXfmq/4FyG9ihat7Auho6OfQPVD+lKV0O/ZAQhiou80afmxTXZ
GwD0cNSyhuzNV8i53AIJx6+E8pvx0fxqYAzalbDJ4xVXhsOa0n86OSGqB9gL
r4TzdQl4DTV+HgCu/OHfXPm6GzNHfAtU+w040h9cL9QO59flMsA=="/>
<!-- Response signature: exclusive C14N, HMAC-SHA1 keyed with derived key #_0,
     SHA-1 digests (both algorithms are the ones the Basic128/Basic256 suites
     fix, not an implementation choice). Signed: Body (#_4), Action (#_6),
     RelatesTo (#_7), the Timestamp, and both SignatureConfirmation elements
     (#_1, #_2). All references are Id-based, so the receiver must ensure the
     element it dereferences for each Id is the one it acts on (the classic
     XML signature-wrapping concern). -->
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2
001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2
000/09/xmldsig#hmac-sha1"/>
<Reference URI="#_4">
<Transforms>
<Transform Algorithm="http://www.w3.org/2
001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2
000/09/xmldsig#sha1"/>
<DigestValue>a4dYMJM7glapET2aPCKJJ4NGnR8=</DigestValue>
</Reference>
<Reference URI="#_6">
<Transforms>
<Transform Algorithm="http://www.w3.org/2
001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2
000/09/xmldsig#sha1"/>
<DigestValue>rAxMEQpS8qPAFIurOtChX3ass68=</DigestValue>
</Reference>
<Reference URI="#_7">
<Transforms>
<Transform Algorithm="http://www.w3.org/2
001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2
000/09/xmldsig#sha1"/>
<DigestValue>IzophB2+Qc8xSA2CKkPGKPR3M2I=</DigestValue>
</Reference>
<Reference URI="#uuid-eb38523b-3459-439a-8576-47af2ed4b522-470">
<Transforms>
<Transform Algorithm="http://www.w3.org/2
001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2
000/09/xmldsig#sha1"/>
<DigestValue>sgl2yTvuUtX7/iciMd4dDL/VBfI=</DigestValue>
</Reference>
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2
001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2
000/09/xmldsig#sha1"/>
<DigestValue>XxnP8jkVV7mtOJFBv99oltRAMB4=</DigestValue>
</Reference>
<Reference URI="#_2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2
001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2
000/09/xmldsig#sha1"/>
<DigestValue>F6TMlU1+cOlyQtdwiw+fIgAJ3PE=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>neRfuTWOFEYVTmK+fkHHyy1KzS4=</SignatureValue>
<!-- The signing key is derived key #_0 (see the DerivedKeyToken above), so
     verification requires the receiver to already hold the EncryptedKey it
     was derived from. -->
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://schemas.xmls
oap.org/ws/2005/02/sc/dk" URI="#_0"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body u:Id="_4">
<e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#" Id="_5"
Type="http://www.w3.org/2001/04/xmlenc#Content">
<e:EncryptionMethod Algorithm="http://www.w3.org/2
001/04/xmlenc#aes128-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference xmlns:o="http://docs.oasis-ope
n.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference ValueType="http://schemas.xmls
oap.org/ws/2005/02/sc/dk" URI="#_3"/>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>Q5Ll1pdTDB6OnZTKyFfmcQsAZSpyTL19skP8lz3DfNRbC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72MiqGPxugUn1EQyygSXn5Edso4B/TUxeSBV8RPFU7zTBaUVdFDamqehu0oo
SCdd79xMig+9loiEulj6L4PSjMvZe3oueMKZmhEv17ZZwLB1W85rjI0R7y1G
qAqrtx5fzoPN/kmk9W2AVVPIB+lCqLBeX2QAnuardVDaCQ9lDoMPLig+f9fB
HFo69tSdUE5OZwPqmKwSuQsF52L35STWoS47AHmuE59dVNbXESU+0OT3bARM
YpYdXvfUNMPRoh6uzgQ/JmlUyO1vuJOJRmVwkM9h4/or7n29z5hhg=</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
</s:Envelope>
--cut
Am 26.10.2016 um 17:30 schrieb Colm O hEigeartaigh:
The error message seems to be referring to derivation key length. Does the
message contain a security header containing a Signature and derived keys?
Colm.
On Wed, Oct 26, 2016 at 4:22 PM, Martin Fernau <
[email protected]>
wrote:
Hi,
I've a wsdl with the following partial content:
--cut
<!-- Excerpt only: this TransportBinding is one of two binding assertions in
     the same wsp:All (the other is a SymmetricBinding with Basic128Rsa15;
     the full policy is quoted at the top of this thread).
     RequireClientCertificate="false" means TLS authenticates only the
     server; client authentication happens at the message level. -->
<sp:TransportBinding xmlns:sp="http://schemas.xmlso
ap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false"/>
</wsp:Policy>
</sp:TransportToken>
<!-- Basic256 mandates 256-bit encryption keys and 192-bit signature derived
     keys; the response actually carries 16-byte (128-bit) derived keys and
     AES-128-CBC, hence the CXF AlgorithmSuite fault quoted below. -->
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:TransportBinding>
--cut
If I call this service the response from the server gets rejected by CXF:
--cut
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These
policy alternatives can not be satisfied:
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}AlgorithmSuite:
The
signature derived key length does not match the requirement
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}Basic256
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProx
y.java:161)
at com.sun.proxy.$Proxy51.getContractsByCustomerID(Unknown Source)
at de.dmsserver.plugin.ford.test.fhdsales.TestComm.testGetContr
actsByCustomerID(TestComm.java:135)
at de.dmsserver.plugin.ford.test.fhdsales.TestComm.main(TestCom
m.java:128)
--cut
If I change the "<sp:Basic256/>" above to "<sp:Basic128/>" the message is
accepted.
Is this a problem with the remote service or with CXF?
AFAIK TransportBinding applies to the connection, which is TLS (SSL) encrypted.
[Editorial note: the fault names the binding's AlgorithmSuite assertion and the derived-key length of the message-level signature, i.e. the check is applied to the WS-Security header that was actually received (16-byte derived keys, AES-128-CBC), not to the TLS cipher. Those 128-bit keys satisfy Basic128 but not Basic256; the same wsp:All in the WSDL also carries a SymmetricBinding with Basic128Rsa15, which is the suite the server's message matches.]
If I check the TLS certificate with "openssl s_client -showcerts -connect
[server]:443" I get (note: the Session-ID and Master-Key printed below are the secrets of that one TLS session and should be redacted before a transcript is posted publicly):
--cut
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root
CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization
Validation CA - SHA256 - G2
verify return:1
depth=0 C = XX, ST = XX, L = XX, O = XX, CN = XX
verify return:1
---
Certificate chain
0 s:/C=XX/ST=XX/L=XX/O=XX/CN=XX
i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA -
SHA256 - G2
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA -
SHA256 - G2
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=XX/ST=XX/L=XX/O=XX/CN=XX
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA
-
SHA256 - G2
---
No client certificate CA names sent
---
SSL handshake has read 3072 bytes and written 471 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: CD4B00002CD328917F89C4AF9010C5
145C745FD134466567345539C6AA1BE676
Session-ID-ctx:
Master-Key: 11B433DDEF0B003A6F261390EA6D50
F1D881A9ADA2A40ABD3EC99F732C1132CD70CB17E19C4E6645B94CA25ACE798591
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1477495032
Timeout : 300 (sec)
Verify return code: 0 (ok)
--cut
Thanks
Martin
--
FERNAUSOFT GmbH
Gartenstraße 42 - 37269 Eschwege
Telefon (0 56 51) 95 99-0
Telefax (0 56 51) 95 99-90
eMail [email protected]
Internet http://www.fernausoft.de
Handelsregister Eschwege, HRB 1585
Geschäftsführer: Axel Fernau, Ulrich Fernau, Martin Fernau
Steuernummer 025 233 00041
USt-ID-Nr. DE 178 554 622