It's a little bit ambiguous. The designer of the service probably meant the
AlgorithmSuite in the SymmetricBinding to apply to the message level
security, and not the AlgorithmSuite of the TransportBinding. However, CXF
does not interpret the policies in this way, as *all* of the policies must
be valid (you are not using policy alternatives). In a nutshell, yes,
including two different AlgorithmSuite policies is a contradiction in
terms, or at least that's how CXF sees it.

Colm.

On Thu, Oct 27, 2016 at 10:12 AM, Martin Fernau <[email protected]> wrote:

> So, how can I interpret this situation? Is it a clear mistake (or
> misconfiguration) of the remote service?
>
> Although it's no problem to change the WSDL to overcome this problem (in
> this case), I dislike such an approach because we (my company) _must_ use
> their service and we need to pay for the acceptance of our client using it.
> And we have other problems with other methods (you know the topic about the
> encrypted header) where I currently can't say whether it's not another
> problem with their possible misconfiguration.
>
> Is the following correct?
> - The communication uses a symmetric key which is generated by my client
> (CXF)
> - For the key generated by me, the Basic128Rsa15 AlgorithmSuite in
> SymmetricBinding applies, which means a key of 128 bit length
> - Because the key itself is 128 bit, the derived keys can't be encrypted
> more strongly and thus are 128 bit (?)
> - For the replies this means that the keys are still 128 bit
>
> If my conclusion above is correct, and if I interpret this page [1]
> correctly (where your previous comment is confirmed that Basic256 means
> that signature needs to be 192 and encryption needs to be 256 bit), then
> Basic256 as the AlgorithmSuite in TransportBinding and Basic128Rsa15 as the
> AlgorithmSuite in SymmetricBinding must be a contradiction in terms?
>
> Thanks
> Martin
>
> [1] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826547
>
> On 26.10.2016 at 21:39, Colm O hEigeartaigh wrote:
>
>> The problem is that all of the policies must be enforced. CXF is rejecting
>> the Basic256 policy, as the signature derivation key lengths in the message
>> do not match it.
>>
>> As the TransportBinding policy is only being used here to require that TLS
>> is used, I would just omit the AlgorithmSuite altogether from the
>> TransportBinding policy and it should work.
>>
>> Colm.
>>
>> On Wed, Oct 26, 2016 at 5:39 PM, Martin Fernau <[email protected]> wrote:
>>
>>> Sure, but the WSDL is somewhat complex.
>>> For that reason I truncated the WSDL to the related parts:
>>>
>>> --cut
>>> <?xml version="1.0" encoding="utf-8"?>
>>> <wsdl:definitions name="ServiceCustomer" targetNamespace="http://tempuri.org/"
>>>      xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
>>>      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>>>      xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
>>>      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>      xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
>>>      xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
>>>      xmlns:tns="http://tempuri.org/"
>>>      xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
>>>      xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
>>>      xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy"
>>>      xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
>>>      xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract"
>>>      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>>      xmlns:wsa10="http://www.w3.org/2005/08/addressing"
>>>      xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata">
>>>      <wsp:Policy wsu:Id="CustomBinding_IServiceCustomer_policy">
>>>          <wsp:ExactlyOne>
>>>              <wsp:All>
>>>                  <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>                      <wsp:Policy>
>>>                          <sp:ProtectionToken>
>>>                              <wsp:Policy>
>>>                                  <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>>>                                      <wsp:Policy>
>>>                                          <sp:RequireDerivedKeys/>
>>>                                          <sp:RequireThumbprintReference/>
>>>                                          <sp:WssX509V3Token10/>
>>>                                      </wsp:Policy>
>>>                                  </sp:X509Token>
>>>                              </wsp:Policy>
>>>                          </sp:ProtectionToken>
>>>                          <sp:AlgorithmSuite>
>>>                              <wsp:Policy>
>>>                                  <sp:Basic128Rsa15/>
>>>                              </wsp:Policy>
>>>                          </sp:AlgorithmSuite>
>>>                          <sp:Layout>
>>>                              <wsp:Policy>
>>>                                  <sp:Strict/>
>>>                              </wsp:Policy>
>>>                          </sp:Layout>
>>>                          <sp:IncludeTimestamp/>
>>>                          <sp:OnlySignEntireHeadersAndBody/>
>>>                      </wsp:Policy>
>>>                  </sp:SymmetricBinding>
>>>                  <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>                      <wsp:Policy>
>>>                          <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>>>                              <wsp:Policy>
>>>                                  <sp:RequireThumbprintReference/>
>>>                                  <sp:WssX509V3Token10/>
>>>                              </wsp:Policy>
>>>                          </sp:X509Token>
>>>                      </wsp:Policy>
>>>                  </sp:EndorsingSupportingTokens>
>>>                  <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>                      <wsp:Policy>
>>>                          <sp:MustSupportRefThumbprint/>
>>>                          <sp:MustSupportRefEncryptedKey/>
>>>                          <sp:RequireSignatureConfirmation/>
>>>                      </wsp:Policy>
>>>                  </sp:Wss11>
>>>                  <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>                      <wsp:Policy>
>>>                          <sp:MustSupportIssuedTokens/>
>>>                          <sp:RequireClientEntropy/>
>>>                          <sp:RequireServerEntropy/>
>>>                      </wsp:Policy>
>>>                  </sp:Trust10>
>>>                  <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>                      <wsp:Policy>
>>>                          <sp:TransportToken>
>>>                              <wsp:Policy>
>>>                                  <sp:HttpsToken RequireClientCertificate="false"/>
>>>                              </wsp:Policy>
>>>                          </sp:TransportToken>
>>>                          <sp:AlgorithmSuite>
>>>                              <wsp:Policy>
>>>                                  <sp:Basic256/>
>>>                              </wsp:Policy>
>>>                          </sp:AlgorithmSuite>
>>>                          <sp:Layout>
>>>                              <wsp:Policy>
>>>                                  <sp:Strict/>
>>>                              </wsp:Policy>
>>>                          </sp:Layout>
>>>                          <sp:IncludeTimestamp/>
>>>                      </wsp:Policy>
>>>                  </sp:TransportBinding>
>>>                  <wsaw:UsingAddressing/>
>>>              </wsp:All>
>>>          </wsp:ExactlyOne>
>>>      </wsp:Policy>
>>>      <wsp:Policy wsu:Id="CustomBinding_IServiceCustomer_GetContractsByCustomerID_Input_policy">
>>>          <wsp:ExactlyOne>
>>>              <wsp:All>
>>>                  <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>                      <sp:Body/>
>>>                      <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
>>>                      <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
>>>                      <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>>>                      <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>>>                      <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
>>>                      <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>>>                      <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
>>>                  </sp:SignedParts>
>>>                  <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>                      <sp:Body/>
>>>                  </sp:EncryptedParts>
>>>              </wsp:All>
>>>          </wsp:ExactlyOne>
>>>      </wsp:Policy>
>>>      [...  several Policy-Types more ...]
>>>      <wsdl:types>
>>>      [...]
>>>      </wsdl:types>
>>>      <wsdl:message name="IServiceCustomer_GetContractsByCustomerID_InputMessage">
>>>          <wsdl:part name="parameters" element="tns:GetContractsByCustomerID"/>
>>>      </wsdl:message>
>>>      <wsdl:message name="IServiceCustomer_GetContractsByCustomerID_OutputMessage">
>>>          <wsdl:part name="parameters" element="tns:GetContractsByCustomerIDResponse"/>
>>>      </wsdl:message>
>>>      [...  several Message-Types more ...]
>>>      <wsdl:portType name="IServiceCustomer">
>>>          <wsdl:operation name="GetContractsByCustomerID">
>>>              <wsdl:input wsaw:Action="http://tempuri.org/IServiceCustomer/GetContractsByCustomerID"
>>>                  message="tns:IServiceCustomer_GetContractsByCustomerID_InputMessage"/>
>>>              <wsdl:output wsaw:Action="http://tempuri.org/IServiceCustomer/GetContractsByCustomerIDResponse"
>>>                  message="tns:IServiceCustomer_GetContractsByCustomerID_OutputMessage"/>
>>>          </wsdl:operation>
>>>          [...]
>>>      </wsdl:portType>
>>>      <wsdl:binding name="CustomBinding_IServiceCustomer" type="tns:IServiceCustomer">
>>>          <wsp:PolicyReference URI="#CustomBinding_IServiceCustomer_policy"/>
>>>          <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
>>>          <wsdl:operation name="GetContractsByCustomerID">
>>>              <soap:operation soapAction="http://tempuri.org/IServiceCustomer/GetContractsByCustomerID"
>>>                  style="document"/>
>>>              <wsdl:input>
>>>                  <wsp:PolicyReference URI="#CustomBinding_IServiceCustomer_GetContractsByCustomerID_Input_policy"/>
>>>                  <soap:body use="literal"/>
>>>              </wsdl:input>
>>>              <wsdl:output>
>>>                  <wsp:PolicyReference URI="#CustomBinding_IServiceCustomer_GetContractsByCustomerID_output_policy"/>
>>>                  <soap:body use="literal"/>
>>>              </wsdl:output>
>>>          </wsdl:operation>
>>>          [...]
>>>      </wsdl:binding>
>>>      <wsdl:service name="ServiceCustomer">
>>>          <wsdl:port name="CustomBinding_IServiceCustomer"
>>>              binding="tns:CustomBinding_IServiceCustomer">
>>>              <soap:address location="[...]"/>
>>>              <wsa10:EndpointReference>
>>>                  <wsa10:Address>[...]</wsa10:Address>
>>>                  <Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
>>>                      <Dns>localhost</Dns>
>>>                  </Identity>
>>>              </wsa10:EndpointReference>
>>>          </wsdl:port>
>>>      </wsdl:service>
>>> </wsdl:definitions>
>>> --cut
>>>
>>>
>>> On 26.10.2016 at 17:48, Colm O hEigeartaigh wrote:
>>>
>>>> For Basic256, the signature derived key length must be 192 bits (and 256
>>>> for encryption). However in the sample message it is just using 128 bits
>>>> for both. Let's see the full security policy configuration, where is it
>>>> getting the information from to secure the message? Above it's just the
>>>> TransportBinding configuration.
>>>>
>>>> Colm.
>>>>
>>>> On Wed, Oct 26, 2016 at 4:34 PM, Martin Fernau <[email protected]> wrote:
>>>>
>>>>> Yes it does.
>>>>> For simplicity I paste the whole response after these lines.
>>>>>
>>>>> --cut
>>>>> <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
>>>>>     xmlns:a="http://www.w3.org/2005/08/addressing"
>>>>>     xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>>>>>     <s:Header>
>>>>>       <a:Action s:mustUnderstand="1" u:Id="_6">http://tempuri.org/IServiceCustomer/GetContractsByCustomerIDResponse</a:Action>
>>>>>       <a:RelatesTo u:Id="_7">urn:uuid:9f796ce4-4151-4720-9911-6f533112b4fa</a:RelatesTo>
>>>>>       <o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
>>>>>         <u:Timestamp u:Id="uuid-eb38523b-3459-439a-8576-47af2ed4b522-470">
>>>>>           <u:Created>2016-10-26T15:32:20.723Z</u:Created>
>>>>>           <u:Expires>2016-10-26T15:37:20.723Z</u:Expires>
>>>>>         </u:Timestamp>
>>>>>         <c:DerivedKeyToken xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc" u:Id="_0">
>>>>>           <o:SecurityTokenReference xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
>>>>>             <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">/vaenfbIzpR6zUN7nL+LjSc6jeY=</o:KeyIdentifier>
>>>>>           </o:SecurityTokenReference>
>>>>>           <c:Offset>0</c:Offset>
>>>>>           <c:Length>16</c:Length>
>>>>>           <c:Nonce>nwdUEQxC0ErM+Ksf07uXjg==</c:Nonce>
>>>>>         </c:DerivedKeyToken>
>>>>>         <c:DerivedKeyToken xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc" u:Id="_3">
>>>>>           <o:SecurityTokenReference xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
>>>>>             <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">/vaenfbIzpR6zUN7nL+LjSc6jeY=</o:KeyIdentifier>
>>>>>           </o:SecurityTokenReference>
>>>>>           <c:Offset>0</c:Offset>
>>>>>           <c:Length>16</c:Length>
>>>>>           <c:Nonce>Xu4KRD3co7K0Y9JpAXdBFA==</c:Nonce>
>>>>>         </c:DerivedKeyToken>
>>>>>         <e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>>>>>           <e:DataReference URI="#_5"/>
>>>>>         </e:ReferenceList>
>>>>>         <k:SignatureConfirmation xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" u:Id="_1"
>>>>>             Value="nFxAQYQAA1DzkfjPLsnLlqJjYmE="/>
>>>>>         <k:SignatureConfirmation xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" u:Id="_2"
>>>>>             Value="xT8BJzHchJQ7oDTyeOtKhG9GCmiMB+MbUrXgc2fAJvrHZ9pDSf/
>>>>> dvT/SYZfd11N5HWIdDwrcKA42Qt5QF/XpFrL2Y1GOd1bJdfflNX+AjFVqDvt
>>>>> l1rlbaPIR4ucxj1nmqn+YkcFQoupw0Za7VEk169Foo4HQd+49f5HiK7xS44X
>>>>> p1nj8sNNkYPXfmq/4FyG9ihat7Auho6OfQPVD+lKV0O/ZAQhiou80afmxTXZ
>>>>> GwD0cNSyhuzNV8i53AIJx6+E8pvx0fxqYAzalbDJ4xVXhsOa0n86OSGqB9gL
>>>>> r4TzdQl4DTV+HgCu/OHfXPm6GzNHfAtU+w040h9cL9QO59flMsA=="/>
>>>>>         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>>>>           <SignedInfo>
>>>>>             <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>>             <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
>>>>>             <Reference URI="#_4">
>>>>>               <Transforms>
>>>>>                 <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>>               </Transforms>
>>>>>               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>>>               <DigestValue>a4dYMJM7glapET2aPCKJJ4NGnR8=</DigestValue>
>>>>>             </Reference>
>>>>>             <Reference URI="#_6">
>>>>>               <Transforms>
>>>>>                 <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>>               </Transforms>
>>>>>               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>>>               <DigestValue>rAxMEQpS8qPAFIurOtChX3ass68=</DigestValue>
>>>>>             </Reference>
>>>>>             <Reference URI="#_7">
>>>>>               <Transforms>
>>>>>                 <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>>               </Transforms>
>>>>>               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>>>               <DigestValue>IzophB2+Qc8xSA2CKkPGKPR3M2I=</DigestValue>
>>>>>             </Reference>
>>>>>             <Reference URI="#uuid-eb38523b-3459-439a-8576-47af2ed4b522-470">
>>>>>               <Transforms>
>>>>>                 <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>>               </Transforms>
>>>>>               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>>>               <DigestValue>sgl2yTvuUtX7/iciMd4dDL/VBfI=</DigestValue>
>>>>>             </Reference>
>>>>>             <Reference URI="#_1">
>>>>>               <Transforms>
>>>>>                 <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>>               </Transforms>
>>>>>               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>>>               <DigestValue>XxnP8jkVV7mtOJFBv99oltRAMB4=</DigestValue>
>>>>>             </Reference>
>>>>>             <Reference URI="#_2">
>>>>>               <Transforms>
>>>>>                 <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>>               </Transforms>
>>>>>               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>>>               <DigestValue>F6TMlU1+cOlyQtdwiw+fIgAJ3PE=</DigestValue>
>>>>>             </Reference>
>>>>>           </SignedInfo>
>>>>>           <SignatureValue>neRfuTWOFEYVTmK+fkHHyy1KzS4=</SignatureValue>
>>>>>           <KeyInfo>
>>>>>             <o:SecurityTokenReference>
>>>>>               <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#_0"/>
>>>>>             </o:SecurityTokenReference>
>>>>>           </KeyInfo>
>>>>>         </Signature>
>>>>>       </o:Security>
>>>>>     </s:Header>
>>>>>     <s:Body u:Id="_4">
>>>>>       <e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#" Id="_5"
>>>>>           Type="http://www.w3.org/2001/04/xmlenc#Content">
>>>>>         <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
>>>>>         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>>>>>           <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>>>>             <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#_3"/>
>>>>>           </o:SecurityTokenReference>
>>>>>         </KeyInfo>
>>>>>         <e:CipherData>
>>>>>           <e:CipherValue>Q5Ll1pdTDB6OnZTKyFfmcQsAZSpyTL19skP8lz3DfNRbC
>>>>> iuHjV6e5ZnN8L5hnHfksrQL94xnhSUIk9FFVwM+u3MJct8iFRadB9d87o/7y
>>>>> sTlQDolAtUUnKNmeq4eiJ4IbDnHZg7hKwO0PMgrCRa2an2qd70vljFS0sYUM
>>>>> V/GKQ+fvF7tNaoheFvvmr0hGeXVnR9qLk1u/B7agv5P4m0S9vXTSUvBVvayI
>>>>> p4BwHRUmIl/aoAhhj+i3bzVaAp5RvIMcGwAqNMMIoi/99jqRTNw+4GLEB8Ol
>>>>> xGJz4wzKhLPXh5tQkYpwWpGK4lW4nlA3FQhQCOibeTe3PSy2473Z0fzWrf9o
>>>>> dBSZjjgCgUdKF3X5mCleb+oiNnHetbkTwWbzdKmWep1buhRZhEwkB1F9Icrq
>>>>> B4/BaLgxTbO3tNmdgwKqH2rZfMo69G1rBZYoGjTLj1DIz2BdQDYTwLkS9kVk
>>>>> s/IkJwdJ50GDdhrg4yrFbmiiEZTHqoVxYUIy4qPc7S2Pyz/2eFG3L/6wuiSn
>>>>> yF7jajAqR1Renr2ouWMwMHc8CX+eLEisT+z0Ba2FuagG7fPEranVAjeQK
>>>>> 72MiqGPxugUn1EQyygSXn5Edso4B/TUxeSBV8RPFU7zTBaUVdFDamqehu0oo
>>>>> SCdd79xMig+9loiEulj6L4PSjMvZe3oueMKZmhEv17ZZwLB1W85rjI0R7y1G
>>>>> qAqrtx5fzoPN/kmk9W2AVVPIB+lCqLBeX2QAnuardVDaCQ9lDoMPLig+f9fB
>>>>> HFo69tSdUE5OZwPqmKwSuQsF52L35STWoS47AHmuE59dVNbXESU+0OT3bARM
>>>>> YpYdXvfUNMPRoh6uzgQ/JmlUyO1vuJOJRmVwkM9h4/or7n29z5hhg=</e:CipherValue>
>>>>>         </e:CipherData>
>>>>>       </e:EncryptedData>
>>>>>     </s:Body>
>>>>> </s:Envelope>
>>>>> --cut
>>>>>
>>>>>
>>>>> On 26.10.2016 at 17:30, Colm O hEigeartaigh wrote:
>>>>>
>>>>>> The error message seems to be referring to derivation key length. Does the
>>>>>> message contain a security header containing a Signature and derived
>>>>>> keys?
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Wed, Oct 26, 2016 at 4:22 PM, Martin Fernau <[email protected]> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I've a wsdl with the following partial content:
>>>>>>>
>>>>>>> --cut
>>>>>>> <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>>>>>       <wsp:Policy>
>>>>>>>          <sp:TransportToken>
>>>>>>>             <wsp:Policy>
>>>>>>>                <sp:HttpsToken RequireClientCertificate="false"/>
>>>>>>>             </wsp:Policy>
>>>>>>>          </sp:TransportToken>
>>>>>>>          <sp:AlgorithmSuite>
>>>>>>>             <wsp:Policy>
>>>>>>>                <sp:Basic256/>
>>>>>>>             </wsp:Policy>
>>>>>>>          </sp:AlgorithmSuite>
>>>>>>>          <sp:Layout>
>>>>>>>             <wsp:Policy>
>>>>>>>                <sp:Strict/>
>>>>>>>             </wsp:Policy>
>>>>>>>          </sp:Layout>
>>>>>>>          <sp:IncludeTimestamp/>
>>>>>>>       </wsp:Policy>
>>>>>>> </sp:TransportBinding>
>>>>>>> --cut
>>>>>>>
>>>>>>> If I call this service the response from the server gets rejected by CXF:
>>>>>>>
>>>>>>> --cut
>>>>>>> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These
>>>>>>> policy alternatives can not be satisfied:
>>>>>>> {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}AlgorithmSuite: The
>>>>>>> signature derived key length does not match the requirement
>>>>>>> {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}Basic256
>>>>>>>        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:161)
>>>>>>>        at com.sun.proxy.$Proxy51.getContractsByCustomerID(Unknown Source)
>>>>>>>        at de.dmsserver.plugin.ford.test.fhdsales.TestComm.testGetContractsByCustomerID(TestComm.java:135)
>>>>>>>        at de.dmsserver.plugin.ford.test.fhdsales.TestComm.main(TestComm.java:128)
>>>>>>> --cut
>>>>>>>
>>>>>>> If I change the above "<sp:Basic256/>" to "<sp:Basic128/>" the message is
>>>>>>> accepted.
>>>>>>> Is this a problem with the remote service or with CXF?
>>>>>>>
>>>>>>> AFAIK TransportBinding applies to the connection which is SSL encrypted.
>>>>>>> If I check the SSL certificate with "openssl s_client -showcerts -connect
>>>>>>> [server]:443" I get:
>>>>>>>
>>>>>>> --cut
>>>>>>> CONNECTED(00000003)
>>>>>>> depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
>>>>>>> verify return:1
>>>>>>> depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
>>>>>>> verify return:1
>>>>>>> depth=0 C = XX, ST = XX, L = XX, O = XX, CN = XX
>>>>>>> verify return:1
>>>>>>> ---
>>>>>>> Certificate chain
>>>>>>>     0 s:/C=XX/ST=XX/L=XX/O=XX/CN=XX
>>>>>>>       i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
>>>>>>> -----BEGIN CERTIFICATE-----
>>>>>>> [...]
>>>>>>> -----END CERTIFICATE-----
>>>>>>>     1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
>>>>>>>       i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
>>>>>>> -----BEGIN CERTIFICATE-----
>>>>>>> [...]
>>>>>>> -----END CERTIFICATE-----
>>>>>>> ---
>>>>>>> Server certificate
>>>>>>> subject=/C=XX/ST=XX/L=XX/O=XX/CN=XX
>>>>>>> issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
>>>>>>> ---
>>>>>>> No client certificate CA names sent
>>>>>>> ---
>>>>>>> SSL handshake has read 3072 bytes and written 471 bytes
>>>>>>> ---
>>>>>>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
>>>>>>> Server public key is 2048 bit
>>>>>>> Secure Renegotiation IS supported
>>>>>>> Compression: NONE
>>>>>>> Expansion: NONE
>>>>>>> SSL-Session:
>>>>>>>        Protocol  : TLSv1.2
>>>>>>>        Cipher    : ECDHE-RSA-AES256-SHA384
>>>>>>>        Session-ID: CD4B00002CD328917F89C4AF9010C5145C745FD134466567345539C6AA1BE676
>>>>>>>        Session-ID-ctx:
>>>>>>>        Master-Key: 11B433DDEF0B003A6F261390EA6D50F1D881A9ADA2A40ABD3EC99F732C1132CD70CB17E19C4E6645B94CA25ACE798591
>>>>>>>        Key-Arg   : None
>>>>>>>        PSK identity: None
>>>>>>>        PSK identity hint: None
>>>>>>>        SRP username: None
>>>>>>>        Start Time: 1477495032
>>>>>>>        Timeout   : 300 (sec)
>>>>>>>        Verify return code: 0 (ok)
>>>>>>> --cut
>>>>>>>
>>>>>>> Thanks
>>>>>>> Martin
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> FERNAUSOFT GmbH
>>>>>>> Gartenstraße 42 - 37269 Eschwege
>>>>>>>
>>>>>>> Phone (0 56 51) 95 99-0
>>>>>>> Fax (0 56 51) 95 99-90
>>>>>>>
>>>>>>> Email [email protected]
>>>>>>> Web http://www.fernausoft.de
>>>>>>>
>>>>>>> Commercial register Eschwege, HRB 1585
>>>>>>> Managing directors: Axel Fernau, Ulrich Fernau, Martin Fernau
>>>>>>> Tax number 025 233 00041
>>>>>>> VAT ID no. DE 178 554 622
>>>>>>>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
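Added example, not code from the thread, CXF or WSS4J: a Python checker that reproduces in simplified form the two points Colm makes, that every AlgorithmSuite inside one wsp:All must hold, and that the derived key lengths in the message must match each suite's entry in the WS-SecurityPolicy 1.2 algorithm suite table. POLICY and RESPONSE are constructed, trimmed versions of the WSDL alternative and the response quoted in the thread; the function names and the exact-match comparison are this example's own assumptions, and the check resolves which DerivedKeyToken the Signature and the EncryptedData actually reference rather than taking the first token it finds.

```python
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
SC = "http://schemas.xmlsoap.org/ws/2005/02/sc"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS, XENC = "http://www.w3.org/2000/09/xmldsig#", "http://www.w3.org/2001/04/xmlenc#"

# Required (signature, encryption) derived key bits, WS-SecurityPolicy 1.2 table.
SUITE_DERIVED_KEY_BITS = {
    "Basic256": (192, 256), "Basic192": (192, 192), "Basic128": (128, 128),
    "TripleDes": (192, 192), "Basic256Rsa15": (192, 256),
    "Basic192Rsa15": (192, 192), "Basic128Rsa15": (128, 128),
    "TripleDesRsa15": (192, 192),
}

# Constructed inputs, trimmed to what the check reads: the policy alternative
# from the thread's WSDL and the key references of the rejected response.
POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}"><wsp:ExactlyOne><wsp:All>
  <sp:SymmetricBinding><wsp:Policy>
    <sp:AlgorithmSuite><wsp:Policy><sp:Basic128Rsa15/></wsp:Policy></sp:AlgorithmSuite>
  </wsp:Policy></sp:SymmetricBinding>
  <sp:TransportBinding><wsp:Policy>
    <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
  </wsp:Policy></sp:TransportBinding>
</wsp:All></wsp:ExactlyOne></wsp:Policy>"""

RESPONSE = f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:u="{WSU}" xmlns:o="{WSSE}" xmlns:c="{SC}" xmlns:e="{XENC}" xmlns="{DS}">
  <s:Header><o:Security>
    <c:DerivedKeyToken u:Id="_0"><c:Length>16</c:Length></c:DerivedKeyToken>
    <c:DerivedKeyToken u:Id="_3"><c:Length>16</c:Length></c:DerivedKeyToken>
    <Signature><KeyInfo><o:SecurityTokenReference><o:Reference ValueType="{SC}/dk" URI="#_0"/>
    </o:SecurityTokenReference></KeyInfo></Signature>
  </o:Security></s:Header>
  <s:Body><e:EncryptedData><KeyInfo><o:SecurityTokenReference><o:Reference ValueType="{SC}/dk" URI="#_3"/>
  </o:SecurityTokenReference></KeyInfo></e:EncryptedData></s:Body>
</s:Envelope>"""


def local(tag):
    """Strip the {namespace} prefix ElementTree puts on tags."""
    return tag.split("}", 1)[1]


def algorithm_suites(policy_xml):
    """[(binding, suite)] for every sp:AlgorithmSuite in the first wsp:All."""
    alternative = ET.fromstring(policy_xml).find(f".//{{{WSP}}}All")
    return [(local(binding.tag), local(suite.find(f"{{{WSP}}}Policy/*").tag))
            for binding in alternative
            for suite in binding.iter(f"{{{SP}}}AlgorithmSuite")]


def derived_key_bits_used(soap_xml):
    """(signature bits, encryption bits): follow the Signature's and the
    EncryptedData's Reference URI="#id" to the DerivedKeyToken with that
    wsu:Id. c:Length is in bytes, so 16 means a 128-bit derived key."""
    root = ET.fromstring(soap_xml)
    tokens = {t.get(f"{{{WSU}}}Id"): int(t.findtext(f"{{{SC}}}Length")) * 8
              for t in root.iter(f"{{{SC}}}DerivedKeyToken")}

    def used_by(tag):
        ref = root.find(f".//{tag}").find(f".//{{{WSSE}}}Reference")
        return tokens[ref.get("URI").lstrip("#")]

    return used_by(f"{{{DS}}}Signature"), used_by(f"{{{XENC}}}EncryptedData")


def check(policy_xml, soap_xml):
    """One (binding, suite, sig_ok, enc_ok) per AlgorithmSuite. A wsp:All is
    satisfied only if every entry is ok; the lengths must match exactly."""
    sig_bits, enc_bits = derived_key_bits_used(soap_xml)
    return [(binding, suite, sig_bits == SUITE_DERIVED_KEY_BITS[suite][0],
             enc_bits == SUITE_DERIVED_KEY_BITS[suite][1])
            for binding, suite in algorithm_suites(policy_xml)]


def conflicting_suites(policy_xml):
    """Suites in one wsp:All with different key requirements: no message can
    satisfy them all, so the policy contradicts itself before any check."""
    suites = {suite for _, suite in algorithm_suites(policy_xml)}
    return suites if len({SUITE_DERIVED_KEY_BITS[s] for s in suites}) > 1 else set()


if __name__ == "__main__":
    for verdict in check(POLICY, RESPONSE):
        print(verdict)  # e.g. ('TransportBinding', 'Basic256', False, False)
    print("contradictory suites:", conflicting_suites(POLICY))
```

Replacing the TransportBinding's Basic256 with Basic128, as Martin did, makes every verdict ok and empties the conflict set, which is the same outcome CXF reports.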
