Hello, in our application we do send messages with and without SwA attachments. Both messages use the same WSS-Policy file:
<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"; xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"; xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"; wsu:Id="testpolicy"> <wsp:ExactlyOne> <wsp:All> <sp:AsymmetricBinding> <wsp:Policy> <sp:InitiatorToken> <wsp:Policy> <sp:X509Token sp:IncludeToken=".../AlwaysToRecipient"> <wsp:Policy> <sp:WssX509V3Token10/> </wsp:Policy> </sp:X509Token> </wsp:Policy> </sp:InitiatorToken> <sp:RecipientToken> <wsp:Policy> <sp:X509Token sp:IncludeToken=".../Never"> <wsp:Policy> <sp:WssX509V3Token10/> </wsp:Policy> </sp:X509Token> </wsp:Policy> </sp:RecipientToken> <sp:Layout> <wsp:Policy> <sp:Strict/> </wsp:Policy> </sp:Layout> <sp:OnlySignEntireHeadersAndBody/> <sp:AlgorithmSuite> <wsp:Policy> <sp-cxf:Basic128GCMSha256 xmlns:sp-cxf="http://example.com/custom/security-policy"/> </wsp:Policy> </sp:AlgorithmSuite> </wsp:Policy> </sp:AsymmetricBinding> <wsp:ExactlyOne> <wsp:All> <sp:SignedParts> <sp:Body/> <sp:Header Namespace="..." Name="Messaging"/> <sp:Attachments> <sp13:ContentSignatureTransform/> </sp:Attachments> </sp:SignedParts> <sp:EncryptedParts> <sp:Attachments/> </sp:EncryptedParts> </wsp:All> </wsp:ExactlyOne> </wsp:All> </wsp:ExactlyOne> </wsp:Policy> When sending a message without attachment it looks as follows: <soap:Envelope xmlns:ds="http://www.w3.org/2000/09/xmldsig#"; xmlns:eb3="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"; xmlns:ebbp="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0"; xmlns:ebint="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/multihop/200902/"; xmlns:soap="http://www.w3.org/2003/05/soap-envelope"; xmlns:wsa="http://www.w3.org/2005/08/addressing"; xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";> <S12:Header xmlns:S12="http://www.w3.org/2003/05/soap-envelope";> <eb3:Messaging S12:mustUnderstand="true" id="_ebmessaging_N65624" wsu:Id="_59094c40-d1af-4581-8ccf-90bd947fc39c"> .... </eb3:Messaging> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; soap:mustUnderstand="true"> <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"; Id="EK-7d3d74f2-3878-4b5d-b914-9b89e82b3492"> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> <wsse:SecurityTokenReference> <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"; ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"; >wZEtT/mkif2cptFu8rKpnZQZ5c8=</wsse:KeyIdentifier> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> ---> <xenc:ReferenceList/> </xenc:EncryptedKey> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"; Id="SIG-26b580d0-a983-4747-aa66-f4e3cd368fed"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";> <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"; PrefixList="ds eb3 ebbp ebint soap wsa wsse wsu"/> </ds:CanonicalizationMethod> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> <ds:Reference URI="#N65670"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";> <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"; PrefixList="ds eb3 ebbp ebint wsa wsse"/> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue>KyTg3U5b4a+5nipkyOkETPtH6enj6NSDnANBwAic0rQ=</ds:DigestValue> </ds:Reference> <ds:Reference URI="#_59094c40-d1af-4581-8ccf-90bd947fc39c"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";> <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"; PrefixList="ds ebbp ebint soap wsa wsse"/> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue>ygkz9MsmZPkyJM65egawLXTnOB3LXyCa1Ohw2uMqVpA=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>...</ds:SignatureValue> <ds:KeyInfo Id="KI-2e2e9bcb-3027-4c38-ac35-2fa61de64858"> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; wsu:Id="STR-0d7c4659-dafb-4175-92ed-05392eb578f8"> <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"; ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"; >WTMLwgT6lKgHrgsJx/YEtEnuD94=</wsse:KeyIdentifier> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security> </S12:Header> <soap:Body wsu:Id="N65670"/> </soap:Envelope> An empty xenc:ReferenceList node is written which is not allowed according to http://www.w3.org/TR/xmlenc-core1/#sec-ReferenceList. This causes issues with products from other vendors who reject such a message. Any help is greatly appreciated. Cheers Christian
