Hi,

Ok this is now fixed in WSS4J: https://issues.apache.org/jira/browse/WSS-549
I also merged some related fixes to CXF.

Colm.

On Mon, Aug 3, 2015 at 10:18 AM, <[email protected]> wrote:
> Hello,
>
> in our application we do send messages with and without SwA attachments.
> Both messages use the same WSS-Policy file:
>
> <wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
>             xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
>             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>             xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"
>             wsu:Id="testpolicy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:AsymmetricBinding>
>         <wsp:Policy>
>           <sp:InitiatorToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken=".../AlwaysToRecipient">
>                 <wsp:Policy>
>                   <sp:WssX509V3Token10/>
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:InitiatorToken>
>           <sp:RecipientToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken=".../Never">
>                 <wsp:Policy>
>                   <sp:WssX509V3Token10/>
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:RecipientToken>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict/>
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:OnlySignEntireHeadersAndBody/>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp-cxf:Basic128GCMSha256 xmlns:sp-cxf="http://example.com/custom/security-policy"/>
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>         </wsp:Policy>
>       </sp:AsymmetricBinding>
>       <wsp:ExactlyOne>
>         <wsp:All>
>           <sp:SignedParts>
>             <sp:Body/>
>             <sp:Header Namespace="..." Name="Messaging"/>
>             <sp:Attachments>
>               <sp13:ContentSignatureTransform/>
>             </sp:Attachments>
>           </sp:SignedParts>
>           <sp:EncryptedParts>
>             <sp:Attachments/>
>           </sp:EncryptedParts>
>         </wsp:All>
>       </wsp:ExactlyOne>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
> When sending a message without attachment it looks as follows:
>
> <soap:Envelope xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>                xmlns:eb3="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
>                xmlns:ebbp="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0"
>                xmlns:ebint="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/multihop/200902/"
>                xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
>                xmlns:wsa="http://www.w3.org/2005/08/addressing"
>                xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>   <S12:Header xmlns:S12="http://www.w3.org/2003/05/soap-envelope">
>     <eb3:Messaging S12:mustUnderstand="true" id="_ebmessaging_N65624"
>                    wsu:Id="_59094c40-d1af-4581-8ccf-90bd947fc39c">
>       ....
>     </eb3:Messaging>
>     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>                    soap:mustUnderstand="true">
>       <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>                          Id="EK-7d3d74f2-3878-4b5d-b914-9b89e82b3492">
>         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
>         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>           <wsse:SecurityTokenReference>
>             <wsse:KeyIdentifier
>                 EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>                 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
>                 >wZEtT/mkif2cptFu8rKpnZQZ5c8=</wsse:KeyIdentifier>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>         <xenc:CipherData>
>           <xenc:CipherValue>...</xenc:CipherValue>
>         </xenc:CipherData>
> --->    <xenc:ReferenceList/>
>       </xenc:EncryptedKey>
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>                     Id="SIG-26b580d0-a983-4747-aa66-f4e3cd368fed">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>             <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>                                     PrefixList="ds eb3 ebbp ebint soap wsa wsse wsu"/>
>           </ds:CanonicalizationMethod>
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>           <ds:Reference URI="#N65670">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>                                         PrefixList="ds eb3 ebbp ebint wsa wsse"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>             <ds:DigestValue>KyTg3U5b4a+5nipkyOkETPtH6enj6NSDnANBwAic0rQ=</ds:DigestValue>
>           </ds:Reference>
>           <ds:Reference URI="#_59094c40-d1af-4581-8ccf-90bd947fc39c">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>                                         PrefixList="ds ebbp ebint soap wsa wsse"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>             <ds:DigestValue>ygkz9MsmZPkyJM65egawLXTnOB3LXyCa1Ohw2uMqVpA=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>...</ds:SignatureValue>
>         <ds:KeyInfo Id="KI-2e2e9bcb-3027-4c38-ac35-2fa61de64858">
>           <wsse:SecurityTokenReference
>               xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>               xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>               wsu:Id="STR-0d7c4659-dafb-4175-92ed-05392eb578f8">
>             <wsse:KeyIdentifier
>                 EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>                 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
>                 >WTMLwgT6lKgHrgsJx/YEtEnuD94=</wsse:KeyIdentifier>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>   </S12:Header>
>   <soap:Body wsu:Id="N65670"/>
> </soap:Envelope>
>
> An empty xenc:ReferenceList node is written, which is not allowed according
> to http://www.w3.org/TR/xmlenc-core1/#sec-ReferenceList. This causes
> issues with products from other vendors that reject such a message. Any help
> is greatly appreciated.
>
> Cheers
> Christian

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
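The check that the rejecting peers are effectively applying, written out as an added example (not part of this thread, WSS4J or CXF): a small Python validator that flags an xenc:EncryptedKey whose xenc:ReferenceList carries no DataReference or KeyReference, and any DataReference whose target EncryptedData is missing. Both sample envelopes and their Ids are constructed for the example.

```python
import xml.etree.ElementTree as ET  # for untrusted input, parse with defusedxml instead

XENC = "http://www.w3.org/2001/04/xmlenc#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP = "http://www.w3.org/2003/05/soap-envelope"


def check_encrypted_keys(envelope_xml: str) -> list[str]:
    """Return one finding per xmlenc-core1 violation in the xenc:EncryptedKey elements:
    a ReferenceList with no child reference (the bug in the thread), or a DataReference
    that does not resolve to an xenc:EncryptedData Id in the envelope."""
    root = ET.fromstring(envelope_xml)
    encrypted_ids = {ed.get("Id") for ed in root.iter(f"{{{XENC}}}EncryptedData")}
    findings = []
    for ek in root.iter(f"{{{XENC}}}EncryptedKey"):
        ek_id = ek.get("Id", "<no Id>")
        for rl in ek.findall(f"{{{XENC}}}ReferenceList"):
            data_refs = rl.findall(f"{{{XENC}}}DataReference")
            key_refs = rl.findall(f"{{{XENC}}}KeyReference")
            if not data_refs and not key_refs:
                findings.append(f"{ek_id}: empty xenc:ReferenceList (needs >= 1 reference)")
            for ref in data_refs:
                uri = ref.get("URI", "")
                if not uri.startswith("#") or uri[1:] not in encrypted_ids:
                    findings.append(f"{ek_id}: DataReference {uri!r} does not resolve")
    return findings


HEADER = f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header><wsse:Security xmlns:wsse="{WSSE}">'
FOOTER = '</wsse:Security></soap:Header><soap:Body/></soap:Envelope>'

# Constructed: the shape reported in the thread, no attachment so nothing was encrypted
NO_ATTACHMENT_MSG = HEADER + f'''
<xenc:EncryptedKey xmlns:xenc="{XENC}" Id="EK-constructed-1">
  <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  <xenc:ReferenceList/>
</xenc:EncryptedKey>''' + FOOTER

# Constructed: an SwA attachment was encrypted, so the ReferenceList points at its EncryptedData
WITH_ATTACHMENT_MSG = HEADER + f'''
<xenc:EncryptedKey xmlns:xenc="{XENC}" Id="EK-constructed-2">
  <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  <xenc:ReferenceList><xenc:DataReference URI="#ED-constructed-1"/></xenc:ReferenceList>
</xenc:EncryptedKey>
<xenc:EncryptedData xmlns:xenc="{XENC}" Id="ED-constructed-1">
  <xenc:CipherData><xenc:CipherReference URI="cid:attachment-1"/></xenc:CipherData>
</xenc:EncryptedData>''' + FOOTER

if __name__ == "__main__":
    for name, msg in (("no attachment", NO_ATTACHMENT_MSG), ("with attachment", WITH_ATTACHMENT_MSG)):
        print(name, "->", check_encrypted_keys(msg) or "ok")
```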
