CXF / CXF-2158

Mix up of ID and ID reference of security token in signature causes WCF service to throw Cannot resolve KeyInfo for verifying signature


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2
    • Fix Version/s: 2.2.1
    • Component/s: WS-* Components
    • Labels: None
    • Environment: Java(TM) SE Runtime Environment (build 1.6.0_07-b06-153) - MacOS 10.5 and Windows Vista

    Description

      Issue

      CXF client causes WCF to throw the error "Cannot resolve KeyInfo for verifying signature: KeyInfo 'SecurityKeyIdentifier ...'" when connecting to a secured WCF service set up following the tutorial "WCF Getting Started Sample Tutorial with Message Security User Name" at http://msdn.microsoft.com/en-us/library/ms752233.aspx. (WSDL attached on CXF ticket)

      See analysis below for summary of the issue and indication of resolution.
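      As an added illustration (not code from this ticket or from CXF), the Python check below applies the resolution rule that the WCF exception further down reveals: a KeyInfo reference whose URI starts with '#' is a local reference and must match a token's wsu:Id in the same Security header (WCF's LocalIdKeyIdentifierClause), while CXF 2.2's second request puts the SecurityContextToken's c:Identifier behind the '#'. The sample envelopes are constructed from the two "Request 2" captures on this page, trimmed to the header elements the check needs.

```python
import xml.etree.ElementTree as ET

# Namespaces as used in the captures on this ticket (prefix letters follow the WCF dumps).
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "u": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "c": "http://schemas.xmlsoap.org/ws/2005/02/sc",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SCT_TYPE = "http://schemas.xmlsoap.org/ws/2005/02/sc/sct"
HINT_IDENTIFIER_AS_ID = "fragment is the SCT c:Identifier, not its wsu:Id"


def check_key_info_references(envelope_xml):
    """Return one finding per o:Reference under ds:Signature/ds:KeyInfo.

    '#...' is an attached (local) reference, resolved against wsu:Id values of
    tokens in the same header; a bare URI is an unattached reference, resolved
    against c:Identifier values.
    """
    root = ET.fromstring(envelope_xml)
    security = root.find("s:Header/o:Security", NS)
    if security is None:
        raise ValueError("no wsse:Security header in envelope")

    wsu_ids = {}
    for el in security.iter():
        local_id = el.get("{%s}Id" % NS["u"])
        if local_id is not None:
            wsu_ids[local_id] = el

    identifiers = {}
    for sct in security.iterfind("c:SecurityContextToken", NS):
        ident = sct.findtext("c:Identifier", default="", namespaces=NS).strip()
        identifiers[ident] = sct

    findings = []
    path = "ds:Signature/ds:KeyInfo/o:SecurityTokenReference/o:Reference"
    for ref in security.iterfind(path, NS):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            finding = {"uri": uri, "style": "attached",
                       "resolved": uri[1:] in wsu_ids}
            # The mix-up from this ticket: the Identifier URN was put behind '#',
            # so a local-id lookup can never succeed.
            if not finding["resolved"] and uri[1:] in identifiers:
                finding["hint"] = HINT_IDENTIFIER_AS_ID
        else:
            finding = {"uri": uri, "style": "unattached",
                       "resolved": uri in identifiers}
        findings.append(finding)
    return findings


def _envelope(token_id, identifier, reference_uri):
    # Constructed sample modelled on the Request 2 captures in this ticket;
    # SignedInfo/SignatureValue are omitted because only KeyInfo resolution
    # is being checked here.
    return f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:o="{NS['o']}" xmlns:u="{NS['u']}"
            xmlns:c="{NS['c']}" xmlns:ds="{NS['ds']}">
  <s:Header>
    <o:Security s:mustUnderstand="1">
      <c:SecurityContextToken u:Id="{token_id}">
        <c:Identifier>{identifier}</c:Identifier>
      </c:SecurityContextToken>
      <ds:Signature>
        <ds:KeyInfo>
          <o:SecurityTokenReference>
            <o:Reference ValueType="{SCT_TYPE}" URI="{reference_uri}"/>
          </o:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </o:Security>
  </s:Header>
  <s:Body/>
</s:Envelope>"""


# WCF client, Request 2: KeyInfo points at the token's wsu:Id (accepted by WCF).
WCF_REQUEST_2 = _envelope("uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1",
                          "urn:uuid:33b535ab-9f44-431a-87c9-0d1cf8c71d8e",
                          "#uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1")
# CXF 2.2 client, Request 2: '#' + c:Identifier, which matches no wsu:Id.
CXF_REQUEST_2 = _envelope("uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3",
                          "urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20",
                          "#urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20")
# Same CXF token, referenced as the RSTR's RequestedAttachedReference prescribes.
CXF_REQUEST_2_FIXED = _envelope("uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3",
                                "urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20",
                                "#uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3")

if __name__ == "__main__":
    for name, msg in (("WCF", WCF_REQUEST_2), ("CXF 2.2", CXF_REQUEST_2),
                      ("CXF fixed", CXF_REQUEST_2_FIXED)):
        for finding in check_key_info_references(msg):
            print(name, finding)
```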
      CXF Client Test Case

      $ java -version
      java version "1.6.0_07"
      Java(TM) SE Runtime Environment (build 1.6.0_07-b06-153)
      Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_07-b06-57, mixed mode)

      MacOS 10.5 and Windows Vista
      CXF Version 2.2

      import static org.junit.Assert.assertEquals;
      import groovyx.net.ws.cxf.SSLHelper;

      import java.util.ArrayList;
      import java.util.HashMap;
      import java.util.List;
      import java.util.Map;

      import javax.security.auth.callback.Callback;
      import javax.security.auth.callback.CallbackHandler;
      import javax.xml.namespace.QName;

      import org.apache.commons.logging.Log;
      import org.apache.commons.logging.LogFactory;
      import org.apache.cxf.Bus;
      import org.apache.cxf.binding.soap.SoapMessage;
      import org.apache.cxf.endpoint.Client;
      import org.apache.cxf.endpoint.Endpoint;
      import org.apache.cxf.endpoint.EndpointImpl;
      import org.apache.cxf.endpoint.dynamic.DynamicClientFactory;
      import org.apache.cxf.interceptor.Fault;
      import org.apache.cxf.interceptor.LoggingInInterceptor;
      import org.apache.cxf.interceptor.LoggingOutInterceptor;
      import org.apache.cxf.message.Exchange;
      import org.apache.cxf.message.Message;
      import org.apache.cxf.message.MessageUtils;
      import org.apache.cxf.phase.Phase;
      import org.apache.cxf.service.model.BindingOperationInfo;
      import org.apache.cxf.service.model.EndpointInfo;
      import org.apache.cxf.ws.policy.AbstractPolicyInterceptor;
      import org.apache.cxf.ws.policy.EffectivePolicy;
      import org.apache.cxf.ws.policy.PolicyEngine;
      import org.apache.cxf.ws.policy.PolicyException;
      import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
      import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
      import org.apache.neethi.AbstractPolicyOperator;
      import org.apache.ws.security.WSConstants;
      import org.apache.ws.security.WSPasswordCallback;
      import org.apache.ws.security.handler.WSHandlerConstants;
      import org.junit.Test;

      public class SSLAWSWCFCalculatorIssueTestCase {
          protected static Log log = LogFactory.getLog(SSLAWSWCFCalculatorIssueTestCase.class);

          public static final String WCF_HOST = "host";
          private static final String WSDL_URI_REMOTE = "http://" + WCF_HOST
              + "/ServiceModelSamples/service.svc?wsdl";

          /**
           * Filters for a default WCF_SSLA integration
           */
          public static final Class<?>[] WCF_SSLA = new Class<?>[] { SignedEncryptedParts.class };

          @Test
          public void testOperationsOfSSLClientWithSoapAuthentication() throws Exception {
              QName service = new QName("http://tempuri.org/", "CalculatorService");
              QName port = new QName("http://tempuri.org/", "SSLCalculatorA");

              Client client = DynamicClientFactory.newInstance().createClient(WSDL_URI_REMOTE, service,
                  SSLAWSWCFCalculatorIssueTestCase.class.getClassLoader(), port);

              SSLHelper sslHelper = new SSLHelper();
              sslHelper.initialize();
              sslHelper.enable(client);

              Bus bus = ((EndpointImpl) client.getEndpoint()).getBus();
              /*
               * Apply default policy filter in interceptor to filter out the
               * mandatory signing of body parts. Otherwise CXF policy validation
               * fails since the response from WCF is not compliant with this.
               */
              bus.getInInterceptors().add(new PolicyFilterOutInterceptor(WCF_SSLA));

              Map<String, Object> outProps = new HashMap<String, Object>();
              outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
              // DOMAIN\user form; the backslash has to be escaped in the Java literal
              outProps.put(WSHandlerConstants.USER, "bart\\myname");
              outProps.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
              outProps.put(WSHandlerConstants.MUST_UNDERSTAND, "true");
              outProps.put(WSHandlerConstants.PW_CALLBACK_REF, new PasswordHandler("password"));

              bus.getOutInterceptors().add(new JustOnceWSS4JOutInterceptor(outProps));

              /*
               * Add logging interceptors
               */
              bus.getInInterceptors().add(new LoggingInInterceptor());
              bus.getOutInterceptors().add(new LoggingOutInterceptor());

              BindingOperationInfo add = client.getEndpoint().getEndpointInfo().getBinding()
                  .getOperation(new QName("http://Microsoft.ServiceModel.Samples", "Add"))
                  .getUnwrappedOperation();
              /*
               * Now call some operations
               */
              if (log.isDebugEnabled()) {
                  log.debug("Invoking method add");
              }
              Object[] answer = client.invoke(add, new Object[] { "1", "2" });
              if (log.isDebugEnabled()) {
                  log.debug("1 + 2 = " + answer[0]);
              }
              assertEquals("Add method not correct", new Double(3.0), answer[0]);

              if (log.isDebugEnabled()) {
                  log.debug("Invoking method multiply");
              }
              BindingOperationInfo multiply = client.getEndpoint().getEndpointInfo().getBinding()
                  .getOperation(new QName("http://Microsoft.ServiceModel.Samples", "Multiply"))
                  .getUnwrappedOperation();
              answer = client.invoke(multiply, new Object[] { "3", "2" });
              // Compare the first return value, not the Object[] that holds it
              assertEquals("Multiply method not correct", new Double(6.0), answer[0]);
              if (log.isDebugEnabled()) {
                  log.debug("3 x 2 = " + answer[0]);
              }
          }

          /**
           * Handler to get the password
           */
          public class PasswordHandler implements CallbackHandler {
              private static final String DEFAULT_PASSWORD = "password";
              String password;

              public PasswordHandler() {
                  this.password = DEFAULT_PASSWORD;
              }

              public PasswordHandler(String password) {
                  this.password = password;
              }

              public void handle(Callback[] callbacks) {
                  WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
                  pc.setPassword(password);
              }
          }

          /**
           * A WSS4J interceptor that includes the security header only once; without
           * this the WCF service throws a security exception when username and password
           * are sent along with the SecurityContextToken in the second request.
           */
          public class JustOnceWSS4JOutInterceptor extends WSS4JOutInterceptor {
              int count = 0;

              /**
               * @param outProps WSS4J outbound properties
               */
              public JustOnceWSS4JOutInterceptor(Map<String, Object> outProps) {
                  super(outProps);
              }

              @Override
              public void handleMessage(SoapMessage mc) throws Fault {
                  if (count == 0) {
                      if (log.isDebugEnabled()) {
                          log.debug("Calling WSS4J interceptor : count = " + count);
                      }
                      super.handleMessage(mc);
                  } else {
                      if (log.isDebugEnabled()) {
                          log.debug("Skipping WSS4J interceptor : count = " + count);
                      }
                  }
                  count++;
              }
          }

          /**
           * Removes the given policy assertion types from the effective policy
           * before CXF verifies the inbound response against it.
           */
          public class PolicyFilterOutInterceptor extends AbstractPolicyInterceptor {

              private Class<?>[] filters;

              public PolicyFilterOutInterceptor(Class<?>[] filters) {
                  super(Phase.PRE_STREAM);
                  this.filters = filters;
              }

              @Override
              protected void handle(Message message) throws PolicyException {
                  if (log.isDebugEnabled()) {
                      log.debug("Filtering policies for " + this.getClass().getName());
                  }

                  Exchange exchange = message.getExchange();
                  BindingOperationInfo boi = exchange.get(BindingOperationInfo.class);
                  if (null == boi) {
                      if (log.isDebugEnabled()) {
                          log.debug("No binding operation info.");
                      }
                      return;
                  }

                  Endpoint e = exchange.get(Endpoint.class);
                  if (null == e) {
                      if (log.isDebugEnabled()) {
                          log.debug("No endpoint.");
                      }
                      return;
                  }
                  EndpointInfo ei = e.getEndpointInfo();

                  Bus bus = exchange.get(Bus.class);
                  PolicyEngine pe = bus.getExtension(PolicyEngine.class);
                  if (null == pe) {
                      return;
                  }

                  if (MessageUtils.isPartialResponse(message)) {
                      if (log.isDebugEnabled()) {
                          log.debug("Not verifying policies on inbound partial response.");
                      }
                      return;
                  }

                  getTransportAssertions(message);

                  EffectivePolicy effectivePolicy = message.get(EffectivePolicy.class);
                  if (effectivePolicy == null) {
                      if (MessageUtils.isRequestor(message)) {
                          effectivePolicy = pe.getEffectiveClientResponsePolicy(ei, boi);
                      } else {
                          effectivePolicy = pe.getEffectiveServerRequestPolicy(ei, boi);
                      }
                  }

                  removePolicies(effectivePolicy.getPolicy(), filters);
              }

              public void removePolicy(AbstractPolicyOperator operator, Class<?> clazz) {
                  removePolicies(operator, new Class<?>[] { clazz });
              }

              @SuppressWarnings("unchecked")
              public void removePolicies(AbstractPolicyOperator operator, Class<?>[] classes) {
                  List<Object> childrenForRemoval = new ArrayList<Object>();

                  for (Object child : operator.getPolicyComponents()) {
                      if (child instanceof AbstractPolicyOperator) {
                          // Nested operator (All/ExactlyOne): recurse into it
                          removePolicies((AbstractPolicyOperator) child, classes);
                      } else {
                          for (int i = 0; i < classes.length; i++) {
                              if (child.getClass() == classes[i]) {
                                  childrenForRemoval.add(child);
                                  if (log.isDebugEnabled()) {
                                      log.debug("Removing policy : " + child);
                                  }
                              }
                          }
                      }
                  }

                  /*
                   * Remove all the children that have been marked for removal
                   */
                  operator.getPolicyComponents().removeAll(childrenForRemoval);
              }
          }
      }

      WCF Exception

      <Exception>
      <ExceptionType>System.ServiceModel.Security.MessageSecurityException, System.ServiceModel, Version=3.0.0.0, Culture=neutral,
      PublicKeyToken=b77a5c561934e089</ExceptionType>
      <Message>Cannot resolve KeyInfo for verifying signature: KeyInfo 'SecurityKeyIdentifier
      (
      IsReadOnly = False,
      Count = 1,
      Clause[0] = LocalIdKeyIdentifierClause(LocalId = 'urn:uuid:67422cf9-69c5-4e15-802d-4c6d39cdc57d', Owner = 'System.ServiceModel.Security.Tokens.SecurityContextSecurityToken')
      )
      ', available tokens 'SecurityTokenResolver
      (
      TokenCount = 1,
      TokenEntry[0] = (AllowedReferenceStyle=Internal, Token=System.ServiceModel.Security.Tokens.SecurityContextSecurityToken,
      Parameters=System.ServiceModel.Security.Tokens.SecureConversationSecurityTokenParameters:
      InclusionMode: AlwaysToRecipient
      ReferenceStyle: Internal
      RequireDerivedKeys: False
      RequireCancellation: True
      BootstrapSecurityBindingElement:
      System.ServiceModel.Channels.TransportSecurityBindingElement:
      DefaultAlgorithmSuite: Basic256
      IncludeTimestamp: True
      KeyEntropyMode: CombinedEntropy
      MessageSecurityVersion: WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
      SecurityHeaderLayout: Strict
      EndpointSupportingTokenParameters:
      No endorsing tokens.
      No signed tokens.
      SignedEncrypted[0]
      System.ServiceModel.Security.Tokens.UserNameSecurityTokenParameters:
      InclusionMode: AlwaysToRecipient
      ReferenceStyle: Internal
      RequireDerivedKeys: False
      No signed endorsing tokens.
      OptionalEndpointSupportingTokenParameters:
      No endorsing tokens.
      No signed tokens.
      No signed encrypted tokens.
      No signed endorsing tokens.
      OperationSupportingTokenParameters: none
      OptionalOperationSupportingTokenParameters: none)
      )
      '.</Message>
      <StackTrace>
      at System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.ResolveSignatureToken(SecurityKeyIdentifier
      keyIdentifier, SecurityTokenResolver resolver, Boolean isPrimarySignature)
      at System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.VerifySignature(SignedXml signedXml, Boolean isPrimarySignature, SecurityHeaderTokenResolver resolver, Object signatureTarget, String id)
      at System.ServiceModel.Security.ReceiveSecurityHeader.ProcessSupportingSignature(SignedXml signedXml, Boolean isFromDecryptedSource)
      at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)
      at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout)
      at System.ServiceModel.Security.AcceptorSessionSymmetricTransportSecurityProtocol.VerifyIncomingMessageCore(Message& message, TimeSpan timeout)
      at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout)
      at System.ServiceModel.Security.SecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
      at System.ServiceModel.Security.SecuritySessionServerSettings.ServerSecuritySessionChannel.ProcessRequestContext(RequestContext requestContext, TimeSpan timeout, SecurityProtocolCorrelationState& correlationState, Boolean& isSecurityProcessingFailure)
      at System.ServiceModel.Security.SecuritySessionServerSettings.ServerSecuritySessionChannel.ReceiveRequestAsyncResult.WaitComplete()
      at System.ServiceModel.Security.SecuritySessionServerSettings.ServerSecuritySessionChannel.ReceiveRequestAsyncResult..ctor(ServerSecuritySessionChannel channel, TimeSpan timeout, AsyncCallback callback, Object state)
      at System.ServiceModel.Security.SecuritySessionServerSettings.ServerSecuritySessionChannel.BeginTryReceiveRequest(TimeSpan timeout, AsyncCallback callback, Object state)
      at System.ServiceModel.Dispatcher.ReplyChannelBinder.BeginTryReceive(TimeSpan timeout, AsyncCallback callback, Object state)
      at System.ServiceModel.Dispatcher.ErrorHandlingReceiver.BeginTryReceive(TimeSpan timeout, AsyncCallback callback, Object state)
      at System.ServiceModel.Dispatcher.ChannelHandler.EnsurePump()
      at System.ServiceModel.Dispatcher.ChannelHandler.OpenAndEnsurePump()
      at System.ServiceModel.Channels.IOThreadScheduler.CriticalHelper.WorkItem.Invoke2()
      at System.Security.SecurityContext.Run(SecurityContext securityContext, ContextCallback callback, Object state)
      at System.ServiceModel.Channels.IOThreadScheduler.CriticalHelper.WorkItem.Invoke()
      at System.ServiceModel.Channels.IOThreadScheduler.CriticalHelper.ProcessCallbacks()
      at System.ServiceModel.Channels.IOThreadScheduler.CriticalHelper.CompletionCallback(Object state)
      at System.ServiceModel.Channels.IOThreadScheduler.CriticalHelper.ScheduledOverlapped.IOCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped)
      at System.ServiceModel.Diagnostics.Utility.IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped)
      at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)
      </StackTrace>
      <ExceptionString>System.ServiceModel.Security.MessageSecurityException: Cannot resolve KeyInfo for verifying signature: KeyInfo 'SecurityKeyIdentifier
      (
      IsReadOnly = False,
      Count = 1,
      Clause[0] = LocalIdKeyIdentifierClause(LocalId = 'urn:uuid:67422cf9-69c5-4e15-802d-4c6d39cdc57d', Owner = 'System.ServiceModel.Security.Tokens.SecurityContextSecurityToken')
      )
      ', available tokens 'SecurityTokenResolver
      (
      TokenCount = 1,
      TokenEntry[0] = (AllowedReferenceStyle=Internal, Token=System.ServiceModel.Security.Tokens.SecurityContextSecurityToken, Parameters=System.ServiceModel.Security.Tokens.SecureConversationSecurityTokenParameters:
      InclusionMode: AlwaysToRecipient
      ReferenceStyle: Internal
      RequireDerivedKeys: False
      RequireCancellation: True
      BootstrapSecurityBindingElement:
      System.ServiceModel.Channels.TransportSecurityBindingElement:
      DefaultAlgorithmSuite: Basic256
      IncludeTimestamp: True
      KeyEntropyMode: CombinedEntropy
      MessageSecurityVersion: WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
      SecurityHeaderLayout: Strict
      EndpointSupportingTokenParameters:
      No endorsing tokens.
      No signed tokens.
      SignedEncrypted[0]
      System.ServiceModel.Security.Tokens.UserNameSecurityTokenParameters:
      InclusionMode: AlwaysToRecipient
      ReferenceStyle: Internal
      RequireDerivedKeys: False
      No signed endorsing tokens.
      OptionalEndpointSupportingTokenParameters:
      No endorsing tokens.
      No signed tokens.
      No signed encrypted tokens.
      No signed endorsing tokens.
      OperationSupportingTokenParameters: none
      OptionalOperationSupportingTokenParameters: none)
      )
      '.</ExceptionString>
      </Exception>

      WCF Client with WCF Server
      WCF Client Request 1

      <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"
      xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <s:Header>
      <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</a:Action>
      <a:MessageID>urn:uuid:8151f398-b043-485e-a443-681fb698d334</a:MessageID>
      <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
      </a:ReplyTo>
      <a:To s:mustUnderstand="1">https://host/servicemodelsamples/service.svc/SSLA</a:To>
      <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
      <u:Created>2009-04-06T08:25:00.988Z</u:Created>
      <u:Expires>2009-04-06T08:30:00.988Z</u:Expires>
      </u:Timestamp>
      <o:UsernameToken u:Id="uuid-0403819d-3bc9-4fc8-be6f-0c1b01da7397-1">
      <o:Username>
      <!-- Removed-->
      </o:Username>
      <o:Password>
      <!-- Removed-->
      </o:Password>
      </o:UsernameToken>
      </o:Security>
      </s:Header>
      <s:Body>
      <t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</t:TokenType>
      <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
      <t:Entropy>
      <!-- Removed-->
      </t:Entropy>
      <t:KeySize>256</t:KeySize>
      </t:RequestSecurityToken>
      </s:Body>
      </s:Envelope>

      WCF Client Response from Server 1

      <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"
      xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <s:Header>
      <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT</a:Action>
      <a:RelatesTo>urn:uuid:4f4996b9-4d71-47d8-91b8-ba75df9b3de6</a:RelatesTo>
      <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
      <u:Created>2009-04-06T08:59:01.713Z</u:Created>
      <u:Expires>2009-04-06T09:04:01.713Z</u:Expires>
      </u:Timestamp>
      </o:Security>
      </s:Header>
      <s:Body>
      <t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</t:TokenType>
      <t:RequestedSecurityToken>
      <c:SecurityContextToken u:Id="uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
      <c:Identifier>urn:uuid:33b535ab-9f44-431a-87c9-0d1cf8c71d8e</c:Identifier>
      </c:SecurityContextToken>
      </t:RequestedSecurityToken>
      <t:RequestedAttachedReference>
      <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1"></o:Reference>
      </o:SecurityTokenReference>
      </t:RequestedAttachedReference>
      <t:RequestedUnattachedReference>
      <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <o:Reference URI="urn:uuid:33b535ab-9f44-431a-87c9-0d1cf8c71d8e" ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"></o:Reference>
      </o:SecurityTokenReference>
      </t:RequestedUnattachedReference>
      <t:RequestedProofToken>
      <t:ComputedKey>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1</t:ComputedKey>
      </t:RequestedProofToken>
      <t:Entropy>
      <!-- Removed-->
      </t:Entropy>
      <t:Lifetime>
      <u:Created>2009-04-06T08:59:01.701Z</u:Created>
      <u:Expires>2009-04-06T23:59:01.701Z</u:Expires>
      </t:Lifetime>
      <t:KeySize>256</t:KeySize>
      </t:RequestSecurityTokenResponse>
      </s:Body>
      </s:Envelope>

      WCF Client Request 2

      <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"
      xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <s:Header>
      <a:Action s:mustUnderstand="1">http://Microsoft.ServiceModel.Samples/ICalculator/Add</a:Action>
      <a:MessageID>urn:uuid:3363fc9e-17e1-4e15-a0dc-ef56d63fa541</a:MessageID>
      <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
      </a:ReplyTo>
      <a:To s:mustUnderstand="1">https://host/servicemodelsamples/service.svc/SSLA</a:To>
      <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
      <u:Created>2009-04-06T08:59:01.737Z</u:Created>
      <u:Expires>2009-04-06T09:04:01.737Z</u:Expires>
      </u:Timestamp>
      <c:SecurityContextToken u:Id="uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
      <c:Identifier>urn:uuid:33b535ab-9f44-431a-87c9-0d1cf8c71d8e</c:Identifier>
      </c:SecurityContextToken>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"></SignatureMethod>
      <Reference URI="#_0">
      <Transforms>
      <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      <DigestValue>2VuDOwhOC2mm4YhQJEAzutsXuiU=</DigestValue>
      </Reference>
      </SignedInfo>
      <SignatureValue>AZzmujJH/wkgEzq9jopInPW3exQ=</SignatureValue>
      <KeyInfo>
      <o:SecurityTokenReference>
      <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1"></o:Reference>
      </o:SecurityTokenReference>
      </KeyInfo>
      </Signature>
      </o:Security>
      </s:Header>
      <s:Body>
      <Add xmlns="http://Microsoft.ServiceModel.Samples">
      <n1>100</n1>
      <n2>15.99</n2>
      </Add>
      </s:Body>
      </s:Envelope>

      WCF Client Response from Server 2

      <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"
      xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <s:Header>
      <a:Action s:mustUnderstand="1">http://Microsoft.ServiceModel.Samples/ICalculator/AddResponse</a:Action>
      <a:RelatesTo>urn:uuid:3363fc9e-17e1-4e15-a0dc-ef56d63fa541</a:RelatesTo>
      <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
      <u:Created>2009-04-06T08:59:01.773Z</u:Created>
      <u:Expires>2009-04-06T09:04:01.773Z</u:Expires>
      </u:Timestamp>
      </o:Security>
      </s:Header>
      <s:Body>
      <AddResponse xmlns="http://Microsoft.ServiceModel.Samples">
      <AddResult>115.99</AddResult>
      </AddResponse>
      </s:Body>
      </s:Envelope>

      CXF Client with WCF Server
      CXF Client Request 1

      <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
      <soap:Header>
      <Action xmlns="http://www.w3.org/2005/08/addressing">
      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</Action>
      <MessageID xmlns="http://www.w3.org/2005/08/addressing">
      urn:uuid:ee3fd188-2a43-4d0e-b202-aac81f803bc5</MessageID>
      <To xmlns="http://www.w3.org/2005/08/addressing">
      https://host/ServiceModelSamples/service.svc/SSLA</To>
      <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
      <Address>http://www.w3.org/2005/08/addressing/anonymous
      </Address>
      </ReplyTo>
      <wsse:Security
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      soap:mustUnderstand="true">
      <wsu:Timestamp
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="Timestamp-1763636894">
      <wsu:Created>2009-04-06T10:00:47.466Z
      </wsu:Created>
      <wsu:Expires>2009-04-06T10:05:47.466Z
      </wsu:Expires>
      </wsu:Timestamp>
      <wsse:UsernameToken
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="UsernameToken-2095036283">
      <wsse:Username>bart\myuser</wsse:Username>
      <wsse:Password
      Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
      </wsse:UsernameToken>
      </wsse:Security>
      </soap:Header>
      <soap:Body>
      <wst:RequestSecurityToken
      xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
      </wst:RequestType>
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
      <wsa:Address>
      https://host/ServiceModelSamples/service.svc/SSLA
      </wsa:Address>
      </wsa:EndpointReference>
      </wsp:AppliesTo>
      <wst:Lifetime>
      <wsu:Created
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-04-06T10:00:46.692Z
      </wsu:Created>
      <wsu:Expires
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-04-06T10:05:46.692Z
      </wsu:Expires>
      </wst:Lifetime>
      <wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct
      </wst:TokenType>
      <wst:Entropy>
      <wst:BinarySecret
      Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">7pPJRu/vrIfSeAzoq48kAd+55khFFbU/sLw0PeYkIKA=
      </wst:BinarySecret>
      </wst:Entropy>
      <wst:ComputedKeyAlgorithm>
      http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
      </wst:ComputedKeyAlgorithm>
      </wst:RequestSecurityToken>
      </soap:Body>
      </soap:Envelope>

      CXF Client Response from Server 1

      <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
      xmlns:a="http://www.w3.org/2005/08/addressing"
      xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <s:Header>
      <a:Action s:mustUnderstand="1">
      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT</a:Action>
      <a:RelatesTo>urn:uuid:ee3fd188-2a43-4d0e-b202-aac81f803bc5
      </a:RelatesTo>
      <o:Security s:mustUnderstand="1"
      xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
      <u:Created>2009-04-06T10:00:28.212Z
      </u:Created>
      <u:Expires>2009-04-06T10:05:28.212Z
      </u:Expires>
      </u:Timestamp>
      </o:Security>
      </s:Header>
      <s:Body>
      <t:RequestSecurityTokenResponse
      xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct
      </t:TokenType>
      <t:RequestedSecurityToken>
      <c:SecurityContextToken
      u:Id="uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
      <c:Identifier>urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20
      </c:Identifier>
      </c:SecurityContextToken>
      </t:RequestedSecurityToken>
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
      <Address>
      https://host/ServiceModelSamples/service.svc/SSLA
      </Address>
      </EndpointReference>
      </wsp:AppliesTo>
      <t:RequestedAttachedReference>
      <o:SecurityTokenReference
      xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"
      URI="#uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3"></o:Reference>
      </o:SecurityTokenReference>
      </t:RequestedAttachedReference>
      <t:RequestedUnattachedReference>
      <o:SecurityTokenReference
      xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <o:Reference URI="urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20"
      ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"></o:Reference>
      </o:SecurityTokenReference>
      </t:RequestedUnattachedReference>
      <t:RequestedProofToken>
      <t:ComputedKey>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
      </t:ComputedKey>
      </t:RequestedProofToken>
      <t:Entropy>
      <t:BinarySecret u:Id="uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-4"
      Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">f6m4wEJy9gPMttOxzM+7yf1i5biWxbNaBfbx1sWvVPw=
      </t:BinarySecret>
      </t:Entropy>
      <t:Lifetime>
      <u:Created>2009-04-06T10:00:28.208Z
      </u:Created>
      <u:Expires>2009-04-07T01:00:28.208Z
      </u:Expires>
      </t:Lifetime>
      <t:KeySize>256</t:KeySize>
      </t:RequestSecurityTokenResponse>
      </s:Body>
      </s:Envelope>

      CXF Client Request 2

      <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
      <soap:Header>
      <Action xmlns="http://www.w3.org/2005/08/addressing">
      http://Microsoft.ServiceModel.Samples/ICalculator/Add</Action>
      <MessageID xmlns="http://www.w3.org/2005/08/addressing">
      urn:uuid:b879526c-68c1-4713-8912-6ee23264715f</MessageID>
      <To xmlns="http://www.w3.org/2005/08/addressing">
      https://host/ServiceModelSamples/service.svc/SSLA</To>
      <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
      <Address>http://www.w3.org/2005/08/addressing/anonymous
      </Address>
      </ReplyTo>
      <wsse:Security
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      soap:mustUnderstand="true">
      <wsu:Timestamp
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="Timestamp-937741416">
      <wsu:Created>2009-04-06T10:00:48.903Z
      </wsu:Created>
      <wsu:Expires>2009-04-06T10:05:48.903Z
      </wsu:Expires>
      </wsu:Timestamp>
      <c:SecurityContextToken xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc"
      xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      u:Id="uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3">
      <c:Identifier>urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20
      </c:Identifier>
      </c:SecurityContextToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
      Id="Signature-1670444352">
      <ds:SignedInfo>
      <ds:CanonicalizationMethod
      Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
      <ds:Reference URI="#Timestamp-937741416">
      <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <ds:DigestValue>/gRfeAVaxWCey/0KWfXh4VDIdGA=
      </ds:DigestValue>
      </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>rhEDDQNJHxAKgsBz5ZVPma1TkeY=
      </ds:SignatureValue>
      <ds:KeyInfo Id="KeyId-451036744">
      <wsse:SecurityTokenReference
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="STRId-187592160">
      <wsse:Reference
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      URI="#urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20" ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" />
      </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      </ds:Signature>
      </wsse:Security>
      </soap:Header>
      <soap:Body>
      <ns1:Add xmlns:ns1="http://Microsoft.ServiceModel.Samples">
      <ns1:n1 xmlns:ns2="http://schemas.microsoft.com/2003/10/Serialization/"
      xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string">1</ns1:n1>
      <ns1:n2 xmlns:ns2="http://schemas.microsoft.com/2003/10/Serialization/"
      xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string">2</ns1:n2>
      </ns1:Add>
      </soap:Body>
      </soap:Envelope>

      CXF Client Response from Server 2

      <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
      xmlns:a="http://www.w3.org/2005/08/addressing">
      <s:Header>
      <a:Action s:mustUnderstand="1">
      http://www.w3.org/2005/08/addressing/soap/fault</a:Action>
      <a:RelatesTo>urn:uuid:c20c8ac5-3e6d-4189-8db8-97dda22f7cdc
      </a:RelatesTo>
      </s:Header>
      <s:Body>
      <s:Fault>
      <s:Code>
      <s:Value>s:Sender</s:Value>
      <s:Subcode>
      <s:Value
      xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</s:Value>
      </s:Subcode>
      </s:Code>
      <s:Reason>
      <s:Text xml:lang="en-GB">An error occurred when verifying security
      for the message.</s:Text>
      </s:Reason>
      </s:Fault>
      </s:Body>
      </s:Envelope>

      Analysis

      The CXF client sends the following in request 2, with the URI attribute of the Reference element equal to the element content of the Identifier element:

      <c:SecurityContextToken u:Id="uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3">
      <c:Identifier>urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20</c:Identifier>
      </c:SecurityContextToken>
      ...
      <ds:KeyInfo Id="KeyId-451036744">
      <wsse:SecurityTokenReference>
      <wsse:Reference
      URI="#urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20"
      ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" />
      </wsse:SecurityTokenReference>
      </ds:KeyInfo>

      The WCF client, however, sends the following for its second request, with the URI attribute of the Reference element equal to the Id attribute of the SecurityContextToken element:

      <c:SecurityContextToken u:Id="uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
      <c:Identifier>urn:uuid:33b535ab-9f44-431a-87c9-0d1cf8c71d8e</c:Identifier>
      </c:SecurityContextToken>
      ...
      <KeyInfo>
      <o:SecurityTokenReference>
      <o:Reference
      ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"
      URI="#uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1"></o:Reference>
      </o:SecurityTokenReference>
      </KeyInfo>

      If the following change is made in the org.apache.cxf.ws.security.wss4j.policyhandler.TransportBindingHandler:

      CXF trunk 2.2 version

      sig.setCustomTokenId(secTok.getId());

      changed to

      // Use the id the STS returned in RequestedAttachedReference (URI="#<wsu:Id>"), not the token's
      // Identifier; org.w3c.dom.Node and org.w3c.dom.Attr are assumed to be imported.
      Node firstChild = secTok.getAttachedReference().getFirstChild();
      Attr referenceUriAttribute = (Attr) firstChild.getAttributes().getNamedItem("URI");
      String referenceUri = referenceUriAttribute.getValue().substring(1); // strip the leading '#'
      sig.setCustomTokenId(referenceUri);

      then the CXF client communicates with the WCF server successfully. This is probably not the correct place for the fix, since other places in the CXF source also set the custom token id on the signature. More likely a correction is required earlier in the logic, so that the security token carries the id reference (i.e. the Reference URI) and makes it available when configuring the signature.
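The mix-up described in the analysis comes down to which value the receiver can resolve: a SecurityTokenReference with a local URI ("#...") is resolved against the wsu:Id attributes in the Security header, not against the content of the c:Identifier element, which is why WCF reports that it cannot resolve the KeyInfo. The following is an added example, not code from the ticket or from CXF; it uses only the Python standard library. It derives the correct token id from the RequestedAttachedReference of the RSTR (the same source the proposed TransportBindingHandler change reads) and then resolves a KeyInfo reference the way a receiver would. The XML fragments are constructed from the messages quoted above and trimmed to the relevant elements; the function names are mine.

```python
"""Resolve a WS-Security SecurityTokenReference the way a receiver does.

Added example (not from the CXF ticket or project). The fragments below are
constructed from the RSTR and Request 2 quoted in the ticket, reduced to the
elements that matter for KeyInfo resolution.
"""
import xml.etree.ElementTree as ET

NS = {
    "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "u": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "t": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "c": "http://schemas.xmlsoap.org/ws/2005/02/sc",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed RSTR fragment: the attached reference points at the token's
# wsu:Id (local "#..." URI), the unattached reference at its Identifier.
RSTR = """<t:RequestSecurityTokenResponse xmlns:t="{t}" xmlns:o="{o}">
  <t:RequestedAttachedReference>
    <o:SecurityTokenReference>
      <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"
                   URI="#uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3"/>
    </o:SecurityTokenReference>
  </t:RequestedAttachedReference>
  <t:RequestedUnattachedReference>
    <o:SecurityTokenReference>
      <o:Reference URI="urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20"
                   ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"/>
    </o:SecurityTokenReference>
  </t:RequestedUnattachedReference>
</t:RequestSecurityTokenResponse>""".format(**NS)


def security_header(str_uri):
    """Constructed Security header as in Request 2; the caller supplies the
    URI placed in the signature's KeyInfo SecurityTokenReference."""
    return """<o:Security xmlns:o="{o}" xmlns:u="{u}" xmlns:c="{c}" xmlns:ds="{ds}">
  <u:Timestamp u:Id="Timestamp-937741416"/>
  <c:SecurityContextToken u:Id="uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3">
    <c:Identifier>urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20</c:Identifier>
  </c:SecurityContextToken>
  <ds:Signature>
    <ds:KeyInfo>
      <o:SecurityTokenReference>
        <o:Reference URI="{uri}" ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"/>
      </o:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</o:Security>""".format(uri=str_uri, **NS)


def attached_reference_id(rstr_xml):
    """Return the id a signature must reference: the RequestedAttachedReference
    URI with its leading '#' removed (what the proposed CXF change extracts)."""
    root = ET.fromstring(rstr_xml)
    ref = root.find(
        "t:RequestedAttachedReference/o:SecurityTokenReference/o:Reference", NS)
    uri = ref.get("URI")
    if not uri.startswith("#"):
        raise ValueError("attached reference must be a local (#) reference")
    return uri[1:]


def resolve_keyinfo(header_xml):
    """Resolve the KeyInfo STR like a receiver: return the local name of the
    element whose wsu:Id equals the referenced fragment, or None if no
    element carries that Id (the condition WCF reports as unresolvable)."""
    root = ET.fromstring(header_xml)
    ref = root.find(
        "ds:Signature/ds:KeyInfo/o:SecurityTokenReference/o:Reference", NS)
    uri = ref.get("URI")
    if not uri.startswith("#"):
        return None  # only same-document references are resolved here
    wanted = uri[1:]
    id_attr = "{%s}Id" % NS["u"]
    for el in root.iter():
        if el.get(id_attr) == wanted:
            return el.tag.split("}")[1]
    return None


if __name__ == "__main__":
    token_id = attached_reference_id(RSTR)
    # What CXF 2.2 sent: '#' plus the Identifier value, which matches no wsu:Id.
    print(resolve_keyinfo(security_header("#urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20")))
    # What WCF sends and expects: '#' plus the attached-reference id.
    print(resolve_keyinfo(security_header("#" + token_id)))
```

The first call returns None because no element in the header has a wsu:Id of "urn:uuid:cc05aea2-...", only an Identifier with that content; the second resolves to the SecurityContextToken. Taking the id from the attached reference rather than from the token's identifier is exactly what makes the reference resolvable on the receiving side.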

      Attachments

        1. CalculatorService1339.wsdl
          25 kB
          ian homer

          People

            dkulp Daniel Kulp
            ian.homer ian homer