Details
Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
None
None
Unknown
Description
When using the following WS-SecurityPolicy (an AsymmetricBinding with X.509 initiator/recipient tokens, the TripleDes algorithm suite and sp:Lax layout; only the SOAP Body is signed and encrypted):
<!-- WS-SecurityPolicy (2005/07 namespace) policy used to reproduce this issue.
     NOTE(review): the wsp prefix is not declared anywhere in this excerpt; it is
     presumably declared on an enclosing element in the real WSDL/config. -->
<wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityServiceSignThenEncryptPolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <!-- Initiator (client) X.509 certificate: used for the signature; IncludeToken/Always
               means the certificate itself is carried in the message as a BinarySecurityToken. -->
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
                <wsp:Policy>
                  <!-- NOTE(review): WssX509V1Token11 asserts an X.509 v1 certificate token, whereas the
                       generated message below carries #X509v3 BinarySecurityTokens; whether the stack
                       enforces the version assertion is not shown here. -->
                  <sp:WssX509V1Token11/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <!-- Recipient (service) X.509 certificate: the key-encryption key for the EncryptedKey;
               also carried in the message as a BinarySecurityToken. -->
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
                <wsp:Policy>
                  <sp:WssX509V1Token11/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <!-- Algorithm suite. In the generated message below this yields 3DES-CBC data encryption,
               RSA-OAEP (MGF1) key transport, SHA-1 digests and an RSA-SHA1 signature.
               NOTE(review): 3DES and SHA-1 are legacy choices; an AES suite (Basic128/Basic256) and,
               where the stack supports it, a SHA-256 suite variant would be the usual recommendation. -->
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:TripleDes/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <!-- Lax layout: the policy imposes no ordering on the contents of the wsse:Security header.
               This is the layout in effect for the reproduction below, where the EncryptedKey is
               emitted before the BinarySecurityToken it references. -->
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <!-- NOTE(review): with IncludeTimestamp disabled the message carries no wsu:Timestamp, so the
               receiver has no freshness information with which to detect a replayed request. -->
          <!-- <sp:IncludeTimestamp/> -->
          <!-- NOTE(review): EncryptSignature disabled: the ds:Signature element is sent in the clear. -->
          <!-- <sp:EncryptSignature/> -->
          <sp:OnlySignEntireHeadersAndBody/>
          <!-- Neither protection-order assertion is present, so the WS-SecurityPolicy default
               (SignBeforeEncrypting) applies, which matches the policy's name. -->
          <!-- <sp:SignBeforeEncrypting/> -->
          <!-- <sp:EncryptBeforeSigning/> -->
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <!-- Only the SOAP Body is signed; nothing in the wsse:Security header (EncryptedKey,
           BinarySecurityTokens) is covered by the signature. -->
      <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Body/>
      </sp:SignedParts>
      <!-- Only the SOAP Body content is encrypted. -->
      <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Body/>
      </sp:EncryptedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
a message like the following is generated (Base64 certificate values are abbreviated with `...`):
<?xml version="1.0" encoding="UTF-8"?>
<!-- Message produced under the policy above. Whitespace between elements has been added for
     readability only; the Base64 certificate values are abbreviated with "..." as in the report. -->
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
      <!-- Problem reported in this issue: this EncryptedKey's KeyInfo refers (by wsse:Reference URI) to
           wsu:Id CFCC32406441E262D414056082408017, a BinarySecurityToken that only appears further down
           in the header. A receiver that resolves references while processing the header in document
           order has not yet seen that token at this point. -->
      <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-CFCC32406441E262D414056082408016">
        <!-- RSA-OAEP key transport of the 3DES content-encryption key. -->
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <!-- Forward reference to the recipient certificate BST below. -->
            <wsse:Reference URI="#CFCC32406441E262D414056082408017" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>EU9cFqu6lqJ6iq1ZqHGVoidA0iT6MHIwimvNuQQP2WU/kUbldgLlS7CP1h8OPE7uJMpBztciQ27H/fOZqGsQntqsUIOFLyDjalHjYBiGGzmHG1k/4Yd4ibsN+NacJYbTPaHclkO81H06eImW+yNIxFvb2bw9HJht9ehWGVUoy4k=</xenc:CipherValue>
        </xenc:CipherData>
        <!-- The wrapped key is used by exactly one EncryptedData element: the Body content below. -->
        <xenc:ReferenceList>
          <xenc:DataReference URI="#ED-CFCC32406441E262D414056082408118"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
      <!-- Recipient (encryption) certificate. This is the token the EncryptedKey above points at;
           it should be emitted before the EncryptedKey so that the reference is a backward one. -->
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CFCC32406441E262D414056082408017">MIICNzCCAaCgAwIBAgIEURPj3TANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTkMxEDAOBgNVBAcTB1JhbGVpZ2gxEDAOBgNVBAoTB1JlZCBIYXQxDDAKBgNVBAsTA0dTUzES...+vR2eMo4a45eWPj2hAqvBNpmB5mcuQGuOo/aRjoQS86vX6wIsy/UeaAlG9shvZSIwL0kwZBNuubkbikMdNIsBHROSp5v/gbMHa9O9qDOzQQnMn6cgeJePdYnq1oTuDK+g5M1znja31HtbQTo9NiaXjuQfL05v5dA==</wsse:BinarySecurityToken>
      <!-- Initiator (signing) certificate. It is referenced from ds:Signature/ds:KeyInfo below, so
           this token/reference pair is already in the expected (token first) order. -->
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-CFCC32406441E262D414056082407262">MIICNzCCAaCgAwIBAgIEURPj9jANBgkqhkiG9w0BAQUFADBgMQswCQY...MFwS4DphvWgHfyDxLBtsJ45ZLdE+s0fXjjn+W8KCDYR0ayuUjO/KeKiLBo24U44ULy4mJOQ==</wsse:BinarySecurityToken>
      <!-- Signature over the SOAP Body only. NOTE(review): the single ds:Reference below covers
           #_CFCC32406441E262D414056082407081 (the Body); the EncryptedKey and both BinarySecurityTokens
           in this header are not signed, consistent with SignedParts = Body in the policy.
           SHA-1 / RSA-SHA1 are what the TripleDes algorithm suite selects. -->
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-CFCC32406441E262D414056082407385">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#_CFCC32406441E262D414056082407081">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>6lB8Vv8WAxUPs19VJwUcPETjz5M=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>pm9eB0Qe8zb0O+5kf4i6MPFfn9t8TGt/m1Y8dwy2wHo0b1KvD1JrR/h7Qr7Jj4czGETsIRgLYJFNrTtTAGpgSFru8IVca+11kJL78nQiSwWnZZt6FvzwAoTxbbn4DQ+RqX01a1Y2GXB1CXJvUs5+K/0aL0lDQ3w4qOtvQ8nk7vM=</ds:SignatureValue>
        <ds:KeyInfo Id="KI-CFCC32406441E262D414056082407283">
          <wsse:SecurityTokenReference wsu:Id="STR-CFCC32406441E262D414056082407294">
            <!-- Backward reference to the initiator certificate BST above. -->
            <wsse:Reference URI="#X509-CFCC32406441E262D414056082407262" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </SOAP-ENV:Header>
  <!-- The Body carries the wsu:Id the signature references; its content is replaced by EncryptedData. -->
  <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_CFCC32406441E262D414056082407081">
    <!-- Content encryption (Type=Content: the Body's children are encrypted, the Body element itself stays). -->
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-CFCC32406441E262D414056082408118" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <!-- Points back to the EncryptedKey in the header (WSS 1.1 EncryptedKey token type). -->
        <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
          <wsse:Reference URI="#EK-CFCC32406441E262D414056082408016"/>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>mRsetHTV4FexRWIY1Qk2qZy/zbsRgweqcCzeyDzBViVfLW7TqK8KXKRxSP2lMkBBn0e+yg15tlTFuFOwGcRf9AY20MnjoUqxSx6vjdHe6Jb4nPzHbinDQTXj+mvU1Osy</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>
Notice that the xenc:EncryptedKey element's ds:KeyInfo references (URI="#CFCC32406441E262D414056082408017") the wsse:BinarySecurityToken that is emitted *after* it in the wsse:Security header, i.e. a forward reference. That is well-formed XML, but it can break interoperability: other vendors' WS-Security stacks that process the header in document order (streaming / single-pass receivers) may not yet have seen the token when they resolve the reference and will reject the message because the encryption certificate cannot be located. WS-Security's guidance is that elements are prepended to the header so that a receiver can process it in the order it appears, so the BinarySecurityToken should be emitted before the EncryptedKey (and, in general, every token before the first element that references it). Because the policy above uses sp:Lax layout, the policy itself imposes no ordering, so the message generator has to emit the header in a reference-safe order on its own.