CXF-6398: AlgorithmSuitePolicyValidator rejects enveloped-signature Transform

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Pending Closed
    • Affects Version/s: 3.0.5
    • Fix Version/s: 3.1.1, 3.0.6
    • Component/s: WS-* Components

      Description

      I'm receiving a response from a (.NET) web service, where the security requirements are set by a WS-SecurityPolicy section in the WSDL.

      The response contains a set of Reference elements that have both the enveloped-signature transform and the c14n transform, example below:

      	<Reference URI="#action">
      		<Transforms>
      			<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
      			<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
      		</Transforms>
      		<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      		<DigestValue>1hj8fpM7T5rcOsNRPpnxA3p3AkM=</DigestValue>
      	</Reference>

      Unfortunately, the AlgorithmSuitePolicyValidator does not like the enveloped-signature transform, and the response is rejected, exception shown below:

      Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These policy alternatives can not be satisfied: 
      {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AlgorithmSuite: The transform algorithms do not match the requirement
      {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Basic256
      	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
      	at com.sun.proxy.$Proxy33.helloWorld(Unknown Source)
      	at client.WSClient.hello(WSClient.java:19)
      	at client.WSClient.main(WSClient.java:12)
      Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied: 
      {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AlgorithmSuite: The transform algorithms do not match the requirement
      {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Basic256
      	at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:203)
      	at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:102)
      	at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
      	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
      	at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)

      I took a look at the AlgorithmSuitePolicyValidator that does the actual validation, and it scans through all the Transforms, and rejects the Reference if ANY of the Transform elements are not on an approved list.

      Should it not just validate that the list of Transforms contains at least one transform that is c14n (or similar), and allow the enveloped-signature transform?
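The two validation rules discussed in this report, the one observed (every Transform must be on the allowlist) and the one proposed (tolerate enveloped-signature, but still require an allowed canonicalization and reject anything else), side by side as an added example. This is illustrative code written for this page, not CXF's AlgorithmSuitePolicyValidator; the allowlist of canonicalization URIs and the two extra References (one with only enveloped-signature, one that also carries an XSLT transform) are constructed assumptions, and the "#action" Reference is the one from the report.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED_SIGNATURE = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
INC_C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
XSLT = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# Assumed allowlist: the canonicalization algorithms an AlgorithmSuite such as
# Basic256 would accept. A stand-in for what the real validator derives from policy.
ALLOWED_C14N = frozenset({EXC_C14N, INC_C14N})

# Constructed SignedInfo: the "#action" Reference quoted in the report, plus two
# constructed References that any correct check must still reject.
SAMPLE_SIGNED_INFO = f"""
<SignedInfo xmlns="{DS}">
  <Reference URI="#action">
    <Transforms>
      <Transform Algorithm="{ENVELOPED_SIGNATURE}"/>
      <Transform Algorithm="{EXC_C14N}"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>1hj8fpM7T5rcOsNRPpnxA3p3AkM=</DigestValue>
  </Reference>
  <Reference URI="#env-only">
    <Transforms>
      <Transform Algorithm="{ENVELOPED_SIGNATURE}"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>AAAA</DigestValue>
  </Reference>
  <Reference URI="#xslt">
    <Transforms>
      <Transform Algorithm="{ENVELOPED_SIGNATURE}"/>
      <Transform Algorithm="{XSLT}"/>
      <Transform Algorithm="{EXC_C14N}"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>AAAA</DigestValue>
  </Reference>
</SignedInfo>
"""


def transform_algorithms(reference):
    """Return the Transform Algorithm URIs of one ds:Reference, in document order."""
    path = f"{{{DS}}}Transforms/{{{DS}}}Transform"
    return [t.get("Algorithm") for t in reference.findall(path)]


def strict_check(algorithms):
    """Behaviour the reporter observed: every Transform must be on the allowlist,
    so the presence of enveloped-signature alone rejects the Reference."""
    return all(a in ALLOWED_C14N for a in algorithms)


def relaxed_check(algorithms):
    """Reporter's proposal: tolerate enveloped-signature, but every remaining
    Transform must be an allowed canonicalization and at least one must be present.
    Unknown or dangerous transforms (here XSLT) are still rejected."""
    remaining = [a for a in algorithms if a != ENVELOPED_SIGNATURE]
    return bool(remaining) and all(a in ALLOWED_C14N for a in remaining)


def validate_references(signed_info_xml, check):
    """Map each Reference URI to the verdict of `check` on its Transform list."""
    root = ET.fromstring(signed_info_xml.strip())
    return {ref.get("URI"): check(transform_algorithms(ref))
            for ref in root.findall(f"{{{DS}}}Reference")}


if __name__ == "__main__":
    for name, check in (("strict", strict_check), ("relaxed", relaxed_check)):
        print(name, validate_references(SAMPLE_SIGNED_INFO, check))
```

Under the strict rule the "#action" Reference from the report is rejected; under the relaxed rule it passes, while the Reference with no canonicalization at all and the one carrying an XSLT transform are still rejected. The point for anyone adjusting such a validator is that the relaxation should be a single explicitly named exception, not a wildcard: the remaining transforms are still matched against a fixed allowlist.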

            People

            • Assignee: Colm O hEigeartaigh (coheigea)
            • Reporter: Brian Storm Graversen (BSGraversen)