CXF-6409: CXF web service cannot process MTOM/XOP-optimized content within a CipherValue element

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.4
    • Fix Version/s: 3.1.1, 3.0.6
    • Component/s: WS-* Components
    • Labels: None
    • Estimated Complexity: Unknown

      Description

      When a CXF web service endpoint is configured to use WS-Security and MTOM, CXF cannot handle requests from .NET and Metro clients because it cannot process xop:Include elements that are children of enc:CipherValue elements, as both of these clients will optimize any large encrypted (base64-encoded binary) content by serializing it as a MIME part.

      This makes it impossible for .NET and Metro clients to communicate with CXF endpoints which have the MTOM and encryption policies specified.

      1. decrypt-xop.patch (24 kB, attached by Dallas Vaughan)

        Activity

        coheigea Colm O hEigeartaigh added a comment -

        Could you attach the complete message from either Metro or .NET as well as the full stacktrace? Also, could you disable WS-Security streaming and attach the stacktrace for the DOM implementation as well please?

        Colm.

        dallasvaughan Dallas Vaughan added a comment - edited

        Here is the sanitized request (I added formatting to the XML part for readability). There is no stack trace as the original XMLSecurityException gets swallowed and rethrown as a generic WSSecurityException (which then gets sent back as a fault). I found the cause by stepping through Santuario code during the processing of the request.

        The exception thrown for the DOM-based implementation (which is also swallowed so there's no stack trace) is a java.lang.ArrayIndexOutOfBoundsException in the org.apache.xml.security.encryption.XMLCipher.decryptToByteArray() method at a System.arraycopy(encryptedBytes, 0, ivBytes, ivLen) call where encryptedBytes.length == 0, ivBytes.length == 16, and ivLen == 16. When I stepped through this I found that it happens during processing of an EncryptedData/CipherData/CipherValue element that contains an xop:Include element. Since it probably expects base64 here, it failed to initialize encryptedBytes and System.arraycopy expects a byte array of length 16.

        EDIT: I've attached the web service policy file in use for the CXF endpoint (and metro client).

        Metro Request
        POST /test/services/myService HTTP/1.1
        Accept: text/xml, multipart/related
        Content-Type: multipart/related;start="<rootpart*950412d0-d43b-4058-bff6-0a3d54c79563@example.jaxws.sun.com>";type="application/xop+xml";boundary="uuid:950412d0-d43b-4058-bff6-0a3d54c79563";start-info="text/xml"
        SOAPAction: "http://example.com/webservice/myService/myOperation"
        User-Agent: JAX-WS RI 2.2.10 svn-revision#919b322c92f13ad085a933e8dd6dd35d4947364b
        Host: example.com:3333
        Connection: keep-alive
        Content-Length: 11154
        
        --uuid:950412d0-d43b-4058-bff6-0a3d54c79563
        Content-Id: <rootpart*950412d0-d43b-4058-bff6-0a3d54c79563@example.jaxws.sun.com>
        Content-Type: application/xop+xml;charset=utf-8;type="text/xml"
        Content-Transfer-Encoding: binary
        
        <?xml version='1.0' encoding='UTF-8'?>
        <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xs="http://www.w3.org/2001/XMLSchema">
            <S:Header>
                <To xmlns="http://www.w3.org/2005/08/addressing">http://localhost:3333/test/services/myService</To>
                <Action S:mustUnderstand="1" xmlns="http://www.w3.org/2005/08/addressing" xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">http://example.com/webservice/myService/myOperation</Action>
                <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
                    <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
                </ReplyTo>
                <FaultTo xmlns="http://www.w3.org/2005/08/addressing">
                    <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
                </FaultTo>
                <MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:52fd687a-8d92-44cb-ac24-0be1e1f4b25f</MessageID>
                <wsse:Security S:mustUnderstand="1">
                    <wsu:Timestamp wsu:Id="_3" xmlns:ns17="http://www.w3.org/2003/05/soap-envelope" xmlns:ns18="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512">
                        <wsu:Created>2015-05-11T03:04:16Z</wsu:Created>
                        <wsu:Expires>2015-05-11T03:09:16Z</wsu:Expires>
                    </wsu:Timestamp>
                    <xenc:EncryptedKey Id="_5003" xmlns:ns17="http://www.w3.org/2003/05/soap-envelope" xmlns:ns18="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512">
                        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
                        <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="KeyInfoType">
                            <wsse:SecurityTokenReference>
                                <ds:X509Data>
                                    <ds:X509IssuerSerial>
                                        <ds:X509IssuerName>CN=example.com, OU=ABC Group, O=Example, L=Washington, ST=DC, C=US</ds:X509IssuerName>
                                        <ds:X509SerialNumber>1234567890</ds:X509SerialNumber>
                                    </ds:X509IssuerSerial>
                                </ds:X509Data>
                            </wsse:SecurityTokenReference>
                        </ds:KeyInfo>
                        <xenc:CipherData>
                            <xenc:CipherValue xmlns:xop="http://www.w3.org/2004/08/xop/include">
                                <xop:Include href="cid:7a19bfbe-029c-49f3-ae8d-7b1a358d5a52@example.jaxws.sun.com"/>
                            </xenc:CipherValue>
                        </xenc:CipherData>
                        <xenc:ReferenceList>
                            <xenc:DataReference URI="#_5004"/>
                            <xenc:DataReference URI="#_5005"/>
                            <xenc:DataReference URI="#_5006"/>
                        </xenc:ReferenceList>
                    </xenc:EncryptedKey>
                    <xenc:EncryptedData Id="_5006" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:ns17="http://www.w3.org/2003/05/soap-envelope" xmlns:ns18="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512">
                        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
                        <xenc:CipherData>
                            <xenc:CipherValue xmlns:xop="http://www.w3.org/2004/08/xop/include">
                                <xop:Include href="cid:934d35f9-01e8-468e-9e1e-c50b387a95c2@example.jaxws.sun.com"/>
                            </xenc:CipherValue>
                        </xenc:CipherData>
                    </xenc:EncryptedData>
                    <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="uuid_8e5eec8c-bbf4-40b4-9eea-12beecbdd981" xmlns:ns17="http://www.w3.org/2003/05/soap-envelope" xmlns:ns18="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" xmlns:xop="http://www.w3.org/2004/08/xop/include">
                        <xop:Include href="cid:d921b6b7-a534-4d85-83d3-e03f0bbdf1a4@example.jaxws.sun.com"/>
                    </wsse:BinarySecurityToken>
                    <xenc:EncryptedData Id="_5005" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:ns17="http://www.w3.org/2003/05/soap-envelope" xmlns:ns18="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512">
                        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
                        <xenc:CipherData>
                            <xenc:CipherValue xmlns:xop="http://www.w3.org/2004/08/xop/include">
                                <xop:Include href="cid:2c0a72f7-794f-4637-8d07-8ee0e8433145@example.jaxws.sun.com"/>
                            </xenc:CipherValue>
                        </xenc:CipherData>
                    </xenc:EncryptedData>
                </wsse:Security>
            </S:Header>
            <S:Body wsu:Id="_5002">
                <xenc:EncryptedData Id="_5004" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:ns17="http://www.w3.org/2003/05/soap-envelope" xmlns:ns18="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512">
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
                    <xenc:CipherData>
                        <xenc:CipherValue xmlns:xop="http://www.w3.org/2004/08/xop/include">
                            <xop:Include href="cid:81d3295e-2b64-4254-b697-67bcdb1d522e@example.jaxws.sun.com"/>
                        </xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedData>
            </S:Body>
        </S:Envelope>
        --uuid:950412d0-d43b-4058-bff6-0a3d54c79563
        Content-Id: <7a19bfbe-029c-49f3-ae8d-7b1a358d5a52@example.jaxws.sun.com>
        Content-Type: application/ciphervalue
        Content-Transfer-Encoding: binary
        
        H���k-�q��2s1  ߲r���ЭGMp~���Sc™(�M]�*���"�v�y��v�
        v��w(�C�d�?�N�������^_��<�'ƿ    o��\�D�{�"(�J7�{�Txv�kЁ�T�U�A岏3��a\���`��Wh���q �?��WRr�8t����D��[匁�S�6���'��|'����I����4JDyy��J�������{��'he��۟��F�w�Ch����t6⢾V�D:+��g�\�̜
        --uuid:950412d0-d43b-4058-bff6-0a3d54c79563
        Content-Id: <934d35f9-01e8-468e-9e1e-c50b387a95c2@example.jaxws.sun.com>
        Content-Type: application/ciphervalue
        Content-Transfer-Encoding: binary
        
        ��������W4�ĐJǀyp��?�xʰ��g�@Cr��!���@�2�$3����
        �\���VK��}r�¿�`I  ���[Gb�R������ �=��C��Y�!h���j���ܣ�����1Xy�΋��� 2|Ճn"
        6LӖ�yy�w%��B�GqHZ�
        ����P��Jr��`E'
        
        Web Service Policy definitions
        <?xml version="1.0" encoding="UTF-8" standalone="no"?>
        <wsdl:definitions
                xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                xmlns:wssp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
                xmlns:wsp="http://www.w3.org/ns/ws-policy"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
                xmlns:wsoma="http://schemas.xmlsoap.org/ws/2004/09/policy/optimizedmimeserialization"
                name="myWebServicePolicy" targetNamespace="http://example.com/webservice/securitypolicy">
        
            <wsp:Policy 
                    wsp:Name="http://example.com/webservice/securitypolicy/generalBindingPolicy"
                    wsu:Id="myWebServiceGeneralBindingPolicy">
                <wsp:ExactlyOne>
                    <wsp:All>
                        <wsoma:OptimizedMimeSerialization/>
                        <wsam:Addressing wsp:Optional="false"/>
                        <wssp:AsymmetricBinding>
                            <wsp:Policy>
                                <wssp:InitiatorToken>
                                    <wsp:Policy>
                                        <wssp:X509Token wssp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                            <wsp:Policy>
                                                <wssp:WssX509V3Token10/>
                                            </wsp:Policy>
                                        </wssp:X509Token>
                                    </wsp:Policy>
                                </wssp:InitiatorToken>
                                <wssp:RecipientToken>
                                    <wsp:Policy>
                                        <wssp:X509Token wssp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                                            <wsp:Policy>
                                                <wssp:WssX509V3Token10/>
                                                <wssp:RequireIssuerSerialReference/>
                                            </wsp:Policy>
                                        </wssp:X509Token>
                                    </wsp:Policy>
                                </wssp:RecipientToken>
                                <wssp:IncludeTimestamp/>
                                <wssp:OnlySignEntireHeadersAndBody/>
                                <wssp:AlgorithmSuite>
                                    <wsp:Policy>
                                        <wssp:Basic256Sha256/>
                                    </wsp:Policy>
                                </wssp:AlgorithmSuite>
                                <wssp:EncryptSignature/>
                                <wssp:ProtectTokens />
                            </wsp:Policy>
                        </wssp:AsymmetricBinding>
                        <wssp:SignedEncryptedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                            <wsp:Policy>
                                <sp:UsernameToken
                                        sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                    <wsp:Policy>
                                        <sp:WssUsernameToken10 />
                                    </wsp:Policy>
                                </sp:UsernameToken>
                            </wsp:Policy>
                        </wssp:SignedEncryptedSupportingTokens>
                        <wssp:Wss11>
                            <wsp:Policy>
                                <wssp:MustSupportRefIssuerSerial/>
                            </wsp:Policy>
                        </wssp:Wss11>
                    </wsp:All>
                </wsp:ExactlyOne>
            </wsp:Policy>
        
            <wsp:Policy
                    wsp:Name="http://example.com/webservice/securitypolicy/bindingInputPolicy"
                    wsu:Id="myWebServiceBindingInputPolicy">
                <wsp:ExactlyOne>
                    <wsp:All>
                        <wssp:EncryptedParts>
                            <wssp:Body/>
                        </wssp:EncryptedParts>
                        <wssp:SignedParts>
                            <wssp:Body/>
                        </wssp:SignedParts>
                    </wsp:All>
                </wsp:ExactlyOne>
            </wsp:Policy>
        
            <wsp:Policy 
                    wsp:Name="http://example.com/webservice/securitypolicy/bindingOutputPolicy"
                    wsu:Id="myWebServiceBindingOutputPolicy">
                <wsp:ExactlyOne>
                    <wsp:All>
                        <wssp:EncryptedParts>
                            <wssp:Body/>
                        </wssp:EncryptedParts>
                        <wssp:SignedParts>
                            <wssp:Body/>
                        </wssp:SignedParts>
                    </wsp:All>
                </wsp:ExactlyOne>
            </wsp:Policy>
        
            <wsp:Policy 
                    wsp:Name="http://example.com/webservice/securitypolicy/bindingFaultPolicy"
                    wsu:Id="myWebServiceBindingFaultPolicy">
                <wsp:ExactlyOne>
                    <wsp:All>
                        <wssp:EncryptedParts>
                            <wssp:Body/>
                        </wssp:EncryptedParts>
                        <wssp:SignedParts>
                            <wssp:Body/>
                        </wssp:SignedParts>
                    </wsp:All>
                </wsp:ExactlyOne>
            </wsp:Policy>
        </wsdl:definitions>
        
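The description explains the interop problem (Metro, and reportedly .NET, serialize the ciphertext as a MIME part and leave an xop:Include as the only child of xenc:CipherValue), and the comment above traces the DOM-side failure to XMLCipher.decryptToByteArray() receiving an empty byte array because it expected base64 text in CipherValue. The Python script below is an added example, not CXF, WSS4J or Santuario code and not the decrypt-xop.patch attached to this issue. It shows the receive-side step such a message needs before a standard XML-Encryption decryptor can run: a binary-safe split of the multipart/related body, resolution of each cid: reference under CipherValue back into base64 text, and a length check that rejects empty or non-block-aligned CBC ciphertext with a clear error rather than an index error deep in the decryptor. Every name in it (split_multipart, validate_ciphertext, inline_cipher_values, process_request, build_sample_request), the boundary, the Content-Ids and the 32 placeholder "ciphertext" bytes are constructed for this example and do not come from the captured request.

```python
"""Inline MTOM/XOP-optimized ciphertext back into xenc:CipherValue so that a decryptor
expecting base64 text (as XML Encryption specifies) can process it. Added illustration:
not CXF, WSS4J or Santuario code, and not the decrypt-xop.patch attached to the issue."""
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

XENC = "http://www.w3.org/2001/04/xmlenc#"
XOP = "http://www.w3.org/2004/08/xop/include"
AES_BLOCK = 16  # IV length and block size of the aes*-cbc algorithms
for _p, _u in (("S", "http://schemas.xmlsoap.org/soap/envelope/"), ("xenc", XENC), ("xop", XOP)):
    ET.register_namespace(_p, _u)  # keep the familiar prefixes when re-serializing

def split_multipart(body: bytes, boundary: str) -> list:
    """Binary-safe split of a multipart/related body into (headers, payload) pairs; raw
    (Content-Transfer-Encoding: binary) payloads survive even if they contain CR/LF bytes."""
    delim = b"\r\n--" + boundary.encode("ascii")
    parts = []
    for chunk in (b"\r\n" + body).split(delim)[1:]:  # [0] is the preamble
        if chunk.startswith(b"--"):
            break  # closing delimiter
        chunk = chunk[2:] if chunk.startswith(b"\r\n") else chunk
        head, _, payload = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.decode("ascii").split("\r\n"):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        parts.append((headers, payload))
    return parts

def validate_ciphertext(algorithm: str, data: bytes) -> bytes:
    """Fail early on ciphertext a CBC decryptor cannot split into IV + blocks: an empty
    CipherValue (what an unresolved xop:Include yields) gets a clear error, not an index error."""
    if not data:
        raise ValueError(f"empty ciphertext for {algorithm}")
    if algorithm.endswith("-cbc") and (len(data) < AES_BLOCK or len(data) % AES_BLOCK):
        raise ValueError(f"ciphertext length {len(data)} is invalid for {algorithm}")
    return data

def inline_cipher_values(root_xml: bytes, attachments: dict):
    """Replace each xop:Include under xenc:CipherValue with the base64 of the referenced
    MIME part. Returns (rewritten XML bytes, {EncryptedKey/EncryptedData Id: raw bytes})."""
    root = ET.fromstring(root_xml)
    resolved = {}
    for tag in ("EncryptedKey", "EncryptedData"):
        for enc in root.iter(f"{{{XENC}}}{tag}"):
            method = enc.find(f"{{{XENC}}}EncryptionMethod")
            algorithm = method.get("Algorithm", "") if method is not None else ""
            cv = enc.find(f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue")
            if cv is None:
                continue
            for inc in [c for c in cv if c.tag == f"{{{XOP}}}Include"]:
                href = inc.get("href", "")
                cid = unquote(href[4:]) if href.startswith("cid:") else None  # cid: may be %-encoded
                if cid not in attachments:
                    raise ValueError(f"cannot resolve xop:Include href {href!r}")
                data = validate_ciphertext(algorithm, attachments[cid])
                cv.text = base64.b64encode(data).decode("ascii")  # what the decryptor expects
                cv.remove(inc)
                resolved[enc.get("Id", "")] = data
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), resolved

def process_request(raw: bytes):
    """Resolve CipherValue includes in a raw HTTP request (header lines + body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    m = re.search(rb'boundary="?([^";\r\n]+)"?', head)
    if not m:
        raise ValueError("not a multipart/related request")
    parts = split_multipart(body, m.group(1).decode("ascii"))
    root_xml = parts[0][1]  # assumes the root (start) part comes first, as in the Metro request
    attachments = {h.get("content-id", "").strip("<>"): p for h, p in parts[1:]}
    return inline_cipher_values(root_xml, attachments)

# Constructed sample (not the captured Metro request): one EncryptedData whose CipherValue is an
# xop:Include pointing at a binary part. The 32 placeholder bytes are not real AES output.
BOUNDARY = "uuid:constructed-boundary"
CIPHERTEXT = bytes(range(32))
SAMPLE_ROOT = (
    b'<?xml version="1.0" encoding="UTF-8"?><S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"'
    b' xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><S:Body>'
    b'<xenc:EncryptedData Id="_5004" Type="http://www.w3.org/2001/04/xmlenc#Content">'
    b'<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>'
    b'<xenc:CipherData><xenc:CipherValue xmlns:xop="http://www.w3.org/2004/08/xop/include">'
    b'<xop:Include href="cid:part1@constructed.example"/></xenc:CipherValue></xenc:CipherData>'
    b'</xenc:EncryptedData></S:Body></S:Envelope>'
)

def build_sample_request() -> bytes:
    b = BOUNDARY.encode("ascii")
    return b"".join([
        b'Content-Type: multipart/related;type="application/xop+xml";boundary="', b, b'"\r\n\r\n',
        b"--", b, b"\r\nContent-Id: <root@constructed.example>\r\n",
        b'Content-Type: application/xop+xml;charset=utf-8;type="text/xml"\r\n',
        b"Content-Transfer-Encoding: binary\r\n\r\n", SAMPLE_ROOT, b"\r\n",
        b"--", b, b"\r\nContent-Id: <part1@constructed.example>\r\n",
        b"Content-Type: application/ciphervalue\r\nContent-Transfer-Encoding: binary\r\n\r\n",
        CIPHERTEXT, b"\r\n--", b, b"--\r\n",
    ])

if __name__ == "__main__":
    print(process_request(build_sample_request())[0].decode())
```

Running the module prints the envelope with the xop:Include replaced by the base64 of the referenced part, which is the form both the DOM and the StAX decryptors in the thread dumps above already handle. The splitter deliberately does not go through a text-oriented MIME library: the parts carry Content-Transfer-Encoding: binary, so the ciphertext may contain any byte value, including CR/LF, and must be cut only at the boundary delimiter. validate_ciphertext is the check whose absence the comment above describes on the DOM side; it turns the length-zero case into a fault with a meaningful message.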
        dallasvaughan Dallas Vaughan added a comment -

        Also, the statement about .NET clients not being compatible is an assumption based on Metro/WSIT's own assertions about this compatibility.

        In the past I have worked with .NET clients attempting to connect to an MTOM+WSS-enabled web service, and as far as I remember, they encoded and attached the encrypted data in a similar way (though I'm not sure they use the content-type of "application/ciphervalue" for the MIME parts).

        dallasvaughan Dallas Vaughan added a comment -

        Okay, instead of stack traces, here are the partial thread-dumps:

        DOM-based
        at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1872)
        	  at org.apache.xml.security.encryption.XMLCipher.decryptElement(XMLCipher.java:1743)
        	  at org.apache.xml.security.encryption.XMLCipher.decryptElementContent(XMLCipher.java:1781)
        	  at org.apache.xml.security.encryption.XMLCipher.doFinal(XMLCipher.java:1031)
        	  at org.apache.wss4j.dom.processor.ReferenceListProcessor.decryptEncryptedData(ReferenceListProcessor.java:437)
        	  at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.decryptDataRef(EncryptedKeyProcessor.java:545)
        	  at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.decryptDataRefs(EncryptedKeyProcessor.java:480)
        	  at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:230)
        	  at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:69)
        	  at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:427)
        	  at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:278)
        	  at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:190)
        	  at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:133)
        	  at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:116)
        	  at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
        	  - locked <0x5231> (a org.apache.cxf.phase.PhaseInterceptorChain)
        	  at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        	  at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251)
        	  at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
        	  at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
        	  at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
        	  at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
        	  at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
        	  at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:212)
        	  at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
        
        StAX-based (decryption-thread)
        	  at org.apache.xml.security.stax.impl.processor.input.AbstractDecryptInputProcessor$DecryptionThread.run(AbstractDecryptInputProcessor.java:814)
        	  at java.lang.Thread.run(Thread.java:745)
        
        StAX-based (calling thread - waiting on decryption thread, I suppose)
        	  at java.lang.Object.wait(Object.java:-1)
        	  at java.io.PipedInputStream.read(PipedInputStream.java:327)
        	  at java.io.PipedInputStream.read(PipedInputStream.java:378)
        	  at org.apache.xml.security.stax.impl.util.MultiInputStream.read(MultiInputStream.java:59)
        	  at com.ctc.wstx.io.BaseReader.readBytes(BaseReader.java:155)
        	  at com.ctc.wstx.io.UTF8Reader.loadMore(UTF8Reader.java:369)
        	  at com.ctc.wstx.io.UTF8Reader.read(UTF8Reader.java:112)
        	  at com.ctc.wstx.io.MergedReader.read(MergedReader.java:104)
        	  at com.ctc.wstx.io.ReaderSource.readInto(ReaderSource.java:89)
        	  at com.ctc.wstx.io.BranchingReaderSource.readInto(BranchingReaderSource.java:57)
        	  at com.ctc.wstx.sr.StreamScanner.loadMore(StreamScanner.java:1006)
        	  at com.ctc.wstx.sr.StreamScanner.getNext(StreamScanner.java:765)
        	  at com.ctc.wstx.sr.BasicStreamReader.nextFromTree(BasicStreamReader.java:2786)
        	  at com.ctc.wstx.sr.BasicStreamReader.next(BasicStreamReader.java:1115)
        	  at org.apache.xml.security.stax.impl.processor.input.AbstractDecryptInputProcessor.forwardToWrapperElement(AbstractDecryptInputProcessor.java:371)
        	  at org.apache.xml.security.stax.impl.processor.input.AbstractDecryptInputProcessor.processEvent(AbstractDecryptInputProcessor.java:291)
        	  at org.apache.xml.security.stax.impl.processor.input.AbstractDecryptInputProcessor.processNextHeaderEvent(AbstractDecryptInputProcessor.java:141)
        	  at org.apache.xml.security.stax.impl.InputProcessorChainImpl.processHeaderEvent(InputProcessorChainImpl.java:188)
        	  at org.apache.wss4j.stax.impl.processor.input.OperationInputProcessor.processNextHeaderEvent(OperationInputProcessor.java:51)
        	  at org.apache.xml.security.stax.impl.InputProcessorChainImpl.processHeaderEvent(InputProcessorChainImpl.java:188)
        	  at org.apache.wss4j.policy.stax.PolicyInputProcessor.processNextHeaderEvent(PolicyInputProcessor.java:64)
        	  at org.apache.xml.security.stax.impl.InputProcessorChainImpl.processHeaderEvent(InputProcessorChainImpl.java:188)
        	  at org.apache.wss4j.stax.impl.processor.input.SecurityHeaderInputProcessor$InternalSecurityHeaderBufferProcessor.processNextHeaderEvent(SecurityHeaderInputProcessor.java:244)
        	  at org.apache.xml.security.stax.impl.InputProcessorChainImpl.processHeaderEvent(InputProcessorChainImpl.java:188)
        	  at org.apache.wss4j.stax.impl.processor.input.SecurityHeaderInputProcessor.processNextEvent(SecurityHeaderInputProcessor.java:86)
        	  at org.apache.xml.security.stax.impl.InputProcessorChainImpl.processEvent(InputProcessorChainImpl.java:193)
        	  at org.apache.xml.security.stax.impl.XMLSecurityStreamReader.next(XMLSecurityStreamReader.java:78)
        	  at org.apache.wss4j.stax.impl.WSSecurityStreamReader.next(WSSecurityStreamReader.java:45)
        	  at org.apache.xml.security.stax.impl.XMLSecurityStreamReader.getEventType(XMLSecurityStreamReader.java:395)
        	  at org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor.handleMessage(ReadHeadersInterceptor.java:161)
        	  at org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor.handleMessage(ReadHeadersInterceptor.java:65)
        	  at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
        	  - locked <0x66e2> (a org.apache.cxf.phase.PhaseInterceptorChain)
        	  at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        	  at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251)
        	  at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
        	  at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
        	  at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
        	  at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
        	  at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
        	  at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:212)
        	  at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
        
        coheigea Colm O hEigeartaigh added a comment -

        Thanks for the information. OK, I've added some initial support for processing CipherValue elements containing xop:Include in the DOM code only, in WSS4J 2.1.1-SNAPSHOT and 2.0.5-SNAPSHOT. Could you grab the latest code (easiest to build the relevant branch yourself) and run the test again? I expect it to fail, as I haven't added support for it in BinarySecurityToken elements yet. I'm not entirely sure if I'm doing the right thing in terms of decryption, so it'd be helpful to know where the processing fails.

        Colm.

        coheigea Colm O hEigeartaigh added a comment -

        Support added for BinarySecurityTokens as well (DOM code only). Please let me know how the latest code holds up.

        Colm.

        dallasvaughan Dallas Vaughan added a comment - - edited

        Thanks, Colm!

        EDIT: Never mind the question below, found it in branches/2.0.x! Duh...
        Can you tell me how to check out this snapshot? I don't see instructions on the site (the trunk is 2.1.1-SNAPSHOT, but we have built on top of 2.0.x).

        coheigea Colm O hEigeartaigh added a comment -

        One problem is that there is a minor change in WSS4J 2.0.5-SNAPSHOT which will break CXF 3.0.5. I've just merged a fix to CXF's 3.0.x-fixes branch. So you can just check out the CXF 3.0.x-fixes branch + build this locally and use this instead, and it should pick up the WSS4J SNAPSHOT changes as part of this.

        Colm.

        dallasvaughan Dallas Vaughan added a comment -

        Hi Colm,
        I checked out the 3.0.x-fixes branch and installed locally, and, while it looks like it's using the new BinarySecurity class, it is failing in the setToken method. It's throwing a NullPointerException on node.setData(...) (line 214) because of the following (in comments):

        BinarySecurity.class
            public void setToken(byte[] data) {
                if (data == null) {
                    throw new IllegalArgumentException("data == null");
                } else {
                    Text node = this.getFirstNode(); // returns null
                    node.setData(Base64.encode(data)); // throws NPE
                }
            }

            protected Text getFirstNode() {
                Node node = this.element.getFirstChild(); // node = <xop:Include>
                // node.getNodeType() = 1 (ELEMENT_NODE), not 3 (TEXT_NODE), so this returns null
                return node != null && 3 == node.getNodeType() ? (Text) node : null;
            }
        
        coheigea Colm O hEigeartaigh added a comment -

        OK, I've fixed this in WSS4J + deployed a new SNAPSHOT. Can you try again?

        Colm.

        dallasvaughan Dallas Vaughan added a comment -

        I tested it but it didn't work (was getting exceptions because the WSDataRef objects weren't populated fully after decrypting the XOP attachments).

        I actually got it to work by making changes to the WSS4J EncryptionUtils class (patch is attached).

        The XOP handling behavior could probably be implemented more cleanly, though, so please take a look.

        coheigea Colm O hEigeartaigh added a comment -

        Thanks for the patch. I have applied it to WSS4J. Could you try again with the latest WSS4J 2.0.x-SNAPSHOT? I made a change to the BinarySecurityToken handling stuff to avoid Base64 encoding + decoding the raw bytes.

        Colm.

        dallasvaughan Dallas Vaughan added a comment -

        The changes to BinarySecurity and BinarySecurityTokenProcessor seem to break it :-/

        I'll have to debug it tomorrow to see exactly why.

        dallasvaughan Dallas Vaughan added a comment -

        I have stepped through the Binary Security Token processing code and found the following:

        The signature validation doesn't work with the BinarySecurity changes because, unlike with the previous implementation, the xop:Include element is still present in the BinarySecurityToken element. This is because the setToken(byte[]) method, which replaces the "include" element with the base64-encoded value, is never called. The setToken call was replaced by setRawToken in the BinarySecurityTokenProcessor class (line 178).

        When the digest is calculated for the BinarySecurityToken in signature verification, (I believe) it uses the element's child value, and because it's still an xop:Include element, it doesn't match and it fails.

        coheigea Colm O hEigeartaigh added a comment -

        Thanks again for testing. I'd forgotten about the possibility that the BinarySecurityToken could be signed. Could you try again with the latest WSS4J SNAPSHOT? I merged some code to "expand" the xop:Include node if the BinarySecurityToken is signed.

        Colm.

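        The two findings above (a DOM Text node expected where an xop:Include element sits, and a signed BinarySecurityToken whose digest no longer matches while the Include is still present) both come down to expanding the Include back into base64 text before the security code touches the element. The following is an added, self-contained Java illustration of that step written for this issue; it is not WSS4J's or CXF's code, and the class name XopExpandDemo, the method expandXopInclude, the Content-ID part1@example.invalid and the certificate bytes are all constructed for the example.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XopExpandDemo {
    static final String XOP_NS = "http://www.w3.org/2004/08/xop/include";
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    /**
     * Hypothetical helper: expand an element (BinarySecurityToken or CipherValue) whose only
     * child is an xop:Include into the base64 Text node the XML Security code expects.
     * Returns false and leaves the element untouched if the content is anything other than a
     * single cid: Include whose MIME part is present, so the caller can reject the message.
     */
    static boolean expandXopInclude(Element element, Map<String, byte[]> parts) {
        Element include = null;
        NodeList children = element.getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node n = children.item(i);
            if (n.getNodeType() == Node.TEXT_NODE && n.getTextContent().trim().isEmpty()) {
                continue; // ignorable whitespace around the Include
            }
            boolean isInclude = n.getNodeType() == Node.ELEMENT_NODE
                && XOP_NS.equals(n.getNamespaceURI()) && "Include".equals(n.getLocalName());
            if (!isInclude || include != null) {
                return false; // mixed content or more than one Include: not XOP-optimized
            }
            include = (Element) n;
        }
        if (include == null) {
            return false;
        }
        String href = include.getAttribute("href");
        if (!href.startsWith("cid:")) {
            return false; // XOP only permits cid: references
        }
        // Lookup by the raw Content-ID (assumption); a real implementation also percent-decodes.
        byte[] raw = parts.get(href.substring("cid:".length()));
        if (raw == null) {
            return false; // referenced MIME part is missing
        }
        while (element.getFirstChild() != null) {
            element.removeChild(element.getFirstChild());
        }
        element.appendChild(element.getOwnerDocument()
            .createTextNode(Base64.getEncoder().encodeToString(raw)));
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: token bytes moved to MIME part "part1@example.invalid".
        byte[] certBytes = "constructed-not-a-real-certificate".getBytes(StandardCharsets.UTF_8);
        Map<String, byte[]> parts = Map.of("part1@example.invalid", certBytes);
        String xml = "<wsse:BinarySecurityToken xmlns:wsse=\"" + WSSE_NS + "\" xmlns:xop=\"" + XOP_NS
            + "\"><xop:Include href=\"cid:part1@example.invalid\"/></wsse:BinarySecurityToken>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        Element bst = doc.getDocumentElement();
        // Before: first child is an element (node type 1), which is why getFirstNode() returned null.
        System.out.println("before: first child node type = " + bst.getFirstChild().getNodeType());
        boolean ok = expandXopInclude(bst, parts);
        // After: first child is a Text node (type 3) holding the base64 value.
        System.out.println("expanded=" + ok + ", node type = " + bst.getFirstChild().getNodeType());
        byte[] roundTrip = Base64.getDecoder().decode(bst.getTextContent());
        System.out.println("bytes match: " + Arrays.equals(roundTrip, certBytes));
    }
}
```

        Because the Include is replaced by the base64 text before any digest is taken, a signature over the token covers the same serialized content the sender signed, which is the mismatch the previous comment describes.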
        coheigea Colm O hEigeartaigh added a comment -


        Marking this as fixed, as I managed to test it with a Metro MTOM-enabled response.


          People

          • Assignee: coheigea Colm O hEigeartaigh
          • Reporter: dallasvaughan Dallas Vaughan