Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-7605

RequireDerivedKeys policy is read, but not executed when using streaming WS-Security



    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 3.1.14, 3.2.2, 3.1.15
    • None
    • Unknown


      CXF 3.2.2-SNAPSHOT, as well as 3.1.15-SNAPSHOT do not derive keys for hmac signature, while ws-policy states that derived keys are required (<ws:RequireDerivedKeys/> in effective Policy).

      The Actions cxf determines are also "TIMESTAMP" and "SAMLTOKENSIGNED", which is not stated in the policy - it calls for TIMESTAMP and SIGNATURE (with a derived symetric key)

      The Policy is embedded in the wsdl that is passed to the wsdl2java gradle task.

      Inspecting the SoapMessage passed to the WSStaxOutInterceptor the contents of org.apache.cxf.ws.policy.EffectivePolicy.choosenAlternative[1] (SupportEndorsingTokens) contain a nested Policy setting RequireDerivedKeys.

      This reflects the structure and contents of the attached policy (see policy_fragment.xml).

      CXF correctly embeds a SAML Token as requested by the policy and signs using a symmetric key (got by WS-Secureconversation / WS-Trust previously) - both steps are defined in the attached policy.

      CXF should however, sign with a key derived from said symmetric key, specified by <wsp:RequestDerivedKeys />, this step is ignored, thus resulting an a request that does not adhere to the policy.

      The PolicyVerificationOutInterceptor also recieves a Soapmessage Object with the RequestDerivedKeys Assertion set to asserted=true.

      WSS4JStaxOutInterceptor, line 159
      OutboundWSSec outboundWSSec = WSSec.getOutboundWSSec(secProps);

      outboundWSSec.securityProperties.isUseDerivedKeyForMAC() produces true (which is default)

      outboundWSSec.securityProperties.getSignatureAlgorithm() produces http://www.w3.org/2000/09/xmldsig#hmac-sha1

      all other properties related to derived keys are null / 0 / their defaults.

      Code works if cxf version 3.2.2-SNAPSHOT AND cxf Bundle 2.7.18 are on the classpath simulataneously - so i assume key derivation happened in the version packed in the bundle.

      build.gradle.working results in a soap envelope with an hmac signature on the timestamp, produced by derivating a key from the ws-secureconversationkey, containing this element:
      <wsc:DerivedKeyToken xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" wsu:Id="DK-3A4FD7F484F29F6BF215154251877012"><wsse:SecurityTokenReference xmlns:ns4="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" ns4:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"><wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">nstsaa9fb8cc-ccb4-4dba-b7db-aa335d216bb3</wsse:KeyIdentifier></wsse:SecurityTokenReference><wsc:Offset>0</wsc:Offset><wsc:Length>24</wsc:Length><wsc:Nonce>QktGO31p79qn7dhom83QNQ==</wsc:Nonce></wsc:DerivedKeyToken>

      build.gradle.failing results in a soap envelope with an hmac signature produced with the ws-secureconversation key. The Derived key element is missing, as no key is derived.

      Attached are:

      • full_wsdl.wsdl - the wsdl parsed by cxfs' "wsdl2java" gradle task (stripped of irrelevant endpoints and domain names)
      • code.java - code snippet demonstrating the use-case
      • policy_fragment.xml - the policy to save looking for it in the wsdl


        1. policy_fragment.xml
          3 kB
        2. code.java
          3 kB
        3. full_wsdl.wsdl
          8 kB
        4. build.gradle.working
          4 kB
        5. build.gralde.failing
          2 kB



            Unassigned Unassigned
            LukasN Lukas
            0 Vote for this issue
            2 Start watching this issue