Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
1.4, 1.5
-
None
-
None
Description
Interop with WSIT issue: com.sun.xml.wss.XWSSecurityException: Policy verification error:Missing target SignatureConfirmation for Encryption
Caused by the fact that Rampart doesn't handle <sp:EncryptSignature/> correctly. When EncryptSignature is specified, SignatureConfirmation must be encrypted, but isn't in all Rampart versions including 1.5.
According to WS-SecurityPolicy specification:
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826550
6.4 [Signature Protection] Property
This boolean property specifies whether the signature must be encrypted. If the value is 'true', the primary signature MUST be encrypted and any signature confirmation elements MUST also be encrypted. If the value is 'false', the primary signature MUST NOT be encrypted and any signature confirmation elements MUST NOT be encrypted.
Here's a SOAP response from Rampart's policy sample 04 (rampart-samples/policy/sample04) which shows SignatureConfirmation headers are not encrypted:
<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soapenv:mustUnderstand="1">
<wsu:Timestamp
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Timestamp-85">
<wsu:Created>2011-03-14T14:09:32.410Z</wsu:Created>
<wsu:Expires>2011-03-14T14:14:32.410Z</wsu:Expires>
</wsu:Timestamp>
<wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="derivedKeyId-90">
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1">BjZtgjN6OKwzy5h0nf4y9WmsQRs=
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
<wsc:Offset>0</wsc:Offset>
<wsc:Length>16</wsc:Length>
<wsc:Nonce>tmE7px+eJLYGz1dftcOQBA==</wsc:Nonce>
</wsc:DerivedKeyToken>
<xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:DataReference URI="#EncDataId-91" />
<xenc:DataReference URI="#EncDataId-92" />
</xenc:ReferenceList>
<wsse11:SignatureConfirmation
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
Value="LI7peNNLVlZp5lvAtGsCtGSWFD+WdLPIAJeDL6Nfp5kdiypnhFvKA9eOXKWY6yJ4Cjf7376AcYVe1DGTHfeQS4kRSvyRgGV8Y+CPJAnD7dL59G8nf1yJD8Mf6f83oH4RDcO0pCghCpkh1xxOEeMmAC5G1RiCPA3pyhpzwl63OME="
wsu:Id="SigConf-86" />
<wsse11:SignatureConfirmation
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
Value="Gd/qMXptxoxpGLzjTi1ZFCzEC7k=" wsu:Id="SigConf-87" />
<wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="derivedKeyId-88">
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1">BjZtgjN6OKwzy5h0nf4y9WmsQRs=
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
<wsc:Offset>0</wsc:Offset>
<wsc:Length>16</wsc:Length>
<wsc:Nonce>7Tj/+Hrw4SOhHi/p1VXQ6g==</wsc:Nonce>
</wsc:DerivedKeyToken>
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="EncDataId-92" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:Reference URI="#derivedKeyId-90" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>xB1bfBI0PLv/VBEUrB93VH.........
ZtOBDxaxg88K/GBy+/3bDJjdKvGY3L1UAg==</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</wsse:Security>
<wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
<wsa:MessageID>urn:uuid:22AD6B2F5CD166F4CC1300111772450</wsa:MessageID>
<wsa:Action>http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT</wsa:Action>
<wsa:RelatesTo>urn:uuid:58FEB2F4DD594836A11300111766887</wsa:RelatesTo>
</soapenv:Header>
<soapenv:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-25252664">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="EncDataId-91" Type="http://www.w3.org/2001/04/xmlenc#Content">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference URI="#derivedKeyId-90" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>vWYZFT3RQDSLsQJAd11JUUgm.........
ZxV6Az5gNqk9upVlQA==</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope>