SANTUARIO-397: EncryptedKey Id Validation fails

Details

    Description

      The issue is discussed on this page: http://apache-xml-project.6118.n7.nabble.com/EncryptedKey-Id-Validation-fails-td41424.html

      ISSUE SIMULATION:
      Run the App.java class attached to this JIRA.

      ISSUE DESCRIPTION:
      I have a flow that does encryption using xmlsec library 2.0.1 and it then sends the encrypted message to third party system. This third party is unable to validate the message if there are two or more encrypted xml elements in them and the exception they see is: validation failed with SEVERE parse event: cvc-id.2: There are multiple occurrences of ID value 'G0babc16e-4911-4cfc-93ab-0b8905afd19e'.

      org.xml.sax.SAXParseException; cvc-id.2: There are multiple occurrences of ID value 'Gd88756c9-dd2e-4db3-9180-5d129a8ad5ce'.

      This ID element is present in xenc:EncryptedKey element, and I can see that the message has the same Id twice, here is the encrypted message:

      <PurchaseOrder xmlns="urn:example:po">
      <Items>
      <Item Code="001-001-001" Quantity="1">
      spade
      </Item>
      <Item Code="001-001-002" Quantity="1">
      shovel
      </Item>
      </Items>
      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="Gceae4fd0-c41d-4249-84f4-7edecf0f8343" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <xenc:EncryptedKey Id="Gd88756c9-dd2e-4db3-9180-5d129a8ad5ce"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><xenc:CipherData><xenc:CipherValue>j7W67ywBNckkL1yh71aAD6AWoDlVGq2Rs75RBn0dahIcK48GsE4doQcfpg5dfuLGORa4UJ1k5JMA
      juH7ifAjJ+NZB6unxc/rwRPE6vc5YSekuM7wEymvRaABxLcodHh8bna7IsLlyvGcqnH2rhQ9PCCG
      I9cPTsxH4uLv+3CHoEY=
      </xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></dsig:KeyInfo><xenc:CipherData><xenc:CipherValue>TTpW2Gj0eTgOFhyfjzFosVAoIC1KbRUwCUV+hr4lATFM2cIFKVp4W+ffia7B4NXfQiqJqLVOCxUiy+oIG0dHaM97vobJZhrugvUxYH71HRBcKtT2Qr9ZAv4yV5XRM/iUnb1wiMeD+0KizyRArfRRMQ==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="G5ce41c2f-130e-4bc9-8c03-5c52b7c30766" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <xenc:EncryptedKey Id="Gd88756c9-dd2e-4db3-9180-5d129a8ad5ce"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><xenc:CipherData><xenc:CipherValue>t8959RpcQ3fpQqsdryU8pE83jNR3QWLgXipjR9JH0IuZP07TB5GXmxkTEQ+Yern6Wv7ZF9EyXvA8
      s8QLVpwso5GRpdHjO9YEVMEQPSm9PDgAihTPzPijHA+28f+V45EU/BxRxUxyHvqRWpvxga6mxeGW
      Fbx1bdThiU5Y35IPw30=
      </xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></dsig:KeyInfo><xenc:CipherData><xenc:CipherValue>FeH0+xawqckGtuwSf2L5b69g9AqrEkfeqwpAray/mK3kxqcT92CtapeL7uGmNpfKMcj6uXHA+FihGssA+Pr6lT/WVlmny+ZulPGbaEuRCMlfuzz3XJSci42w1R5c3KSeGmr4t/qlD/ymejXzISOOAcAx1HJaM1hRtcA/+fO6RAYyG/oyqNpLhLJZYS5dI1kFq92XyVsWLnkDAcG9hDGJJe1g/Qm7mvQOkfXAnmsYo8oVfjk3fQN5uABzN4lseesDEzFXG5LFSHXtUEw3Pdz6pW3E0f6kdVGNyp4lQczLqIbP2qU+quXAKfNxPPZrIj8SaQisbIPk1jLZzIOqh4PP4lkHkmz+wgpDv9SYYbQMy2QbggHcUCgdCIJQUvKPFYU/sIIecr9FhIXlnRCoGyV7pA==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
      </PurchaseOrder>

      I did some investigation and the issue sounds very similar to https://issues.apache.org/jira/browse/WSS-242

      The issue can be simulated by adding the one line below to the test case (https://github.com/coheigea/testcases/blob/master/apache/santuario/santuario-xml-encryption/src/test/java/org/apache/coheigea/santuario/xmlencryption/EncryptionStAXTest.java) and executing it:

      namesToEncrypt.add(new QName("urn:example:po", "ShippingAddress"));

      If you add System.out.println(baos.toString()); you can see that the xenc:EncryptedKey Id is duplicated across the encrypted tags. I understand that this is key info, but I think I am missing the correct XSD for validation.

      I have a few queries:

      1. The third party is using Xerces to validate the encrypted XML. Can you please let me know where I can find XSDs that I can provide to the third party so they can correctly validate the encrypted XML?
      2. If this is not because of the XSD, can you please guide on how we can perform the validation?
      3. Also, I think the Id of EncryptedKey is an optional element, because I manually removed Id from both the tags and performed the decryption, and it worked fine. So, how can I configure in the code to not set the Id attribute for the EncryptedKey element?

      Appreciate your response, thanks a lot.
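The third party's failure is the generic Xerces check for xs:ID-typed attributes (cvc-id.2): any two elements sharing one Id value make the document invalid, whether or not the duplicate is ever referenced. The check below reproduces that test without a schema and then applies the workaround the report found (dropping the Id on EncryptedKey), but only where nothing in the document points at that Id through a URI="#..." reference (RetrievalMethod, DataReference, KeyReference). This is an added example, not code from this JIRA or from Santuario; it assumes the attribute is spelled Id as in the xenc and dsig schemas, and the sample document is a constructed copy of the layout in the report with the ciphertext replaced by placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

XENC = "http://www.w3.org/2001/04/xmlenc#"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
ENCRYPTED_KEY = f"{{{XENC}}}EncryptedKey"

# Constructed sample: two EncryptedData elements, each carrying an embedded
# EncryptedKey with the same Id, exactly the shape described in the report.
# Ciphertext values are placeholders, not real key or data ciphertext.
SAMPLE = """<PurchaseOrder xmlns="urn:example:po">
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="Gceae4fd0-c41d-4249-84f4-7edecf0f8343" Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <xenc:EncryptedKey Id="Gd88756c9-dd2e-4db3-9180-5d129a8ad5ce">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <xenc:CipherData><xenc:CipherValue>CONSTRUCTED-KEY-CIPHERTEXT-1</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey>
    </dsig:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>CONSTRUCTED-DATA-CIPHERTEXT-1</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="G5ce41c2f-130e-4bc9-8c03-5c52b7c30766" Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <xenc:EncryptedKey Id="Gd88756c9-dd2e-4db3-9180-5d129a8ad5ce">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <xenc:CipherData><xenc:CipherValue>CONSTRUCTED-KEY-CIPHERTEXT-2</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey>
    </dsig:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>CONSTRUCTED-DATA-CIPHERTEXT-2</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
</PurchaseOrder>"""


def find_duplicate_ids(root):
    """Return {id_value: [element tags]} for every Id value used more than once.
    This is the same uniqueness rule Xerces enforces for xs:ID (cvc-id.2),
    applied here to every attribute literally named Id."""
    seen = defaultdict(list)
    for el in root.iter():
        id_value = el.get("Id")
        if id_value is not None:
            seen[id_value].append(el.tag)
    return {v: tags for v, tags in seen.items() if len(tags) > 1}


def referenced_ids(root):
    """Collect fragment identifiers referenced through URI="#..." attributes,
    e.g. dsig:RetrievalMethod, xenc:DataReference, xenc:KeyReference."""
    refs = set()
    for el in root.iter():
        uri = el.get("URI")
        if uri and uri.startswith("#"):
            refs.add(uri[1:])
    return refs


def strip_unreferenced_encrypted_key_ids(root):
    """Apply the report's workaround: remove the Id attribute from every
    EncryptedKey that nothing references. Referenced Ids are kept, because
    removing them would break key resolution. Returns the number removed."""
    refs = referenced_ids(root)
    removed = 0
    for el in root.iter(ENCRYPTED_KEY):
        id_value = el.get("Id")
        if id_value is not None and id_value not in refs:
            del el.attrib["Id"]
            removed += 1
    return removed


def check_document(xml_text):
    """Parse and report duplicate Ids; an empty dict means cvc-id.2 will not fire."""
    return find_duplicate_ids(ET.fromstring(xml_text))


def fix_document(xml_text):
    """Parse, strip unreferenced EncryptedKey Ids, and return (count, new XML)."""
    root = ET.fromstring(xml_text)
    removed = strip_unreferenced_encrypted_key_ids(root)
    return removed, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("duplicate Ids before:", check_document(SAMPLE))
    removed, fixed = fix_document(SAMPLE)
    print(f"removed {removed} unreferenced EncryptedKey Id attributes")
    print("duplicate Ids after:", check_document(fixed))
```

Run it against the message you are about to send rather than the one the peer rejected: the report shows the duplicate is produced at encryption time, so the cheapest place to catch it is a pre-send check on the serialized output. The EncryptedData Ids stay untouched because they differ and may be referenced by a ReferenceList.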

      Attachments

        1. validation-issue.zip
          16 kB
          Mujahed Syed

          People

            coheigea Colm O hEigeartaigh
            mujahedsyed Mujahed Syed