List: xmlrpc-dev
Subject: [jira] [Created] (WSS-475) Issue with multiple processing of ReferenceList in EncryptedKey element
From: "Alessio Soldano (JIRA)" <jira () apache ! org>
Date: 2013-08-13 16:35:48
Message-ID: JIRA.12663451.1376411699406.56374.1376411748129 () arcas
Alessio Soldano created WSS-475:
-----------------------------------
Summary: Issue with multiple processing of ReferenceList in EncryptedKey element
Key: WSS-475
URL: https://issues.apache.org/jira/browse/WSS-475
Project: WSS4J
Issue Type: Bug
Affects Versions: 1.6.9
Reporter: Alessio Soldano
Assignee: Colm O hEigeartaigh
I have an incoming request message looking as follows:
{code:xml}
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   soap:mustUnderstand="1">
      ...
      <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                                wsu:Id="BST-23456">...</wsse:BinarySecurityToken>
      <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="XSIG-7896">
        ...
        <dsig:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#EK-ABCDE"
                            ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
          </wsse:SecurityTokenReference>
        </dsig:KeyInfo>
      </dsig:Signature>
      <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        ...
      </dsig:Signature>
      <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-ABCDE">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
          <dsig:DigestMethod xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        </xenc:EncryptionMethod>
        <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                       wsu:Id="STR-8901">
            <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
                                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">...</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </dsig:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue xmlns:xmime="http://www.w3.org/2005/05/xmlmime" xmime:contentType="application/octet-stream">...</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#_REF123"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </soap:Header>
  <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body-5678">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content" Id="_REF123">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wsse:Reference URI="#EK-ABCDE" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
        </wsse:SecurityTokenReference>
      </dsig:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue xmlns:xmime="http://www.w3.org/2005/05/xmlmime" xmime:contentType="application/octet-stream">...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>
{code}
WSS4J fails on processing this as the ReferenceList within the EncryptedKey is processed twice (the first time when dealing with the XSIG-7896 Signature element and the second time when actually dealing with the EncryptedKey element). The second time the ReferenceList is processed, the reference to Id="_REF123" can't be resolved, as the EncryptedData has likely been decrypted in the previous pass.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
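The processing order the report describes, as an added Python model that is not WSS4J code and does not use the WSS4J API: it walks the wsse:Security header in document order, processes the EncryptedKey early when a Signature's KeyInfo points at it (the signing key is inside that EncryptedKey), and then reaches the EncryptedKey element itself a second time. Without a guard the second pass tries to dereference #_REF123 again and fails, because the EncryptedData it named was already replaced in the first pass. The SOAP message is a constructed, stripped-down copy of the one in the report with filler ciphertext; the "decryption" step is a stand-in that swaps the EncryptedData for a plaintext element, since the bug is about reference resolution rather than ciphertext; and the `guard`/`done` set that makes the second visit a no-op is an assumed fix, shown here to illustrate the idempotency the report implies, not the change actually made in WSS4J.

```python
"""Model of the WSS-475 processing order (added example, not WSS4J code)."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
EK_VALUETYPE = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"

# Constructed message with the same element order as the report; ciphertext is filler.
MESSAGE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
  xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}" xmlns:xenc="{NS['xenc']}">
 <soap:Header><wsse:Security soap:mustUnderstand="1">
  <wsse:BinarySecurityToken wsu:Id="BST-23456">filler</wsse:BinarySecurityToken>
  <ds:Signature Id="XSIG-7896"><ds:KeyInfo><wsse:SecurityTokenReference>
   <wsse:Reference URI="#EK-ABCDE" ValueType="{EK_VALUETYPE}"/>
  </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
  <ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference>
   <wsse:Reference URI="#BST-23456"/>
  </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
  <xenc:EncryptedKey Id="EK-ABCDE">
   <xenc:CipherData><xenc:CipherValue>filler</xenc:CipherValue></xenc:CipherData>
   <xenc:ReferenceList><xenc:DataReference URI="#_REF123"/></xenc:ReferenceList>
  </xenc:EncryptedKey>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="Body-5678">
  <xenc:EncryptedData Id="_REF123" Type="{NS['xenc']}Content">
   <xenc:CipherData><xenc:CipherValue>filler</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
 </soap:Body>
</soap:Envelope>"""


class ReferenceNotFound(Exception):
    pass


def find_by_id(root, uri):
    """Resolve a '#id' URI against Id or wsu:Id anywhere in the current document."""
    wanted = uri.lstrip("#")
    for el in root.iter():
        if el.get("Id") == wanted or el.get(f"{{{NS['wsu']}}}Id") == wanted:
            return el
    raise ReferenceNotFound(uri)


def decrypt_reference(root, parents, uri, log):
    """Stand-in for decryption: replace the referenced EncryptedData with plaintext in place."""
    enc = find_by_id(root, uri)           # fails on a second visit: the element is gone
    parent = parents[enc]
    pos = list(parent).index(enc)
    parent.remove(enc)
    plain = ET.Element("payload")
    plain.text = "plaintext"
    parent.insert(pos, plain)
    log.append(f"decrypted {uri}")


def process_encrypted_key(root, parents, ek, state, guard):
    ek_id = ek.get("Id")
    if guard and ek_id in state["done"]:   # assumed fix: EncryptedKey processing is idempotent
        state["log"].append(f"skip EncryptedKey {ek_id}: already processed")
        return
    state["log"].append(f"process EncryptedKey {ek_id}")
    for ref in ek.findall("xenc:ReferenceList/xenc:DataReference", NS):
        decrypt_reference(root, parents, ref.get("URI"), state["log"])
    state["done"].add(ek_id)


def process_signature(root, parents, sig, state, guard):
    state["log"].append(f"process Signature {sig.get('Id', '(no Id)')}")
    # The signing key lives inside the EncryptedKey, so that element is processed now, early.
    for ref in sig.findall("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS):
        if ref.get("ValueType") == EK_VALUETYPE:
            process_encrypted_key(root, parents, find_by_id(root, ref.get("URI")), state, guard)


def process_security_header(xml_text, guard):
    """Walk the Security header in document order; guard=True skips EncryptedKeys already done."""
    root = ET.fromstring(xml_text)
    parents = {c: p for p in root.iter() for c in p}
    state = {"log": [], "done": set(), "error": None}
    handlers = {f"{{{NS['ds']}}}Signature": process_signature,
                f"{{{NS['xenc']}}}EncryptedKey": process_encrypted_key}
    try:
        for el in list(root.find("soap:Header/wsse:Security", NS)):
            if el.tag in handlers:
                handlers[el.tag](root, parents, el, state, guard)
    except ReferenceNotFound as e:
        state["error"] = f"unresolved reference {e}"
    state["body"] = [c.tag.split("}")[-1] for c in root.find("soap:Body", NS)]
    return state


if __name__ == "__main__":
    for guard in (False, True):
        result = process_security_header(MESSAGE, guard)
        print(f"guard={guard}: error={result['error']}")
        for line in result["log"]:
            print("  " + line)
```

Run as-is, the first pass (guard=False) logs "process EncryptedKey EK-ABCDE" twice and ends with an unresolved reference to #_REF123, which is the failure the report describes; the second pass logs a skip on the second visit and leaves a single decrypted payload in the Body. A real processor also has to consider the reverse problem: if the EncryptedKey is reached first in document order and the Signature later, the same dereference must not be repeated for the signature's key either, so whatever the guard is keyed on should be the EncryptedKey's identity, not the order of the elements that happen to reference it.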