We are on the receiving end, trying to interop with an implementation
using WSSE, and WSSecurityEngine is throwing an exception:

General security error (Unexpected number of X509Data: for decryption
(KeyId))


The relevant section of code from WSSecurityEngine is here:

else if (secRef.containsKeyIdentifier()) {
    X509Certificate[] certs = secRef.getKeyIdentifier(crypto);
    if (certs == null || certs.length != 1 || certs[0] == null) {
        throw new WSSecurityException(WSSecurityException.FAILURE,
            "invalidX509Data", new Object[]{"for decryption (KeyId)"});
    }
}


Tracing through to getKeyIdentifier, it seems like the key identifier
used in the other implementation (which I am trying to interop with) is
not supported - ThumbprintSHA1.

Here is the SOAP Body I'm receiving:

<s:Body u:Id="_5">
  <e:EncryptedData Id="_7" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <o:Reference URI="#_6" />
      </o:SecurityTokenReference>
    </KeyInfo>
    <e:CipherData>
      <e:CipherValue>... (omitted) ...</e:CipherValue>
    </e:CipherData>
  </e:EncryptedData>
</s:Body>

Here's the derived key token in the SOAP Header:

<c:DerivedKeyToken u:Id="_6" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
  <o:SecurityTokenReference>
    <o:Reference URI="#uuid-0f81598d-e254-4dba-93dc-f63295f20956-2" />
  </o:SecurityTokenReference>
  <c:Generation>0</c:Generation>
  <c:Length>32</c:Length>
  <c:Nonce>417l3wDvPqBpGGIItwp0Tg==</c:Nonce>
</c:DerivedKeyToken>


And here is the Encrypted Key in the header:

<e:EncryptedKey Id="uuid-0f81598d-e254-4dba-93dc-f63295f20956-2" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
  <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <o:SecurityTokenReference>
      <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/xx/oasis-2004xx-wss-x509-token-profile-1.1#X509ThumbprintSHA1">7u6YK+DkkQOCyilYuOz4+rfi++8=</o:KeyIdentifier>
    </o:SecurityTokenReference>
  </KeyInfo>
  <e:CipherData>
    <e:CipherValue> ... (omitted) ... </e:CipherValue>
  </e:CipherData>
</e:EncryptedKey>


Is there something I am doing wrong which is causing this failure?

Thank you,

Bryan
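As an added example (not from the post above and not WSS4J's own code), here is a small resolver showing what a ThumbprintSHA1 KeyIdentifier lookup has to do: parse the wsse:KeyIdentifier, check its ValueType, SHA-1 the DER of each candidate certificate, and apply the same exactly-one-match rule as the WSSecurityEngine snippet quoted above. It accepts both the draft ValueType URI seen in the message and the identifier from the final WSS 1.1 SOAP Message Security spec; the certificate store contents and the helper names are constructed for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
# ValueType carried by the message quoted above (draft X.509 token profile 1.1 URI)
# and the identifier defined by the final WSS 1.1 SOAP Message Security spec.
THUMBPRINT_VALUE_TYPES = {
    "http://docs.oasis-open.org/wss/2004/xx/oasis-2004xx-wss-x509-token-profile-1.1#X509ThumbprintSHA1",
    "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1",
}

# Constructed placeholder stand-ins for DER-encoded certificates (not real X.509 data).
CERT_STORE = {
    "alice": b"\x30\x82\x01\x00constructed-alice-der",
    "bob": b"\x30\x82\x01\x00constructed-bob-der",
}


def thumbprint_sha1(cert_der: bytes) -> bytes:
    """ThumbprintSHA1 is the SHA-1 digest over the certificate's DER encoding."""
    return hashlib.sha1(cert_der).digest()


def build_key_info(value_type: str, thumbprint: bytes) -> str:
    """Build a KeyInfo shaped like the one in the EncryptedKey above (constructed sample)."""
    return (
        '<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
        f'<o:SecurityTokenReference xmlns:o="{WSSE_NS}">'
        f'<o:KeyIdentifier ValueType="{value_type}">'
        f"{base64.b64encode(thumbprint).decode()}</o:KeyIdentifier>"
        "</o:SecurityTokenReference></KeyInfo>"
    )


def resolve_certificate(key_info_xml: str, cert_store: dict) -> bytes:
    """Mirror the WSSecurityEngine rule: the KeyIdentifier must select exactly one certificate."""
    kid = ET.fromstring(key_info_xml).find(f".//{{{WSSE_NS}}}KeyIdentifier")
    if kid is None:
        raise ValueError("SecurityTokenReference has no wsse:KeyIdentifier")
    value_type = kid.get("ValueType")
    if value_type not in THUMBPRINT_VALUE_TYPES:
        raise ValueError(f"unsupported KeyIdentifier ValueType: {value_type}")
    wanted = base64.b64decode((kid.text or "").strip())
    matches = [der for der in cert_store.values() if thumbprint_sha1(der) == wanted]
    if len(matches) != 1:
        raise ValueError(f"Unexpected number of X509Data: {len(matches)} for decryption (KeyId)")
    return matches[0]
```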

