RampartC does not properly implement wss security - enforces ReferenceList child of EncryptedKey when specification says it's optional
--------------------------------------------------------------------------------------------------------------------------------------

                 Key: RAMPARTC-127
                 URL: https://issues.apache.org/jira/browse/RAMPARTC-127
             Project: Rampart/C
          Issue Type: Bug
          Components: OMXMLSecurity
    Affects Versions: Current
         Environment: WinXP, Glassfish V2UR2 Metro web service provider, WSO2 PHP 2.0.0 web service consumer, using Mutual Certificates asymmetric encryption of message body and to address information.
            Reporter: Leon Gent
            Assignee: Malinda Kaushalye Kapuruge


The request message:
==== Received Message Start ====
<?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:To xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SigID-aab03673-791d-4e79">http://localhost:8889/administration-ws/MemberMaintenanceService</wsa:To>
<wsa:Action xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SigID-7f3dda52-7594-40d9">http://ws.admin.schoolpay.sws.com/AddMember</wsa:Action>
<wsa:MessageID xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SigID-b2f483fa-b398-4f03">urn:uuid:80f2fd46-ffe6-4389-b23f-cca9f3268c68</wsa:MessageID>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertID-8429e4d7-8b45-4a54">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</wsse:BinarySecurityToken>
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SigID-af1760a8-fb18-40d2">
<wsu:Created>2008-10-07T22:38:09.330Z</wsu:Created>
<wsu:Expires>2008-10-07T22:43:09.330Z</wsu:Expires>
</wsu:Timestamp>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">iG0dOTayW7Icgy3yeDleEcvkhtc=
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>dBaenElp7va8ZNkroRVmN/xH0cmGUHSvobyMI+Lmff1wAIPGb7VvrOVbKHZGCTn0zpTanYCqorS22LHZ0UpyiTOidhHo6WuiRtYG0D1EcyfuK0yGyBxwS+OOWXwQmPeZC1lxkuI248KLPZp9H+XaFuSVhuEeP5ViXoKVzW4w528=</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#EncDataID-f97f579f-4344-4c1f"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SigID-3a8b1632-b467-45e9">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#SigID-aab03673-791d-4e79">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>Z6XgcEwBLnLAivrzRT7s2YYPGJM=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#SigID-7f3dda52-7594-40d9">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>QpDlT8BeE3qkAVgMgOYlWa8RXVs=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#SigID-b2f483fa-b398-4f03">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>qM61OxpWpgTxpJpOdvjmbi2vdbQ=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#SigID-3c659bfb-a756-4da0">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>GHwAzsPMknNxpEnFuxvRSlm+OG0=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#SigID-af1760a8-fb18-40d2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>81CpfjbFtDiuHOZA2erU8BECr74=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>lyIyJ3QPwd7cvhxXbzeNL6+M/+DLfWDd2qMskjEycmcW76o7rz71QRRjBra1g7iCd0KO1wu+hRQ1b8WU7XX+mHiBljLUMSMNev7nJN8phgXjDcmG2EJNRyhxCcLUfHNr5/hRU1IiQGIlFYM4nz6jLHIXL7H4Y2amTks4LAGFBvI=</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#CertID-8429e4d7-8b45-4a54" 
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SigID-3c659bfb-a756-4da0">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncDataID-f97f579f-4344-4c1f" Type="http://www.w3.org/2001/04/xmlenc#Content">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<xenc:CipherData>
<xenc:CipherValue>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</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope>
==== Received Message End  ====

The response message, after the service method executes correctly:

==== Sending Message Start ====
<?xml version="1.0" encoding="UTF-8"?><S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" S:mustUnderstand="1">
<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="XWSSGID-1223419098273-2033246227">MIID7TCCA1agAwIBAgIJAM02ltvIKJhNMA0GCSqGSIb3DQEBBAUAMIGbMQswCQYDVQQGEwJDQTEQMA4GA1UECBMHT250YXJpbzEkMCIGA1UEChMbNjg1Nzk0OSBDYW5hZGEgSW5jb3Jwb3JhdGVkMRQwEgYDVQQLEwtEZXZlbG9wbWVudDEVMBMGA1UEAxMMTm9lbCBLZW5kYWxsMScwJQYJKoZIhvcNAQkBFhhub2VsLmtlbmRhbGxAa2VuZGFsbC5uZXQwHhcNMDgwOTI0MDEwMzU1WhcNMDkwOTI0MDEwMzU1WjCBoTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgTB09udGFyaW8xEzARBgNVBAcTCkJ1cmxpbmd0b24xIjAgBgNVBAoTGVNlY3VyZSBXZWIgU29sdXRpb25zIEluYy4xEjAQBgNVBAsTCVNjaG9vbHBheTEVMBMGA1UEAxMMTm9lbCBLZW5kYWxsMRwwGgYJKoZIhvcNAQkBFg1ub2Vsa0Bzd3MuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCknxc33zD2Az2efksNj/+Ot4BhbFkaPptwjR40WnyPOo6pJ+puP8bMtg79CmeJayRXBGk6ckHyhE40QeWMkqsDgH3AstW0DFBjDB7qrCW5B2z/91/hh0kegfeXlzzwccGibayBx+xZ3Tn6Qsh7hfpWMjE5bbNGxBIXbilm7KDz9wIDAQABo4IBLzCCASswCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFIhtHTk2sluyHIMt8ng5XhHL5IbXMIHQBgNVHSMEgcgwgcWAFMwH2MosBVLUAXffvlXwYcsaEKfloYGhpIGeMIGbMQswCQYDVQQGEwJDQTEQMA4GA1UECBMHT250YXJpbzEkMCIGA1UEChMbNjg1Nzk0OSBDYW5hZGEgSW5jb3Jwb3JhdGVkMRQwEgYDVQQLEwtEZXZlbG9wbWVudDEVMBMGA1UEAxMMTm9lbCBLZW5kYWxsMScwJQYJKoZIhvcNAQkBFhhub2VsLmtlbmRhbGxAa2VuZGFsbC5uZXSCCQDNNpbbyCiYRjANBgkqhkiG9w0BAQQFAAOBgQDDMMby7cSDM/C0C3+gW3kQXLm10OoiBYvwEZ4XwsUD5tSiD+JXGyAEAh1ABYLNBU1b/O4hHuKii1AlRBQT/150MxZH5UdTFszOdy2/X7gBzmKu8+St0kd8ENwu9jmOZL0p8TBhPB5Ccqmzi8c22G/Cc43AmdBLBQRrhr3TM4e4dQ==</wsse:BinarySecurityToken>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="XWSSGID-1223419098694327849449">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:Reference URI="#XWSSGID-1223419098273-2033246227" 
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>X5QJtgsJaUkhtTRTjDizUvPZdYejFArkb8gUNMtW9aM3vWfgzmoDaf1lxqYgarHB1LOjloOLR2/E
khPWc9f5+YQHf+fvo4ZAJfVayddZk1q6qatMBYIjmgoWPZCiW2621MZ/yzX9t47hO/JsqWyekKYF
9pBXEdh5xIPmmb6yeAM=</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
<xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:DataReference URI="#XWSSGID-1223419098704-291332241"/>
</xenc:ReferenceList>
</wsse:Security>
</S:Header>
<S:Body>
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="XWSSGID-1223419098704-291332241" Type="http://www.w3.org/2001/04/xmlenc#Content">
<xenc:EncryptionMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference URI="#XWSSGID-1223419098694327849449"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>WiW+y7KKcmeVW8SWr2jXZ7hzBqVEepMB3OoNWW50uGwK94lHvXoijR2OgiYWjQSN78SFDLUEsi9F
n7kPWyvBt122EiN4g2jsTzb5hW/riLtHPbRK1DqAD47/BE6XW4vYdDQFvL2sm7k2zjgFQm3uxeeE
gNYCkgAcAzJ6H3WAfz/jDbJfmQEsjMynhtPNNBKr9yzD0JKpBp94qx+Pj/j7893SnsMDCN0NtI4j
QdbVVdHbLU0WNyY/k6bSD+Ndj8L0ODWcgSRs+J5BhMqQ+Pd66+ygBZ2OUdqNGedOpuSXctOt9HZb
sx62TfOUfnqCgm0m24+wBmXpbsk=</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</S:Body>
</S:Envelope>
==== Sending Message End  ====

The rampart log at the client end, upon receiving response message:

[Tue Oct 07 18:38:19 2008] [info]  Starting addressing in handler
[Tue Oct 07 18:38:19 2008] [info]  ..\..\src\modules\mod_addr\addr_in_handler.c
[Tue Oct 07 18:38:19 2008] [error] ..\..\src\omxmlsec\error.c(94) OXS ERROR [..\..\src\omxmlsec\axiom.c:301 in oxs_axiom_get_first_child_node_by_name] invalid data , Cannot find child ReferenceList of <xenc:EncryptedKey Id="XWSSGID-1223419098694327849449" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference URI="#XWSSGID-1223419098273-2033246227" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">X5QJtgsJaUkhtTRTjDizUvPZdYejFArkb8gUNMtW9aM3vWfgzmoDaf1lxqYgarHB1LOjloOLR2/E
khPWc9f5+YQHf+fvo4ZAJfVayddZk1q6qatMBYIjmgoWPZCiW2621MZ/yzX9t47hO/JsqWyekKYF
9pBXEdh5xIPmmb6yeAM=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>
[Tue Oct 07 18:38:19 2008] [error] ..\..\src\omxmlsec\tokens\token_reference_list.c(104) [rampart]reference list node is NULL.
[Tue Oct 07 18:38:19 2008] [error] ..\..\src\omxmlsec\error.c(94) OXS ERROR [..\..\src\omxmlsec\openssl\rsa.c:156 in openssl_rsa_prv_decrypt] (null) , RSA decryption failed
[Tue Oct 07 18:38:19 2008] [error] ..\..\src\util\rampart_sec_header_processor.c(855) [rampart][shp] Cannot decrypt the EncryptedKey
[Tue Oct 07 18:38:20 2008] [error] ..\..\src\util\rampart_sec_header_processor.c(1930) [rampart][shp] EncryptedKey processing failed
[Tue Oct 07 18:38:20 2008] [error] ..\..\src\handlers\rampart_in_handler.c(143) [rampart][rampart_in_handler] Security Header processing failed.
[Tue Oct 07 18:38:20 2008] [error] ..\..\src\core\engine\phase.c(233) Handler RampartInHandler invoke failed within phase PreDispatch
[Tue Oct 07 18:38:20 2008] [error] ..\..\src\core\engine\engine.c(696) Invoking phase PreDispatch failed
[Tue Oct 07 18:38:22 2008] [info]  [rampart][rampart_mod] rampart_mod shutdown

-----------------------------------------------------------------------------------

The WS-Security specification seems to indicate that the response message is correctly composed, and should be decryptable, according to wss-v1.1-spec-os-SOAPMessageSecurity (lines 1615-1625):

9.2 xenc:EncryptedKey
When the encryption step involves encrypting elements or element contents within a SOAP envelope with a symmetric key, which is in turn to be encrypted by the recipient's key and embedded in the message, <xenc:EncryptedKey> MAY be used for carrying such an encrypted key. This sub-element MAY contain a manifest, that is, an <xenc:ReferenceList> element, that lists the portions to be decrypted with this key. The manifest MAY appear outside the <xenc:EncryptedKey> provided that the corresponding xenc:EncryptedData elements contain <xenc:KeyInfo> elements that reference the <xenc:EncryptedKey> element. An element or element content to be encrypted by this encryption step MUST be replaced by a corresponding <xenc:EncryptedData> according to XML Encryption. All the <xenc:EncryptedData> elements created by this encryption step SHOULD be listed in the <xenc:ReferenceList> element inside this sub-element.

Note that the EncryptedKey element MAY contain a manifest ... it does not say MUST.
Note that the manifest MAY appear outside the EncryptedKey element IF a KeyInfo element references the EncryptedKey, which in this case it does.

Rampart appears to require the ReferenceList within the EncryptedKey element, and does not support the use case of ReferenceList and KeyInfo as per the specification above.

The effect of this bug is that a secure web service using WSO2 PHP 2.0.0 (with rampartc beneath) nearly, almost, interoperates with Glassfish Metro using Mutual Certificate security, but not quite.

Glassfish Metro appears to be operating within the specification; RampartC, in this use case, is not.
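As an added illustration (not Rampart/C, WSO2 or Metro code), the following resolver accepts both manifest layouts the spec paragraph above permits: the ReferenceList inside the EncryptedKey (the request), or a sibling ReferenceList whose EncryptedData entries point back at the EncryptedKey through ds:KeyInfo (the Metro response). The envelopes it is run on are constructed, minimal stand-ins for the messages in this report, with cipher text elided to AA==.

```python
import xml.etree.ElementTree as ET

NS = {"S": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "xenc": "http://www.w3.org/2001/04/xmlenc#",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def encrypted_data_ids(envelope_xml):
    """Ids of the EncryptedData elements the EncryptedKey covers, under either
    manifest layout WSS 1.1 section 9.2 permits (inside the key, or outside it)."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("S:Header/wsse:Security", NS)
    ek = None if sec is None else sec.find("xenc:EncryptedKey", NS)
    if ek is None:
        raise ValueError("no xenc:EncryptedKey in wsse:Security")
    # Layout 1: manifest carried inside the EncryptedKey (as in the request above).
    ids = [r.get("URI").lstrip("#")
           for r in ek.findall("xenc:ReferenceList/xenc:DataReference", NS)]
    # Layout 2: manifest is a sibling of the EncryptedKey; the spec allows it only
    # when each listed EncryptedData references the key via ds:KeyInfo (Metro's response).
    ek_id = ek.get("Id")
    for r in sec.findall("xenc:ReferenceList/xenc:DataReference", NS):
        uri = r.get("URI").lstrip("#")
        ed = root.find(f".//xenc:EncryptedData[@Id='{uri}']", NS)
        back = None if ed is None else ed.find(
            "ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
        if ek_id is None or back is None or back.get("URI") != "#" + ek_id:
            raise ValueError(f"external manifest entry {uri} does not reference the EncryptedKey")
        ids.append(uri)
    if not ids:
        raise ValueError("EncryptedKey covers no EncryptedData")
    return ids


# Constructed minimal envelopes (not the reporter's messages); cipher text elided to AA==.
_HEAD = ('<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" '
         'xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" '
         'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
         '<S:Header><wsse:Security>')
_CIPHER = '<xenc:CipherData><xenc:CipherValue>AA==</xenc:CipherValue></xenc:CipherData>'
INNER_MANIFEST = (_HEAD + '<xenc:EncryptedKey>' + _CIPHER + '<xenc:ReferenceList>'
                  '<xenc:DataReference URI="#ED-1"/></xenc:ReferenceList></xenc:EncryptedKey>'
                  '</wsse:Security></S:Header><S:Body><xenc:EncryptedData Id="ED-1">' + _CIPHER +
                  '</xenc:EncryptedData></S:Body></S:Envelope>')
OUTER_MANIFEST = (_HEAD + '<xenc:EncryptedKey Id="EK-1">' + _CIPHER + '</xenc:EncryptedKey>'
                  '<xenc:ReferenceList><xenc:DataReference URI="#ED-2"/></xenc:ReferenceList>'
                  '</wsse:Security></S:Header><S:Body><xenc:EncryptedData Id="ED-2"><ds:KeyInfo>'
                  '<wsse:SecurityTokenReference><wsse:Reference URI="#EK-1"/>'
                  '</wsse:SecurityTokenReference></ds:KeyInfo>' + _CIPHER +
                  '</xenc:EncryptedData></S:Body></S:Envelope>')
```

An external manifest whose EncryptedData lacks the KeyInfo back-reference, or whose EncryptedKey has no Id to point at, is rejected rather than silently decrypted.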

