[ https://issues.apache.org/jira/browse/RAMPARTC-127?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
S.Uthaiyashankar resolved RAMPARTC-127.
---------------------------------------
Resolution: Fixed
Fix Version/s: 1.3.0
Assignee: S.Uthaiyashankar (was: Malinda Kaushalye Kapuruge)
Rampart/C does not enforce having a ReferenceList element in EncryptedKey.
However, it is giving an error message in the log file and continuing to process
the message. Removed the unwanted error message and committed the code.
This failure was due to an incorrect private key. Please check whether the private
key is configured properly.
> RampartC does not properly implement wss security - enforces ReferenceList
> child of EncryptedKey when specification says it's optional
> --------------------------------------------------------------------------------------------------------------------------------------
>
> Key: RAMPARTC-127
> URL: https://issues.apache.org/jira/browse/RAMPARTC-127
> Project: Rampart/C
> Issue Type: Bug
> Components: OMXMLSecurity
> Affects Versions: Current
> Environment: WinXP, Glassfish V2UR2 Metro web service provider, WSO2
> PHP 2.0.0 web service consumer, using Mutual Certificates asymmetric
> encryption of message body and to address information.
> Reporter: Leon Gent
> Assignee: S.Uthaiyashankar
> Fix For: 1.3.0
>
>
> The request message:
> ==== Received Message Start ====
> <?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope
> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
> <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
> <wsa:To
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>
> wsu:Id="SigID-aab03673-791d-4e79">http://localhost:8889/administration-ws/MemberMaintenanceService</wsa:To>
> <wsa:Action
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>
> wsu:Id="SigID-7f3dda52-7594-40d9">http://ws.admin.schoolpay.sws.com/AddMember</wsa:Action>
> <wsa:MessageID
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>
> wsu:Id="SigID-b2f483fa-b398-4f03">urn:uuid:80f2fd46-ffe6-4389-b23f-cca9f3268c68</wsa:MessageID>
> <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> soapenv:mustUnderstand="1">
> <wsse:BinarySecurityToken
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>
> wsu:Id="CertID-8429e4d7-8b45-4a54">MIIEFjCCA3+gAwIBAgIJAM02ltvIKJhMMA0GCSqGSIb3DQEBBAUAMIGbMQswCQYDVQQGEwJDQTEQMA4GA1UECBMHT250YXJpbzEkMCIGA1UEChMbNjg1Nzk0OSBDYW5hZGEgSW5jb3Jwb3JhdGVkMRQwEgYDVQQLEwtEZXZlbG9wbWVudDEVMBMGA1UEAxMMTm9lbCBLZW5kYWxsMScwJQYJKoZIhvcNAQkBFhhub2VsLmtlbmRhbGxAa2VuZGFsbC5uZXQwHhcNMDgwOTI0MDEwMTE2WhcNMDkwOTI0MDEwMTE2WjCByjELMAkGA1UEBhMCQ0ExEDAOBgNVBAgTB09udGFyaW8xEzARBgNVBAcTCkJ1cmxpbmd0b24xKDAmBgNVBAoTH0Zsb3dpbmcgVGVhcnMgRWxlbWVudGFyeSBTY2hvb2wxJDAiBgNVBAsTG1NjaG9vbHBheSBlQ29tbWVyY2UgV2Vic2l0ZTEVMBMGA1UEAxMMQ28tb3JkaW5hdG9yMS0wKwYJKoZIhvcNAQkBFh5zY2hvb2xwYXlAZmxvd2luZ190ZWFycy5lZHUuY2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL4mfLND8rvcHBQU8hWZFwj0rb74SfZ1i1em7LdfMG1NS3+4qZfz+y+a/sKApa1SIyjKsuA6WrFg1TcjHZAIDyoNTS+/I7kzIH14DY1XmZWgQQcEiJXRtEf4T04VBOQp3XBlJIIw93Sd74NCXPB/l1Eq2syUPa5MiwG81gGVWVBLAgMBAAGjggEvMIIBKzAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUaG8+fhvYb/NCuTjA007iPTS++gMwgdAGA1UdIwSByDCBxYAUzAfYyiwFUtQBd9++VfBhyxoQp+WhgaGkgZ4wgZsxCzAJBgNVBAYTAkNBMRAwDgYDVQQIEwdPbnRhcmlvMSQwIgYDVQQKExs2ODU3OTQ5IENhbmFkYSBJbmNvcnBvcmF0ZWQxFDASBgNVBAsTC0RldmVsb3BtZW50MRUwEwYDVQQDEwxOb2VsIEtlbmRhbGwxJzAlBgkqhkiG9w0BCQEWGG5vZWwua2VuZGFsbEBrZW5kYWxsLm5ldIIJAM02ltvIKJhGMA0GCSqGSIb3DQEBBAUAA4GBAHaiBPY5ndtQ02VZUHDOqgquPXqcxbTtO8gRUeKONyZ/KmMcxSBU0E8aST5fpMJcOd+3aUAF9gzgsttjGSn7NgTrzQisyvzRCRR8lTYRYAcZ8SFThqvpmVqCCyhShTMKosmkuKNgXANhtyeExXNfZRa5DKAlvyTGtyu5C8CT0b47</wsse:BinarySecurityToken>
> <wsu:Timestamp
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="SigID-af1760a8-fb18-40d2">
> <wsu:Created>2008-10-07T22:38:09.330Z</wsu:Created>
> <wsu:Expires>2008-10-07T22:43:09.330Z</wsu:Expires>
> </wsu:Timestamp>
> <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <wsse:SecurityTokenReference>
> <wsse:KeyIdentifier
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">iG0dOTayW7Icgy3yeDleEcvkhtc=
> </wsse:KeyIdentifier>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> <xenc:CipherData>
> <xenc:CipherValue>dBaenElp7va8ZNkroRVmN/xH0cmGUHSvobyMI+Lmff1wAIPGb7VvrOVbKHZGCTn0zpTanYCqorS22LHZ0UpyiTOidhHo6WuiRtYG0D1EcyfuK0yGyBxwS+OOWXwQmPeZC1lxkuI248KLPZp9H+XaFuSVhuEeP5ViXoKVzW4w528=</xenc:CipherValue>
> </xenc:CipherData>
> <xenc:ReferenceList>
> <xenc:DataReference URI="#EncDataID-f97f579f-4344-4c1f"/>
> </xenc:ReferenceList>
> </xenc:EncryptedKey>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> Id="SigID-3a8b1632-b467-45e9">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <ds:Reference URI="#SigID-aab03673-791d-4e79">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <ds:DigestValue>Z6XgcEwBLnLAivrzRT7s2YYPGJM=</ds:DigestValue>
> </ds:Reference>
> <ds:Reference URI="#SigID-7f3dda52-7594-40d9">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <ds:DigestValue>QpDlT8BeE3qkAVgMgOYlWa8RXVs=</ds:DigestValue>
> </ds:Reference>
> <ds:Reference URI="#SigID-b2f483fa-b398-4f03">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <ds:DigestValue>qM61OxpWpgTxpJpOdvjmbi2vdbQ=</ds:DigestValue>
> </ds:Reference>
> <ds:Reference URI="#SigID-3c659bfb-a756-4da0">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <ds:DigestValue>GHwAzsPMknNxpEnFuxvRSlm+OG0=</ds:DigestValue>
> </ds:Reference>
> <ds:Reference URI="#SigID-af1760a8-fb18-40d2">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <ds:DigestValue>81CpfjbFtDiuHOZA2erU8BECr74=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>lyIyJ3QPwd7cvhxXbzeNL6+M/+DLfWDd2qMskjEycmcW76o7rz71QRRjBra1g7iCd0KO1wu+hRQ1b8WU7XX+mHiBljLUMSMNev7nJN8phgXjDcmG2EJNRyhxCcLUfHNr5/hRU1IiQGIlFYM4nz6jLHIXL7H4Y2amTks4LAGFBvI=</ds:SignatureValue>
> <ds:KeyInfo>
> <wsse:SecurityTokenReference>
> <wsse:Reference URI="#CertID-8429e4d7-8b45-4a54"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> </wsse:Security>
> </soapenv:Header>
> <soapenv:Body
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="SigID-3c659bfb-a756-4da0">
> <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> Id="EncDataID-f97f579f-4344-4c1f"
> Type="http://www.w3.org/2001/04/xmlenc#Content">
> <xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
> <xenc:CipherData>
> <xenc:CipherValue>...</xenc:CipherValue>
> </xenc:CipherData>
> </xenc:EncryptedData>
> </soapenv:Body>
> </soapenv:Envelope>
> ==== Received Message End ====
> The response message, after the service method executes correctly:
> ==== Sending Message Start ====
> <?xml version="1.0" encoding="UTF-8"?><S:Envelope
> xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
> <S:Header>
> <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> S:mustUnderstand="1">
> <wsse:BinarySecurityToken
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>
> wsu:Id="XWSSGID-1223419098273-2033246227">...</wsse:BinarySecurityToken>
> <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> Id="XWSSGID-1223419098694327849449">
> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <wsse:SecurityTokenReference>
> <wsse:Reference URI="#XWSSGID-1223419098273-2033246227"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> <xenc:CipherData>
> <xenc:CipherValue>X5QJtgsJaUkhtTRTjDizUvPZdYejFArkb8gUNMtW9aM3vWfgzmoDaf1lxqYgarHB1LOjloOLR2/E
> khPWc9f5+YQHf+fvo4ZAJfVayddZk1q6qatMBYIjmgoWPZCiW2621MZ/yzX9t47hO/JsqWyekKYF
> 9pBXEdh5xIPmmb6yeAM=</xenc:CipherValue>
> </xenc:CipherData>
> </xenc:EncryptedKey>
> <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
> <xenc:DataReference URI="#XWSSGID-1223419098704-291332241"/>
> </xenc:ReferenceList>
> </wsse:Security>
> </S:Header>
> <S:Body>
> <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> Id="XWSSGID-1223419098704-291332241"
> Type="http://www.w3.org/2001/04/xmlenc#Content">
> <xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <wsse:SecurityTokenReference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <wsse:Reference URI="#XWSSGID-1223419098694327849449"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> <xenc:CipherData>
> <xenc:CipherValue>WiW+y7KKcmeVW8SWr2jXZ7hzBqVEepMB3OoNWW50uGwK94lHvXoijR2OgiYWjQSN78SFDLUEsi9F
> n7kPWyvBt122EiN4g2jsTzb5hW/riLtHPbRK1DqAD47/BE6XW4vYdDQFvL2sm7k2zjgFQm3uxeeE
> gNYCkgAcAzJ6H3WAfz/jDbJfmQEsjMynhtPNNBKr9yzD0JKpBp94qx+Pj/j7893SnsMDCN0NtI4j
> QdbVVdHbLU0WNyY/k6bSD+Ndj8L0ODWcgSRs+J5BhMqQ+Pd66+ygBZ2OUdqNGedOpuSXctOt9HZb
> sx62TfOUfnqCgm0m24+wBmXpbsk=</xenc:CipherValue>
> </xenc:CipherData>
> </xenc:EncryptedData>
> </S:Body>
> </S:Envelope>
> ==== Sending Message End ====
> The rampart log at the client end, upon receiving response message:
> [Tue Oct 07 18:38:19 2008] [info] Starting addressing in handler
> [Tue Oct 07 18:38:19 2008] [info]
> ..\..\src\modules\mod_addr\addr_in_handler.c
> [Tue Oct 07 18:38:19 2008] [error] ..\..\src\omxmlsec\error.c(94) OXS ERROR
> [..\..\src\omxmlsec\axiom.c:301 in oxs_axiom_get_first_child_node_by_name]
> invalid data , Cannot find child ReferenceList of <xenc:EncryptedKey
> Id="XWSSGID-1223419098694327849449"
> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"
> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/><ds:KeyInfo
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <wsse:SecurityTokenReference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <wsse:Reference URI="#XWSSGID-1223419098273-2033246227"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo><xenc:CipherData
> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue
> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">X5QJtgsJaUkhtTRTjDizUvPZdYejFArkb8gUNMtW9aM3vWfgzmoDaf1lxqYgarHB1LOjloOLR2/E
> khPWc9f5+YQHf+fvo4ZAJfVayddZk1q6qatMBYIjmgoWPZCiW2621MZ/yzX9t47hO/JsqWyekKYF
> 9pBXEdh5xIPmmb6yeAM=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>
> [Tue Oct 07 18:38:19 2008] [error]
> ..\..\src\omxmlsec\tokens\token_reference_list.c(104) [rampart]reference list
> node is NULL.
> [Tue Oct 07 18:38:19 2008] [error] ..\..\src\omxmlsec\error.c(94) OXS ERROR
> [..\..\src\omxmlsec\openssl\rsa.c:156 in openssl_rsa_prv_decrypt] (null) ,
> RSA decryption failed
> [Tue Oct 07 18:38:19 2008] [error]
> ..\..\src\util\rampart_sec_header_processor.c(855) [rampart][shp] Cannot
> decrypt the EncryptedKey
> [Tue Oct 07 18:38:20 2008] [error]
> ..\..\src\util\rampart_sec_header_processor.c(1930) [rampart][shp]
> EncryptedKey processing failed
> [Tue Oct 07 18:38:20 2008] [error]
> ..\..\src\handlers\rampart_in_handler.c(143) [rampart][rampart_in_handler]
> Security Header processing failed.
> [Tue Oct 07 18:38:20 2008] [error] ..\..\src\core\engine\phase.c(233) Handler
> RampartInHandler invoke failed within phase PreDispatch
> [Tue Oct 07 18:38:20 2008] [error] ..\..\src\core\engine\engine.c(696)
> Invoking phase PreDispatch failed
> [Tue Oct 07 18:38:22 2008] [info] [rampart][rampart_mod] rampart_mod shutdown
> -----------------------------------------------------------------------------------
> The WS-Security specification seems to indicate that the response message is
> correctly composed, and should be decryptable:
> according to wss-v1.1-spec-os-SOAPMessageSecurity:
> 9.2 xenc:EncryptedKey
> 1615 When the encryption step involves encrypting elements or element
> contents within a SOAP
> 1616 envelope with a symmetric key, which is in turn to be encrypted by the
> recipient's key and
> 1617 embedded in the message, <xenc:EncryptedKey> MAY be used for carrying
> such an
> 1618 encrypted key. This sub-element MAY contain a manifest, that is, an
> <xenc:ReferenceList>
> 1619 element, that lists the portions to be decrypted with this key. The
> manifest MAY appear outside
> 1620 the <xenc:EncryptedKey> provided that the corresponding
> xenc:EncryptedData
> 1621 elements contain <xenc:KeyInfo> elements that reference the
> <xenc:EncryptedKey>
> 1622 element.. An element or element content to be encrypted by this
> encryption step MUST be
> 1623 replaced by a corresponding <xenc:EncryptedData> according to XML
> Encryption. All the
> 1624 <xenc:EncryptedData> elements created by this encryption step SHOULD be
> listed in the
> 1625 <xenc:ReferenceList> element inside this sub-element.
> Note that the EncryptedKey element MAY contain a manifest ... it does not say
> MUST.
> Note that the manifest MAY appear outside the EncryptedKey element IF a
> KeyInfo element references the EncryptedKey,
> which in this case, it does.
> Rampart appears to require the ReferenceList within the EncryptedKey element,
> and is not supporting the use case
> of ReferenceList and KeyInfo as per specification above.
> The effect of this bug is that a secure web service using WSO2 PHP 2.0.0
> (with rampartc beneath), nearly, almost, interoperates with
> Glassfish Metro using Mutual Certificate security, but not quite.
> Glassfish Metro appears to be operating within the specification; RampartC,
> in this use case, is not.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
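The reporter's reading of WS-Security 1.1 section 9.2 comes down to two valid manifest placements: the xenc:ReferenceList nested inside the xenc:EncryptedKey (as in the request above), or the ReferenceList placed outside it with each xenc:EncryptedData carrying a ds:KeyInfo that points back at the EncryptedKey's Id (as in the Metro response). The following is an added example, not code from the issue or from Rampart/C, showing how a header processor can resolve the EncryptedData elements a key covers under both placements and reject references that do not resolve to an EncryptedData element. The namespace URIs are the ones that appear in the messages above; the two envelopes, their Ids (EK-1, ED-1, EK-2, ED-2) and cipher values are constructed placeholders.

```python
"""Resolve which xenc:EncryptedData elements an xenc:EncryptedKey applies to.

WS-Security 1.1 section 9.2 allows the manifest (xenc:ReferenceList) either
inside the EncryptedKey or outside it, provided each EncryptedData then carries
a ds:KeyInfo that points back at the EncryptedKey. A processor that only looks
for the inner manifest rejects valid messages of the second kind.
"""
import xml.etree.ElementTree as ET

# Namespaces as used in the WS-Security messages quoted in the issue.
NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
XENC_ENCRYPTED_DATA = f"{{{NS['xenc']}}}EncryptedData"


def _id_of(el):
    """Return the element's Id: xenc/ds elements use a plain Id, WS-Security uses wsu:Id."""
    return el.get("Id") or el.get(f"{{{NS['wsu']}}}Id")


def _fragment(uri):
    """Accept only same-document references ('#id'); anything else is rejected."""
    if not uri or not uri.startswith("#"):
        raise ValueError(f"non-local reference rejected: {uri!r}")
    return uri[1:]


def covered_encrypted_data(envelope_xml):
    """Map each EncryptedKey Id to the Ids of the EncryptedData elements it protects.

    Both manifest placements are accepted. Every reference must resolve to an
    existing xenc:EncryptedData element, otherwise ValueError is raised.
    """
    root = ET.fromstring(envelope_xml)
    by_id = {_id_of(el): el for el in root.iter() if _id_of(el)}
    result = {}
    for ek in root.iterfind(".//xenc:EncryptedKey", NS):
        ek_id = _id_of(ek)
        targets = []
        # Placement 1: the manifest is nested inside the EncryptedKey.
        for ref in ek.iterfind("xenc:ReferenceList/xenc:DataReference", NS):
            targets.append(_fragment(ref.get("URI")))
        # Placement 2: EncryptedData elements whose KeyInfo points back at this key
        # (only possible when the key itself carries an Id).
        if ek_id:
            for ed in root.iterfind(".//xenc:EncryptedData", NS):
                for ref in ed.iterfind(
                        "ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS):
                    if _fragment(ref.get("URI")) == ek_id:
                        targets.append(_id_of(ed) or "(no Id)")
        # De-duplicate (a message may use both placements) and verify each target
        # really is an EncryptedData element, not some other element with that Id.
        seen = []
        for t in targets:
            if t in seen:
                continue
            el = by_id.get(t)
            if el is None or el.tag != XENC_ENCRYPTED_DATA:
                raise ValueError(f"reference #{t} does not resolve to an EncryptedData")
            seen.append(t)
        result[ek_id or "(no Id)"] = seen
    return result


# Constructed sample: manifest inside the EncryptedKey (shape of the request above).
INNER_MANIFEST_MSG = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-1">
    <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
   </xenc:EncryptedKey>
  </wsse:Security>
 </soapenv:Header>
 <soapenv:Body>
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-1">
   <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
 </soapenv:Body>
</soapenv:Envelope>"""

# Constructed sample: manifest outside the EncryptedKey, EncryptedData points back
# at the key through ds:KeyInfo (shape of the Metro response above).
OUTER_MANIFEST_MSG = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
 <S:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-2">
    <xenc:CipherData><xenc:CipherValue>CCCC</xenc:CipherValue></xenc:CipherData>
   </xenc:EncryptedKey>
   <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:DataReference URI="#ED-2"/>
   </xenc:ReferenceList>
  </wsse:Security>
 </S:Header>
 <S:Body>
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-2">
   <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
     <wsse:Reference URI="#EK-2"/>
    </wsse:SecurityTokenReference>
   </ds:KeyInfo>
   <xenc:CipherData><xenc:CipherValue>DDDD</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
 </S:Body>
</S:Envelope>"""

if __name__ == "__main__":
    print(covered_encrypted_data(INNER_MANIFEST_MSG))
    print(covered_encrypted_data(OUTER_MANIFEST_MSG))
```

Both constructed envelopes resolve to one EncryptedData per key; a DataReference whose target Id is absent, or points at an element that is not an xenc:EncryptedData, raises rather than being silently skipped, which is the failure mode a header processor should report instead of logging and continuing.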