Hi all,
currently I am trying some tests with Asymmetric binding. I am using the
stable Rampart 1.3 release, not the SNAPSHOT version.
What I am trying to do is to have an encrypted body. Here is the
services.xml used:

<serviceGroup>
  <service name="HelloPojo">
    <description>Web Service HelloPojo</description>
    <parameter name="ServiceClass">com.mycompany.wsstack.pojo.HelloPojo</parameter>
    <messageReceivers>
      <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"
                       mep="http://www.w3.org/2004/08/wsdl/in-out"/>
    </messageReceivers>
    <operation name="sayHello"/>
    <wsp:Policy wsu:Id="User defined"
                xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
              <sp:InitiatorToken>
                <wsp:Policy>
                  <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy>
                      <sp:WssX509V3Token10/>
                    </wsp:Policy>
                  </sp:X509Token>
                </wsp:Policy>
              </sp:InitiatorToken>
              <sp:RecipientToken>
                <wsp:Policy>
                  <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                    <wsp:Policy>
                      <sp:WssX509V3Token10/>
                    </wsp:Policy>
                  </sp:X509Token>
                </wsp:Policy>
              </sp:RecipientToken>
              <sp:AlgorithmSuite xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                  <sp:TripleDesRsa15/>
                </wsp:Policy>
              </sp:AlgorithmSuite>
              <sp:Layout>
                <wsp:Policy>
                  <sp:Strict/>
                </wsp:Policy>
              </sp:Layout>
              <sp:OnlySignEntireHeadersAndBody/>
            </wsp:Policy>
          </sp:AsymmetricBinding>
          <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <sp:Policy>
              <sp:MustSupportRefKeyIdentifier/>
              <sp:MustSupportRefIssuerSerial/>
            </sp:Policy>
          </sp:Wss10>
          <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy/>
          </sp:SignedSupportingTokens>
          <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
          <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <sp:Body/>
          </sp:EncryptedParts>
          <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
          <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
          <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
            <ramp:user>service</ramp:user>
            <ramp:encryptionUser>client</ramp:encryptionUser>
            <ramp:passwordCallbackClass>com.mycompany.wsstack.pwcb.PasswordCallbackHandler</ramp:passwordCallbackClass>
            <ramp:signatureCrypto>
              <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
                <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">openssl</ramp:property>
              </ramp:crypto>
            </ramp:signatureCrypto>
            <ramp:encryptionCypto>
              <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
                <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">openssl</ramp:property>
              </ramp:crypto>
            </ramp:encryptionCypto>
          </ramp:RampartConfig>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>
    <module ref="addressing"/>
    <module ref="rampart"/>
  </service>
</serviceGroup>

The SOAP request created is:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                  xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <soapenv:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                       soapenv:mustUnderstand="1">
            <xenc:EncryptedKey Id="EncKeyId-5035392">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <wsse:SecurityTokenReference>
                        <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                                            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">9kbwRNyMypNWhulx0JkHVOFvRB8=</wsse:KeyIdentifier>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
                <xenc:CipherData>
                    <xenc:CipherValue>z4Usp6rv3z1ACOKFTYF62kNREaz6cmVRfof3JU9IN/Lu1xAGsN+Usyha7hCUnxnmrwU2IBAZ+FBbrppcHFJVnRaR5YUd8Yj/75Dy+/Ojg3epIjRzG7nQGyO6b94vtRsJY/4xmpROcuSuX5N/GBeYAungMnMtt62bhpm17immrtI=</xenc:CipherValue>
                </xenc:CipherData>
                *<xenc:ReferenceList>
                    <xenc:DataReference URI="#EncDataId-30969271"/>
                </xenc:ReferenceList>*
            </xenc:EncryptedKey>
        </wsse:Security>
        <wsa:To>http://localhost:8082/wsstack/services/HelloPojo</wsa:To>
        <wsa:MessageID>urn:uuid:6C75F95147A7A10DF61196781869287</wsa:MessageID>
        <wsa:Action>urn:sayHello</wsa:Action>
    </soapenv:Header>
    <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                  wsu:Id="Id-30969271">
        <xenc:EncryptedData Id="EncDataId-30969271" Type="http://www.w3.org/2001/04/xmlenc#Content">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                    <wsse:Reference URI="#EncKeyId-5035392"/>
                </wsse:SecurityTokenReference>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>nR0cXuHz/tvFplLYu7DF1gC8km7KlHiUM455xTBj0ShPeKBG57qCY0/5YrhE2f0pUecG5TYZuUhD
B/nYzCTYbfybD9gqG+cM1F0uSpKL8ZkaklMCAXsEfXwSo/ab1PYI8uHtt1xbUPVwyxCQ8HIkanT2
GLJsCLX5wHjxlxWWb//LoXs2wWic5XVKy9HD5mbQbVePbfE6sfF7p485MK1+Uj9zeZ6B18eHRQBV
qsfaNDmyQYLLGVbaKcQd4EYx49ARDDKe/my7CaHHl1J/0hSZmB9Ju9OehawKiG5p7rNN/U1SnmMm
SqU/yfFGBGVQKu6Z+rb7bN3ldZDdON3yg1kW7UuZB6SbFE0KDfXLp6u2IUM8g6mBVLxarLSsBu/P
g1WlHcOFIQ0ZkZyZFJFTkXlx90dhtmQvsyGYjvexeD9qjfq6FqDtNmovEdzw6ni+iKWwe+071DjW
OTBqLJ0SNqAnyEX8Ed+IEtf6</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </soapenv:Body>
</soapenv:Envelope>

The first problem was that the <xenc:ReferenceList> node was missing from
<xenc:EncryptedKey>. The cause that I found (and it is present in the
Rampart trunk, too) was that in the AsymmetricBindingBuilder's
doSignBeforeEncrypt(RampartMessageData) method there was the following code:

    Element encryptedKeyElement = encr.getEncryptedKeyElement();

    this.setInsertionLocation(RampartUtil.insertSiblingAfterOrPrepend(rmd,
            this.getInsertionLocation(), encryptedKeyElement));

    // Encrypt, get hold of the ref list and add it
    refList = encr.encryptForInternalRef(null, encrParts);

    // Add internal refs
    encryptedKeyElement.appendChild(refList);

My fix was to move the this.setInsertionLocation(...) call after
encryptedKeyElement.appendChild(refList);
This fixed the problem and the *<xenc:ReferenceList>* node was properly set, as
seen in the above SOAP request example.

Anyway, now I am receiving the "Cannot find Reference in Manifest"
exception. I should test this with the trunk version to be sure whether this is
fixed, but it is a little bit more complicated, so if someone has the same
problem solved/observed with the trunk version, they are welcome to share their
knowledge.
Please note that this is related to
https://issues.apache.org/jira/browse/RAMPART-110. The difference is that this
JIRA is related to symmetric binding.

Regards,
Dobri
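As an added example (not part of Dobri's mail and not Rampart or WSS4J code), here is a receiver-side consistency check for the structure the reordering above restores: every xenc:EncryptedData in the message must be listed in a DataReference under the EncryptedKey's xenc:ReferenceList, and its KeyInfo must point back at that same EncryptedKey. check_encryption_refs and sample_envelope are hypothetical helpers; the envelope is a constructed minimal one shaped like the request in the mail, with placeholder ciphertext.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the WS-Security envelope in the post.
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}

def check_encryption_refs(envelope_xml):
    """Return a list of problems; empty means EncryptedKey and EncryptedData agree."""
    root = ET.fromstring(envelope_xml)
    enc_keys = root.findall("soapenv:Header/wsse:Security/xenc:EncryptedKey", NS)
    if not enc_keys:
        return ["no xenc:EncryptedKey in the wsse:Security header"]
    # Map every DataReference URI (without '#') to the Id of the EncryptedKey listing it.
    listed = {}
    for ek in enc_keys:
        for dr in ek.findall("xenc:ReferenceList/xenc:DataReference", NS):
            listed[dr.get("URI", "").lstrip("#")] = ek.get("Id")
    problems = []
    for ed in root.iter("{%s}EncryptedData" % NS["xenc"]):
        ed_id = ed.get("Id")
        if ed_id not in listed:
            # The symptom of the bug in the post: ReferenceList never appended to EncryptedKey.
            problems.append("EncryptedData %s is not listed in any xenc:ReferenceList" % ed_id)
            continue
        ref = ed.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
        key_ref = ref.get("URI", "").lstrip("#") if ref is not None else None
        if key_ref != listed[ed_id]:
            problems.append("EncryptedData %s points at key %s but is listed under %s"
                            % (ed_id, key_ref, listed[ed_id]))
    return problems

def sample_envelope(with_ref_list):
    """Constructed minimal envelope shaped like the post's (ciphertext is a placeholder)."""
    ref_list = ('<xenc:ReferenceList><xenc:DataReference URI="#EncDataId-1"/></xenc:ReferenceList>'
                if with_ref_list else "")
    return (
        '<soapenv:Envelope xmlns:soapenv="%s" xmlns:xenc="%s" xmlns:wsse="%s" xmlns:ds="%s">'
        '<soapenv:Header><wsse:Security><xenc:EncryptedKey Id="EncKeyId-1">'
        '<xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>'
        '%s</xenc:EncryptedKey></wsse:Security></soapenv:Header>'
        '<soapenv:Body><xenc:EncryptedData Id="EncDataId-1"><ds:KeyInfo>'
        '<wsse:SecurityTokenReference><wsse:Reference URI="#EncKeyId-1"/></wsse:SecurityTokenReference>'
        '</ds:KeyInfo></xenc:EncryptedData></soapenv:Body></soapenv:Envelope>'
        % (NS["soapenv"], NS["xenc"], NS["wsse"], NS["ds"], ref_list)
    )
```

Running check_encryption_refs(sample_envelope(False)) reproduces the first symptom from the mail (an EncryptedData with no ReferenceList entry), while sample_envelope(True) passes cleanly.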
