SignedEncryptedSupportingTokens and EncryptBeforeSignature

Tue, 23 Feb 2010 09:22:41 -0800 

Hi,
using AsymmetricBinding, i experienced that, if i set the EncryptBeforeSigning property and, at the same time, i set a EncryptedSupportingTokens/UsernameToken or SignedEncryptedSupportingTokens/UsernameToken, STSClient always sends a RST featuring uncoded UsernameToken. STSClients behaves the same if I set a policy for EncryptedSupportingTokens/IssuedToken or SignedEncryptedSupportingTokens/IssuedToken. 


When i disable EncryptBeforeSigning, my STSClient works and the RST 
security header includes the UsernameToken encrypted.



My scenario is described in the following thread 
http://mail-archives.apache.org/mod_mbox/ws-rampart-dev/201002.mbox/raw/%[email protected]%3e/


This is my issuer policy:

<?xml version="1.0" encoding="UTF-8"?>

<wsp:Policy wsu:Id="SigEncWithSuppTokens" 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; 
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";>

<wsp:ExactlyOne>
<wsp:All>

<sp:AsymmetricBinding 
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>

<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>

<sp:X509Token 
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always";>

<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>

<sp:X509Token 
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always";>

<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256Rsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:EncryptBeforeSigning />
</wsp:Policy>
</sp:AsymmetricBinding>

<sp:SignedEncryptedSupportingTokens 
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>

<wsp:Policy>

<sp:UsernameToken 
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always";>

<wsp:Policy>
<sp:HashPassword/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SignedEncryptedSupportingTokens>

<sp:Wss10 
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>

<wsp:Policy>
<sp:MustSupportRefKeyIdentifier />
<sp:MustSupportRefIssuerSerial />
</wsp:Policy>
</sp:Wss10>

<sp:SignedParts 
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>

<sp:Body />
</sp:SignedParts>

<sp:EncryptedParts 
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>

<sp:Body />
</sp:EncryptedParts>
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy";>
                [...]
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>

This is my service policy:


<wsp:Policy wsu:Id="SgnOnlyAnonymous" 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; 
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"; 
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"; 
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>

<wsp:ExactlyOne>
<wsp:All>

<sp:AsymmetricBinding 
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>

<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>

<sp:X509Token 
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always";>

<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>

<sp:X509Token 
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always";>

<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256Rsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:EncryptBeforeSigning />
</wsp:Policy>
</sp:AsymmetricBinding>

<sp:SignedEncryptedSupportingTokens 
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>

<wsp:Policy>

<sp:IssuedToken 
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>

<Issuer xmlns="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>

<Address 
xmlns="http://www.w3.org/2005/08/addressing";>http://localhost:8080/axis2/services/STS</Address>

</Issuer>
<sp:RequestSecurityTokenTemplate>

<t:TokenType 
xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust";>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
<t:KeyType 
xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust";>http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
<t:KeySize 
xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust";>256</t:KeySize>

</sp:RequestSecurityTokenTemplate>
<wsp:Policy>
<sp:RequireInternalReference />
</wsp:Policy>
</sp:IssuedToken>
</wsp:Policy>
</sp:SignedEncryptedSupportingTokens>

<sp:SignedParts 
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>

<sp:Body />
</sp:SignedParts>

<sp:EncryptedParts 
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>

<sp:Body />
</sp:EncryptedParts>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier />
<sp:MustSupportRefIssuerSerial />
<sp:MustSupportRefThumbprint />
<sp:MustSupportRefEncryptedKey />
<sp:RequireSignatureConfirmation />
</wsp:Policy>
</sp:Wss11>
<sp:Trust10>
<wsp:Policy>
<sp:MustSupportIssuedTokens />
</wsp:Policy>
</sp:Trust10>
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy";>
                [....]
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>

This is the corresponding message:

<?xml version="1.0" encoding="UTF-8"?>

<soapenv:Envelope 
xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"; 
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";>
<soapenv:Header 
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing";>
<wsse:Security 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; 
soapenv:mustUnderstand="true">
<wsse:BinarySecurityToken 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; 
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"; 
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"; 
wsu:Id="32948446BA433358D912669456183431">MIIDcDCCAtmgAwI[...]772G7QeHoc3goeBCKUyX0f48Um28SdWJ9uok+POOVJQjA9jS+7yMSlI=</wsse:BinarySecurityToken>

<xenc:EncryptedKey Id="EncKeyId-32948446BA433358D912669456183592">

<xenc:EncryptionMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>

<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<wsse:SecurityTokenReference>

<wsse:Reference URI="#32948446BA433358D912669456183431" 
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>

</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>N7rB+Z/GIU042TB9t1W[...]Nhj7Q8L4BMJDIdYo7yzlkmPZPWUdryTCrzBRDMTGWOCfLsi11qdEu3QyuGURzvMKpFpE1AYorS4bBRJqIqls=</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>

<wsse:UsernameToken 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; 
wsu:Id="UsernameToken-2">

<wsse:Username>client</wsse:Username>

<wsse:Password 
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest";>0w+NvkI/+ykW4GoEG/9t/EgEujw=</wsse:Password>
<wsse:Nonce 
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";>0pYxLhTBqHPP2WxvVtL4Mw==</wsse:Nonce>

<wsu:Created>2010-02-23T17:20:18.437Z</wsu:Created>
</wsse:UsernameToken>

<wsse:BinarySecurityToken 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; 
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"; 
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"; 
wsu:Id="CertId-32948446BA433358D912669456184683">MIIDdjCC[..]pifWnIY7vqRWHVYwjq1chKdMGhIU=</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"; 
Id="Signature-3">

<ds:SignedInfo>

<ds:CanonicalizationMethod 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#Id-31817359">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>7ZqerSVYN7hwhzh2qHgYorH5vao=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#UsernameToken-2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>k3z8x258bXJDxBcQsWz0DNXfR5s=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
p/iJjSWopHgIBwQlo5kmojKuqyEHhX6Zlp7bNRJPZY4xu58BM66VvPiXod+IhJGy44RS2SLice++
ijLidRNyB3rjd4/LROakDE79zLPldor0gjmXkuQmjNupmMdHI8OG52xBydAWnTxbbLEmkeukfsKH
zTmG68DRT2fKGh7UCec=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-32948446BA433358D912669456184844">

<wsse:SecurityTokenReference 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; 
wsu:Id="STRId-32948446BA433358D912669456184845">
<wsse:Reference URI="#CertId-32948446BA433358D912669456184683" 
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>

</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<xenc:ReferenceList>
<xenc:DataReference URI="#EncDataId-1"/>
</xenc:ReferenceList>
</wsse:Security>
<wsa:To>http://172.25.0.153:8990/SecureAccessGateway/</wsa:To>
<wsa:ReplyTo>
<wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:MessageID>urn:uuid:826E2D0C3A33E541F41266945617049</wsa:MessageID>
<wsa:Action>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>
</soapenv:Header>

<soapenv:Body 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; 
wsu:Id="Id-31817359">
<xenc:EncryptedData Id="EncDataId-1" 
Type="http://www.w3.org/2001/04/xmlenc#Content";>
<xenc:EncryptionMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>

<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>

<wsse:SecurityTokenReference 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>

<wsse:Reference URI="#EncKeyId-32948446BA433358D912669456183592"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>eppTEa0XKAFwACaFuASrayKohiux[...]PFHqrlUnHlX8TYkP6x</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope>

Thank you in advance, vicampan.

--


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Ing. Vincenzo Campanile

Engineering Ingegneria Informatica s.p.a.

Via Ferrante Imparato 192-198
Centro Mercato 2, ed. F
80146 Napoli

Tel. 081 5650654 - Fax:  081 5650636
e-mail: [email protected]

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *















    











					Reply via email to