WSS4J with WSE3.0 interoperability problem

From: vgindin <vgindin@xxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 9 Jan 2007 04:39:00 -0800

Hello, discussion group.

I have following problem. I’m trying to use Java server with XFire soap
framework 1.2.4 (It uses wss4j 1.5.0 to implement ws-security) with .Net 2.0
with WSE 3.0 web services client. So, I have configured Net client to use
UsernameToken and message signing and encryption using WSE policy wizard.
wse3policyCache.config:

<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy";>
<extensions>
<extension name="usernameOverTransportSecurity"
type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
<extension name="requireActionHeader"
type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
<extension name="usernameForCertificateSecurity"
type="Microsoft.Web.Services3.Design.UsernameForCertificateAssertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
<extension name="x509"
type="Microsoft.Web.Services3.Design.X509TokenProvider,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
</extensions>
<policy name="MyPolicy">
<usernameForCertificateSecurity establishSecurityContext="false"
renewExpiredSecurityContext="true" requireSignatureConfirmation="false"
messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false"
ttlInSeconds="300">
<serviceToken>
<x509 storeLocation="CurrentUser" storeName="My"
findValue="CN="Naumen ou=DMS o=Naumen c=Russia""
findType="FindBySubjectDistinguishedName" />
</serviceToken>
<protection>
<request signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="true" />
<response signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="true" />
<fault signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="false" />
</protection>
</usernameForCertificateSecurity>
<requireActionHeader />
</policy>
</policies>

When I run Net client WSSecurityEngine throws following Exception:

org.apache.ws.security.WSSecurityException: General security error
(Unexpected number of X509Data: for decryption (KeyId))

Tracing error on the server, it seems like the value type of key identifier
is not supported. Namely, incoming value type of key identifer is:

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1

But expected value type is:
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 or
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier or
http://docs.oasis-open.org/wss/2004/xx/oasis-2004xx-wss-soap-message-security-1.0#ThumbprintSHA1

So, as you can see, incoming value type is not corresponds any of expected
value types.

Here is output (from Net client) soap message:

я╗┐<?xml version="1.0" encoding="utf-8"?>
<log>
<outputMessage utc="09.01.2007 12:10:45"
messageId="urn:uuid:53cc97ca-95e4-4bf9-a671-533a6f5234ee">
<processingStep description="Unprocessed message">
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:xsd="http://www.w3.org/2001/XMLSchema";>
<soap:Body>
<findBook xmlns="http://xfserver.ru";>
<isbn>0123456789</isbn>
</findBook>
</soap:Body>
</soap:Envelope>
</processingStep>
<processingStep description="Entering SOAP filter
Microsoft.Web.Services3.Design.UsernameForCertificateAssertion+ClientOutputFilter" />
<processingStep description="Exited SOAP filter
Microsoft.Web.Services3.Design.UsernameForCertificateAssertion+ClientOutputFilter" />
<processingStep description="Processed message">
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:xsd="http://www.w3.org/2001/XMLSchema";
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing";
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";>
<soap:Header>
<wsa:Action wsu:Id="Id-421ca7f9-79a3-45de-a5eb-30ec72c0adbf">
</wsa:Action>
<wsa:MessageID
wsu:Id="Id-c4207a09-8ec1-4cf4-a0b4-9c610395bdc9">urn:uuid:53cc97ca-95e4-4bf9-a671-533a6f5234ee</wsa:MessageID>
<wsa:ReplyTo wsu:Id="Id-a3c4eecd-378e-4779-b733-e5201c61054d">

<wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:To
wsu:Id="Id-cad4bd56-dc74-4d88-9e89-3a4aa7d111ba">http://localhost:8080/fx/services/BookService</wsa:To>
<wsse:Security soap:mustUnderstand="1">
<wsu:Timestamp
wsu:Id="Timestamp-c33e6cd0-a980-4e5b-8bfa-c0031975707d">
<wsu:Created>2007-01-09T12:10:44Z</wsu:Created>
<wsu:Expires>2007-01-09T12:15:44Z</wsu:Expires>
</wsu:Timestamp>
<xenc:EncryptedKey
Id="SecurityToken-ef7cb5fa-5778-485c-a0fd-1f7e109c1adf"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";>
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";>
<ds:DigestMethod
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; />
</xenc:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#";>
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1";
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";>qu+E4Dw2nPejS8+7LLwfrErnIgk=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</KeyInfo>
<xenc:CipherData>

<xenc:CipherValue>TfUcpnUL+MqEnRKIcSf8G3Bdsme8NkvGMZwOzSjUfIv3/aBLNtOfQNurnJvraRf+7nKwRKPExOl668aJFCbLjmxuIgNJLthizEcBo28sBHTlnOx6ZpaoO/aLR1kvteSDYfuhmyS6J2GyOyGZuyiULZ4op1sRziau1h+zfhth5P8=</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference
URI="#Enc-b43f22a8-0f04-4306-a114-b9338d964be2" />
<xenc:DataReference
URI="#Enc-25e50e5e-f491-4c54-ac8d-0b99c3b95da7" />
</xenc:ReferenceList>
</xenc:EncryptedKey>
<xenc:EncryptedData
Id="Enc-b43f22a8-0f04-4306-a114-b9338d964be2"
Type="http://www.w3.org/2001/04/xmlenc#Element";
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";>
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"; />
<xenc:CipherData>

<xenc:CipherValue>m/yTxrFEnCe+EVCI25NGKSTZPpKmjkeFq6F/LPSIADTPwuHPSSkkeVYv6F3B/cQaIEo6kFC94SsR6DkNHNfailo3ZvqJ0SMN24lxZEqbQDRAk47Rqc3rCBqH7aRSOlthMVhfaWj3MBPekYLziYOIZrm7BJNXywW2i336wINvssPvIAguzHbNo6vLtCvjTR6sD6129k8W8kAUl+XsZPvraEAeDISrCC9BGU76NyTJxMM6nq8YQhW0C/anlS4Ip9pYSPqmdVqgXgA7SEWPV85WsqiaVvGo+FD2yvmdKqDdzLWbPmNyJIf0H0VwFkgPuGpUDSFEQ5Sq3Gg81OUnBXweRn94+SQz0Xmyhb1jXgzG+RV5vudDWLGNk1jZx3MBPRJalMwdoIAYSfWlhuMx2nH4A5bV+O2N0B0SKRZUcdmBJ8z4/6v/veCQVIAIiRVKjnw6OSctkOwwHKCL7tRXzFheIh6eq/8Vu2IwR85aPm7ILL8iTMHgZvjB0QHX0ZiogfXVOC4RUybZUef9Fjio6LetFANuh0uDejKKM7M6s03D7gr2dJwzO3e7ne2n+JkC6aerYaAf5kuXmc1CngPgvPk07DVPRFu8NhoRh4WyUREq1C000UaMmejKNT1NuYrLT6XYhF2a7mpk78NXVjrUOWDqVLTeyNmpyJjkSaV7uaSsbUjMCuW8LOT8tKrF8YNcCFr5fTf6mduaht/FaSUGskmr5cz7hk8QIOEeWkaaWNMrTbfVHIpr4hX+GpmS7UTCgTLtkpDCrngjgklSfRV9IWiLNA==</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#";>
<SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"; />
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"; />
<Reference
URI="#SecurityToken-52cb8a68-d78d-4aa6-baa1-b930913e360a">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; />
<DigestValue>muqN5c5yUp1UT6Qe/ff8C2zOjds=</DigestValue>
</Reference>
<Reference URI="#Id-421ca7f9-79a3-45de-a5eb-30ec72c0adbf">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; />
<DigestValue>HmgRHToER5myZu//ujRQC1nufGA=</DigestValue>
</Reference>
<Reference URI="#Id-c4207a09-8ec1-4cf4-a0b4-9c610395bdc9">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; />
<DigestValue>ViyXgTOcztcUdxhkdcat4PHlsiw=</DigestValue>
</Reference>
<Reference URI="#Id-a3c4eecd-378e-4779-b733-e5201c61054d">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; />
<DigestValue>DbcveImfo76JLF0aCdQjilXcuXw=</DigestValue>
</Reference>
<Reference URI="#Id-cad4bd56-dc74-4d88-9e89-3a4aa7d111ba">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; />
<DigestValue>tTWWBR/+pSqq4W5e2LZImLixnTA=</DigestValue>
</Reference>
<Reference
URI="#Timestamp-c33e6cd0-a980-4e5b-8bfa-c0031975707d">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; />
<DigestValue>pmOdN8/qVaErI884oIiR3QRWZ98=</DigestValue>
</Reference>
<Reference URI="#Id-076ab7d3-d828-4c0c-985b-dcbbe7ab36e1">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; />
<DigestValue>Q1rKM/2QZ54q71U9dGUtGT8TGc8=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>Sqmmv0+MKvhtbUDUljbLPCeva5Y=</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference
URI="#SecurityToken-ef7cb5fa-5778-485c-a0fd-1f7e109c1adf"
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"; />
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soap:Header>
<soap:Body wsu:Id="Id-076ab7d3-d828-4c0c-985b-dcbbe7ab36e1">
<xenc:EncryptedData Id="Enc-25e50e5e-f491-4c54-ac8d-0b99c3b95da7"
Type="http://www.w3.org/2001/04/xmlenc#Content";
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";>
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"; />
<xenc:CipherData>

<xenc:CipherValue>Jgg14sNtn30M3fBqx4wd99DYHdvGhZs4mBeU0FSdDVoXy7QQxDJHqoYDPKABry6vmaPO0YhE3SaAMePV2iGlaYMl2jn72Ht9JIfKJ3lX4E/PNDfJjk1EXPqHv/mdL2mZ</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soap:Body>
</soap:Envelope>
</processingStep>
</outputMessage>
</log>

I hope for your help. Thank’s
Sincerely, Vadim Gindin

.

Prev by Date: Re: Odd problem with WSE
Next by Date: Re: WSE 3.0 and 2.0 interoperability
Previous by thread: Somtimes I get "Mutable Security Token..." exception
Next by thread: Re: WSE 3.0 and 2.0 interoperability
Index(es):
- Date
- Thread

Relevant Pages

Re: Serious problem with NET client and Axis web service
... The SOAP request contains the following: ... public WorkRequestStatusTO getWorkRequestStatus{ ... Winform) calling an Axis web service. ... The .NET client can authenticate, ...
(microsoft.public.dotnet.xml)
Re: Tracing soap requests
... And the .Net client establishes connection through an avaliable port and ... then how am I supposed to track the SOAP messages sent ... Is there an easy way we could enable some sort of tracing ...
(microsoft.public.dotnet.framework.webservices)