[ 
https://issues.apache.org/jira/browse/CXF-3041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918778#action_12918778
 ] 

Glen Mazza commented on CXF-3041:
---------------------------------

quote: "Even though the AsymmetricBinding is set at the operation level, 
nothing is specified for signing or encrypting in the request message."

Oh, but by default then everything should be signed and encrypted in the 
request message.  So long as AsymmetricBinding is defined at the operation 
level, it should not be necessary to define message-level encryption and 
signature policy reference rules in order to activate either--deactivate maybe, 
but not activate. I don't see why the default should be nothing.

To answer your earlier question:  "As far as the standard goes, I don't see 
anything in the AsymmetricBinding description which defines it as a purely 
two-way street. What in particular are you looking at with this?"

In particular, the sentence: "The AsymmetricBinding assertion is used in 
scenarios in which message protection is provided by means defined in WSS: SOAP 
Message Security using asymmetric key (Public Key) technology."

Here, we need a definition of what "asymmetric key technology" is.  Thilna's 
non-normative definition from the blog entry is:

In asymmetric binding, message encryption and signing takes place using the 
Public Key Infrastructure(PKI), i.e. sender encrypts messages using the public 
key of the recipient and sign the messages using his private key. Then the 
recipient can decrypt the received messages using his private key and verify 
the signature of the message using the public key of the sender. This way, the 
confidentiality, integrity and the non-repudiation properties of the message 
exchanges can be assured.

The Wikipedia entry (http://en.wikipedia.org/wiki/Public-key_cryptography) says 
much the same.  That should be the default (as it's the most idiot-proof 
setting)--sign and encrypt everything in both directions.  As of this moment, I 
don't see the bug here.  

quote: "The CXF client is generating a signature for the request message, which 
was not requested."
I'm not an expert at reading policy, but I would argue it *was* requested, 
because you did not explicitly shut it off at the message level, no?


> AsymmetricBinding used only for response causes error
> -----------------------------------------------------
>
>                 Key: CXF-3041
>                 URL: https://issues.apache.org/jira/browse/CXF-3041
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2.10
>            Reporter: Dennis Sosnoski
>         Attachments: effective3.tgz
>
>
> When specifying AsymmetricBinding at the operation level but only using it 
> for the response message, the request message is sent with a signature and 
> the server throws an exception (tested with both 2.2.10 and the 2.3 nightly):
> org.w3c.dom.DOMException: Cannot find Reference in Manifest
>       at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
>       at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
>       at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
>       at 
> org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:197)
>       at 
> org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
>       at 
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> Here's an edited version of the WSDL (intended to demonstrate using 
> message-level encryption only in one direction):
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl";
>     xmlns:wns="http://ws.sosnoski.com/library/wsdl";
>     xmlns:tns="http://ws.sosnoski.com/library/types";
>     xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/";
>     xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/";>
>   
>   <!-- Policy for asymmetric binding with the certificate included in the 
> message from
>    client to server but only a thumbprint on messages from the server to the 
> client. -->
>   <wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu=
>       
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
>       xmlns:wsp="http://www.w3.org/ns/ws-policy";
>       xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
>     <sp:AsymmetricBinding>
>       <wsp:Policy>
>         <sp:InitiatorToken>
>           <wsp:Policy>
>             <sp:X509Token 
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
>               <wsp:Policy>
>                 <sp:RequireThumbprintReference/>
>               </wsp:Policy>
>             </sp:X509Token>
>           </wsp:Policy>
>         </sp:InitiatorToken>
>         <sp:RecipientToken>
>           <wsp:Policy>
>             <sp:X509Token 
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never";>
>               <wsp:Policy>
>                 <sp:RequireThumbprintReference/>
>               </wsp:Policy>
>             </sp:X509Token>
>           </wsp:Policy>
>         </sp:RecipientToken>
>         <sp:AlgorithmSuite>
>           <wsp:Policy>
>             <sp:Basic128Rsa15/>
>           </wsp:Policy>
>         </sp:AlgorithmSuite>
>       </wsp:Policy>
>     </sp:AsymmetricBinding>
>   </wsp:Policy>
>   
>   <!-- Policy for signing the message body. -->
>   <wsp:Policy wsu:Id="SignBody" xmlns:wsu=
>       
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
>       xmlns:wsp="http://www.w3.org/ns/ws-policy";
>       xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
>     <sp:SignedParts>
>       <sp:Body/>
>     </sp:SignedParts>
>   </wsp:Policy>
>   
>   ...
>   <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
>     <wsdlsoap:binding style="document" 
> transport="http://schemas.xmlsoap.org/soap/http"/>
>     <wsdl:operation name="getBook">
>   
>       <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
> URI="#AsymmBinding"/>
>     
>       <wsdlsoap:operation soapAction="urn:getBook"/>
>       
>       <wsdl:input name="getBookRequest">
>         <wsdlsoap:body use="literal"/>
>       </wsdl:input>
>       
>       <wsdl:output name="getBookResponse">
>         <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
> URI="#SignBody"/>
>         <wsdlsoap:body use="literal"/>
>       </wsdl:output>
>       
>     </wsdl:operation>
>     ...
>   </wsdl:binding>
>   ...
> </wsdl:definitions>
> Here's the actual request message:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";>
>    <soap:Header>
>       <wsse:Security 
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>  soap:mustUnderstand="1">
>          <wsse:BinarySecurityToken 
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>  
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
>  
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
>  
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
>  
> wsu:Id="CertId-797FFC48A8BEF2669712863570548321">MIICoD....n33w==</wsse:BinarySecurityToken>
>          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"; 
> Id="Signature-1">
>             <ds:SignedInfo>
>                <ds:CanonicalizationMethod 
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                <ds:SignatureMethod 
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>             </ds:SignedInfo>
>             
> <ds:SignatureValue>L422ALMnyFgf5WZiEixkUiaGY08otO3qRtm9C6mhWuZukFnmz0XmvggN03B6tcd1zE1nHWKUD0bLeOQ1RLjnd8LCL/+zYjnWOEtALZHPwJfJW5r9xq42DFIWVg2llVDw83rgShU5IhbBUMvdHv5zP/Y6xPipVysxDzPZS8t2gpM=</ds:SignatureValue>
>             <ds:KeyInfo Id="KeyId-797FFC48A8BEF2669712863570548432">
>                <wsse:SecurityTokenReference 
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>  
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
>  wsu:Id="STRId-797FFC48A8BEF2669712863570548463">
>                   <wsse:Reference 
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>  URI="#CertId-797FFC48A8BEF2669712863570548321" 
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
>                </wsse:SecurityTokenReference>
>             </ds:KeyInfo>
>          </ds:Signature>
>       </wsse:Security>
>    </soap:Header>
>    <soap:Body>
>       <getBook xmlns="http://ws.sosnoski.com/library/wsdl"; 
> xmlns:ns2="http://ws.sosnoski.com/library/types";>
>          <isbn>0061020052</isbn>
>       </getBook>
>    </soap:Body></soap:Envelope>
> To use the attached .tgz, edit the build.properties cxf-home property to set 
> the home directory for you CXF installation, and build with Ant (default 
> target). This generates the .war, and you can then run the client with the 
> Ant target "run".

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to