Hi,

This relates to CXF version 2.7.11.

I am receiving a response from a server which has the following actions:
Timestamp Encrypt Signature. However, when the response hits the inbound
interceptor (WSS4JInInterceptor) it is throwing the following exception:

Sep 01, 2014 2:07:49 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor checkActions
WARNING: Security processing failed (actions mismatch)
Sep 01, 2014 2:07:49 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
WARNING:
org.apache.ws.security.WSSecurityException: An error was discovered processing the <wsse:Security> header
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.checkActions(WSS4JInInterceptor.java:354)

I will post the response message which causes this at the bottom of the post
due to its size. The inbound configuration aspects are as follows:

// Inbound Policy Rules
inProps.put("action", "Timestamp Encrypt Signature");
inProps.put("passwordCallbackClass", "reply.solidsoft.emvs.common.EmvsPasswordCallback");
inProps.put("decryptionPropFile", EmvsProperties.val(propPrefix + "resp.propFile"));
inProps.put("signaturePropFile", EmvsProperties.val(propPrefix + "enc.propFile"));
inProps.put("encryptionKeyIdentifier", "Thumbprint");
inProps.put("signatureKeyIdentifier", "DirectReference");
inProps.put("encryptionKeyTransportAlgorithm", "http://www.w3.org/2001/04/xmlenc#rsa-1_5");
inProps.put("signatureAlgorithm", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
inProps.put("signatureDigestAlgorithm", "http://www.w3.org/2001/04/xmlenc#sha256");
inProps.put("encryptionSymAlgorithm", "http://www.w3.org/2001/04/xmlenc#aes256-cbc");
client.getInInterceptors().add(new WSS4JInInterceptor(inProps));

I have debugged the code in NetBeans and the issue stems from CXF
erroneously misreading the actions on the incoming message. The
WSS4JInInterceptor (or rather the classes/methods it calls) determines that
the message has the following actions (see WSConstants.java):

hex constant/tag value
4/ENCR
2/SIGN
4/ENCR
1000/BST
20/TS

It can be seen that the security engine determines that ENCR occurs twice.
This causes WSHandler.java - checkReceiverResultsAnyOrder() to throw the
mismatch error. I have managed a temporary workaround by creating my own
version of this code and ignoring the first/erroneous ENCR action. This lets
the code execute without error and all parts are decrypted perfectly. As
such I don't believe that the response message is at fault.

I believe this to be a bug in CXF and it may be required that I raise a JIRA
against this but I thought I ought to pass it by the community first. The
response message which is causing this is:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1"
u:Id="_3">http://EMVS.EU/20131/IProductServiceMahV20131/ProcessProductMasterDataResponse</a:Action>
<a:RelatesTo
u:Id="_4">urn:uuid:4967aade-8648-4620-a1ff-c2d4cf8fbbd3</a:RelatesTo>
<ActivityId CorrelationId="97caa320-8fd5-4b94-9ce3-40803a085fcb"
xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">00000000-0000-0000-0000-000000000000</ActivityId>
<o:Security s:mustUnderstand="1"
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="uuid-52853116-cc72-4419-9695-66891e2e8d9e-16">
<u:Created>2014-09-01T12:43:07.704Z</u:Created>
<u:Expires>2014-09-01T12:48:07.704Z</u:Expires>
</u:Timestamp>
<o:BinarySecurityToken
u:Id="uuid-e9802506-5ce8-4d56-9c23-f38d18f30843-211"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">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</o:BinarySecurityToken>
<e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">ZMkzeb64XxSfbnS9I9KpoXyi2uY=</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>s251ylyBGQGNZTHhSUOi0pQ+9qeTMjqHC5hNqOoN7u6PFX8acSf+iY3qTzKx7fKqhlA0gEa2QOruxp4cPw5d23cjDJoYG7avkMUlDHfcsZVeSvr8jaK20fnfYxLTVUq9uufjfu8AmxcVTSaCFtGsBk8+yRVDIMWaawNIh/lEHMRi3fQN9WpQ+n/7ctSJNZojKcpUZpRXigqgXodo5zpTIVJOX0lPzYxx7oFHKXnEWigh+n3wXT76BmROGRj+3d56srnsBh8q1NEj11/UYUfP+Djd8UPQDL7si7Fg3IpR1i3y8h0akT0gTCDN25SOMXGg2TB42Qe2O5wbQNXrq16j7A==</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>s0pK8/FZfc9Lj1u1DEcXJ/NyxAIVmP0ObV5sB0mmsqU=</DigestValue>
</Reference>
<Reference URI="#_3">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>pNIz4ObnypncdMHrcCOe6Xk09ImjeKKRdfZUGTRfYtk=</DigestValue>
</Reference>
<Reference URI="#_4">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>HL7K5FkJqile1NsYDODWMznHZ6woByDb3ccwYJER3MU=</DigestValue>
</Reference>
<Reference URI="#uuid-52853116-cc72-4419-9695-66891e2e8d9e-16">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>EVKOu76+vTcCyCJog5bRSiO2KAgfo779wH1r80g/8Wo=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>gpOmrGX/Qa3qMKAGKFrN8cmNQAmeZVJ0ZDY4fZXsqewmtK17tY+D5y/mXv9hh1MtoO2aUwaXaBGxVFYnsURhxNbIyXRCEQIrN48LuWYwMBTf4zB07esbyEpwlDDLm32POZQgkSE/nfCeKDWuCRYW4DNnaHRjQh5vQkUCc3h4NxgLaNt5hIpLrRe+ju4q3HbttFq7XFOZuMdRcSLnhS6eHjdw5po6RJeZBB2xq4QpJXrqc6KrUgEUfqk0E6VnQaMsZ1ovUB6RadD9sQHLDYXGrblIZWb2QHLglu12rjF20hgBXUvXWIOEv4C0Trm0lv0wWyo3MHbUhXkWFNzf0ykr+w==</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
URI="#uuid-e9802506-5ce8-4d56-9c23-f38d18f30843-211"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:DataReference URI="#_1"/>
</e:ReferenceList>
</o:Security>
</s:Header>
<s:Body u:Id="_2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<e:EncryptedData Id="_1" Type="http://www.w3.org/2001/04/xmlenc#Content"
xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference
k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<o:Reference
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"
URI="#_0"/>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>UZfeJK3JHywM+iKFvZ5pcBrPSne/CYR9isVZHoT3yKLEhjer8cJv7uI6HtKOjA8kZAcVMMKfRS7+5Che2Rq37n5Oueq+/ETuEOYEkMDu85E8CCwLg04vJheNKl2n3PIZiPYAPamxlQEUtYzxhHufYeGArjDLNuUJaB6Fsc+t+dTa+PMTOsnhGceGKBVU25H6Xapaf0bCLihD51kKhBh4QaOuuAuyMicBfN2e59ljc9xdz+LtkFCQ4BWRmYQFCjAz</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
</s:Envelope>
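
Added example, not part of the original post and not CXF or WSS4J source: a simplified model of an any-order action check, showing why the reported result list fails against the configured "Timestamp Encrypt Signature" actions, next to a hypothetical variant that collapses repeated actions while still rejecting a missing or unconfigured one. The class and method names are hypothetical, the hex values are the ones listed in the post, and skipping BST results is an assumption.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added illustration: a simplified model of an any-order action check, not WSS4J source.
public class ActionCheckModel {
    // Hex values as listed in the post (see WSConstants.java).
    static final int SIGN = 0x2, ENCR = 0x4, TS = 0x20, BST = 0x1000;

    // Strict model: each reported result must consume exactly one configured action.
    static boolean strictAnyOrder(List<Integer> reported, List<Integer> configured) {
        List<Integer> remaining = new ArrayList<Integer>(configured);
        for (Integer action : reported) {
            if (action == BST) {
                continue; // assumption: token results are not matched against "action"
            }
            if (!remaining.remove(action)) { // remove(Object): false if absent or already used
                return false;
            }
        }
        return remaining.isEmpty(); // a configured action that never occurred also fails
    }

    // Hypothetical tolerant variant: repeats collapse, but the set of actions must match exactly.
    static boolean tolerantAnyOrder(List<Integer> reported, List<Integer> configured) {
        Set<Integer> seen = new HashSet<Integer>(reported);
        seen.remove(Integer.valueOf(BST));
        return seen.equals(new HashSet<Integer>(configured));
    }

    public static void main(String[] args) {
        // inProps "action" = "Timestamp Encrypt Signature"
        List<Integer> configured = Arrays.asList(TS, ENCR, SIGN);
        // Result list from the post; it lines up with the header children read bottom to top:
        // ReferenceList, Signature, EncryptedKey, BinarySecurityToken, Timestamp.
        List<Integer> reported = Arrays.asList(ENCR, SIGN, ENCR, BST, TS);
        // Constructed negative case: same message with the signature result missing.
        List<Integer> unsigned = Arrays.asList(ENCR, ENCR, BST, TS);

        System.out.println("strict,   reported: " + strictAnyOrder(reported, configured));
        System.out.println("tolerant, reported: " + tolerantAnyOrder(reported, configured));
        System.out.println("strict,   unsigned: " + strictAnyOrder(unsigned, configured));
        System.out.println("tolerant, unsigned: " + tolerantAnyOrder(unsigned, configured));
    }
}
```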