Description: Fixes CVE-2012-4063
Author: Steve Jones <steve.jones@eucalyptus.com>

fda3e1d69b2a36197f8cff88ee542da72bdea104
diff --git a/clc/modules/msgs/src/main/java/com/eucalyptus/crypto/util/WSSecurity.java b/clc/modules/msgs/src/main/java/com/eucalyptus/crypto/util/WSSecurity.java
index 7aa6e9f..f4a914f 100644
--- a/clc/modules/msgs/src/main/java/com/eucalyptus/crypto/util/WSSecurity.java
+++ b/clc/modules/msgs/src/main/java/com/eucalyptus/crypto/util/WSSecurity.java
@@ -88,6 +88,8 @@ import org.apache.ws.security.message.token.Timestamp;
 import org.apache.ws.security.message.token.X509Security;
 import org.apache.ws.security.processor.TimestampProcessor;
 import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.xml.security.c14n.Canonicalizer;
+import org.apache.xml.security.c14n.InvalidCanonicalizerException;
 import org.apache.xml.security.exceptions.XMLSecurityException;
 import org.apache.xml.security.keys.KeyInfo;
 import org.apache.xml.security.signature.SignedInfo;
@@ -110,14 +112,24 @@ import com.eucalyptus.ws.WebServicesException;
 public class WSSecurity {
   private static Logger             LOG = Logger.getLogger( WSSecurity.class );
   private static CertificateFactory factory;
- 
+  private static final String       SYSTEM_PROPERTY_SKIP_SECURITY_CHECK = "com.eucalyptus.crypto.util.skipWsSecurityConfigurationChecks";
+
   static {
+    System.setProperty( "org.apache.xml.security.resource.config", "/xml-security-config.xml" );
     org.apache.xml.security.Init.init( );
+    if ( !acceptXmlSecurityConfiguration() ) {
+      LOG.fatal("XML Security configuration not applied, set system property "+SYSTEM_PROPERTY_SKIP_SECURITY_CHECK+"=true to skip check");
+      throw new RuntimeException("XML Security Configuration not applied");
+    }
     WSSConfig.getDefaultWSConfig( ).addJceProvider( "BC", BouncyCastleProvider.class.getCanonicalName( ) );
     WSSConfig.getDefaultWSConfig( ).setTimeStampStrict( true );
     WSSConfig.getDefaultWSConfig( ).setEnableSignatureConfirmation( true );
   }
-   
+
+  public static void init() {
+    // currently the static initializer does the work
+  }
+
   public static CertificateFactory getCertificateFactory( ) {
     if ( factory == null ) {
       try {
@@ -389,5 +401,19 @@ public class WSSecurity {
     if ( sig.getKeyInfo( ) == null ) throw new WSSecurityException( WSSecurityException.SECURITY_TOKEN_UNAVAILABLE );
     return sig;
   }
-  
+
+  private static boolean acceptXmlSecurityConfiguration() {
+    return
+        Boolean.parseBoolean(System.getProperty(SYSTEM_PROPERTY_SKIP_SECURITY_CHECK)) ||
+        isValidXmlSecurityConfiguration();
+  }
+
+  private static boolean isValidXmlSecurityConfiguration()  {
+    try {
+      Canonicalizer.getInstance( "http://www.w3.org/2006/12/xml-c14n11" );
+      return false;
+    } catch (InvalidCanonicalizerException e) {
+      return true;
+    }
+  }
 }
diff --git a/clc/modules/msgs/src/main/java/com/eucalyptus/ws/handlers/WsSecHandler.java b/clc/modules/msgs/src/main/java/com/eucalyptus/ws/handlers/WsSecHandler.java
index c406f7f..42b4fa9 100644
--- a/clc/modules/msgs/src/main/java/com/eucalyptus/ws/handlers/WsSecHandler.java
+++ b/clc/modules/msgs/src/main/java/com/eucalyptus/ws/handlers/WsSecHandler.java
@@ -84,6 +84,7 @@ import org.jboss.netty.channel.MessageEvent;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import com.eucalyptus.binding.HoldMe;
+import com.eucalyptus.crypto.util.WSSecurity;
 import com.eucalyptus.http.MappingHttpMessage;
 import com.eucalyptus.ws.util.CredentialProxy;
 
@@ -92,6 +93,10 @@ public abstract class WsSecHandler extends MessageStackHandler {
   private static Logger         LOG    = Logger.getLogger( WsSecHandler.class );
   private final CredentialProxy credentials;
 
+  static {
+    WSSecurity.init();
+  }
+
   public WsSecHandler( final CredentialProxy credentials ) {
     this.credentials = credentials;
   }
diff --git a/clc/modules/msgs/src/main/resources/xml-security-config.xml b/clc/modules/msgs/src/main/resources/xml-security-config.xml
new file mode 100644
index 0000000..10cf86e
--- /dev/null
+++ b/clc/modules/msgs/src/main/resources/xml-security-config.xml
@@ -0,0 +1,414 @@
+<?xml version="1.0"?>
+<!--
+<!DOCTYPE Configuration SYSTEM "config.dtd">
+-->
+<!-- This configuration file is used for configuration of the org.apache.xml.security package -->
+<Configuration target="org.apache.xml.security" xmlns="http://www.xmlsecurity.org/NS/#configuration">
+   <CanonicalizationMethods>
+      <CanonicalizationMethod URI="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
+                              JAVACLASS="org.apache.xml.security.c14n.implementations.Canonicalizer20010315OmitComments" />
+      <CanonicalizationMethod URI="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
+                              JAVACLASS="org.apache.xml.security.c14n.implementations.Canonicalizer20010315WithComments" />
+
+      <CanonicalizationMethod URI="http://www.w3.org/2001/10/xml-exc-c14n#"
+                              JAVACLASS="org.apache.xml.security.c14n.implementations.Canonicalizer20010315ExclOmitComments"/>
+      <CanonicalizationMethod URI="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
+                              JAVACLASS="org.apache.xml.security.c14n.implementations.Canonicalizer20010315ExclWithComments"/>
+       <!-- Disabled as the JDK "config.xml" disables this
+      <CanonicalizationMethod URI="http://www.w3.org/2006/12/xml-c14n11"
+                              JAVACLASS="org.apache.xml.security.c14n.implementations.Canonicalizer11_OmitComments"/> -->
+       <!-- Disabled as the JDK "config.xml" disables this
+      <CanonicalizationMethod URI="http://www.w3.org/2006/12/xml-c14n11#WithComments"
+                              JAVACLASS="org.apache.xml.security.c14n.implementations.Canonicalizer11_WithComments"/> -->
+   </CanonicalizationMethods>
+   <TransformAlgorithms>
+      <!-- Base64 -->
+      <!-- Disabled as it facilitates DOS attacks
+      <TransformAlgorithm URI="http://www.w3.org/2000/09/xmldsig#base64"
+                          JAVACLASS="org.apache.xml.security.transforms.implementations.TransformBase64Decode" /> -->
+      <!-- c14n omitting comments -->
+      <TransformAlgorithm URI="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
+                          JAVACLASS="org.apache.xml.security.transforms.implementations.TransformC14N" />
+      <!-- c14n with comments -->
+      <TransformAlgorithm URI="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
+                          JAVACLASS="org.apache.xml.security.transforms.implementations.TransformC14NWithComments" />
+      <!-- c14n 1.1 omitting comments -->
+      <!-- Disabled as the JDK "config.xml" disables this
+      <TransformAlgorithm URI="http://www.w3.org/2006/12/xml-c14n11"
+                          JAVACLASS="org.apache.xml.security.transforms.implementations.TransformC14N11" /> -->
+      <!-- c14n 1.1 with comments -->
+      <!-- Disabled as the JDK "config.xml" disables this
+      <TransformAlgorithm URI="http://www.w3.org/2006/12/xml-c14n11#WithComments"
+                      JAVACLASS="org.apache.xml.security.transforms.implementations.TransformC14N11_WithComments" /> -->
+      <!-- exclusive c14n omitting comments -->
+      <TransformAlgorithm URI="http://www.w3.org/2001/10/xml-exc-c14n#"
+                          JAVACLASS="org.apache.xml.security.transforms.implementations.TransformC14NExclusive" />
+      <!-- exclusive c14n with comments -->
+      <TransformAlgorithm URI="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
+                          JAVACLASS="org.apache.xml.security.transforms.implementations.TransformC14NExclusiveWithComments" />
+      <!-- XPath transform -->
+      <!-- Disabled as it facilitates DOS attacks and obscures the signed content
+      <TransformAlgorithm URI="http://www.w3.org/TR/1999/REC-xpath-19991116"
+                          JAVACLASS="org.apache.xml.security.transforms.implementations.TransformXPath" />  -->
+      <!-- enveloped signature -->
+      <TransformAlgorithm URI="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
+                          JAVACLASS="org.apache.xml.security.transforms.implementations.TransformEnvelopedSignature" />
+      <!-- XSLT -->
+      <!-- Disabled as it facilitates DOS attacks and obscures the signed content
+      <TransformAlgorithm URI="http://www.w3.org/TR/1999/REC-xslt-19991116"
+                          JAVACLASS="org.apache.xml.security.transforms.implementations.TransformXSLT" /> -->
+      <!-- XPath version 2 -->
+      <!-- Disabled as it facilitates DOS attacks and obscures the signed content
+      <TransformAlgorithm URI="http://www.w3.org/2002/04/xmldsig-filter2"
+                          JAVACLASS="org.apache.xml.security.transforms.implementations.TransformXPath2Filter" /> -->
+      <!-- XPath version 2b -->
+      <!-- Disabled as it facilitates DOS attacks and obscures the signed content
+      <TransformAlgorithm URI="http://www.w3.org/2002/06/xmldsig-filter2"
+                          JAVACLASS="org.apache.xml.security.transforms.implementations.TransformXPath2Filter" /> -->
+   </TransformAlgorithms>
+   <SignatureAlgorithms>
+      <SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#dsa-sha1"
+                          JAVACLASS="org.apache.xml.security.algorithms.implementations.SignatureDSA" />
+      <SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+                          JAVACLASS="org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1" />
+      <SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#hmac-sha1"
+                          JAVACLASS="org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacSHA1" />
+
+      <!-- Disabled as MD5 should no longer be considered secure
+      <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"
+                          JAVACLASS="org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSAMD5" /> -->
+      <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"
+                          JAVACLASS="org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSARIPEMD160" />
+      <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+                          JAVACLASS="org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA256" />
+      <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
+                          JAVACLASS="org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA384" />
+      <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
+                          JAVACLASS="org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA512" />
+      <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"
+                          JAVACLASS="org.apache.xml.security.algorithms.implementations.SignatureECDSA$SignatureECDSASHA1" />
+
+      <!-- Disabled as MD5 should no longer be considered secure
+      <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#hmac-md5"
+                          JAVACLASS="org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacMD5" /> -->
+      <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160"
+                          JAVACLASS="org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacRIPEMD160" />
+      <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
+                          JAVACLASS="org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacSHA256" />
+      <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#hmac-sha384"
+                          JAVACLASS="org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacSHA384" />
+      <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#hmac-sha512"
+                          JAVACLASS="org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacSHA512" />
+   </SignatureAlgorithms>
+   <JCEAlgorithmMappings>
+      <Algorithms>
+         <!-- MessageDigest Algorithms -->
+         <!-- Disabled as MD5 should no longer be considered secure
+         <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#md5"
+                    Description="MD5 message digest from RFC 1321"
+                    AlgorithmClass="MessageDigest"
+                    RequirementLevel="NOT RECOMMENDED"
+                    SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
+                    JCEName="MD5"/> -->
+
+         <Algorithm URI="http://www.w3.org/2001/04/xmlenc#ripemd160"
+                    Description="RIPEMD-160 message digest"
+                    AlgorithmClass="MessageDigest"
+                    RequirementLevel="OPTIONAL"
+                    JCEName="RIPEMD160"/>
+
+         <Algorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"
+                    Description="SHA-1 message digest"
+                    AlgorithmClass="MessageDigest"
+                    RequirementLevel="REQUIRED"
+                    JCEName="SHA-1"/>
+
+         <Algorithm URI="http://www.w3.org/2001/04/xmlenc#sha256"
+                    Description="SHA-1 message digest with 256 bit"
+                    AlgorithmClass="MessageDigest"
+                    RequirementLevel="RECOMMENDED"
+                    JCEName="SHA-256"/>
+
+         <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#sha384"
+                    Description="SHA message digest with 384 bit"
+                    AlgorithmClass="MessageDigest"
+                    RequirementLevel="OPTIONAL"
+                    SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
+                    JCEName="SHA-384"/>
+
+         <Algorithm URI="http://www.w3.org/2001/04/xmlenc#sha512"
+                    Description="SHA-1 message digest with 512 bit"
+                    AlgorithmClass="MessageDigest"
+                    RequirementLevel="OPTIONAL"
+                    JCEName="SHA-512"/>
+
+         <!-- Signature Algorithms -->
+         <Algorithm URI="http://www.w3.org/2000/09/xmldsig#dsa-sha1"
+                    Description="Digital Signature Algorithm with SHA-1 message digest"
+                    AlgorithmClass="Signature"
+                    RequirementLevel="REQUIRED"
+                    JCEName="SHA1withDSA"/>
+
+         <!-- Disabled as MD5 should no longer be considered secure
+         <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"
+                    Description="RSA Signature with MD5 message digest"
+                    AlgorithmClass="Signature"
+                    RequirementLevel="NOT RECOMMENDED"
+                    SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
+                    JCEName="MD5withRSA"/> -->
+
+         <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"
+                    Description="RSA Signature with RIPEMD-160 message digest"
+                    AlgorithmClass="Signature"
+                    RequirementLevel="OPTIONAL"
+                    SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
+                    JCEName="RIPEMD160withRSA"/>
+
+         <Algorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+                    Description="RSA Signature with SHA-1 message digest"
+                    AlgorithmClass="Signature"
+                    RequirementLevel="RECOMMENDED"
+                    JCEName="SHA1withRSA"/>
+
+         <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+                    Description="RSA Signature with SHA-256 message digest"
+                    AlgorithmClass="Signature"
+                    RequirementLevel="OPTIONAL"
+                    SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
+                    JCEName="SHA256withRSA"/>
+
+         <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
+                    Description="RSA Signature with SHA-384 message digest"
+                    AlgorithmClass="Signature"
+                    RequirementLevel="OPTIONAL"
+                    SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
+                    JCEName="SHA384withRSA"/>
+
+         <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
+                    Description="RSA Signature with SHA-512 message digest"
+                    AlgorithmClass="Signature"
+                    RequirementLevel="OPTIONAL"
+                    SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
+                    JCEName="SHA512withRSA"/>
+
+         <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"
+                    Description="ECDSA Signature with SHA-1 message digest"
+                    AlgorithmClass="Signature"
+                    RequirementLevel="OPTIONAL"
+                    SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
+                    JCEName="ECDSAwithSHA1"/>
+
+         <!-- MAC Algorithms -->
+         <!-- Disabled as MD5 should no longer be considered secure
+         <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#hmac-md5"
+                    Description="Message Authentication code using MD5"
+                    AlgorithmClass="Mac"
+                    RequirementLevel="NOT RECOMMENDED"
+                    SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
+                    JCEName="HmacMD5"/> -->
+
+         <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160"
+                    Description="Message Authentication code using RIPEMD-160"
+                    AlgorithmClass="Mac"
+                    RequirementLevel="OPTIONAL"
+                    SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
+                    JCEName="HMACRIPEMD160"/>
+
+         <Algorithm URI="http://www.w3.org/2000/09/xmldsig#hmac-sha1"
+                    Description="Message Authentication code using SHA1"
+                    AlgorithmClass="Mac"
+                    RequirementLevel="REQUIRED"
+                    JCEName="HmacSHA1"/>
+
+         <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
+                    Description="Message Authentication code using SHA-256"
+                    AlgorithmClass="Mac"
+                    RequirementLevel="OPTIONAL"
+                    SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
+                    JCEName="HmacSHA256"/>
+
+         <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#hmac-sha384"
+                    Description="Message Authentication code using SHA-384"
+                    AlgorithmClass="Mac"
+                    RequirementLevel="OPTIONAL"
+                    SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
+                    JCEName="HmacSHA384"/>
+
+         <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#hmac-sha512"
+                    Description="Message Authentication code using SHA-512"
+                    AlgorithmClass="Mac"
+                    RequirementLevel="OPTIONAL"
+                    SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
+                    JCEName="HmacSHA512"/>
+
+         <!-- Block encryption Algorithms -->
+         <Algorithm URI="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"
+                    Description="Block encryption using Triple-DES"
+                    AlgorithmClass="BlockEncryption"
+                    RequirementLevel="REQUIRED"
+                    KeyLength="192"
+                    RequiredKey="DESede"
+                    JCEName="DESede/CBC/ISO10126Padding"/>
+
+         <Algorithm URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"
+                    Description="Block encryption using AES with a key length of 128 bit"
+                    AlgorithmClass="BlockEncryption"
+                    RequirementLevel="REQUIRED"
+                    KeyLength="128"
+                    RequiredKey="AES"
+                    JCEName="AES/CBC/ISO10126Padding"/>
+
+         <Algorithm URI="http://www.w3.org/2001/04/xmlenc#aes192-cbc"
+                    Description="Block encryption using AES with a key length of 192 bit"
+                    AlgorithmClass="BlockEncryption"
+                    RequirementLevel="OPTIONAL"
+                    KeyLength="192"
+                    RequiredKey="AES"
+                    JCEName="AES/CBC/ISO10126Padding"/>
+
+         <Algorithm URI="http://www.w3.org/2001/04/xmlenc#aes256-cbc"
+                    Description="Block encryption using AES with a key length of 256 bit"
+                    AlgorithmClass="BlockEncryption"
+                    RequirementLevel="REQUIRED"
+                    KeyLength="256"
+                    RequiredKey="AES"
+                    JCEName="AES/CBC/ISO10126Padding"/>
+
+         <Algorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-1_5"
+                    Description="Key Transport RSA-v1.5"
+                    AlgorithmClass="KeyTransport"
+                    RequirementLevel="REQUIRED"
+                    RequiredKey="RSA"
+                    JCEName="RSA/ECB/PKCS1Padding"/>
+
+         <Algorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
+                    Description="Key Transport RSA-OAEP"
+                    AlgorithmClass="KeyTransport"
+                    RequirementLevel="REQUIRED"
+                    RequiredKey="RSA"
+                    JCEName="RSA/ECB/OAEPWithSHA1AndMGF1Padding"/>
+
+         <Algorithm URI="http://www.w3.org/2001/04/xmlenc#dh"
+                    Description="Key Agreement Diffie-Hellman"
+                    AlgorithmClass="KeyAgreement"
+                    RequirementLevel="OPTIONAL"/>
+
+         <Algorithm URI="http://www.w3.org/2001/04/xmlenc#kw-tripledes"
+                    Description="Symmetric Key Wrap using Triple DES"
+                    AlgorithmClass="SymmetricKeyWrap"
+                    RequirementLevel="REQUIRED"
+                    KeyLength="192"
+                    RequiredKey="DESede"
+                    JCEName="DESedeWrap"/>
+
+         <Algorithm URI="http://www.w3.org/2001/04/xmlenc#kw-aes128"
+                    Description="Symmetric Key Wrap using AES with a key length of 128 bit"
+                    AlgorithmClass="SymmetricKeyWrap"
+                    RequirementLevel="REQUIRED"
+                    KeyLength="128"
+                    RequiredKey="AES"
+                    JCEName="AESWrap"/>
+
+         <Algorithm URI="http://www.w3.org/2001/04/xmlenc#kw-aes192"
+                    Description="Symmetric Key Wrap using AES with a key length of 192 bit"
+                    AlgorithmClass="SymmetricKeyWrap"
+                    RequirementLevel="OPTIONAL"
+                    KeyLength="192"
+                    RequiredKey="AES"
+                    JCEName="AESWrap"/>
+
+         <Algorithm URI="http://www.w3.org/2001/04/xmlenc#kw-aes256"
+                    Description="Symmetric Key Wrap using AES with a key length of 256 bit"
+                    AlgorithmClass="SymmetricKeyWrap"
+                    RequirementLevel="REQUIRED"
+                    KeyLength="256"
+                    RequiredKey="AES"
+                    JCEName="AESWrap"/>
+
+      </Algorithms>
+   </JCEAlgorithmMappings>
+   <ResourceBundles defaultLanguageCode="en" defaultCountryCode="US">
+      <ResourceBundle LanguageCode="en"
+                      CountryCode="US"
+                      LOCATION="org.apache.xml.security/resource/xmlsecurity_en.properties" />
+      <ResourceBundle LanguageCode="de"
+                      CountryCode="DE"
+                      LOCATION="org.apache.xml.security/resource/xmlsecurity_de.properties" />
+   </ResourceBundles>
+   <ResourceResolvers>
+      <!-- Disabled to prevent HTTP references
+      <Resolver JAVACLASS="org.apache.xml.security.utils.resolver.implementations.ResolverDirectHTTP"
+                DESCRIPTION="A simple resolver for requests to HTTP space" /> -->
+      <!-- Disabled to prevent filesystem references
+      <Resolver JAVACLASS="org.apache.xml.security.utils.resolver.implementations.ResolverLocalFilesystem"
+                DESCRIPTION="A simple resolver for requests to the local file system" /> -->
+      <Resolver JAVACLASS="org.apache.xml.security.utils.resolver.implementations.ResolverFragment"
+                DESCRIPTION="A simple resolver for requests of same-document URIs" />
+      <Resolver JAVACLASS="org.apache.xml.security.utils.resolver.implementations.ResolverXPointer"
+                DESCRIPTION="A simple resolver for requests of XPointer fragents" />
+</ResourceResolvers>
+<!-- <defaultLocale languageCode="en" countryCode="US" /> -->
+   <KeyInfo>
+      <ContentHandler LOCALNAME="KeyName"
+                      NAMESPACE="http://www.w3.org/2000/09/xmldsig#"
+                      JAVACLASS="org.apache.xml.security.keys.content.KeyName" />
+      <ContentHandler LOCALNAME="KeyValue"
+                      NAMESPACE="http://www.w3.org/2000/09/xmldsig#"
+                      JAVACLASS="org.apache.xml.security.keys.content.KeyValue" />
+      <ContentHandler LOCALNAME="RetrievalMethod"
+                      NAMESPACE="http://www.w3.org/2000/09/xmldsig#"
+                      JAVACLASS="org.apache.xml.security.keys.content.RetrievalMethod" />
+      <ContentHandler LOCALNAME="X509Data"
+                      NAMESPACE="http://www.w3.org/2000/09/xmldsig#"
+                      JAVACLASS="org.apache.xml.security.keys.content.X509Data" />
+      <ContentHandler LOCALNAME="PGPData"
+                      NAMESPACE="http://www.w3.org/2000/09/xmldsig#"
+                      JAVACLASS="org.apache.xml.security.keys.content.PGPData" />
+      <ContentHandler LOCALNAME="SPKIData"
+                      NAMESPACE="http://www.w3.org/2000/09/xmldsig#"
+                      JAVACLASS="org.apache.xml.security.keys.content.SPKIData" />
+      <ContentHandler LOCALNAME="MgmtData"
+                      NAMESPACE="http://www.w3.org/2000/09/xmldsig#"
+                      JAVACLASS="org.apache.xml.security.keys.content.MgmtData" />
+   </KeyInfo>
+   <KeyResolver>
+      <!-- This section contains a list of KeyResolvers that are available in
+           every KeyInfo object -->
+      <Resolver JAVACLASS="org.apache.xml.security.keys.keyresolver.implementations.RSAKeyValueResolver"
+                DESCRIPTION="Can extract RSA public keys" />
+      <Resolver JAVACLASS="org.apache.xml.security.keys.keyresolver.implementations.DSAKeyValueResolver"
+                DESCRIPTION="Can extract DSA public keys" />
+      <Resolver JAVACLASS="org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver"
+                DESCRIPTION="Can extract public keys from X509 certificates" />
+      <Resolver JAVACLASS="org.apache.xml.security.keys.keyresolver.implementations.X509SKIResolver"
+                DESCRIPTION="Uses an X509v3 SubjectKeyIdentifier extension to retrieve a certificate from the storages" />
+      <Resolver JAVACLASS="org.apache.xml.security.keys.keyresolver.implementations.RetrievalMethodResolver"
+                DESCRIPTION="Resolves keys and certificates using ResourceResolvers" />
+      <Resolver JAVACLASS="org.apache.xml.security.keys.keyresolver.implementations.X509SubjectNameResolver"
+                DESCRIPTION="Uses an X509 SubjectName to retrieve a certificate from the storages" />
+      <Resolver JAVACLASS="org.apache.xml.security.keys.keyresolver.implementations.X509IssuerSerialResolver"
+                DESCRIPTION="Uses an X509 IssuerName and IssuerSerial to retrieve a certificate from the storages" />
+   </KeyResolver>
+
+   <PrefixMappings>
+      <!-- Many classes create Elements which are in a specific namespace;
+           here, the prefixes for these namespaces are defined. But this
+           can also be overwritten using the ElementProxy#setDefaultPrefix()
+           method. You can even set all prefixes to "" so that the corresponding
+           elements are created using the default namespace -->
+      <PrefixMapping namespace="http://www.w3.org/2000/09/xmldsig#"
+                     prefix="ds" />
+      <PrefixMapping namespace="http://www.w3.org/2001/04/xmlenc#"
+                     prefix="xenc" />
+      <PrefixMapping namespace="http://www.xmlsecurity.org/experimental#"
+                     prefix="experimental" />
+      <PrefixMapping namespace="http://www.w3.org/2002/04/xmldsig-filter2"
+                     prefix="dsig-xpath-old" />
+      <PrefixMapping namespace="http://www.w3.org/2002/06/xmldsig-filter2"
+                     prefix="dsig-xpath" />
+      <PrefixMapping namespace="http://www.w3.org/2001/10/xml-exc-c14n#"
+                     prefix="ec" />
+      <PrefixMapping namespace="http://www.nue.et-inf.uni-siegen.de/~geuer-pollmann/#xpathFilter"
+                     prefix="xx" />
+   </PrefixMappings>
+</Configuration>
