Multiple <xenc:EncryptedKey> from server during msg enc/signing
For some reason our service is returning multiple (2) EncryptionKey tags within the soap response where one of the DataReference URIs associates with the encrypted/signed data in the Soap body, but the second does not. This results in the client throwing a "referenced data not found." error. I'm using a fairly generic WS Security Policy in my WSDL, but perhaps fresh eyes can see what I'm missing.
<wsp:Policy wsu:Id="SOAP_Fault_Policy"/>
<wsp:Policy wsu:Id="SOAP_Input_Policy">
<sp:SignedParts>
<sp:Body />
<sp:Header Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
<sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0" />
</sp:SignedParts>
<sp:EncryptedParts>
<sp:Body />
<sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0" />
</sp:EncryptedParts>
</wsp:Policy>
<wsp:Policy wsu:Id="SOAP_Output_Policy">
<sp:SignedParts>
<sp:Body />
</sp:SignedParts>
<sp:EncryptedParts>
<sp:Body />
</sp:EncryptedParts>
</wsp:Policy>
<wsp:Policy wsu:Id="Msg_Protection_Policy">
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
<sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10>
<wsp:Policy />
</sp:Wss10>
</wsp:Policy>