Posted to users@cxf.apache.org by Josh Hill <Jo...@finzsoft.com> on 2013/05/03 05:25:36 UTC

SymmetricBinding key exchange and signing

My understanding is that the client generates the symmetric key (as defined by the sp:ProtectionToken, i.e. an sp:X509Token) and encrypts it using the STS's public key (configured on the client using "ws-security.encryption.properties\username"). When sending this encrypted key to the STS, what is it signed with? I haven't set "ws-security.signature.properties\username" on my client, but the input policy on the STS requires the sp:Body to be signed.

...
<entry key="ws-security.sts.client">
    <bean class="org.apache.cxf.ws.security.trust.STSClient">
        <constructor-arg ref="cxf" />
        <property name="wsdlLocation" value="http://localhost:8080/STS?wsdl" />
        <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService" />
        <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}STS_Port" />
        <property name="properties">
            <map>
                <entry key="ws-security.username" value="bob" />
                <entry key="ws-security.callback-handler" value="ClientCallbackHandler" />
                <entry key="ws-security.encryption.properties" value="clientKeystore.properties" />
                <entry key="ws-security.encryption.username" value="stskey" />
            </map>
        </property>
    </bean>
</entry>
...

<wsp:Policy wsu:Id="STS-UT-Policy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:SymmetricBinding>
                <wsp:Policy>
                    <sp:ProtectionToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                                <wsp:Policy>
                                    <sp:RequireDerivedKeys/>
                                    <sp:RequireThumbprintReference/>
                                    <sp:WssX509V3Token10/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:ProtectionToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic256/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Lax/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp/>
                    <sp:EncryptSignature/>
                    <sp:OnlySignEntireHeadersAndBody/>
                </wsp:Policy>
            </sp:SymmetricBinding>
            <sp:SignedEncryptedSupportingTokens>
                <wsp:Policy>
                    <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                            <sp:HashPassword/>
                            <sp:WssUsernameToken10/>
                        </wsp:Policy>
                    </sp:UsernameToken>
                </wsp:Policy>
            </sp:SignedEncryptedSupportingTokens>
            <sp:Wss11>
                <wsp:Policy>
                    <sp:MustSupportRefKeyIdentifier/>
                    <sp:MustSupportRefIssuerSerial/>
                    <sp:MustSupportRefThumbprint/>
                    <sp:MustSupportRefEncryptedKey/>
                </wsp:Policy>
            </sp:Wss11>
            <sp:Trust13>
                <wsp:Policy>
                    <sp:MustSupportIssuedTokens/>
                    <sp:RequireClientEntropy/>
                    <sp:RequireServerEntropy/>
                </wsp:Policy>
            </sp:Trust13>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

<wsp:Policy wsu:Id="STS-Input-Policy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:SignedParts>
                <sp:Body/>
            </sp:SignedParts>
            <sp:EncryptedParts>
                <sp:Body/>
            </sp:EncryptedParts>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

<wsp:Policy wsu:Id="STS-Output-Policy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:SignedParts>
                <sp:Body/>
            </sp:SignedParts>
            <sp:EncryptedParts>
                <sp:Body/>
            </sp:EncryptedParts>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>



Josh Hill
Senior Java Developer

sovereign finance and banking software

A Level 1, Building C, Millennium Centre, 602 Great South Road, Greenlane, Auckland, New Zealand
D 64 9 571 6812       P 64 9 571 6800    F 64 9 571 6899
E Josh.Hill@finzsoft.com    W http://www.finzsoft.com


Please note: This email contains information that is confidential and may be privileged. If you are not the intended recipient, you must not peruse, use, disseminate, distribute or copy this email or attachments. If you have received this in error, please notify Finzsoft Solutions (New Zealand) Ltd immediately by return email and delete this email. Thank you.

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
______________________________________________________________________

Re: SymmetricBinding key exchange and signing

Posted by Colm O hEigeartaigh <co...@apache.org>.
> Following these derived key tokens there are two xenc:EncryptedData
> elements remaining in the header. I assume one of them is the
> SignedEncryptedSupportingTokens UsernameToken. What would the other be?
> The message signature encrypted (the sp:EncryptSignature element perhaps)?

Yes, exactly. If you change logging to DEBUG you will see what is decrypted
in your logging output.

Colm.


On Tue, May 7, 2013 at 1:11 AM, Josh Hill <Jo...@finzsoft.com> wrote:

> > The client generates the Symmetric Key and then encrypts it with the
> > public key of the STS. The request is signed + encrypted with the Symmetric
> > Key. The STS decrypts the received symmetric key, and uses it to decrypt +
> > verify the signature on the request. So, you are correct in stating that
> > the symmetric key is not itself signed.
>
> Thanks Colm. I appreciate your time. I plan on writing a detailed blog
> post covering the flow and logic behind what is happening between the WSC,
> WSP, and STS. Something others will hopefully find useful.
>
> I see the soap message sent from client to sts contains an
> xenc:EncryptedKey element which I assume is the client generated symmetric
> key encrypted using the sts public key. Below this element there are two
> wsc:DerivedKeyToken elements, these are derived from the symmetric key
> (once the sts decrypts it) correct?
>
> Following these derived key tokens there are two xenc:EncryptedData
> elements remaining in the header. I assume one of them is the
> SignedEncryptedSupportingTokens UsernameToken. What would the other be? The
> message signature encrypted (the sp:EncryptSignature element perhaps)?
>
> Josh
>
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Tuesday, 7 May 2013 1:30 a.m.
> To: Josh Hill
> Cc: users@cxf.apache.org
> Subject: Re: SymmetricBinding key exchange and signing
>
> > Is there not some exchange of the generated key between the client and
> > STS? If the client signs (and encrypts) the request how does the STS have
> > the generated key to verify signature and decrypt? My original question
> > suggested that it is exchanged by encrypting it with the STS public key but
> > not sure how it is signed in this exchange. Perhaps the exchange of the
> > generated key isn't signed?
> The client generates the Symmetric Key and then encrypts it with the
> public key of the STS. The request is signed + encrypted with the Symmetric
> Key. The STS decrypts the received symmetric key, and uses it to decrypt +
> verify the signature on the request. So, you are correct in stating that
> the symmetric key is not itself signed.
> Colm.
>
> On Sun, May 5, 2013 at 8:56 PM, Josh Hill <Jo...@finzsoft.com> wrote:
> Andrei,
>
> Yes I have the IssuedToken policy on the WSP (not shown). The below
> policies are on my STS service. The question was in regards to connecting
> to the STS service to have a token issued (or renewed, or validated). I
> authenticate using the SignedEncryptedSupportingTokens UsernameToken. What
> I'm trying to figure out is how the key generated by the client for
> symmetric binding is exchanged with the STS service so that it can
> sign/verify encrypt/decrypt messages with the client.
>
>
> Colm,
>
> Is there not some exchange of the generated key between the client and
> STS? If the client signs (and encrypts) the request how does the STS have
> the generated key to verify signature and decrypt? My original question
> suggested that it is exchanged by encrypting it with the STS public key but
> not sure how it is signed in this exchange. Perhaps the exchange of the
> generated key isn't signed?
>
> I appreciate your time.
>
> Josh
>
> -----Original Message-----
>
>
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: Saturday, 4 May 2013 12:36 a.m.
> > To: users@cxf.apache.org
> > Subject: Re: SymmetricBinding key exchange and signing
> >
> > The Symmetric key that the client generates signs (and encrypts) the
> > request (SOAP Body). There is no need for a signing certificate as you are
> > using the Symmetric binding. Authentication is enforced via the
> > UsernameToken SupportingToken.
> >
> > Colm.
> >
> >
> > On Fri, May 3, 2013 at 4:25 AM, Josh Hill <Jo...@finzsoft.com>
> wrote:
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
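The exchange Colm describes, as an added example that is not part of the original thread and is not CXF or WSS4J code: the client generates a symmetric secret, wraps it under the STS public key (the xenc:EncryptedKey), both sides derive a signing key and an encryption key from it (the two wsc:DerivedKeyToken elements), the Body is HMAC-signed and AES-encrypted with those derived keys, and the signature is itself encrypted (the second xenc:EncryptedData). The STS side only needs its own private key; no client signing certificate enters the picture. Assumptions made here: Basic256 derived-key lengths (192-bit HMAC-SHA1 signing key, 256-bit AES-256-CBC encryption key), derived-key offset 0, the WS-SecureConversation 1.3 default label string (check what your stack actually sends), RSA-OAEP with SHA-256 in place of the rsa-oaep-mgf1p (SHA-1) used on the wire, and a plain byte string standing in for the canonicalized XML Body, so no XML Signature or KeyInfo structure is modeled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
)

// Assumed default wsc:Label; Basic256 key sizes: 192-bit HMAC-SHA1 signing key, 256-bit AES key.
const wscLabel = "WS-SecureConversationWS-SecureConversation"
const sigKeyLen, encKeyLen = 24, 32

// Request models the wsse:Security header the client sends to the STS.
type Request struct {
	EncryptedKey, SigNonce, EncNonce []byte // xenc:EncryptedKey (wrapped secret) and the two wsc:DerivedKeyToken nonces
	BodyIV, Body, SigIV, Sig         []byte // xenc:EncryptedData over the Body and over the HMAC signature (sp:EncryptSignature)
}

func hmacSHA1(key, data []byte) []byte {
	h := hmac.New(sha1.New, key)
	h.Write(data)
	return h.Sum(nil)
}

// deriveKey is what a wsc:DerivedKeyToken tells the receiver to do with the unwrapped secret: TLS-style P_SHA1(secret, label||nonce).
func deriveKey(secret, nonce []byte, length int) []byte {
	seed := append([]byte(wscLabel), nonce...)
	out, a := []byte{}, seed // A(0) = seed
	for len(out) < length {
		a = hmacSHA1(secret, a)                                                  // A(i) = HMAC(secret, A(i-1))
		out = append(out, hmacSHA1(secret, append(append([]byte{}, a...), seed...))...) // P += HMAC(secret, A(i) || seed)
	}
	return out[:length]
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	_, _ = rand.Read(b)
	return b
}

func cbcEncrypt(key, iv, plain []byte) []byte {
	blk, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(plain)%aes.BlockSize // PKCS#7 padding, as in XML Encryption
	buf := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(buf, buf)
	return buf
}

func cbcDecrypt(key, iv, ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	blk, _ := aes.NewCipher(key)
	buf := append([]byte{}, ct...)
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(buf, buf)
	if pad := int(buf[len(buf)-1]); pad >= 1 && pad <= aes.BlockSize {
		return buf[:len(buf)-pad], nil
	}
	return nil, errors.New("bad padding")
}

// ClientBuild (WSC side): the only asymmetric step wraps the secret for the STS; that EncryptedKey is not signed.
func ClientBuild(stsPub *rsa.PublicKey, body []byte) (*Request, error) {
	secret := randBytes(32)
	ek, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, stsPub, secret, nil)
	if err != nil {
		return nil, err
	}
	r := &Request{EncryptedKey: ek, SigNonce: randBytes(16), EncNonce: randBytes(16), BodyIV: randBytes(16), SigIV: randBytes(16)}
	encKey := deriveKey(secret, r.EncNonce, encKeyLen)
	sig := hmacSHA1(deriveKey(secret, r.SigNonce, sigKeyLen), body) // ds:Signature over the Body
	r.Sig = cbcEncrypt(encKey, r.SigIV, sig)                         // sp:EncryptSignature
	r.Body = cbcEncrypt(encKey, r.BodyIV, body)
	return r, nil
}

// STSVerify (STS side): unwrap the secret, re-derive both keys from the nonces, decrypt, check the HMAC.
func STSVerify(stsPriv *rsa.PrivateKey, r *Request) ([]byte, error) {
	secret, err := rsa.DecryptOAEP(sha256.New(), nil, stsPriv, r.EncryptedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap EncryptedKey: " + err.Error())
	}
	encKey := deriveKey(secret, r.EncNonce, encKeyLen)
	body, errB := cbcDecrypt(encKey, r.BodyIV, r.Body)
	sig, errS := cbcDecrypt(encKey, r.SigIV, r.Sig)
	// One verdict for padding and MAC failures: distinguishable decryption errors are the oracle that broke CBC in XML Encryption.
	if errB != nil || errS != nil || !hmac.Equal(hmacSHA1(deriveKey(secret, r.SigNonce, sigKeyLen), body), sig) {
		return nil, errors.New("request does not verify")
	}
	return body, nil
}
```

ClientBuild needs only the STS public key, which is why the STSClient configuration above carries ws-security.encryption.* entries and no ws-security.signature.* entries. Because the wrapped key is not signed, anyone holding the STS certificate can build a request that STSVerify accepts; binding the request to a principal is the job of the SignedEncryptedSupportingTokens UsernameToken (not modeled here), exactly as Colm says. The single error returned for padding and MAC failures is deliberate: a receiver that reports them separately hands an attacker a padding oracle against the CBC ciphertext.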

RE: SymmetricBinding key exchange and signing

Posted by Josh Hill <Jo...@finzsoft.com>.
> The client generates the Symmetric Key and then encrypts it with the public key of the STS. The request is signed + encrypted with the Symmetric Key. The
> STS decrypts the received symmetric key, and uses it to decrypt + verify the signature on the request. So, you are correct in stating that the symmetric key
> is not itself signed.

Thanks Colm. I appreciate your time. I plan on writing a detailed blog post covering the flow and logic behind what is happening between the WSC, WSP, and STS. Something others will hopefully find useful.

I see the soap message sent from client to sts contains an xenc:EncryptedKey element which I assume is the client generated symmetric key encrypted using the sts public key. Below this element there are two wsc:DerivedKeyToken elements, these are derived from the symmetric key (once the sts decrypts it) correct?

Following these derived key tokens there are two xenc:EncryptedData elements remaining in the header. I assume one of them is the SignedEncryptedSupportingTokens UsernameToken. What would the other be? The message signature encrypted (the sp:EncryptSignature element perhaps)?

Josh

> >
> >                                 </wsp:All>****
> >
> >                 </wsp:ExactlyOne>****
> >
> > </wsp:Policy>****
> >
> > ** **
> >
> > <wsp:Policy wsu:Id="STS-Input-Policy">****
> >
> >                 <wsp:ExactlyOne>****
> >
> >                                 <wsp:All>****
> >
> >                                                 <sp:SignedParts>****
> >
> >
> > <sp:Body/>
> > ****
> >
> >                                                 </sp:SignedParts>****
> >
> >
> > <sp:EncryptedParts>****
> >
> >
> > <sp:Body/>
> > ****
> >
> >
> > </sp:EncryptedParts>****
> >
> >                                 </wsp:All>****
> >
> >                 </wsp:ExactlyOne>****
> >
> > </wsp:Policy>****
> >
> > ** **
> >
> > <wsp:Policy wsu:Id="STS-Output-Policy">****
> >
> >                 <wsp:ExactlyOne>****
> >
> >                                 <wsp:All>****
> >
> >                                                 <sp:SignedParts>****
> >
> >
> > <sp:Body/>
> > ****
> >
> >                                                 </sp:SignedParts>****
> >
> >
> > <sp:EncryptedParts>****
> >
> >
> > <sp:Body/>
> > ****
> >
> >
> > </sp:EncryptedParts>****
> >
> >                                 </wsp:All>****
> >
> >                 </wsp:ExactlyOne>****
> >
> > </wsp:Policy>****
> >
> >
> >
> > *Josh Hill*
> > Senior Java Developer
> >
> >
> >
> > [image: Finzsoft - Your Vision + Our Innovations]
> >
> >
> >
> > sovereign finance and banking software
> >
> >
> >
> > *A* Level 1, Building C, Millennium Centre, 602 Great South Road,
> > Greenlane, Auckland, New Zealand
> > *D* 64 9 571 6812       *P* 64 9 571 6800    *F* 64 9 571 6899
> > *E* Josh.Hill@finzsoft.com    *W* www.finzsoft.com
> >
> >
> >       *Please note*: This email contains information that is
> > confidential and may be privileged. If you are not the intended
> > recipient, you must not peruse, use, disseminate, distribute or copy this
> email or attachments.
> > If you have received this in error, please notify Finzsoft Solutions
> > (New
> > Zealand) Ltd immediately by return email and delete this email. Thank you.
> >
> >
> >
> __________________________________________________________
> ____________
> > This email has been scanned by the Symantec Email Security.cloud service.
> >
> __________________________________________________________
> ____________
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
> __________________________________________________________
> ____________
> This email has been scanned by the Symantec Email Security.cloud service.
> __________________________________________________________
> ____________

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
______________________________________________________________________



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


Re: SymmetricBinding key exchange and signing

Posted by Colm O hEigeartaigh <co...@apache.org>.
> Is there not some exchange of the generated key between the client and
> STS? If the client signs (and encrypts) the request how does the STS have
> the generated key to verify signature and decrypt? My original question
> suggested that it is exchanged by encrypting it with the STS public key but
> not sure how it is signed in this exchange. Perhaps the exchange of the
> generated key isn't signed?

The client generates the Symmetric Key and then encrypts it with the public
key of the STS. The request is signed + encrypted with the Symmetric Key.
The STS decrypts the received symmetric key, and uses it to decrypt +
verify the signature on the request. So, you are correct in stating that
the symmetric key is not itself signed.

Colm.


On Sun, May 5, 2013 at 8:56 PM, Josh Hill <Jo...@finzsoft.com> wrote:

> Andrei,
>
> Yes I have the IssuedToken policy on the WSP (not shown). The below
> policies are on my STS service. The question was in regards to connecting
> to the STS service to have a token issued (or renewed, or validated). I
> authenticate using the SignedEncryptedSupportingTokens UsernameToken. What
> I'm trying to figure out is how the key generated by the client for
> symmetric binding is exchanged with the STS service so that it can
> sign/verify encrypt/decrypt messages with the client.
>
>
> Colm,
>
> Is there not some exchange of the generated key between the client and
> STS? If the client signs (and encrypts) the request how does the STS have
> the generated key to verify signature and decrypt? My original question
> suggested that it is exchanged by encrypting it with the STS public key but
> not sure how it is signed in this exchange. Perhaps the exchange of the
> generated key isn't signed?
>
> I appreciate your time.
>
> Josh
>
> -----Original Message-----
>
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: Saturday, 4 May 2013 12:36 a.m.
> > To: users@cxf.apache.org
> > Subject: Re: SymmetricBinding key exchange and signing
> >
> > The Symmetric key that the client generates signs (and encrypts) the
> request
> > (SOAP Body). There is no need for a signing certificate as you are using
> the
> > Symmetric binding. Authentication is enforced via the UsernameToken
> > SupportingToken.
> >
> > Colm.
> >
> >



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
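
The exchange Colm describes above and in his earlier reply quoted in this message, as an added Go example that is not code from this thread, from CXF or from WSS4J: the client generates a 256-bit symmetric key, wraps it with the STS public key (RSA-OAEP, the key transport Basic256 specifies), derives a signing key and an encryption key from it (sp:RequireDerivedKeys, using the P_SHA-1 derivation and default label of WS-SecureConversation 1.3 with the Basic256 derived-key lengths), signs the Body with HMAC-SHA1 and encrypts it with AES-256-CBC; the STS unwraps the key with its private key, re-derives the same keys from the nonces, decrypts the Body and verifies the signature. The `Request` struct and its field names, the function names and the sample Body in the usage are assumptions made for this example; the signed and encrypted UsernameToken that actually authenticates the caller is left out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"errors"
)

// Request holds the security-relevant parts of the client's message to the STS (field names assumed).
type Request struct {
	EncryptedKey []byte // symmetric key wrapped with the STS public key (RSA-OAEP); it is never signed
	SigNonce     []byte // nonce of the derived signing key (sp:RequireDerivedKeys)
	EncNonce     []byte // nonce of the derived encryption key
	IV           []byte // AES-CBC IV for the Body
	Ciphertext   []byte // AES-256-CBC ciphertext of the Body
	Signature    []byte // HMAC-SHA1 over the plaintext Body under the derived signing key
}

// dkLabel is the default derived-key label of WS-SecureConversation 1.3.
var dkLabel = []byte("WS-SecureConversationWS-SecureConversation")

// pSHA1 is the P_SHA-1 PRF (TLS-style P_hash over HMAC-SHA1) that derived keys use.
func pSHA1(secret, seed []byte, length int) []byte {
	out, a := []byte{}, seed
	for len(out) < length {
		h := hmac.New(sha1.New, secret)
		h.Write(a)
		a = h.Sum(nil) // A(i) = HMAC(secret, A(i-1)), with A(0) = seed
		h = hmac.New(sha1.New, secret)
		h.Write(a)
		h.Write(seed)
		out = append(out, h.Sum(nil)...) // block i = HMAC(secret, A(i) || seed)
	}
	return out[:length]
}

// deriveKey returns P_SHA1(secret, label || nonce) truncated to length bytes.
func deriveKey(secret, nonce []byte, length int) []byte {
	return pSHA1(secret, append(append([]byte{}, dkLabel...), nonce...), length)
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// ClientBuildRequest is the client side: generate the symmetric key, wrap it for the STS, derive the
// per-message keys, sign the Body, then encrypt it (sp:EncryptSignature's encrypted Signature is omitted).
func ClientBuildRequest(stsPub *rsa.PublicKey, body []byte) (*Request, error) {
	symKey := randBytes(32) // Basic256: 256-bit symmetric key
	wrapped, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, stsPub, symKey, nil)
	if err != nil {
		return nil, err
	}
	req := &Request{EncryptedKey: wrapped, SigNonce: randBytes(16), EncNonce: randBytes(16), IV: randBytes(aes.BlockSize)}
	mac := hmac.New(sha1.New, deriveKey(symKey, req.SigNonce, 24)) // Basic256: 192-bit signature key
	mac.Write(body)
	req.Signature = mac.Sum(nil)
	block, _ := aes.NewCipher(deriveKey(symKey, req.EncNonce, 32)) // Basic256: 256-bit encryption key (fixed length, no error)
	n := aes.BlockSize - len(body)%aes.BlockSize                  // PKCS#7 padding for CBC
	padded := append(append([]byte{}, body...), bytes.Repeat([]byte{byte(n)}, n)...)
	req.Ciphertext = make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, req.IV).CryptBlocks(req.Ciphertext, padded)
	return req, nil
}

// STSProcessRequest is the STS side: unwrap the symmetric key with the STS private key, re-derive the
// same keys from the nonces, decrypt the Body and verify its signature with the unwrapped key.
func STSProcessRequest(stsPriv *rsa.PrivateKey, req *Request) ([]byte, error) {
	symKey, err := rsa.DecryptOAEP(sha1.New(), nil, stsPriv, req.EncryptedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap symmetric key: " + err.Error())
	}
	if len(req.Ciphertext) == 0 || len(req.Ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	block, _ := aes.NewCipher(deriveKey(symKey, req.EncNonce, 32))
	padded := make([]byte, len(req.Ciphertext))
	cipher.NewCBCDecrypter(block, req.IV).CryptBlocks(padded, req.Ciphertext)
	n := int(padded[len(padded)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding") // tampering is also caught by the signature check below
	}
	body := padded[:len(padded)-n]
	mac := hmac.New(sha1.New, deriveKey(symKey, req.SigNonce, 24))
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), req.Signature) {
		return nil, errors.New("Body signature does not verify")
	}
	return body, nil
}
```

Usage: generate an RSA key pair for the STS with rsa.GenerateKey, call ClientBuildRequest with its public key and a constructed Body such as `[]byte("<RequestSecurityToken/>")`, and hand the result to STSProcessRequest with the private key. Note what is and is not signed: nothing signs EncryptedKey itself, which is the point Colm makes. The STS accepts the key because only its private key can unwrap it, and the Body signature then shows that the sender held that key, so the client needs no ws-security.signature.properties under this binding; who the caller is comes from the separate UsernameToken, not from the key exchange.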

RE: SymmetricBinding key exchange and signing

Posted by Josh Hill <Jo...@finzsoft.com>.
> Ok, I get it now. I think Colm already answered your question.
> Btw: are there special reasons to use symmetric, not transport binding for
> communication with the STS in your case?

Yes Colm answered it. Thanks. SSL may be used but we can't enforce it as we don't control the systems our services get deployed to.


Josh Hill
Senior Java Developer


sovereign finance and banking software

A Level 1, Building C, Millennium Centre, 602 Great South Road, Greenlane, Auckland, New Zealand
D 64 9 571 6812     P 64 9 571 6800   F 64 9 571 6899
E Josh.Hill@finzsoft.com   W http://www.finzsoft.com

-----Original Message-----

> From: Andrei Shakirin [mailto:ashakirin@talend.com]
> Sent: Tuesday, 7 May 2013 4:40 a.m.
> To: users@cxf.apache.org
> Subject: RE: SymmetricBinding key exchange and signing
>
> Hi,
>
> > Yes I have the IssuedToken policy on the WSP (not shown). The below
> > policies are on my STS service. The question was in regards to
> > connecting to the STS service to have a token issued (or renewed, or
> > validated). I authenticate using the SignedEncryptedSupportingTokens
> UsernameToken.
> > What I'm trying to figure out is how the key generated by the client
> > for symmetric binding is exchanged with the STS service so that it can
> > sign/verify encrypt/decrypt messages with the client.
>
> Ok, I get it now. I think Colm already answered your question.
> Btw: is there special reasons to use symmetric, not transport binding for
> communication with STS in your case?
>
> Regards,
> Andrei.
>

RE: SymmetricBinding key exchange and signing

Posted by Andrei Shakirin <as...@talend.com>.
Hi,

> Yes I have the IssuedToken policy on the WSP (not shown). The below
> policies are on my STS service. The question was in regards to connecting to
> the STS service to have a token issued (or renewed, or validated). I
> authenticate using the SignedEncryptedSupportingTokens UsernameToken.
> What I'm trying to figure out is how the key generated by the client for
> symmetric binding is exchanged with the STS service so that it can sign/verify
> encrypt/decrypt messages with the client.

Ok, I get it now. I think Colm already answered your question.
Btw: are there special reasons to use symmetric, not transport binding for communication with the STS in your case?

Regards,
Andrei.

> -----Original Message-----
> From: Josh Hill [mailto:Josh.Hill@finzsoft.com]
> Sent: Sonntag, 5. Mai 2013 21:56
> To: users@cxf.apache.org; coheigea@apache.org
> Subject: RE: SymmetricBinding key exchange and signing

RE: SymmetricBinding key exchange and signing

Posted by Josh Hill <Jo...@finzsoft.com>.
Andrei,

Yes I have the IssuedToken policy on the WSP (not shown). The below policies are on my STS service. The question was in regards to connecting to the STS service to have a token issued (or renewed, or validated). I authenticate using the SignedEncryptedSupportingTokens UsernameToken. What I'm trying to figure out is how the key generated by the client for symmetric binding is exchanged with the STS service so that it can sign/verify and encrypt/decrypt messages with the client.


Colm,

Is there not some exchange of the generated key between the client and STS? If the client signs (and encrypts) the request how does the STS have the generated key to verify signature and decrypt? My original question suggested that it is exchanged by encrypting it with the STS public key, but I'm not sure how it is signed in this exchange. Perhaps the exchange of the generated key isn't signed?

I appreciate your time.

Josh

Josh Hill
Senior Java Developer


sovereign finance and banking software

A Level 1, Building C, Millennium Centre, 602 Great South Road, Greenlane, Auckland, New Zealand
D 64 9 571 6812     P 64 9 571 6800   F 64 9 571 6899
E Josh.Hill@finzsoft.com   W http://www.finzsoft.com

Please note: This email contains information that is confidential and may be privileged. If you are not the intended recipient, you must not peruse, use, disseminate, distribute or copy this email or attachments. If you have received this in error, please notify Finzsoft Solutions (New Zealand) Ltd immediately by return email and delete this email. Thank you.
-----Original Message-----

> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Saturday, 4 May 2013 12:36 a.m.
> To: users@cxf.apache.org
> Subject: Re: SymmetricBinding key exchange and signing
>
> The Symmetric key that the client generates signs (and encrypts) the request
> (SOAP Body). There is no need for a signing certificate as you are using the
> Symmetric binding. Authentication is enforced via the UsernameToken
> SupportingToken.
>
> Colm.
>

Re: SymmetricBinding key exchange and signing

Posted by Colm O hEigeartaigh <co...@apache.org>.
The Symmetric key that the client generates signs (and encrypts) the
request (SOAP Body). There is no need for a signing certificate as you are
using the Symmetric binding. Authentication is enforced via the
UsernameToken SupportingToken.

Colm.


On Fri, May 3, 2013 at 4:25 AM, Josh Hill <Jo...@finzsoft.com> wrote:

>  My understanding is that the client generates the symmetric key (as
> defined by the sp:ProtectionToken i.e. a sp:X509Token) and encrypts it
> using the STS’s public key (configured on client using
> “ws-security.encryption.properties\username”). When sending this encrypted
> key to the STS what is it signed with? I haven’t set the
> “ws-security.signature.properties\username” on my client but the input
> policy on the STS requires the sp:Body be signed.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
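The exchange Colm describes (and Josh asks about) in running form, as an added example that is not CXF or WSS4J code and is not from this thread. The client generates a random secret, wraps it under the STS certificate (the "stskey" alias of the posted ws-security.encryption.* settings, which is why no ws-security.signature.* is needed), derives a signing key from it with P_SHA-1 as <sp:RequireDerivedKeys/> requires, and signs the Body with an HMAC under that derived key; the STS unwraps the secret with its private key, re-derives the same key from the nonce and verifies. Assumptions, all mine: the Basic256 sizes (256-bit secret, 192-bit signature derived key), the default WS-SecureConversation derived-key label, XML Signature's canonicalization and SignedInfo layering collapsed into one HMAC over the Body, the second derived key that would encrypt the Body left out, the UsernameToken not modelled, and a constructed sample Body in place of a real RequestSecurityToken.

```go
package main
import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"fmt"
)

// Basic256 sizes (256-bit secret, 192-bit signature derived key, 128-bit nonce) and the default WS-SecureConversation label.
const secretLen, sigKeyLen, nonceLen = 32, 24, 16
const dkLabel = "WS-SecureConversationWS-SecureConversation"

// Message is a simplified wire form of the signed RequestSecurityToken (no XML, no UsernameToken).
type Message struct {
	EncryptedKey []byte // RSA-OAEP(secret) under the STS certificate ("stskey"), referenced by thumbprint
	SigNonce     []byte // DerivedKeyToken nonce; the STS re-derives the signing key from it
	Body         []byte // in the real message also encrypted under a second derived key (left out here)
	Signature    []byte // HMAC-SHA1 over Body keyed with the derived key, not with a client certificate
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no CSPRNG: refuse rather than emit a weak key
	}
	return b
}

// deriveKey is a DerivedKeyToken key: P_SHA1(secret, label||nonce) truncated to n bytes,
// P_SHA-1 being the WS-SecureConversation PRF (the TLS 1.1 construction).
func deriveKey(secret, nonce []byte, n int) []byte {
	seed := append([]byte(dkLabel), nonce...)
	var out []byte
	for a := seed; len(out) < n; {
		h := hmac.New(sha1.New, secret)
		h.Write(a)
		a = h.Sum(nil) // A(i) = HMAC(secret, A(i-1))
		h = hmac.New(sha1.New, secret)
		h.Write(a)
		h.Write(seed)
		out = h.Sum(out) // out ||= HMAC(secret, A(i) || seed)
	}
	return out[:n]
}

func sign(secret, nonce, body []byte) []byte {
	mac := hmac.New(sha1.New, deriveKey(secret, nonce, sigKeyLen))
	mac.Write(body)
	return mac.Sum(nil)
}

// ClientSign plays STSClient: it holds only the STS public key, no signing certificate.
func ClientSign(stsPub *rsa.PublicKey, body []byte) (*Message, error) {
	secret := randomBytes(secretLen)
	wrapped, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, stsPub, secret, nil)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(nonceLen)
	return &Message{EncryptedKey: wrapped, SigNonce: nonce, Body: body, Signature: sign(secret, nonce, body)}, nil
}

// STSVerify plays the STS: unwrap the secret with its private key and recompute the HMAC. This proves
// possession of the wrapped secret only; the caller's identity still comes from the UsernameToken.
func STSVerify(stsPriv *rsa.PrivateKey, m *Message) ([]byte, error) {
	secret, err := rsa.DecryptOAEP(sha1.New(), rand.Reader, stsPriv, m.EncryptedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap EncryptedKey: %w", err)
	}
	if !hmac.Equal(sign(secret, m.SigNonce, m.Body), m.Signature) {
		return nil, fmt.Errorf("signature verification failed")
	}
	return m.Body, nil
}

// RoundTrip runs one exchange, then replays it with one Body byte changed; it returns the accepted
// Body (a constructed sample) and whether the tampered replay was rejected.
func RoundTrip() (string, bool, error) {
	stsKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	msg, err := ClientSign(&stsKey.PublicKey, []byte("<wst:RequestSecurityToken><wst:RequestType>Issue</wst:RequestType></wst:RequestSecurityToken>"))
	if err != nil {
		return "", false, err
	}
	got, err := STSVerify(stsKey, msg)
	if err != nil {
		return "", false, err
	}
	accepted := string(got) // copy before tampering: STSVerify hands back the Body slice itself
	msg.Body[0] ^= 0x01
	_, tamperErr := STSVerify(stsKey, msg)
	return accepted, tamperErr != nil, nil
}
func main() {
	fmt.Println(RoundTrip())
}
```

RoundTrip's second result is true when the replay with a modified Body fails verification, which is the property the derived-key HMAC provides. The point to take from it is Colm's: nothing in this flow uses a client certificate, so proof of origin rests on whoever could wrap the secret under the STS key plus the UsernameToken that authenticates the caller; the symmetric key by itself only ties the Body to the EncryptedKey in the same message.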

RE: SymmetricBinding key exchange and signing

Posted by Andrei Shakirin <as...@talend.com>.
Hi,

If I am not mistaken, STS communication is triggered by the IssuedToken policy assertion.

Your policy specifies SymmetricBinding with an X509 protection token and a UsernameToken as SignedEncryptedSupportingTokens.
I do not think that your policy will initiate communication with the STS service at all.

You can find a similar sample with STS communication at
http://svn.apache.org/repos/asf/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/symmetric/SymmetricBindingTest.java

Regards,
Andrei.

From: Josh Hill [mailto:Josh.Hill@finzsoft.com]
Sent: Friday, 3 May 2013 05:26
To: users@cxf.apache.org
Subject: SymmetricBinding key exchange and signing

My understanding is that the client generates the symmetric key (as defined by the sp:ProtectionToken i.e. a sp:X509Token) and encrypts it using the STS's public key (configured on client using "ws-security.encryption.properties\username"). When sending this encrypted key to the STS what is it signed with? I haven't set the "ws-security.signature.properties\username" on my client but the input policy on the STS requires the sp:Body be signed.

...
<entry key="ws-security.sts.client">
  <bean class="org.apache.cxf.ws.security.trust.STSClient">
    <constructor-arg ref="cxf" />
    <property name="wsdlLocation" value="http://localhost:8080/STS?wsdl" />
    <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService" />
    <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}STS_Port" />
    <property name="properties">
      <map>
        <entry key="ws-security.username" value="bob" />
        <entry key="ws-security.callback-handler" value="ClientCallbackHandler" />
        <entry key="ws-security.encryption.properties" value="clientKeystore.properties" />
        <entry key="ws-security.encryption.username" value="stskey" />
      </map>
    </property>
  </bean>
</entry>
...

<wsp:Policy wsu:Id="STS-UT-Policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SymmetricBinding>
        <wsp:Policy>
          <sp:ProtectionToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:RequireDerivedKeys/>
                  <sp:RequireThumbprintReference/>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:ProtectionToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
          <sp:EncryptSignature/>
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:SymmetricBinding>
      <sp:SignedEncryptedSupportingTokens>
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:HashPassword/>
              <sp:WssUsernameToken10/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SignedEncryptedSupportingTokens>
      <sp:Wss11>
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefIssuerSerial/>
          <sp:MustSupportRefThumbprint/>
          <sp:MustSupportRefEncryptedKey/>
        </wsp:Policy>
                                                </sp:Wss11>
                                                <sp:Trust13>
                                                                <wsp:Policy>
                                                                                <sp:MustSupportIssuedTokens/>
                                                                                <sp:RequireClientEntropy/>
                                                                                <sp:RequireServerEntropy/>
                                                                </wsp:Policy>
                                                </sp:Trust13>
                                </wsp:All>
                </wsp:ExactlyOne>
</wsp:Policy>

<wsp:Policy wsu:Id="STS-Input-Policy">
                <wsp:ExactlyOne>
                                <wsp:All>
                                                <sp:SignedParts>
                                                                <sp:Body/>
                                                </sp:SignedParts>
                                                <sp:EncryptedParts>
                                                                <sp:Body/>
                                                </sp:EncryptedParts>
                                </wsp:All>
                </wsp:ExactlyOne>
</wsp:Policy>

<wsp:Policy wsu:Id="STS-Output-Policy">
                <wsp:ExactlyOne>
                                <wsp:All>
                                                <sp:SignedParts>
                                                                <sp:Body/>
                                                </sp:SignedParts>
                                                <sp:EncryptedParts>
                                                                <sp:Body/>
                                                </sp:EncryptedParts>
                                </wsp:All>
                </wsp:ExactlyOne>
</wsp:Policy>


Josh Hill
Senior Java Developer
A Level 1, Building C, Millennium Centre, 602 Great South Road, Greenlane, Auckland, New Zealand
D 64 9 571 6812       P 64 9 571 6800    F 64 9 571 6899
E Josh.Hill@finzsoft.com<ma...@finzsoft.com>    W www.finzsoft.com<http://www.finzsoft.com>
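The `<sp:Trust13>` assertions in the policy above (`RequireClientEntropy` and `RequireServerEntropy`) mean the issued token's key is not chosen by either party alone: each side contributes entropy and the key is computed with P_SHA1, truncated to the symmetric key size of the `<sp:AlgorithmSuite>` (Basic256, i.e. 256 bits). The following is an added example, not code from the original post, from CXF or from WSS4J; it implements the WS-Trust 1.3 CK/PSHA1 computed-key derivation from first principles, and the entropy values in `demo()` are constructed for illustration.

```python
"""WS-Trust 1.3 computed key (CK/PSHA1) from client and server entropy.

Added example, not part of the original post or of CXF/WSS4J.  The key is
P_SHA1(requestor_entropy, issuer_entropy) cut to the key size implied by the
<sp:AlgorithmSuite/> of the binding (Basic256 -> 32 bytes).
"""
import hashlib
import hmac
import os

# Symmetric key sizes in bytes for the WS-SecurityPolicy algorithm suites;
# Basic256 is the one selected by the STS policy on the page.
SUITE_KEY_BYTES = {"Basic256": 32, "Basic192": 24, "Basic128": 16}


def hmac_sha1(secret: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 primitive used by P_SHA1."""
    return hmac.new(secret, data, hashlib.sha1).digest()


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 from TLS 1.0 (RFC 2246 section 5), as referenced by WS-Trust 1.3.

    A(0) = seed, A(i) = HMAC_SHA1(secret, A(i-1))
    P_SHA1 = HMAC_SHA1(secret, A(1) + seed) || HMAC_SHA1(secret, A(2) + seed) || ...
    The output is expanded 20 bytes at a time and truncated to `length`.
    """
    if length <= 0:
        raise ValueError("length must be positive")
    out = bytearray()
    a = seed
    while len(out) < length:
        a = hmac_sha1(secret, a)            # A(i)
        out += hmac_sha1(secret, a + seed)  # next 20-byte block
    return bytes(out[:length])


def computed_key(client_entropy: bytes, server_entropy: bytes,
                 suite: str = "Basic256") -> bytes:
    """Computed key per WS-Trust 1.3 CK/PSHA1.

    The requestor's entropy is the P_SHA1 secret and the issuer's entropy is
    the seed; the result is truncated to the suite's symmetric key size.
    Both entropies are mandatory because the policy requires both.
    """
    if not client_entropy or not server_entropy:
        raise ValueError("policy requires both client and server entropy")
    return p_sha1(client_entropy, server_entropy, SUITE_KEY_BYTES[suite])


def demo() -> bytes:
    """Derive one key from constructed entropy values (not real traffic)."""
    client_entropy = bytes.fromhex(
        "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")  # constructed
    server_entropy = bytes.fromhex(
        "ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100")  # constructed
    key = computed_key(client_entropy, server_entropy)
    # A fresh issuer entropy yields a different key even for the same client entropy.
    assert computed_key(client_entropy, os.urandom(32)) != key
    return key


if __name__ == "__main__":
    print(demo().hex())
```

When a client and an STS disagree on the issued key, the two things to check against this derivation are the argument order (requestor entropy is the secret, issuer entropy the seed) and the truncation length, which must match the AlgorithmSuite's symmetric key size rather than the raw P_SHA1 block size.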