Posted to wss4j-dev@ws.apache.org by Werner Dittmann <We...@t-online.de> on 2008/09/20 14:02:35 UTC

Extension in WSSecSignature to set the digest algorithm

All,

looking at the latest activities in W3C XML security and other
specifications it is obvious that SHA-1 is being phased out step by
step. The replacements are SHA-256 or other digest algos. Up to
now WSSecSignature was fixed to use SHA-1 as digest algorithm. To
accommodate the growing use of other algos I extended WSSecSignature
with some small functions to set and use other digest algos.

To do so, use the standard URI of the digest algo, for
example:

wsSig.setDigestAlgo("http://www.w3.org/2001/04/xmlenc#sha256");
(see TestWSSecurityNew18 how it works)

Default is to use SHA-1 so as not to break any application. Also the Axis
handlers are not updated to support this extension. Is it required
to enhance the Axis handlers? The WSS standards are not yet updated
to accept/define other digest algos.


CAVEAT:

If you use this extension and you use different digest algos in
one application to compute the signature digests, then you cannot
use the xmlsec-1.4.0 jar - this version has a problem in that case.
I've tested with the xmlsec-1.4.1 jar. This is the reason why I have not
yet enabled the new test case in PackageTests.java, until
we update WSS4J to xmlsec-1.4.1.

In my environment xmlsec-1.4.1 runs without problems. xmlsec-1.4.2
gives problems when running some test cases, for example
TestWSSecurityNew2.java - it reports a missing binding of the
"ds:" prefix to a namespace.

Regards,
Werner

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
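As an added example (not code from the original post or from WSS4J itself), the following signs a SOAP Body with WSSecSignature using SHA-256 for both the Reference digests and the RSA signature, then walks the emitted ds:DigestMethod elements to confirm that no Reference was left at SHA-1. It assumes a WSS4J 1.5.x classpath with the xmlsec version noted in the caveat above, a crypto.properties file pointing at a keystore, and that the alias "mykey" with password "mypass" exists in that keystore; those names and the sample envelope are placeholders constructed for the example.

```java
// Added example, not from the original post or the WSS4J project.
// Assumes WSS4J 1.5.x on the classpath, a crypto.properties file that
// points at a keystore, and a signing key under alias "mykey"/"mypass"
// (all placeholders).
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;
import org.apache.xml.security.signature.XMLSignature;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class Sha256SignatureExample {
    static final String DSIG_NS    = "http://www.w3.org/2000/09/xmldsig#";
    static final String SHA1_URI   = "http://www.w3.org/2000/09/xmldsig#sha1";
    static final String SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256";

    // Constructed sample request; any SOAP 1.1 envelope with a Body will do.
    static final String SOAP_MSG =
        "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<SOAP-ENV:Body><ns1:transfer xmlns:ns1=\"urn:example:bank\">"
      + "<amount>100</amount></ns1:transfer></SOAP-ENV:Body></SOAP-ENV:Envelope>";

    /** Signs the Body of doc in place and returns the signed document. */
    public static Document sign(Document doc) throws Exception {
        Crypto crypto = CryptoFactory.getInstance("crypto.properties"); // placeholder file
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(doc);

        WSSecSignature wsSign = new WSSecSignature();
        wsSign.setUserInfo("mykey", "mypass");                       // placeholder alias/password
        wsSign.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
        // Both settings matter: SignatureMethod covers SignedInfo, but the
        // Reference DigestMethod is what binds the Body bytes to the signature.
        wsSign.setSignatureAlgorithm(XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256);
        wsSign.setDigestAlgo(SHA256_URI);
        return wsSign.build(doc, crypto, secHeader);
    }

    /** Returns the Algorithm URI of every ds:DigestMethod in the document. */
    public static List<String> digestAlgorithms(Document doc) {
        NodeList nodes = doc.getElementsByTagNameNS(DSIG_NS, "DigestMethod");
        List<String> out = new ArrayList<String>();
        for (int i = 0; i < nodes.getLength(); i++) {
            out.add(((Element) nodes.item(i)).getAttribute("Algorithm"));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required, or WSS4J cannot locate the Body/Header
        Document doc = dbf.newDocumentBuilder()
            .parse(new InputSource(new StringReader(SOAP_MSG)));
        Document signed = sign(doc);
        for (String alg : digestAlgorithms(signed)) {
            if (SHA1_URI.equals(alg)) {
                throw new IllegalStateException("a Reference is still digested with SHA-1");
            }
            System.out.println("DigestMethod Algorithm=" + alg);
        }
    }
}
```

Calling setSignatureAlgorithm alone changes only the SignatureMethod; without setDigestAlgo each Reference keeps the SHA-1 default the post describes, which is why the check above inspects the DigestMethod elements rather than the SignatureMethod.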


RE: Extension in WSSecSignature to set the digest algorithm

Posted by Colm O hEigeartaigh <co...@progress.com>.
Hi Rik,

Yup you're right, can you create a JIRA for this and I'll fix it?

Colm.

-----Original Message-----
From: Rik Gruwez [mailto:rik.gruwez@admb.be] 
Sent: 23 March 2009 13:45
To: wss4j-dev@ws.apache.org
Subject: Re: Extension in WSSecSignature to set the digest algorithm



Werner Dittmann wrote:
> 
> All,
> 
> looking at the latest activities in W3C XML security and other
> specifications it is obvious that SHA-1 is being phased out step by
> step. The replacements are SHA-256 or other digest algos. Up to
> now WSSecSignature was fixed to use SHA-1 as digest algorithm. To
> accommodate the growing use of other algos I extended WSSecSignature
> with some small functions to set and use other digest algos.
> 
> To do so, use the standard URI of the digest algo, for
> example:
> 
> wsSig.setDigestAlgo("http://www.w3.org/2001/04/xmlenc#sha256");
> (see TestWSSecurityNew18 how it works)
> 
> Default is to use SHA-1 so as not to break any application. Also the Axis
> handlers are not updated to support this extension. Is it required
> to enhance the Axis handlers? The WSS standards are not yet updated
> to accept/define other digest algos.
> 

Werner,

Wouldn't it be necessary to also change the SignatureAction class? Right now
it does not explicitly set the digest algorithm. As a result the Algorithm
attribute of the Soap message's DigestMethod tag will always contain the
SHA1 URI, even though you are using RSA-SHA256 for the signature. If I add
these lines to the execute() method of the SignatureAction, it works for me:

if (reqData.getDigestAlgorithm() != null) {
    wsSign.setDigestAlgo(reqData.getDigestAlgorithm());
}

Obviously, I also had to add a digestMethod field to the RequestData class
in order to make it work.

Thanks for letting me know your thoughts. I am pretty new to WSS4J, so
perhaps I am missing something.

Regards,
Rik Gruwez

-- 
View this message in context:
http://www.nabble.com/Extension-in-WSSecSignature-to-set-the-digest-algorithm-tp19584932p22660395.html
Sent from the WSS4J mailing list archive at Nabble.com.




Re: Extension in WSSecSignature to set the digest algorithm

Posted by Rik Gruwez <ri...@admb.be>.

Werner Dittmann wrote:
> 
> All,
> 
> looking at the latest activities in W3C XML security and other
> specifications it is obvious that SHA-1 is being phased out step by
> step. The replacements are SHA-256 or other digest algos. Up to
> now WSSecSignature was fixed to use SHA-1 as digest algorithm. To
> accommodate the growing use of other algos I extended WSSecSignature
> with some small functions to set and use other digest algos.
> 
> To do so, use the standard URI of the digest algo, for
> example:
> 
> wsSig.setDigestAlgo("http://www.w3.org/2001/04/xmlenc#sha256");
> (see TestWSSecurityNew18 how it works)
> 
> Default is to use SHA-1 so as not to break any application. Also the Axis
> handlers are not updated to support this extension. Is it required
> to enhance the Axis handlers? The WSS standards are not yet updated
> to accept/define other digest algos.
> 

Werner,

Wouldn't it be necessary to also change the SignatureAction class? Right now
it does not explicitly set the digest algorithm. As a result the Algorithm
attribute of the Soap message's DigestMethod tag will always contain the
SHA1 URI, even though you are using RSA-SHA256 for the signature. If I add
these lines to the execute() method of the SignatureAction, it works for me:

if (reqData.getDigestAlgorithm() != null) {
    wsSign.setDigestAlgo(reqData.getDigestAlgorithm());
}

Obviously, I also had to add a digestMethod field to the RequestData class
in order to make it work.

Thanks for letting me know your thoughts. I am pretty new to WSS4J, so
perhaps I am missing something.

Regards,
Rik Gruwez

-- 
View this message in context: http://www.nabble.com/Extension-in-WSSecSignature-to-set-the-digest-algorithm-tp19584932p22660395.html
Sent from the WSS4J mailing list archive at Nabble.com.
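The mismatch Rik describes (SignatureMethod rsa-sha256 while the Reference DigestMethod is still sha1) is invisible to a receiver that only looks at the signature method. As an added example, not part of this thread or of WSS4J, here is a receiver-side policy check in plain JDK DOM that walks every ds:Signature and rejects any Reference whose DigestMethod is not on an allow-list. The allow-lists, the class name and the constructed envelope are assumptions for illustration, and the DigestValue/SignatureValue contents are placeholders; the check is structural only and does not verify the signature cryptographically, which stays with WSSecurityEngine.

```java
// Added example, not from the original post or the WSS4J project.
// Policy audit over the ds:Signature structure of a SOAP envelope; the
// allow-lists below are an assumption chosen for the example.
import java.io.StringReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class DigestPolicyAudit {
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    static final Set<String> ALLOWED_DIGESTS = new HashSet<String>(Arrays.asList(
        "http://www.w3.org/2001/04/xmlenc#sha256",
        "http://www.w3.org/2001/04/xmlenc#sha512"));
    static final Set<String> ALLOWED_SIGNATURES = new HashSet<String>(Arrays.asList(
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"));

    /** Returns the policy violations found; an empty list means the signature block passes. */
    public static List<String> audit(Document doc) {
        List<String> findings = new ArrayList<String>();
        NodeList sigs = doc.getElementsByTagNameNS(DSIG_NS, "Signature");
        if (sigs.getLength() == 0) {
            findings.add("no ds:Signature element present");
            return findings;
        }
        for (int s = 0; s < sigs.getLength(); s++) {
            Element sig = (Element) sigs.item(s);
            NodeList sm = sig.getElementsByTagNameNS(DSIG_NS, "SignatureMethod");
            String sigAlg = sm.getLength() == 0 ? "" : ((Element) sm.item(0)).getAttribute("Algorithm");
            if (!ALLOWED_SIGNATURES.contains(sigAlg)) {
                findings.add("SignatureMethod not allowed: " + sigAlg);
            }
            // Every Reference carries its own DigestMethod and each one must pass:
            // a single weak digest is enough to let that referenced part be swapped.
            NodeList refs = sig.getElementsByTagNameNS(DSIG_NS, "Reference");
            for (int r = 0; r < refs.getLength(); r++) {
                Element ref = (Element) refs.item(r);
                NodeList dm = ref.getElementsByTagNameNS(DSIG_NS, "DigestMethod");
                String digAlg = dm.getLength() == 0 ? "" : ((Element) dm.item(0)).getAttribute("Algorithm");
                if (!ALLOWED_DIGESTS.contains(digAlg)) {
                    findings.add("Reference URI=" + ref.getAttribute("URI")
                        + " uses disallowed DigestMethod: " + digAlg);
                }
            }
        }
        return findings;
    }

    // Constructed sample: the shape of an envelope whose signature method was
    // switched to RSA-SHA256 while the Reference digest stayed at SHA-1.
    // DigestValue and SignatureValue are placeholders, not real values.
    static final String MISMATCHED =
        "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\""
      + " xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">"
      + "<SOAP-ENV:Header><wsse:Security xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\">"
      + "<ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:SignedInfo>"
      + "<ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>"
      + "<ds:SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"/>"
      + "<ds:Reference URI=\"#id-1\">"
      + "<ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/>"
      + "<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>"
      + "</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>"
      + "</ds:Signature></wsse:Security></SOAP-ENV:Header>"
      + "<SOAP-ENV:Body wsu:Id=\"id-1\"><ping/></SOAP-ENV:Body></SOAP-ENV:Envelope>";

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Inbound SOAP is untrusted input: refuse DOCTYPE so no entity expansion can occur.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new InputSource(new StringReader(MISMATCHED)));
        List<String> findings = audit(doc);
        for (String f : findings) {
            System.out.println("REJECT: " + f);
        }
        if (!findings.isEmpty()) {
            System.exit(1);
        }
    }
}
```

Run against the constructed envelope, the audit reports one violation, the SHA-1 DigestMethod on Reference #id-1, and exits non-zero even though the SignatureMethod is acceptable. Placing the same audit ahead of WSSecurityEngine.processSecurityHeader lets a deployment reject such messages on policy before any signature verification is attempted.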

