Posted to issues@cxf.apache.org by "David Valeri (JIRA)" <ji...@apache.org> on 2010/08/02 16:15:16 UTC

[jira] Created: (CXF-2924) WS-SP support does not enforce signature algorithm or digest algorithm on server side

WS-SP support does not enforce signature algorithm or digest algorithm on server side
-------------------------------------------------------------------------------------

                 Key: CXF-2924
                 URL: https://issues.apache.org/jira/browse/CXF-2924
             Project: CXF
          Issue Type: Bug
    Affects Versions: 2.3, 2.2.10
            Reporter: David Valeri
             Fix For: 2.3


A WS-SP policy document that includes an algorithm suite assertion for a signature operation, such as the example below, does not trigger the enforcement of the algorithm suite in the inbound interceptors.
{code:xml}
    ...
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:RequireIssuerSerialReference />
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:RequireIssuerSerialReference />
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256Sha256 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict />
            </wsp:Policy>
          </sp:Layout>
        </wsp:Policy>
      </sp:AsymmetricBinding>
    ...
{code}

While the message could be inspected in order to extract this information, WSS4J already possesses the information.  Unfortunately, WSS4J does not report the information in the result data (1.5.8).  This issue is blocked on the addition of this information to the WSS4J results.  See WSS-236.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
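
The report notes that the message itself could be inspected for the algorithms in use. A minimal sketch of that inspection follows; it is an added example, not code from CXF or WSS4J. The function name, the sample message and the URI mapping for Basic256Sha256 (taken from the WS-SecurityPolicy 1.2 algorithm-suite table for an asymmetric signature) are assumptions of the example.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")

# URIs WS-SecurityPolicy 1.2 assigns to the suite from the issue when the
# signature is made with an asymmetric key (only this suite is listed here).
SUITES = {"Basic256Sha256": {"SignatureMethod": DS + "rsa-sha1",
                             "DigestMethod": SHA256}}

# Constructed sample: the second ds:Reference declares a SHA-1 digest, which
# Basic256Sha256 does not allow.
SAMPLE = f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="{WSSE}" xmlns:ds="{DS}"><soap:Header><wsse:Security>
  <ds:Signature><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="{DS}rsa-sha1"/>
    <ds:Reference URI="#body">
      <ds:DigestMethod Algorithm="{SHA256}"/>
      <ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
    <ds:Reference URI="#timestamp">
      <ds:DigestMethod Algorithm="{DS}sha1"/>
      <ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
</wsse:Security></soap:Header><soap:Body/></soap:Envelope>"""


def suite_violations(xml_text, suite_name):
    """List declared algorithms that differ from what the suite requires."""
    expected = SUITES[suite_name]
    signatures = list(ET.fromstring(xml_text).iter(f"{{{DS}}}Signature"))
    if not signatures:
        return ["no ds:Signature element in message"]
    problems = []
    for sig in signatures:
        # Search only inside ds:Signature: ds:DigestMethod can also occur in
        # xenc:EncryptionMethod, where it is not a signature digest.
        for tag, want in expected.items():
            for el in sig.iter(f"{{{DS}}}{tag}"):
                got = el.get("Algorithm")
                if got != want:
                    problems.append(f"{tag}: got {got}, policy requires {want}")
    return problems


if __name__ == "__main__":
    for problem in suite_violations(SAMPLE, "Basic256Sha256"):
        print(problem)
```

The check reads only the URIs the message declares, so it is meaningful only for a signature that has already been verified.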


[jira] Assigned: (CXF-2924) WS-SP support does not enforce signature algorithm or digest algorithm on server side

Posted by "David Valeri (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-2924?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Valeri reassigned CXF-2924:
---------------------------------

    Assignee: David Valeri

> WS-SP support does not enforce signature algorithm or digest algorithm on server side
> -------------------------------------------------------------------------------------
>
>                 Key: CXF-2924
>                 URL: https://issues.apache.org/jira/browse/CXF-2924
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 2.3, 2.2.10
>            Reporter: David Valeri
>            Assignee: David Valeri
>             Fix For: 2.3
>
>
> A WS-SP policy document that includes an algorithm suite assertion for a signature operation, such as the example below, does not trigger the enforcement of the algorithm suite in the inbound interceptors.
> {code:xml}
>     ...
>       <sp:AsymmetricBinding>
>         <wsp:Policy>
>           <sp:InitiatorToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                 <wsp:Policy>
>                   <sp:RequireIssuerSerialReference />
>                   <sp:WssX509V3Token10 />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:InitiatorToken>
>           <sp:RecipientToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                 <wsp:Policy>
>                   <sp:RequireIssuerSerialReference />
>                   <sp:WssX509V3Token10 />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:RecipientToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256Sha256 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict />
>             </wsp:Policy>
>           </sp:Layout>
>         </wsp:Policy>
>       </sp:AsymmetricBinding>
>     ...
> {code}
> While the message could be inspected in order to extract this information, WSS4J already possesses the information.  Unfortunately, WSS4J does not report the information in the result data (1.5.8).  This issue is blocked on the addition of this information to the WSS4J results.  See WSS-236.
