Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2011/07/08 11:23:16 UTC

[jira] [Commented] (CXF-3646) Use of asymmetric key is implicit and defaults to RSA_SHA1 in the security policy implementation

    [ https://issues.apache.org/jira/browse/CXF-3646?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13061863#comment-13061863 ] 

Colm O hEigeartaigh commented on CXF-3646:
------------------------------------------

Hi,

The current implementation is correct according to the spec. RSA-SHA1 is the only algorithm used for asymmetric signature, even if you specify a "Basic256Sha256..." algorithm suite:

http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/cd/ws-securitypolicy-1.3-spec-cs-01.html#_Toc212617835

At least that's my reading of the spec - it seems a bit odd that the asymmetric signature algorithm doesn't vary according to the Algorithm suite.

Colm.

> Use of asymmetric key is implicit and defaults to RSA_SHA1 in the security policy implementation
> ------------------------------------------------------------------------------------------------
>
>                 Key: CXF-3646
>                 URL: https://issues.apache.org/jira/browse/CXF-3646
>             Project: CXF
>          Issue Type: Bug
>          Components: Core, WS-* Components
>    Affects Versions: 2.3.2, 2.5
>         Environment: Linux
>            Reporter: vaidya.krishnamurthy
>              Labels: security
>
>   Since the use of SHA1 has been recently discouraged I tried to switch to using at least SHA256 ( http://www.w3.org/TR/xmldsig-core1/#sec-MessageDigests )
>         Currently the policy is set like this in the wsdl file :
>            <sp:AlgorithmSuite>
>               <wsp:Policy>
>                 <sp:Basic256Sha256Rsa15/>
>               </wsp:Policy>
>             </sp:AlgorithmSuite>
>         From the log I can see that a part of the message is signed with rsa-sha1
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-2">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <ds:Reference URI="#Timestamp-1">
>          
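
Added example (not part of the original message or of CXF's code): since, as discussed above, the policy's algorithm suite does not determine the asymmetric signature method, this Python check reads the algorithms actually present in a signed message and reports where SHA-1 is used. The sample message is constructed, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}

# Constructed sample: SignatureMethod as in the reported log, DigestMethod as a
# SHA-256 suite would select it. Digest and signature values are placeholders.
SAMPLE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-2">
 <ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#Timestamp-1">
   <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
   <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
  </ds:Reference>
 </ds:SignedInfo>
 <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
</ds:Signature>"""


def is_sha1(uri):
    """True for SHA-1 based identifiers such as ...#rsa-sha1 or ...#sha1."""
    return uri is not None and uri.rsplit("#", 1)[-1].lower().endswith("sha1")


def audit_signatures(xml_text):
    """Return one finding per ds:Signature element found in the message."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("unexpected DTD in message; refusing to parse")
    findings = []
    for sig in ET.fromstring(xml_text).iter("{%s}Signature" % DS):
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        sig_alg = method.get("Algorithm") if method is not None else None
        digests = {}
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            dm = ref.find("ds:DigestMethod", NS)
            digests[ref.get("URI")] = dm.get("Algorithm") if dm is not None else None
        sha1_in = ["SignatureMethod"] if is_sha1(sig_alg) else []
        sha1_in += ["DigestMethod %s" % u for u, a in digests.items() if is_sha1(a)]
        findings.append({"id": sig.get("Id"), "signature_method": sig_alg,
                         "digest_methods": digests, "sha1_in": sha1_in})
    return findings


if __name__ == "__main__":
    for f in audit_signatures(SAMPLE):
        print(f["id"], f["signature_method"], f["digest_methods"], f["sha1_in"])
```

Run against captured messages, this separates the two algorithm choices: a finding of `SignatureMethod` alone means the digests follow the suite while the signature itself is still RSA-SHA1.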
