Posted to wss4j-dev@ws.apache.org by Oliver Wulff <ol...@zurich.ch> on 2008/07/14 19:36:24 UTC

Correlation between EncryptedKey element (soap message) and keystore in decryption

Hi there

Let's assume I've got the following code for decryption of a SOAP message:

    WSSecurityEngine secEngine = new WSSecurityEngine();
    Crypto crypto = CryptoFactory.getInstance("TestService.properties");
    secEngine.processSecurityHeader(doc, null, new MyCallbackHandler(), crypto);

How does WSS4J know which private key it must use to decrypt the message?
Does it use the serial number only? This is the only piece which is passed
as part of the soap message to identify the certificate.

Is it best practice or part of the WS-Security spec to encrypt the
symmetric key with the public key of the target service and encrypt the
message context with the symmetric key which is sent as part of the
message?

Thanks
Oliver

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


Re: Correlation between EncryptedKey element (soap message) and keystore in decryption

Posted by Werner Dittmann <We...@t-online.de>.
That depends on the set-up of the sender and how it composes
the Security header, how to send the key identification, etc.

Using a generated symmetric key to encrypt the message context
is part of the OASIS Web Service Security Specifications which
in turn use the W3C XML Signature and XML Encryption specifications.
These specs describe how to set up the security header, which encryption
algorithms are mandatory, which are optional, etc.

Regards,
Werner


Oliver Wulff wrote:
> Hi there
> 
> Let's assume I've got the following code for decryption of a SOAP message:
> 
>     WSSecurityEngine secEngine = new WSSecurityEngine();
>     Crypto crypto = CryptoFactory.getInstance("TestService.properties");
>     secEngine.processSecurityHeader(doc, null, new MyCallbackHandler(), crypto);
> 
> How does WSS4J know which private key it must use to decrypt the message?
> Does it use the serial number only? This is the only piece which is passed
> as part of the soap message to identify the certificate.
> 
> Is it best practice or part of the WS-Security spec to encrypt the
> symmetric key with the public key of the target service and encrypt the
> message context with the symmetric key which is sent as part of the
> message?
> 
> Thanks
> Oliver


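An added example, not part of the original thread and not WSS4J's own code: it shows how a recipient can map the key identifier carried in an EncryptedKey to a keystore alias, assuming the sender used an X509IssuerSerial reference, which carries the issuer name together with the serial number. The XML fragment, the distinguished names, the aliases and the in-memory map standing in for the keystore are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import javax.security.auth.x500.X500Principal;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class IssuerSerialLookup {
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Constructed sample: the KeyInfo of an EncryptedKey, reduced to the identifying part.
    static final String KEY_INFO =
        "<ds:KeyInfo xmlns:ds='" + DS + "' xmlns:wsse='" + WSSE + "'>"
      + "<wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial>"
      + "<ds:X509IssuerName>CN=Example CA, O=Example, C=CH</ds:X509IssuerName>"
      + "<ds:X509SerialNumber>4660</ds:X509SerialNumber>"
      + "</ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo>";

    // The identifier as carried in the message: issuer DN plus serial number.
    record CertId(X500Principal issuer, BigInteger serial) {}

    static CertId parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Untrusted input: refuse DOCTYPE declarations to rule out XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document d = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return new CertId(new X500Principal(text(d, "X509IssuerName")),
                          new BigInteger(text(d, "X509SerialNumber")));
    }

    static String text(Document d, String local) {
        NodeList nl = d.getElementsByTagNameNS(DS, local);
        if (nl.getLength() != 1) throw new IllegalArgumentException("expected one " + local);
        return nl.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the keystore. Both entries share a serial number,
        // so only the issuer name tells them apart.
        Map<CertId, String> keystore = Map.of(
            new CertId(new X500Principal("CN=Example CA,O=Example,C=CH"), BigInteger.valueOf(4660)), "service",
            new CertId(new X500Principal("CN=Other CA,O=Example,C=CH"), BigInteger.valueOf(4660)), "other");
        String alias = keystore.get(parse(KEY_INFO));
        if (alias == null) throw new IllegalStateException("no matching certificate");
        System.out.println("decrypt with private key of alias: " + alias);
    }
}
```

X500Principal compares names in canonical form, so the differing whitespace between the message and the stored name does not prevent the match.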