Posted to users@cxf.apache.org by Kai Rommel <kr...@googlemail.com> on 2014/01/30 19:14:57 UTC

ws policies AlgorithmSuite

Hi,

I have a WS Consumer sending a signed and encrypted message.
In the SOAP Header the following algorithm is used:

	<xenc:EncryptedKey Id="EK45302750" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
		<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>

In the SOAP Body:

	<xenc:EncryptedData Id="ED23590466" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
			Type="http://www.w3.org/2001/04/xmlenc#Content">
		<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>

I want to consume this message by a WS-Provider configured via policies:
When I set the AlgorithmSuite in this way:

	<sp:AlgorithmSuite>
		<wsp:Policy>
			<sp:TripleDes />
			<sp:Basic128Rsa15 />
		</wsp:Policy>
	</sp:AlgorithmSuite>

I get the error:
...org.apache.ws.security.processor.X509Util...
#Sym Enc Algo: http://www.w3.org/2001/04/xmlenc#rsa-1_5|...
org.apache.ws.security.components.crypto.AlgorithmSuiteValidator...
The Key transport method does not match the requirement...

When I set the AlgorithmSuite in this way:

	<sp:AlgorithmSuite>
		<wsp:Policy>
			<sp:Basic128Rsa15 />
			<sp:TripleDes />
		</wsp:Policy>
	</sp:AlgorithmSuite>

I get the error:
...org.apache.ws.security.processor.EncryptedKeyProcessor..

org.apache.ws.security.processor.X509Util...
Sym Enc Algo: http://www.w3.org/2001/04/xmlenc#tripledes-cbc|...

#org.apache.ws.security.components.crypto.AlgorithmSuiteValidator#...
The encryption algorithm does not match the requirement|.....

Isn't it allowed to set several algorithms in the AlgorithmSuite?
Or do I misinterpret something?
Thanks.
Best regards
Kai

Re: ws policies AlgorithmSuite

Posted by Colm O hEigeartaigh <co...@apache.org>.
What is the Camel error? I tried it in a CXF system test and it worked
correctly. The problem is that CXF does not accept multiple AlgorithmSuites
as being valid, so the ExactlyOne method must be used instead.

Colm.


On Fri, Jan 31, 2014 at 12:23 PM, Kai Rommel <kr...@googlemail.com> wrote:

> Hi Colm,
> I tried it with ExactlyOnce, but the CamelContext did not start
> due to parsing issues of the blueprint beans.xml.
>
> Looking at:
>
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html
> in section 7.1 it says:
>
> /sp:AlgorithmSuite/wsp:Policy
> This required element contains one or more policy assertions that indicate
> the specific algorithm suite to use.
>
> So should it be possible to define several policy assertions without the
> ExactlyOne element?
>
> Kai


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: ws policies AlgorithmSuite

Posted by Kai Rommel <kr...@googlemail.com>.
Hi Colm,
I tried it with ExactlyOnce, but the CamelContext did not start due
to parsing issues of the blueprint beans.xml.

Looking at:
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html
in section 7.1 it says:

/sp:AlgorithmSuite/wsp:Policy
This required element contains one or more policy assertions that indicate
the specific algorithm suite to use.

So should it be possible to define several policy assertions without the
ExactlyOne element?

Kai



2014-01-31 Colm O hEigeartaigh <co...@apache.org>:

> Your policy formulation is invalid, as you are saying that you want both
> AlgorithmSuites to be enforced. Instead you need a policy alternative,
> something like:
>
> <sp:AlgorithmSuite>
>      <wsp:Policy>
>         <wsp:ExactlyOne>
>                 <sp:Basic128Rsa15 />
>                 <sp:TripleDes />
>         </wsp:ExactlyOne>
>      </wsp:Policy>
> </sp:AlgorithmSuite>
>
> Colm.

Re: ws policies AlgorithmSuite

Posted by Colm O hEigeartaigh <co...@apache.org>.
Your policy formulation is invalid, as you are saying that you want both
AlgorithmSuites to be enforced. Instead you need a policy alternative,
something like:

<sp:AlgorithmSuite>
     <wsp:Policy>
        <wsp:ExactlyOne>
                <sp:Basic128Rsa15 />
                <sp:TripleDes />
        </wsp:ExactlyOne>
     </wsp:Policy>
</sp:AlgorithmSuite>

Colm.





-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
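
Added example, not part of the thread and not CXF or WSS4J code: it checks the algorithm URIs from the first post against the [Enc] and [Asym KW] columns of the section 7.1 table in the WS-SecurityPolicy 1.2 spec linked above, treating sibling assertions under wsp:Policy as all required and wsp:ExactlyOne as a choice. The namespace URIs in `NS` and all function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
# suite -> ([Enc], [Asym KW]), from the table in WS-SecurityPolicy 1.2, section 7.1
SUITES = {
    "TripleDes":      (XENC + "tripledes-cbc", XENC + "rsa-oaep-mgf1p"),
    "TripleDesRsa15": (XENC + "tripledes-cbc", XENC + "rsa-1_5"),
    "Basic128Rsa15":  (XENC + "aes128-cbc",    XENC + "rsa-1_5"),
}
# Assumed namespace declarations; the fragments in the thread omit them.
NS = ('xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" '
      'xmlns:wsp="http://www.w3.org/ns/ws-policy"')

def fragment(names, exactly_one):
    """Build an sp:AlgorithmSuite fragment shaped like the ones in the thread."""
    body = "".join(f"<sp:{n}/>" for n in names)
    if exactly_one:
        body = f"<wsp:ExactlyOne>{body}</wsp:ExactlyOne>"
    return f"<sp:AlgorithmSuite {NS}><wsp:Policy>{body}</wsp:Policy></sp:AlgorithmSuite>"

def local(el):
    return el.tag.rsplit("}", 1)[-1]   # element name without its namespace

def suite_names(policy_xml):
    """Return (suite names, True if they sit inside wsp:ExactlyOne)."""
    policy = next(iter(ET.fromstring(policy_xml)))   # the nested wsp:Policy
    choice = [el for el in policy if local(el) == "ExactlyOne"]
    parent = choice[0] if choice else policy
    return [local(el) for el in parent if local(el) in SUITES], bool(choice)

def mismatches(suite, enc_uri, key_transport_uri):
    """Properties of `suite` that the message's algorithm URIs do not meet."""
    enc, asym_kw = SUITES[suite]
    return [label for label, got, want in (("key transport", key_transport_uri, asym_kw),
                                           ("encryption", enc_uri, enc)) if got != want]

def evaluate(policy_xml, enc_uri, key_transport_uri):
    """Siblings under wsp:Policy must all hold; under wsp:ExactlyOne one is enough."""
    names, is_choice = suite_names(policy_xml)
    report = {n: mismatches(n, enc_uri, key_transport_uri) for n in names}
    passed = [not problems for problems in report.values()]
    return (any(passed) if is_choice else all(passed)), report

# Algorithms from the EncryptedKey / EncryptedData elements quoted in the first post
MSG = dict(enc_uri=XENC + "tripledes-cbc", key_transport_uri=XENC + "rsa-1_5")

if __name__ == "__main__":
    for names, one in ((["TripleDes", "Basic128Rsa15"], False),
                       (["Basic128Rsa15", "TripleDes"], True), (["TripleDesRsa15"], False)):
        print(names, one, evaluate(fragment(names, one), **MSG))
```

For the posted message, TripleDes fails on key transport and Basic128Rsa15 fails on encryption, the same two properties named in the errors in the first post. TripleDesRsa15 pairs tripledes-cbc with rsa-1_5 and passes.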