Posted to users@cxf.apache.org by Giriraj Bhojak <gi...@gmail.com> on 2016/03/07 19:20:10 UTC

Using RSA with SHA256 algorithm for WS-Security policy

Hello,

WS-SP 1.3 doesn't support RSA with SHA256 as asymmetric algorithm.
I am using a policy file and there is a need to use this algorithm.
Is there a way to override WS policy behavior and specify this algorithm
somehow?
We are using CXF 2.7.11 and WSS4J v 1.6.x.

Thanks,
Giriraj

Re: Using RSA with SHA256 algorithm for WS-Security policy

Posted by dom <th...@gmail.com>.
Thank you so much!!
That was it! This covers my needs!

I suppose the counterpart of this configuration is that you can only accept
one kind of digest method.
So if you have several client partners they must agree on the algorithm to
use.


Thanks again,
Regards,



--
View this message in context: http://cxf.547215.n5.nabble.com/Using-RSA-with-SHA256-algorithm-for-WS-Security-policy-tp5766680p5770863.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Using RSA with SHA256 algorithm for WS-Security policy

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi,

You need to remove the <sp:Basic256/> policy. Just have
<sp:Basic256Sha256Rsa15/> instead.

Colm.

On Thu, Jul 28, 2016 at 9:44 AM, dom <th...@gmail.com> wrote:

> Thank you for your answer.
>
> I have tried adding:
>
> <wsp:Policy wsu:Id="my_policy">
> <wsp:ExactlyOne>
> <wsp:All>
> [...]
> <sp:AsymmetricBinding >
>     <wsp:Policy>
>     [...]
>     <sp:AlgorithmSuite>
>          <wsp:Policy>
>              <sp:Basic256/>
>              <sp:Basic256Sha256Rsa15/>
>          </wsp:Policy>
>     </sp:AlgorithmSuite>
>     [...]
>     </wsp:Policy>
> </sp:AsymmetricBinding>
> [...]
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
> <wsp:Policy wsu:Id="Input_policy">
>         <wsp:ExactlyOne>
>             <wsp:All>
>                 <sp:SignedParts>
>                 [...]
>                 </sp:SignedParts>
>             </wsp:All>
>         </wsp:ExactlyOne>
> </wsp:Policy>
> <wsp:Policy wsu:Id="Output_policy">
>         <wsp:ExactlyOne>
>             <wsp:All>
>                 <sp:SignedParts>
>                 [...]
>                 </sp:SignedParts>
>             </wsp:All>
>         </wsp:ExactlyOne>
> </wsp:Policy>
>
> When receiving a request from my partner I can debug the call and in the
> method:
> "org.apache.wss4j.common.crypto.AlgorithmSuiteValidator.checkSignatureAlgorithms(XMLSignature
> xmlSignature)"
> I can see that the call to "algorithmSuite.getDigestAlgorithms()" only
> contains SHA1 and so the request fails.
> Yet when I make a request myself, the SAML token's signature, made by the
> STS, can have a "sha256" digest method but the message's signature made
> afterwards by the client has a "sha1" digest.
> For this reason I'm suspecting the "<sp:Basic256Sha256Rsa15/>" configuration
> in the WS-Policy only concerns the SAML Token's signature. Am I wrong?
>
> I have looked at the WS-SecurityPolicy to see how to add the
> "<sp:AlgorithmSuite>" specifically to the "<sp:SignedParts>" of my
> "<wsp:Policy wsu:Id="Input_policy">"
> but the schema doesn't seem to support this configuration.
>
> Do you know what I am missing to do?
> Thank you very much.
> Regards,
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Using-RSA-with-SHA256-algorithm-for-WS-Security-policy-tp5766680p5770853.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Using RSA with SHA256 algorithm for WS-Security policy

Posted by dom <th...@gmail.com>.
Thank you for your answer.

I have tried adding:

<wsp:Policy wsu:Id="my_policy">
<wsp:ExactlyOne>
<wsp:All>
[...]
<sp:AsymmetricBinding >
    <wsp:Policy>
    [...]
    <sp:AlgorithmSuite>
         <wsp:Policy>
             <sp:Basic256/>
             <sp:Basic256Sha256Rsa15/>
         </wsp:Policy>
    </sp:AlgorithmSuite>
    [...]
    </wsp:Policy>
</sp:AsymmetricBinding>
[...]
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="Input_policy">
        <wsp:ExactlyOne>
            <wsp:All>
                <sp:SignedParts>
                [...]
                </sp:SignedParts>
            </wsp:All>
        </wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="Output_policy">
        <wsp:ExactlyOne>
            <wsp:All>
                <sp:SignedParts>
                [...]
                </sp:SignedParts>
            </wsp:All>
        </wsp:ExactlyOne>
</wsp:Policy>

When receiving a request from my partner I can debug the call and in the
method:
"org.apache.wss4j.common.crypto.AlgorithmSuiteValidator.checkSignatureAlgorithms(XMLSignature
xmlSignature)"
I can see that the call to "algorithmSuite.getDigestAlgorithms()" only
contains SHA1 and so the request fails.
Yet when I make a request myself, the SAML token's signature, made by the
STS, can have a "sha256" digest method but the message's signature made
afterwards by the client has a "sha1" digest.
For this reason I'm suspecting the "<sp:Basic256Sha256Rsa15/>" configuration
in the WS-Policy only concerns the SAML Token's signature. Am I wrong?

I have looked at the WS-SecurityPolicy to see how to add the
"<sp:AlgorithmSuite>" specifically to the "<sp:SignedParts>" of my
"<wsp:Policy wsu:Id="Input_policy">"
but the schema doesn't seem to support this configuration.

Do you know what I am missing to do?
Thank you very much.
Regards,



--
View this message in context: http://cxf.547215.n5.nabble.com/Using-RSA-with-SHA256-algorithm-for-WS-Security-policy-tp5766680p5770853.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Using RSA with SHA256 algorithm for WS-Security policy

Posted by Colm O hEigeartaigh <co...@apache.org>.
The digest method should just be set by the WS-SecurityPolicy
AlgorithmSuite. For example "Basic256Sha256" uses SHA-256 for message
digests. There is no custom way of specifying the digest in CXF right now,
as typically SHA-256 is sufficient for users.

Colm.

On Wed, Jul 27, 2016 at 2:47 PM, dom <th...@gmail.com> wrote:

> Hello,
>
> In the same kind of way is it possible to use WS-SecurityPolicy
> configuration and define a specific digest method?
>
> E.g.: <ds:DigestMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>
> (I'm not speaking of the assertion's signature but rather the signature
> made
> on the message level)
>
>
> WSS4J seems to offer the "WSHandlerConstants.SIG_DIGEST_ALGO" but I don't
> know how to set it while using the ws-policy based configuration.
>
> Thanks,
> Regards,
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Using-RSA-with-SHA256-algorithm-for-WS-Security-policy-tp5766680p5770841.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Using RSA with SHA256 algorithm for WS-Security policy

Posted by dom <th...@gmail.com>.
Hello,

In the same kind of way is it possible to use WS-SecurityPolicy
configuration and define a specific digest method?

E.g.: <ds:DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>

(I'm not speaking of the assertion's signature but rather the signature made
on the message level)


WSS4J seems to offer the "WSHandlerConstants.SIG_DIGEST_ALGO" but I don't
know how to set it while using the ws-policy based configuration.

Thanks,
Regards,



--
View this message in context: http://cxf.547215.n5.nabble.com/Using-RSA-with-SHA256-algorithm-for-WS-Security-policy-tp5766680p5770841.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Using RSA with SHA256 algorithm for WS-Security policy

Posted by Giriraj Bhojak <gi...@gmail.com>.
Thank you Colm.

Thanks,
Giriraj
On Mar 8, 2016 7:13 AM, "Colm O hEigeartaigh" <co...@apache.org> wrote:

> Yes, there is a special JAX-WS configuration property to change the
> asymmetric signature algorithm -
> "ws-security.asymmetric.signature.algorithm". See here:
>
> http://cxf.apache.org/docs/ws-securitypolicy.html
>
> Colm.
>
> On Mon, Mar 7, 2016 at 6:20 PM, Giriraj Bhojak <gi...@gmail.com>
> wrote:
>
> > Hello,
> >
> > WS-SP 1.3 doesn't support RSA with SHA256 as asymmetric algorithm.
> > I am using a policy file and there is a need to use this algorithm.
> > Is there a way to override WS policy behavior and specify this algorithm
> > somehow?
> > We are using CXF 2.7.11 and WSS4J v 1.6.x.
> >
> > Thanks,
> > Giriraj
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>

Re: Using RSA with SHA256 algorithm for WS-Security policy

Posted by Colm O hEigeartaigh <co...@apache.org>.
Yes, there is a special JAX-WS configuration property to change the
asymmetric signature algorithm -
"ws-security.asymmetric.signature.algorithm". See here:

http://cxf.apache.org/docs/ws-securitypolicy.html

Colm.

On Mon, Mar 7, 2016 at 6:20 PM, Giriraj Bhojak <gi...@gmail.com> wrote:

> Hello,
>
> WS-SP 1.3 doesn't support RSA with SHA256 as asymmetric algorithm.
> I am using a policy file and there is a need to use this algorithm.
> Is there a way to override WS policy behavior and specify this algorithm
> somehow?
> We are using CXF 2.7.11 and WSS4J v 1.6.x.
>
> Thanks,
> Giriraj
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
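Two checks that go with this thread, written here as an added example; they are not code from CXF, WSS4J or any of the posters. The first reads a WS-SecurityPolicy file, lists the suites named inside each sp:AlgorithmSuite assertion together with the digest each implies (from the WS-SecurityPolicy 1.2/1.3 suite table, where only the *Sha256* suites use SHA-256 digests and Basic256 and the other base suites still use SHA-1) and flags an assertion that names more than one suite, which is the state Colm's fix above removes. The second reads the ds:Signature elements of a received SOAP message and reports the SignatureMethod and DigestMethod URIs actually used, which is how to confirm on the wire whether the STS's assertion signature and the client's message signature differ, as dom observed, and whether the ws-security.asymmetric.signature.algorithm property has changed the message signature from rsa-sha1 to rsa-sha256. The policy and SOAP samples are constructed and trimmed to the elements the audit reads.

```python
"""Audit which digest/signature algorithms a WS-SecurityPolicy mandates and
which ones a signed SOAP message actually carries. Added example for this
thread, not code from CXF or WSS4J; all sample XML below is constructed."""
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Digest implied by each WS-SecurityPolicy 1.2/1.3 AlgorithmSuite (spec section
# 6.1): only the *Sha256* suites use SHA-256, every other suite still uses SHA-1.
SHA1_SUITES = {"Basic256", "Basic192", "Basic128", "TripleDes",
               "Basic256Rsa15", "Basic192Rsa15", "Basic128Rsa15", "TripleDesRsa15"}
SHA256_SUITES = {"Basic256Sha256", "Basic192Sha256", "Basic128Sha256",
                 "TripleDesSha256", "Basic256Sha256Rsa15", "Basic192Sha256Rsa15",
                 "Basic128Sha256Rsa15", "TripleDesSha256Rsa15"}


def audit_policy(policy_xml):
    """List every suite named inside an sp:AlgorithmSuite with the digest it
    implies. An assertion naming more than one suite is flagged as ambiguous:
    which suite the runtime then enforces is not what the policy author meant."""
    root = ET.fromstring(policy_xml)
    findings = []
    for assertion in root.iter("{%s}AlgorithmSuite" % SP):
        suites = [el.tag.rsplit("}", 1)[-1] for el in assertion.iter()
                  if el.tag.rsplit("}", 1)[-1] in SHA1_SUITES | SHA256_SUITES]
        for name in suites:
            findings.append({"suite": name,
                             "digest": "SHA-256" if name in SHA256_SUITES else "SHA-1",
                             "ambiguous": len(suites) > 1})
    return findings


def _uses_sha1(uri):
    # Matches ...#sha1, ...#rsa-sha1 and ...#hmac-sha1 but not ...#rsa-sha256.
    return uri.rsplit("#", 1)[-1].endswith("sha1")


def audit_message(soap_xml):
    """Report the SignatureMethod and DigestMethod URIs of every ds:Signature.
    The STS signature on a SAML assertion and the client's message signature
    are separate signatures and can use different algorithms."""
    root = ET.fromstring(soap_xml)
    report = []
    for sig in root.iter("{%s}Signature" % DS):
        method = sig.find(".//{%s}SignatureMethod" % DS).get("Algorithm")
        digests = sorted({d.get("Algorithm") for d in sig.iter("{%s}DigestMethod" % DS)})
        report.append({"id": sig.get("Id", "(no Id)"),
                       "signature_method": method,
                       "digests": digests,
                       "weak": _uses_sha1(method) or any(_uses_sha1(d) for d in digests)})
    return report


# Constructed policy mirroring the thread: two suites inside one AlgorithmSuite.
POLICY_AMBIGUOUS = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:ExactlyOne><wsp:All>
    <sp:AsymmetricBinding><wsp:Policy>
      <sp:AlgorithmSuite><wsp:Policy>
        <sp:Basic256/>
        <sp:Basic256Sha256Rsa15/>
      </wsp:Policy></sp:AlgorithmSuite>
    </wsp:Policy></sp:AsymmetricBinding>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""
# The corrected policy keeps only the SHA-256 suite.
POLICY_FIXED = POLICY_AMBIGUOUS.replace("<sp:Basic256/>\n", "")

# Constructed, trimmed message: SHA-256 on the STS-signed assertion, SHA-1 on
# the message signature, i.e. the mismatch described in the thread.
SIGNED_MESSAGE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soap:Header><wsse:Security>
    <saml2:Assertion ID="_a1">
      <ds:Signature Id="STS-SIG"><ds:SignedInfo>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_a1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        </ds:Reference>
      </ds:SignedInfo></ds:Signature>
    </saml2:Assertion>
    <ds:Signature Id="MSG-SIG"><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#body">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      </ds:Reference>
    </ds:SignedInfo></ds:Signature>
  </wsse:Security></soap:Header>
  <soap:Body/>
</soap:Envelope>"""

if __name__ == "__main__":
    for finding in audit_policy(POLICY_AMBIGUOUS):
        print("policy :", finding)
    for entry in audit_message(SIGNED_MESSAGE):
        print("message:", entry)
```

Run against a real policy file and a captured request (for example one logged by CXF's LoggingInInterceptor), the first function tells you what the AlgorithmSuite will make WSS4J's AlgorithmSuiteValidator accept, and the second tells you what the peer actually sent, so a failing request can be traced to either side without stepping through checkSignatureAlgorithms in a debugger.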