Posted to dev@santuario.apache.org by Milan Tomic <mi...@setcce.org> on 2005/01/22 10:27:21 UTC

RE: XSECSOAPRequestorSimple::doRequest()

	OK, I will implement XSECURIResolver for the Windows SSL stream.

Greetings,
Milan


> -----Original Message-----
> From: Berin Lautenbach [mailto:berin@wingsofhermes.org] 
> Sent: Saturday, January 22, 2005 9:58 AM
> To: Milan Tomic
> Subject: Re: XSECSOAPRequestorSimple::doRequest()
> 
> 
> That sounds reasonable.  But some random thoughts :>.
> 
> The Java library has a register of URI resolvers.  I wonder if we should 
> do the same thing that are global to the library.  That way, the SOAP 
> class could simply call the resolver for the particular URI and get 
> returned a class that would do the connection etc.  (Currently the 
> caller needs to explicitly set the correct resolver for signature 
> checking which is a real PITA)
> 
> So rather than modify XSECBinHTTPURIInputStream, you could simply 
> re-implement XSECURIResolver for the Windows SSL stream.  We can fix the 
> SOAP resolver so you can just pass a resolver to it and that way it 
> doesn't have to know anything about certs - the only class 
> that needs to is the resolver.
> 
> When we get fancy, we can create a resolver library class that holds all 
> instantiated resolvers, and the SOAP handler simply makes a call to the 
> library that hands back the correct resolver for the URI.
> 
> Does that sound reasonable?
> 
> We should probably start putting this on security-dev so others can 
> comment as well!
> 
> Cheers,
> 	Berin
> 
> Milan Tomic wrote:
> 
> > Hi,
> > 
> > 	After taking a look into XSEC code
> > (xsec/utils/winutils/XSECBinHTTPURIInputStream) I have realized that 
> > WinSock API was used instead of WinINET API. I have found some SSL 
> > examples in MS Platform SDK, and I'm working on implementing it. My 
> > approach is that XSECBinHTTPURIInputStream class should have
> > setClientCertificate(PCCERT_CONTEXT) method and this class should use 
> > it for SSL in case URL starts with "https". If it doesn't, it 
> > should act as it already does for "http" addresses. 
> > XSECSOAPRequestorSimpleWin32 class should also have 
> > setClientCertificate() method to be able to transfer certificate to 
> > the XSECBinHTTPURIInputStream class. The XSECSOAPRequestorSimpleWin32 
> > class user specifies the URL in the ctor and s/he knows if it starts with 
> > "https" and should somehow find proper cert (e.g. ask user to select 
> > it). I couldn't think of anything better...
> > 
> > Best regards,
> > Milan



RE: XSECSOAPRequestorSimple::doRequest()

Posted by Scott Cantor <ca...@osu.edu>.
> 	The class that I have attached is for Windows OS. It will be
> soon in CVS. Berin will do OpenSSL version. The only things you can set
> up are client certificate (PCCERT_CONTEXT), protocol (PCT, SSL2, SSL3,
> TLS1) and key exchange alg type (RSA, DH). Server certificate is
> validated by searching for it in the Windows cert store.

That last part was my concern. Static trust is, for want of a better word,
limiting. It would be much better to be able to specify the list at runtime,
but I understand if that's a Windows limitation.

Thx,
Scott
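The two design points raised in this thread, a library-wide registry that hands back the resolver for a URI's scheme (Berin's suggestion) and a trust decision the caller can override at run time instead of a fixed store lookup (Scott's concern), sketched as an added C++ example. This is not XSEC code and not the attached class: every name here is hypothetical, the "TLS" resolver looks peers up in a constructed in-memory table instead of opening a connection, and the certificate fingerprints are made-up values.

```cpp
// Added example (hypothetical names, not XSEC code): a scheme-keyed URI resolver
// registry whose TLS resolver consults a pluggable trust policy.
#include <map>
#include <memory>
#include <set>
#include <stdexcept>
#include <string>
#include <utility>
// Stand-in for a server certificate (real code would wrap PCCERT_CONTEXT or X509).
struct PeerCert { std::string subject; std::string fingerprint; };

// The trust hook: consulted before any bytes from a TLS peer are accepted.
class TrustPolicy {
public:
    virtual ~TrustPolicy() = default;
    virtual bool isTrusted(const PeerCert& cert) const = 0;
};

// Static trust: a process-wide store the caller cannot change per use (constructed values).
const std::set<std::string> kSystemStore = {"AA11"};
class StaticStoreTrust : public TrustPolicy {
public:
    bool isTrusted(const PeerCert& c) const override { return kSystemStore.count(c.fingerprint) > 0; }
};

// Runtime trust: anchors supplied by the caller for this resolver, adjustable at run time.
class RuntimeTrust : public TrustPolicy {
public:
    explicit RuntimeTrust(std::set<std::string> anchors) : anchors_(std::move(anchors)) {}
    void trust(const std::string& fingerprint) { anchors_.insert(fingerprint); }
    bool isTrusted(const PeerCert& c) const override { return anchors_.count(c.fingerprint) > 0; }
private:
    std::set<std::string> anchors_;
};

// Resolver interface: returns the fetched bytes (XSEC's resolveURI returns a BinInputStream).
class UriResolver {
public:
    virtual ~UriResolver() = default;
    virtual std::string resolveUri(const std::string& uri) = 0;
};
// Host part of a URI ("" when it has no "://"; no port handling).
std::string uriHost(const std::string& uri) {
    auto start = uri.find("://");
    if (start == std::string::npos) return "";
    auto end = uri.find('/', start + 3);
    return uri.substr(start + 3, end == std::string::npos ? std::string::npos : end - start - 3);
}

// Library-global registry: scheme -> resolver, so callers never pick a resolver by hand.
class ResolverRegistry {
public:
    void add(const std::string& scheme, std::shared_ptr<UriResolver> r) { resolvers_[scheme] = std::move(r); }
    UriResolver& resolverFor(const std::string& uri) const {
        auto it = resolvers_.find(uri.substr(0, uri.find("://")));   // whole URI when no scheme: not found
        if (it == resolvers_.end()) throw std::runtime_error("no resolver for " + uri);
        return *it->second;
    }
private:
    std::map<std::string, std::shared_ptr<UriResolver>> resolvers_;
};
// Simulated https resolver: "connects" to a constructed host table instead of a socket.
class SimulatedHttpsResolver : public UriResolver {
public:
    explicit SimulatedHttpsResolver(std::shared_ptr<TrustPolicy> trust) : trust_(std::move(trust)) {}
    std::string resolveUri(const std::string& uri) override {
        const std::string host = uriHost(uri);
        const PeerCert& presented = hosts_.at(host);   // throws std::out_of_range for an unknown host
        if (!trust_->isTrusted(presented))              // the policy decides, not a fixed store
            throw std::runtime_error("untrusted server certificate for " + host);
        return "<payload from " + host + ">";
    }
private:
    std::shared_ptr<TrustPolicy> trust_;
    std::map<std::string, PeerCert> hosts_ = {{"trusted.example", {"CN=trusted.example", "AA11"}},
                                              {"partner.example", {"CN=partner.example", "BB22"}}};
};
// Plain http resolver: no certificate, so no trust decision to make.
class SimulatedHttpResolver : public UriResolver {
public:
    std::string resolveUri(const std::string& uri) override { return "<plain http payload from " + uriHost(uri) + ">"; }
};
// Registry built around a given trust policy; failures come back as "error: ..." strings.
ResolverRegistry buildRegistry(std::shared_ptr<TrustPolicy> trust) {
    ResolverRegistry reg;
    reg.add("https", std::make_shared<SimulatedHttpsResolver>(std::move(trust)));
    reg.add("http", std::make_shared<SimulatedHttpResolver>());
    return reg;
}
std::string fetch(const ResolverRegistry& reg, const std::string& uri) {
    try { return reg.resolverFor(uri).resolveUri(uri); }
    catch (const std::exception& e) { return std::string("error: ") + e.what(); }
}
// Static store: only trusted.example's certificate is accepted, and the caller cannot widen that.
std::string fetchWithStaticStore(const std::string& uri) {
    return fetch(buildRegistry(std::make_shared<StaticStoreTrust>()), uri);
}
// Runtime policy: the caller chooses which fingerprints to accept for this use.
std::string fetchWithRuntimeTrust(const std::string& uri, std::set<std::string> anchors) {
    return fetch(buildRegistry(std::make_shared<RuntimeTrust>(std::move(anchors))), uri);
}
```

In a real resolver the policy object would be invoked from the TLS library's certificate-verification callback with the peer's chain, which is exactly the hook that a store-only lookup does not expose; the registry lets the SOAP or XKMS caller stay ignorant of which resolver handles `https` and of how that resolver was configured.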


RE: XSECSOAPRequestorSimple::doRequest()

Posted by Milan Tomic <mi...@setcce.org>.
Hello Scott,

	The class that I have attached is for Windows OS. It will be
soon in CVS. Berin will do OpenSSL version. The only things you can set
up are client certificate (PCCERT_CONTEXT), protocol (PCT, SSL2, SSL3,
TLS1) and key exchange alg type (RSA, DH). Server certificate is
validated by searching for it in the Windows cert store.

	Yes, this class is for resolving URIs. I have mentioned SOAP,
because we have planned to use it in XKMS and similar.

Best regards,
Milan


> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu] 
> Sent: Monday, January 24, 2005 5:05 PM
> To: security-dev@xml.apache.org
> Subject: RE: XSECSOAPRequestorSimple::doRequest()
> 
> 
> > I'm attaching Win32 SSL URI resolver class and test code.
> > I still haven't finished testing.
> 
> Are there hooks to override the SSL trust processing? That's 
> a common failing with these kinds of interfaces, and SSL is 
> useless without sufficient control over the authentication.
> 
> > I have some doubts. I have noticed that XSECURIResolver interface 
> > doesn't have send() method and resolveURI() returns BinInputStream.
> > Without send() I'm not sure how we can use it in SOAP?
> 
> Isn't this for resolving URIs? The protocol for resolving an 
> http or https URI is HTTP GET, not SOAP.
> 
> -- Scott
> 



RE: XSECSOAPRequestorSimple::doRequest()

Posted by Scott Cantor <ca...@osu.edu>.
> I'm attaching Win32 SSL URI resolver class and test code.
> I still haven't finished testing.

Are there hooks to override the SSL trust processing? That's a common
failing with these kinds of interfaces, and SSL is useless without
sufficient control over the authentication.

> I have some doubts. I have noticed that XSECURIResolver
> interface doesn't have send() method and resolveURI()
> returns BinInputStream.
> Without send() I'm not sure how we can use it in SOAP?

Isn't this for resolving URIs? The protocol for resolving an http or https
URI is HTTP GET, not SOAP.

-- Scott


RE: XSECSOAPRequestorSimple::doRequest()

Posted by Milan Tomic <mi...@setcce.org>.
Berin,

I'm attaching Win32 SSL URI resolver class and test code.
I still haven't finished testing.

I have some doubts. I have noticed that XSECURIResolver
interface doesn't have send() method and resolveURI()
returns BinInputStream.
Without send() I'm not sure how we can use it in SOAP?

Best regards,
Milan


> -----Original Message-----
> From: Milan Tomic [mailto:milan@setcce.org] 
> Sent: Saturday, January 22, 2005 10:27 AM
> To: security-dev@xml.apache.org
> Subject: RE: XSECSOAPRequestorSimple::doRequest()
> 
> 
> 
> 	OK, I will implement XSECURIResolver for the Windows SSL stream.
> 
> Greetings,
> Milan
> 
> 
> > -----Original Message-----
> > From: Berin Lautenbach [mailto:berin@wingsofhermes.org]
> > Sent: Saturday, January 22, 2005 9:58 AM
> > To: Milan Tomic
> > Subject: Re: XSECSOAPRequestorSimple::doRequest()
> > 
> > 
> > That sounds reasonable.  But some random thoughts :>.
> > 
> > The Java library has a register of URI resolvers.  I wonder if we should 
> > do the same thing that are global to the library.  That way, the SOAP 
> > class could simply call the resolver for the particular URI and get 
> > returned a class that would do the connection etc.  (Currently the 
> > caller needs to explicitly set the correct resolver for signature 
> > checking which is a real PITA)
> > 
> > So rather than modify XSECBinHTTPURIInputStream, you could simply
> > re-implement XSECURIResolver for the Windows SSL stream.  We can fix the 
> > SOAP resolver so you can just pass a resolver to it and that way it 
> > doesn't have to know anything about certs - the only class 
> > that needs to is the resolver.
> > 
> > When we get fancy, we can create a resolver library class that holds all 
> > instantiated resolvers, and the SOAP handler simply makes a call to the 
> > library that hands back the correct resolver for the URI.
> > 
> > Does that sound reasonable?
> > 
> > We should probably start putting this on security-dev so others can
> > comment as well!
> > 
> > Cheers,
> > 	Berin
> > 
> > Milan Tomic wrote:
> > 
> > > Hi,
> > > 
> > > 	After taking a look into XSEC code
> > > (xsec/utils/winutils/XSECBinHTTPURIInputStream) I have realized that
> > > WinSock API was used instead of WinINET API. I have found some SSL
> > > examples in MS Platform SDK, and I'm working on implementing it. My 
> > > approach is that XSECBinHTTPURIInputStream class should have
> > > setClientCertificate(PCCERT_CONTEXT) method and this class should use
> > > it for SSL in case URL starts with "https". If it doesn't, it
> > > should act as it already does for "http" addresses. 
> > > XSECSOAPRequestorSimpleWin32 class should also have 
> > > setClientCertificate() method to be able to transfer certificate to 
> > > the XSECBinHTTPURIInputStream class. The XSECSOAPRequestorSimpleWin32 
> > > class user specifies the URL in the ctor and s/he knows if it starts with 
> > > "https" and should somehow find proper cert (e.g. ask user to select
> > > it). I couldn't think of anything better...
> > > 
> > > Best regards,
> > > Milan
>