Posted to wss4j-dev@ws.apache.org by Mayank Mishra <ma...@pramati.com> on 2008/09/19 15:05:18 UTC

Usage of wsu:id in EncryptedKeyProcessor

Hi All,

I have one query about the check in [1] done for revision *644264* 
</viewvc?view=rev&revision=644264>  in EncryptedKeyProcessor.

For a decrypted node which is of type Element, if that node doesn't 
belong to the Signature namespace or the wsu:id attribute is not present, 
then we add a wsu:id attribute to that decrypted node.
Let us assume, a scenario where we have,

<body> 
    <arg0>
           xyz
    </arg0>
</body>

If we have a WS-Security policy like,  Signing Body, Encrypting arg0, 
and I wish to perform Signature operation before Encryption.
Then on the server side, decryption of the EncryptedData of arg0 will 
happen. This will leave us with,

<body wsu:id=...>  (as body is signed)
    <arg0 wsu:id="enc-id..."> (code adds wsu:id to the decrypted node)
           xyz
    </arg0>
</body>

Now the signature verification of the body fails as the original and 
decrypted text differ (the deciphered arg0 includes wsu:id too).

I can very well assume that after decryption the deciphered text will be 
the same as the original text. Hence, I am putting a signature over the 
parent element and verifying the same. I assume the above is a valid scenario.

I guess the wsu:id may be needed in the case when I need to refer to 
the decrypted element again, say if arg0 has been signed before encryption; 
then SignatureProcessor may search for the element using that Signature 
reference by wsu:id. But that's only in the case when we need to refer to the 
element once again, which is not the case in the above scenario.

Interestingly, if I sign the arg0 also, then SignatureProcessor during 
this reference processing removes the wsu:id, and hence the parent 
(Body) Signature passes.

Kindly let me know about the reason why we are adding wsu:id to the 
decrypted element, and what to expect in a scenario like above.

Thanking You,

With Regards,
Mayank Mishra

[1]. 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java?r1=610709&r2=644264&diff_format=h

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
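The mismatch described in the mail can be reproduced without WSS4J. The following Python script is an added illustration, not code from the thread or from the WSS4J project: it digests a signed Body, then simulates the decryption of arg0 with and without the wsu:Id attribute that EncryptedKeyProcessor adds, and finally simulates SignatureProcessor stripping that attribute again. The Body markup, the id values and the helper names are all constructed for the example. One simplification to be aware of: Python's xml.etree canonicalize() implements C14N 2.0, not the Exclusive C14N 1.0 that WS-Security signatures normally use, but the effect shown (any attribute added inside a signed subtree after signing changes the reference digest) is the same under both.

```python
"""Added illustration (not WSS4J code): why a wsu:Id attribute added to a
decrypted child element breaks a signature over its parent.

Simplification: ElementTree's canonicalize() is C14N 2.0, not the Exclusive
C14N 1.0 WS-Security uses; the digest behaviour shown is the same for both.
"""
import hashlib
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
WSU_ID = f"{{{WSU_NS}}}Id"   # Clark-notation key for the wsu:Id attribute

# Keep the prefixes stable when ElementTree re-serializes the tree.
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("wsu", WSU_NS)

# Constructed sample: the Body as it looked when it was signed, i.e. before
# arg0 was encrypted (sign-then-encrypt). The ids are made up for the example.
SIGNED_BODY = (
    f'<soapenv:Body xmlns:soapenv="{SOAP_NS}" xmlns:wsu="{WSU_NS}" '
    'wsu:Id="Id-body-1"><arg0>xyz</arg0></soapenv:Body>'
)


def digest_value(xml_text: str) -> str:
    """Hex SHA-1 of the canonicalized element: what a verifier recomputes for
    a ds:Reference that points at the Body and compares with ds:DigestValue."""
    canonical = ET.canonicalize(xml_text)
    return hashlib.sha1(canonical.encode("utf-8")).hexdigest()


def simulate_decryption(body_xml: str, add_wsu_id: bool) -> str:
    """Return the Body after arg0 has been 'decrypted' back into place.

    add_wsu_id=True mimics the behaviour the mail describes: the decrypted
    element receives a fresh wsu:Id attribute it did not carry when signed.
    """
    root = ET.fromstring(body_xml)
    arg0 = root.find("arg0")
    if add_wsu_id:
        arg0.set(WSU_ID, "EncDataId-1")  # constructed id
    return ET.tostring(root, encoding="unicode")


def strip_wsu_id(body_xml: str) -> str:
    """Remove the added id from arg0 again (the Body keeps its own wsu:Id),
    as the mail reports SignatureProcessor doing when arg0 itself is signed."""
    root = ET.fromstring(body_xml)
    root.find("arg0").attrib.pop(WSU_ID, None)
    return ET.tostring(root, encoding="unicode")


def verify_body(expected_digest: str, body_xml: str) -> bool:
    """True when the Body still matches the digest the sender signed."""
    return digest_value(body_xml) == expected_digest


def run_scenarios() -> dict:
    """Signature-over-Body outcome for the three states discussed in the mail."""
    expected = digest_value(SIGNED_BODY)          # digest the sender signed
    plain = simulate_decryption(SIGNED_BODY, add_wsu_id=False)
    with_id = simulate_decryption(SIGNED_BODY, add_wsu_id=True)
    return {
        "decrypted_as_is": verify_body(expected, plain),
        "decrypted_with_wsu_id": verify_body(expected, with_id),
        "wsu_id_stripped_again": verify_body(expected, strip_wsu_id(with_id)),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'signature OK' if ok else 'digest mismatch'}")
```

Running it shows the parent signature verifying only when the decrypted arg0 is byte-for-byte what was signed; the added wsu:Id alone is enough to change the canonical form of the Body and therefore its reference digest.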


Re: Usage of wsu:id in EncryptedKeyProcessor

Posted by Mayank Mishra <ma...@pramati.com>.
Any answer to my query will be appreciated a lot.

With Regards,
Mayank

Mayank Mishra wrote:
> Hi All,
>
> I have one query about the check in [1] done for revision *644264* 
> </viewvc?view=rev&revision=644264>  in EncryptedKeyProcessor.
>
> For a decrypted node which is of type Element, if that node doesn't 
> belong to the Signature namespace or the wsu:id attribute is not present, 
> then we add a wsu:id attribute to that decrypted node.
> Let us assume, a scenario where we have,
>
> <body>
>     <arg0>
>            xyz
>     </arg0>
> </body>
>
> If we have a WS-Security policy like,  Signing Body, Encrypting arg0, 
> and I wish to perform Signature operation before Encryption.
> Then on the server side, decryption of the EncryptedData of arg0 will 
> happen. This will leave us with,
>
> <body wsu:id=...>  (as body is signed)
>    <arg0 wsu:id="enc-id..."> (code adds wsu:id to the decrypted node)
>           xyz
>    </arg0>
> </body>
>
> Now the signature verification of the body fails as the original and 
> decrypted text differ (the deciphered arg0 includes wsu:id too).
>
> I can very well assume that after decryption the deciphered text will be 
> the same as the original text. Hence, I am putting a signature over 
> the parent element and verifying the same. I assume the above is a valid 
> scenario.
>
> I guess the wsu:id may be needed in the case when I need to refer to 
> the decrypted element again, say if arg0 has been signed before 
> encryption; then SignatureProcessor may search for the element using 
> that Signature reference by wsu:id. But that's only in the case when we 
> need to refer to the element once again, which is not the case in the 
> above scenario.
>
> Interestingly, if I sign the arg0 also, then SignatureProcessor during 
> this reference processing removes the wsu:id, and hence the parent 
> (Body) Signature passes.
>
> Kindly let me know about the reason why we are adding wsu:id to the 
> decrypted element, and what to expect in a scenario like above.
>
> Thanking You,
>
> With Regards,
> Mayank Mishra
>
> [1]. 
> http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java?r1=610709&r2=644264&diff_format=h 




Re: Usage of wsu:id in EncryptedKeyProcessor

Posted by Mayank Mishra <ma...@pramati.com>.
Mayank Mishra wrote:
> Hi All,
>
> I have one query about the check in [1] done for revision *644264* 
> </viewvc?view=rev&revision=644264>  in EncryptedKeyProcessor.
>
> For a decrypted node which is of type Element, if that node doesn't 
> belong to the Signature namespace or the wsu:id attribute is not present, 
> then we add a wsu:id attribute to that decrypted node.
> Let us assume, a scenario where we have,
>
> <body>
>     <arg0>
>            xyz
>     </arg0>
> </body>
>
> If we have a WS-Security policy like,  Signing Body, Encrypting arg0, 
> and I wish to perform Signature operation before Encryption.
> Then on the server side, decryption of the EncryptedData of arg0 will 
> happen. This will leave us with,
>
> <body wsu:id=...>  (as body is signed)
>    <arg0 wsu:id="enc-id..."> (code adds wsu:id to the decrypted node)
>           xyz
>    </arg0>
> </body>
>
> Now the signature verification of the body fails as the original and 
> decrypted text differ (the deciphered arg0 includes wsu:id too).
>
> I can very well assume that after decryption the deciphered text will be 
> the same as the original text. Hence, I am putting a signature over 
> the parent element and verifying the same. I assume the above is a valid 
> scenario.
>
> I guess the wsu:id may be needed in the case when I need to refer to 
> the decrypted element again, say if arg0 has been signed before 
> encryption; then SignatureProcessor may search for the element using 
> that Signature reference by wsu:id. But that's only in the case when we 
> need to refer to the element once again, which is not the case in the 
> above scenario.
>
I understand that a WSDataRef object is there in EncryptedKeyProcessor 
for more information about the decrypted elements, like the ref Id, the QName of 
the decrypted element and the wsu:id.

With Regards,
Mayank

> Interestingly, if I sign the arg0 also, then SignatureProcessor during 
> this reference processing removes the wsu:id, and hence the parent 
> (Body) Signature passes.
>
> Kindly let me know about the reason why we are adding wsu:id to the 
> decrypted element, and what to expect in a scenario like above.
>
> Thanking You,
>
> With Regards,
> Mayank Mishra
>
> [1]. 
> http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java?r1=610709&r2=644264&diff_format=h 

