Posted to wss4j-dev@ws.apache.org by Mayank Mishra <ma...@pramati.com> on 2008/09/19 15:05:18 UTC
Usage of wsu:id in EncryptedKeyProcessor
Hi All,
I have one query about the check in [1] done for revision *644264*
in EncryptedKeyProcessor.
For a decrypted node which is of type Element, if that node doesn't
belong to the Signature namespace or the wsu:id attribute is not present,
then we add a wsu:id attribute to that decrypted node.
Let us assume, a scenario where we have,
<body>
<arg0>
xyz
</arg0>
</body>
If we have a WS-Security policy like Signing Body, Encrypting arg0,
and I wish to perform the Signature operation before Encryption,
then on the server side, decryption of the EncryptedData of arg0 will
happen. This will leave us with,
<body wsu:id="..."> (as body is signed)
<arg0 wsu:id="enc-id..."> (code adds wsu:id to the decrypted node)
xyz
</arg0>
</body>
Now the signature verification of the body fails as the original and
decrypted text differ (the deciphered arg0 includes wsu:id too).
I can very well assume that after decryption the deciphered text will be
the same as the original text. Hence, I am putting a signature over the
parent element and verifying the same. I assume the above is a valid scenario.
I guess the wsu:id may be needed in the case when I need to refer to
the decrypted element again, say if arg0 has been signed before encryption;
then SignatureProcessor may search for the element using that Signature
reference by wsu:id. But that's only the case when we need to refer to the
element once again, which is not the case in the above scenario.
Interestingly, if I sign the arg0 also, then SignatureProcessor during
this reference processing removes the wsu:id, and hence the parent
(Body) Signature passes.
Kindly let me know about the reason why we are adding wsu:id to the
decrypted element, and what to expect in a scenario like above.
Thanking You,
With Regards,
Mayank Mishra
[1] http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java?r1=610709&r2=644264&diff_format=h
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
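The verification failure described in the mail above, as an added example that is not code from the thread or from WSS4J itself: it digests the constructed body before arg0 is encrypted and again after a wsu:Id has been stamped on the decrypted arg0, the way a signature reference check would, and then shows that stripping the attribute makes the digest match again. ElementTree's C14N stands in for WSS4J's exclusive-C14N transform (the bytes differ, the effect does not), and the element and Id values are constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# The WS-Security utility namespace in which wsu:Id is defined.
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
ET.register_namespace("wsu", WSU_NS)

# Constructed sample: the body from the mail, as the signer saw it.
ORIGINAL_BODY = "<body><arg0>xyz</arg0></body>"


def c14n_digest(xml_text):
    """Canonicalize (ElementTree C14N, a stand-in for WSS4J's exclusive
    C14N transform) and hash, as a <ds:Reference> DigestValue would be."""
    canonical = ET.canonicalize(xml_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def stamp_wsu_id(xml_text, child_tag, value):
    """Mimic EncryptedKeyProcessor: put a wsu:Id on the decrypted child."""
    root = ET.fromstring(xml_text)
    root.find(child_tag).set("{%s}Id" % WSU_NS, value)
    return ET.tostring(root, encoding="unicode")


def strip_wsu_id(xml_text, child_tag):
    """Mimic the cleanup the mail attributes to SignatureProcessor once
    it has resolved its reference: drop the wsu:Id again."""
    root = ET.fromstring(xml_text)
    root.find(child_tag).attrib.pop("{%s}Id" % WSU_NS, None)
    return ET.tostring(root, encoding="unicode")


def verify_reference(expected_digest, xml_text):
    """Verifier side: re-digest the body as it is now and compare."""
    return hmac.compare_digest(expected_digest, c14n_digest(xml_text))


def walk_through():
    """Return (verified as decrypted, verified after stripping wsu:Id)."""
    # Signer: digest over <body> before arg0 is encrypted.
    signed = c14n_digest(ORIGINAL_BODY)
    # Receiver: arg0 decrypts to the original bytes, then gets a wsu:Id.
    decrypted = stamp_wsu_id(ORIGINAL_BODY, "arg0", "enc-id-1")
    # The extra attribute changes the canonical form, so the digest differs.
    as_decrypted = verify_reference(signed, decrypted)
    after_strip = verify_reference(signed, strip_wsu_id(decrypted, "arg0"))
    return as_decrypted, after_strip
```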
Re: Usage of wsu:id in EncryptedKeyProcessor
Posted by Mayank Mishra <ma...@pramati.com>.
Any answer to my query will be appreciated a lot.
With Regards,
Mayank
Mayank Mishra wrote:
> Hi All,
>
> I have one query about the check in [1] done for revision *644264*
> in EncryptedKeyProcessor.
>
> For a decrypted node which is of type Element, if that node doesn't
> belong to Signature Namespace or else wsu:id attribute is not present,
> then we add a wsu:id attribute to that decrypted node.
> Let us assume, a scenario where we have,
>
> <body> <arg0>
> xyz
> </arg0>
> </body>
>
> If we have a WS-Security policy like, Signing Body, Encrypting arg0,
> and I wish to perform Signature operation before Encryption.
> Then on the server side, decryption of the EncryptedData of arg0 will
> happen. This will leave us with,
>
> <body wsu:id="..."> (as body is signed)
> <arg0 wsu:id="enc-id..."> (code adds wsu:id to the decrypted node)
> xyz
> </arg0>
> </body>
>
> Now the signature verification of the body fails as the original and
> decrypted text differ (the deciphered arg0 includes wsu:id too).
>
> I can very well assume that after decryption the decipher text will be
> the same as the original text. Hence, I am putting a signature over
> the parent element and verifying the same. I assume above is a valid
> scenario.
>
> I guess, the wsu:id may be needed in the case when I need to again
> refer the decrypted element, say if arg0 has been signed before
> encryption, then SignatureProcessor may search for the element using
> that Signature reference by wsu:id. But that's only in case when we
> need to refer the element once again, which is not the case in the
> above scenario.
>
> Interestingly, if I sign the arg0 also, then SignatureProcessor during
> this reference processing removes the wsu:id, and hence the parent
> (Body) Signature passes.
>
> Kindly let me know about the reason why we are adding wsu:id to the
> decrypted element, and what to expect in a scenario like above.
>
> Thanking You,
>
> With Regards,
> Mayank Mishra
>
> [1] http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java?r1=610709&r2=644264&diff_format=h
>
>
Re: Usage of wsu:id in EncryptedKeyProcessor
Posted by Mayank Mishra <ma...@pramati.com>.
Mayank Mishra wrote:
> Hi All,
>
> I have one query about the check in [1] done for revision *644264*
> in EncryptedKeyProcessor.
>
> For a decrypted node which is of type Element, if that node doesn't
> belong to Signature Namespace or else wsu:id attribute is not present,
> then we add a wsu:id attribute to that decrypted node.
> Let us assume, a scenario where we have,
>
> <body> <arg0>
> xyz
> </arg0>
> </body>
>
> If we have a WS-Security policy like, Signing Body, Encrypting arg0,
> and I wish to perform Signature operation before Encryption.
> Then on the server side, decryption of the EncryptedData of arg0 will
> happen. This will leave us with,
>
> <body wsu:id="..."> (as body is signed)
> <arg0 wsu:id="enc-id..."> (code adds wsu:id to the decrypted node)
> xyz
> </arg0>
> </body>
>
> Now the signature verification of the body fails as the original and
> decrypted text differ (the deciphered arg0 includes wsu:id too).
>
> I can very well assume that after decryption the decipher text will be
> the same as the original text. Hence, I am putting a signature over
> the parent element and verifying the same. I assume above is a valid
> scenario.
>
> I guess, the wsu:id may be needed in the case when I need to again
> refer the decrypted element, say if arg0 has been signed before
> encryption, then SignatureProcessor may search for the element using
> that Signature reference by wsu:id. But that's only in case when we
> need to refer the element once again, which is not the case in the
> above scenario.
>
I understand that a WSDataRef object is there in EncryptedKeyProcessor
for more information about the decrypted elements, like the ref Id, the QName
of the decrypted element and the wsu:id.
With Regards,
Mayank
> Interestingly, if I sign the arg0 also, then SignatureProcessor during
> this reference processing removes the wsu:id, and hence the parent
> (Body) Signature passes.
>
> Kindly let me know about the reason why we are adding wsu:id to the
> decrypted element, and what to expect in a scenario like above.
>
> Thanking You,
>
> With Regards,
> Mayank Mishra
>
> [1] http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java?r1=610709&r2=644264&diff_format=h
>
>