Hi Nandana & Martin, Thanks for the quick response.
1) I now understand why Rampart puts <ReferenceList> outside <EncryptedKey> in the EncryptBeforeSigning case. But, how about this requirement in BSP 1.0?: http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html#EncryptedKey_ReferenceList_Preferred I guess it says "SHOULD" and not "MUST"? A colleague of mine mentioned that Rampart-C bails out if an <EncryptedKey> does not contain <ReferenceList>. Not absolutely certain about this though. However, I know from my own testing that Rampart-Java is able to process <ReferenceList> under the <Security> header.

2) I'll file a bug against the handling of headers. I think, right now, only signing of headers works. EncryptionOnly, SignBeforeEncrypting and EncryptBeforeSigning are all broken. When encrypting a header, Rampart ends up replacing the entire header with the <EncryptedData> element. As per my understanding (which could be wrong!), only the "content" of the header should be replaced by <EncryptedData>, going by this: http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html#EncryptedHeaders If we fixed this, it automatically takes care of the issue I brought up earlier, with EncryptBeforeSigning.

Harsha

On Dec 17, 2007 9:06 PM, Martin Gainty <[EMAIL PROTECTED]> wrote:
> Here is the SignedParts node I have in my policy.xml for Rampart 1.3
> <sp:SignedParts
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <sp:Body/>
> </sp:SignedParts>
> Can you display the policy.xml so we can compare to the Rampart 1.3
> Examples?
>
> Thanks/
> M-
>
> ----- Original Message -----
> From: Nandana Mihindukulasooriya
> To: [email protected]
> Sent: Monday, December 17, 2007 7:10 AM
> Subject: Re: Rampart Issues with EncryptBeforeSigning
>
> Hi Harsha,
>
> > 1) When I set <EncryptedParts> and <SignedParts> to <Body>,
> > <ReferenceList> gets added as a direct child of the <wsse:Security>
> > header. However, when I use <SignBeforeEncrypting>, <ReferenceList>
> > gets added to <EncryptedKey>. Why this difference?
>
> This is because Rampart processes the elements in the security header in the
> order they appear in the security header. So for the signature to be correctly
> verified,
>
> SignBeforeEncrypt case:
> Reference List must appear before the Signature element (so the
> signature is verified over decrypted elements).
>
> EncryptBeforeSign case:
> Signature must appear before the Reference List element (so the
> signature is verified over encrypted elements).
>
> So in the sign before encrypt case we can add the reference list to the
> encrypted key as an internal reference.
>
> But in the encrypt before sign case, we have to use an external reference as
> the reference list has to go after the signature element.
>
> > 2) When I set <EncryptedParts> and <SignedParts> to some header,
> > Rampart does the encryption correctly, but doesn't sign. I dug into
> > the code and found that after the message is encrypted the original
> > nodes are no longer there (because they have been replaced by
> > <EncryptedData> elements) and therefore, the signing function can't
> > find any nodes to sign.
>
> Can you please raise a JIRA in Rampart with the policy you used?
>
> Thanks,
> Nandana
>
> > Regards,
> > Harsha
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
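As an added example (not code from this thread, Rampart or WS-I), a small Python checker for the two points discussed above: the ReferenceList/Signature ordering Nandana describes for each protection order, and the EncryptedHeaders expectation Harsha raises that only a header block's content is replaced by xenc:EncryptedData. The function names and the sample wsse:Security fragments are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"

def check_reference_list_order(security_xml, mode):
    """Return True if the header order lets a processor that walks wsse:Security
    top-down verify the Signature correctly for the given protection order.
    mode is 'SignBeforeEncrypt' (ReferenceList must precede Signature, so it is
    verified over decrypted data) or 'EncryptBeforeSign' (Signature must precede
    ReferenceList, so it is verified over encrypted data)."""
    sec = ET.fromstring(security_xml)
    order = []
    for child in sec:
        name = child.tag.split("}")[-1]
        if name == "EncryptedKey" and child.find(f"{{{XENC}}}ReferenceList") is not None:
            order.append("ReferenceList")  # internal reference list counts at EncryptedKey's position
        elif name in ("ReferenceList", "Signature"):
            order.append(name)
    if "ReferenceList" not in order or "Signature" not in order:
        return False
    rl, sig = order.index("ReferenceList"), order.index("Signature")
    return rl < sig if mode == "SignBeforeEncrypt" else sig < rl

def header_encrypted_as_content(header_xml, header_local_name):
    """Return True if the named header block still exists and only its content
    was replaced by an xenc:EncryptedData of Type ...#Content; False if the block
    was replaced wholesale (the behaviour the thread describes as broken)."""
    root = ET.fromstring(header_xml)
    hdr = root.find(f".//{header_local_name}")
    if hdr is None:
        return False
    enc = hdr.find(f"{{{XENC}}}EncryptedData")
    return enc is not None and enc.get("Type") == XENC + "Content"

# Constructed sample fragments (not captured from Rampart); key material omitted.
NS = f'xmlns:wsse="{WSSE}" xmlns:ds="{DS}" xmlns:xenc="{XENC}"'
SIGN_BEFORE_ENCRYPT = (f"<wsse:Security {NS}><xenc:EncryptedKey><xenc:ReferenceList/>"
                       "</xenc:EncryptedKey><ds:Signature/></wsse:Security>")
ENCRYPT_BEFORE_SIGN = (f"<wsse:Security {NS}><xenc:EncryptedKey/><ds:Signature/>"
                       "<xenc:ReferenceList/></wsse:Security>")
CONTENT_ENCRYPTED = (f'<Header xmlns:xenc="{XENC}"><Foo><xenc:EncryptedData '
                     f'Type="{XENC}Content"/></Foo></Header>')
HEADER_REPLACED = f'<Header xmlns:xenc="{XENC}"><xenc:EncryptedData Type="{XENC}Element"/></Header>'

if __name__ == "__main__":
    print(check_reference_list_order(SIGN_BEFORE_ENCRYPT, "SignBeforeEncrypt"))  # True
    print(check_reference_list_order(ENCRYPT_BEFORE_SIGN, "SignBeforeEncrypt"))  # False
    print(header_encrypted_as_content(CONTENT_ENCRYPTED, "Foo"))  # True
    print(header_encrypted_as_content(HEADER_REPLACED, "Foo"))    # False
```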
