I have filed RAMPART-125:

https://issues.apache.org/jira/browse/RAMPART-125

On Dec 18, 2007 12:57 PM, Harsha Venkataramu <[EMAIL PROTECTED]> wrote:
> Hi Nandana & Martin,
>
> Thanks for the quick response.
>
> 1) I now understand why Rampart puts <ReferenceList> outside
> <EncryptedKey> in the EncryptBeforeSigning case. But, how about this
> requirement in BSP 1.0?:
>
> http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html#EncryptedKey_ReferenceList_Preferred
>
> I guess it says "SHOULD" and not "MUST"? A colleague of mine mentioned
> that Rampart-C bails out if an <EncryptedKey> does not contain
> <ReferenceList>. Not absolutely certain about this though. However, I
> know from my own testing that Rampart-Java is able to process
> <ReferenceList> under the <Security> header.
>
> 2) I'll file a bug against the handling of headers. I think, right
> now, only signing of headers works. EncryptionOnly,
> SignBeforeEncrypting and EncryptBeforeSigning are all broken. When
> encrypting a header, Rampart ends up replacing the entire header with
> the <EncryptedData> element. As per my understanding (which could be
> wrong!), only the "content" of the header should be replaced by
> <EncryptedData>, going by this:
>
> http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html#EncryptedHeaders
>
> If we fixed this, it automatically takes care of the issue I brought
> up earlier, with EncryptBeforeSigning.
>
> Harsha
>
>
> On Dec 17, 2007 9:06 PM, Martin Gainty <[EMAIL PROTECTED]> wrote:
> >
> >
> > Here is the SignedParts node I have in my policy.xml for Rampart 1.3
> >    <sp:SignedParts
> > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >     <sp:Body/>
> >    </sp:SignedParts>
> > Can you display the policy.xml so we can compare to the Rampart 1.3
> > Examples?
> >
> > Thanks/
> > M-
> >
> >
> >
> > ----- Original Message -----
> > From: Nandana Mihindukulasooriya
> > To: [email protected]
> > Sent: Monday, December 17, 2007 7:10 AM
> > Subject: Re: Rampart Issues with EncryptBeforeSigning
> >
> > Hi Harsha,
> >
> >
> >
> > > 1) When I set <EncryptedParts> and <SignedParts> to <Body>,
> > > <ReferenceList> gets added as a direct child of the <wsse:Security>
> > > header. However, when I use <SignBeforeEncrypting>, <ReferenceList>
> > > gets added to <EncryptedKey>. Why this difference?
> >
> >
> > This is because Rampart processes the elements in the security header in
> > the order they appear. So, for the signature to be correctly verified:
> >
> > SignBeforeEncrypt case :
> >     Reference List must appear before the Signature element. (So the
> > signature is verified over decrypted elements.)
> >
> > EncryptBeforeSign case :
> >    Signature must appear before the Reference List element. (So the
> > signature is verified over encrypted elements.)
> >
> > So in the sign before encrypt case we can add the reference list to the
> > encrypted key as an internal reference.
> >
> > But in the encrypt before sign case, we have to use an external reference,
> > as the reference list has to go after the signature element.
> >
> >
> >
> > > 2) When I set <EncryptedParts> and <SignedParts> to some header,
> > > Rampart does the encryption correctly, but doesn't sign. I dug into
> > > the code and found that after the message is encrypted the original
> > > nodes are no longer there (because they have been replaced by
> > > <EncryptedData> elements) and therefore, the signing function can't
> > > find any nodes to sign.
> > >
> >
> >
> > Can you please raise a JIRA in Rampart with the policy you used ?
> >
> > Thanks,
> > Nandana
> >
> >
> >
> > >
> > >
> > > Regards,
> > > Harsha
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> > >
> >
> >
>
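The ordering rule Nandana gives and the encrypted-header behaviour Harsha reports, as an added illustration (example code, not Rampart's or Rampart-C's own): a small checker over a SOAP envelope that reports where <ReferenceList> sits (inside <EncryptedKey> or as a direct child of <Security>), which processing order that placement implies, and whether each non-Security header was replaced wholesale by <EncryptedData> or only had its content encrypted. The two envelopes are constructed samples with placeholder ciphertext; the namespaces are the standard WSS 1.0, XML Encryption and XML Signature ones, and the function names are mine.

```python
"""Added example (not Rampart code): check the wsse:Security ordering and the
encrypted-header shape discussed in the thread above. The envelopes at the
bottom are constructed samples with placeholder ciphertext ("AAAA")."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _tag(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def _index(children, tag):
    """Position of the first direct child with this tag, or None."""
    for i, child in enumerate(children):
        if child.tag == tag:
            return i
    return None


def classify_security_header(envelope_xml):
    """Return (reference_list_placement, inferred_order).

    placement: 'internal' (inside EncryptedKey), 'external' (direct child of
    wsse:Security) or None. The order follows the rule stated in the thread:
    a receiver walks the Security children top to bottom, so ReferenceList
    before Signature means decrypt-then-verify (SignBeforeEncrypt) and
    Signature before ReferenceList means verify-then-decrypt (EncryptBeforeSign).
    """
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        raise ValueError("no wsse:Security header")
    children = list(security)
    sig = _index(children, _tag("ds", "Signature"))
    reflist = _index(children, _tag("xenc", "ReferenceList"))
    placement = "external" if reflist is not None else None
    if reflist is None:
        ek = _index(children, _tag("xenc", "EncryptedKey"))
        if ek is not None and children[ek].find("xenc:ReferenceList", NS) is not None:
            placement, reflist = "internal", ek
    if sig is None or reflist is None:
        order = "unknown"
    elif reflist < sig:
        order = "sign-before-encrypt"
    else:
        order = "encrypt-before-sign"
    return placement, order


def check_encrypted_headers(envelope_xml):
    """List (name, status) for every non-Security SOAP header.

    'content-encrypted': header element kept, its content replaced by
    EncryptedData (the shape the thread says BSP 1.0 calls for).
    'element-replaced': the header itself became an EncryptedData element,
    so a later signing step has no header left to find (the reported bug).
    """
    root = ET.fromstring(envelope_xml)
    findings = []
    for child in root.find("soap:Header", NS):
        local = child.tag.split("}")[-1]
        if child.tag == _tag("wsse", "Security"):
            continue
        if child.tag == _tag("xenc", "EncryptedData"):
            findings.append((child.get("Id", local), "element-replaced"))
        elif child.find("xenc:EncryptedData", NS) is not None:
            findings.append((local, "content-encrypted"))
        else:
            findings.append((local, "plaintext"))
    return findings


_ENV = ('<soapenv:Envelope xmlns:soapenv="%(soap)s" xmlns:wsse="%(wsse)s" '
        'xmlns:xenc="%(xenc)s" xmlns:ds="%(ds)s">' % NS)
_CIPHER = "<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>"

# Constructed sample: ReferenceList inside EncryptedKey, ahead of the Signature;
# the header keeps its element and only its content is encrypted.
SIGN_BEFORE_ENCRYPT = _ENV + """<soapenv:Header><wsse:Security>
<xenc:EncryptedKey Id="EK-1">%s<xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList></xenc:EncryptedKey>
<ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
</wsse:Security>
<MyHeader xmlns="urn:example"><xenc:EncryptedData Id="ED-1" Type="http://www.w3.org/2001/04/xmlenc#Content">%s</xenc:EncryptedData></MyHeader>
</soapenv:Header><soapenv:Body/></soapenv:Envelope>""" % (_CIPHER, _CIPHER)

# Constructed sample: Signature first, then an external ReferenceList; the
# header was replaced wholesale by EncryptedData, as reported in the thread.
ENCRYPT_BEFORE_SIGN = _ENV + """<soapenv:Header><wsse:Security>
<xenc:EncryptedKey Id="EK-1">%s</xenc:EncryptedKey>
<ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
<xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
</wsse:Security>
<xenc:EncryptedData Id="ED-1" Type="http://www.w3.org/2001/04/xmlenc#Element">%s</xenc:EncryptedData>
</soapenv:Header><soapenv:Body/></soapenv:Envelope>""" % (_CIPHER, _CIPHER)

if __name__ == "__main__":
    for name, env in (("sample 1", SIGN_BEFORE_ENCRYPT), ("sample 2", ENCRYPT_BEFORE_SIGN)):
        print(name, classify_security_header(env), check_encrypted_headers(env))
```

Run against a real Rampart response, the second function is the quick way to confirm whether a header came back as <MyHeader><xenc:EncryptedData .../></MyHeader> or as a bare <xenc:EncryptedData> where the header used to be; the first shows at a glance whether the reference list was emitted as an internal or external reference and which verification order a top-to-bottom receiver will apply.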
