For my understanding and to be clear:
1) You are not implementing rsa-sha256 on Initiator or Recipient, so the rsa-sha256 question is a no-op.

2) You are not implementing EncryptedKeySHA1, which is for encryption/decryption only.

3) If the web service is implementing rsa-sha1
Martin Gainty 


> Date: Thu, 10 Mar 2016 15:57:11 +0100
> Subject: Re: WSsecurity: SignatureMethod error
> From: enrique.sori...@gmail.com
> To: java-user@axis.apache.org
> 
> Hi Martin, thanks for your response (again).
> 
> I've solved the problem by downgrading to axis2-1.6.4. Now the client
> stubs generated by wsdl2java work ok.
> 
> Maybe it's just a bug in Axis2 1.7.1 (??).
> 
> >> how would client signing with rsa-sha1 algorithm be able to communicate 
> >> with any webservice expecting rsa-sha256 signature?
> 
> This web service expects rsa-sha1, as I said in previous messages.
> 
> According to [1] and [2], WS SecurityPolicy specifies that rsa-sha1
> must be the signature algorithm. I'm not familiar with WS Security
> anyway.
> 
> Regards.
> Enrique
> 
> Refs:
> 
> [1] 
> https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Fuse/6.0/html/Web_Services_Security_Guide/files/MsgProtect-SOAP-SpecifyAlgorithmSuite.html
MG>this is what Fuse supports..one workaround is to implement with Apache ESB, which supports the OASIS spec
MG>speaking of which..let's reference the OASIS spec on Asymmetric Binding to make sure we are on the same page
MG>if for no other reason than 99% of Financial Institutions only implement X509 tokens..so if your implementation
MG>does not support X509 you won't be able to implement in the majority of financial institutions
MG>below is a verbatim parroting of the OASIS spec:
C.3.1 Policy
The following example shows a policy indicating an Asymmetric Binding, an X509 token as the [Initiator Token], an X509 token as the [Recipient Token], an algorithm suite, a requirement to encrypt the message parts before signing, a requirement to encrypt the message signature, a requirement to include tokens in the message signature and the supporting signatures, a requirement to include wsse11:SignatureConfirmation elements, a username token attached to the message, and finally an X509 token attached to the message and endorsing the message signature. Minimum message protection requirements are described as well.

<!-- Example Endpoint Policy -->
<wsp:Policy xmlns:wsp="..." xmlns:sp="...">
  <sp:AsymmetricBinding>
    <wsp:Policy>
      <sp:RecipientToken>
        <wsp:Policy>
          <sp:X509Token sp:IncludeToken=".../IncludeToken/Always" />
        </wsp:Policy>
     </sp:RecipientToken>
     <sp:InitiatorToken>
       <wsp:Policy>
         <sp:X509Token sp:IncludeToken=".../IncludeToken/Always" />
       </wsp:Policy>
     </sp:InitiatorToken>
     <sp:AlgorithmSuite>
       <wsp:Policy>
         <sp:Basic256 />
       </wsp:Policy>
     </sp:AlgorithmSuite>
     <sp:Layout>
        <wsp:Policy>
          <sp:Strict />
        </wsp:Policy>
     </sp:Layout>
     <sp:IncludeTimestamp />
     <sp:EncryptBeforeSigning />
     <sp:EncryptSignature />
     <sp:ProtectTokens />
   </wsp:Policy>
  </sp:AsymmetricBinding>
  <sp:SignedEncryptedSupportingTokens>
    <wsp:Policy>
      <sp:UsernameToken sp:IncludeToken=".../IncludeToken/Once" />
    </wsp:Policy>
  </sp:SignedEncryptedSupportingTokens>
  <sp:SignedEndorsingSupportingTokens>
    <wsp:Policy>
      <sp:X509Token sp:IncludeToken=".../IncludeToken/Once">
        <wsp:Policy>
          <sp:WssX509v3Token10 />
        </wsp:Policy>
      </sp:X509Token>
    </wsp:Policy>
  </sp:SignedEndorsingSupportingTokens>
  <sp:Wss11>
    <wsp:Policy>
      <sp:RequireSignatureConfirmation />
    </wsp:Policy>
  </sp:Wss11>
</wsp:Policy>

 <!-- Example Message Policy -->
<wsp:All xmlns:wsp="..." xmlns:sp="...">
  <sp:SignedParts>
    <sp:Header Name="Header1" Namespace="..." />
    <sp:Header Name="Header2" Namespace="..." />
    <sp:Body/>
  </sp:SignedParts>
  <sp:EncryptedParts>
    <sp:Header Name="Header2" Namespace="..." />
    <sp:Body/>
  </sp:EncryptedParts>
</wsp:All>
MG>by the JBoss Fuse doc, the Algorithm Suite sp:Basic256 for signature encryption is wrong?
<sp:AlgorithmSuite>
  <wsp:Policy>
    <sp:Basic256 />
  </wsp:Policy>
</sp:AlgorithmSuite>
MG>JBoss Fuse requirements state there is no algorithm other than dsa-rsa1 supported?
MG>but OASIS standards DO support encryption of SIGNATURES with sp:Basic256
MG>is OASIS incorrect?
> [2] http://cxf.apache.org/docs/ws-securitypolicy.html
MG>assertions are misleading but the CYA statement is DOB accurate when they point to the original OASIS spec with this statement:

The WS-SecurityPolicy specification allows for specifying things like asymmetric/symmetric keys, using transports (https) for encryption, which parts/headers to encrypt or sign, whether to sign then encrypt or encrypt then sign, whether to include timestamps, whether to use derived keys, etc... Basically, it describes what actions are necessary to securely interact with the service described in the WSDL.

MG>Additional Note: does CXF tell you that if you use camelcase names for ComplexElements you will fubar CXF wsdl2java?
MG>I have a 4 year old string of emails that documents this fatal error
MG>CONCLUSION
MG>take everything you read from vendors with a grain of salt
MG>it is always a good idea to go back to the original specification for the source of truth
MG>Saludos Enrique
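As an added illustration (not code from Axis2/Rampart, CXF or anyone in this thread), the check below compares the ds:SignatureMethod and ds:DigestMethod URIs of a signed SOAP message with what the policy's sp:AlgorithmSuite allows, which is exactly the rsa-sha256-client versus rsa-sha1-policy mismatch behind the SignatureMethod error. The policy and envelope are constructed samples, the suite table covers only Basic256 and Basic128 as defined in WS-SecurityPolicy 1.2, and no cryptographic verification is performed.

```python
# Added illustration (not Axis2/Rampart or CXF code): compare the ds:SignatureMethod and ds:DigestMethod
# URIs of a signed SOAP message with the suite the policy names. POLICY and MESSAGE are constructed.
import xml.etree.ElementTree as ET

NS_SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
NS_DSM = "http://www.w3.org/2001/04/xmldsig-more#"

# WS-SecurityPolicy 1.2 sect. 6.1: Basic256 and Basic128 use the Sha1 digest; asymmetric signature defaults to RsaSha1.
SHA1_SUITE = {"digest": NS_DS + "sha1", "signature": NS_DS + "rsa-sha1"}
SUITES = {"Basic256": SHA1_SUITE, "Basic128": SHA1_SUITE}  # only the suites this thread mentions

def required_algorithms(policy_xml):
    alg = ET.fromstring(policy_xml).find(f".//{{{NS_SP}}}AlgorithmSuite")
    if alg is None:
        raise ValueError("policy has no sp:AlgorithmSuite")
    # The suite name is the sp:* element nested under sp:AlgorithmSuite/wsp:Policy.
    names = [e.tag.split("}")[1] for e in alg.iter() if e is not alg and e.tag.startswith("{" + NS_SP)]
    if not names or names[0] not in SUITES:
        raise ValueError(f"unsupported algorithm suite: {names}")
    return SUITES[names[0]]

def check_signature(soap_xml, required):
    """List each SignatureMethod/DigestMethod URI the policy does not allow (no crypto check)."""
    root, problems = ET.fromstring(soap_xml), []
    sig = root.find(f".//{{{NS_DS}}}SignatureMethod")
    if sig is None:
        problems.append("no ds:SignatureMethod in message")
    elif sig.get("Algorithm") != required["signature"]:
        problems.append(f"SignatureMethod {sig.get('Algorithm')} but policy requires {required['signature']}")
    for dm in root.iter(f"{{{NS_DS}}}DigestMethod"):
        if dm.get("Algorithm") != required["digest"]:
            problems.append(f"DigestMethod {dm.get('Algorithm')} but policy requires {required['digest']}")
    return problems

POLICY = f"""<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:sp="{NS_SP}">
  <sp:AsymmetricBinding><wsp:Policy>
    <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
  </wsp:Policy></sp:AsymmetricBinding></wsp:Policy>"""

# Constructed envelope: the client signed with rsa-sha256 although the policy says Basic256.
MESSAGE = f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <ds:Signature xmlns:ds="{NS_DS}"><ds:SignedInfo><ds:SignatureMethod Algorithm="{NS_DSM}rsa-sha256"/>
      <ds:Reference URI="#body"><ds:DigestMethod Algorithm="{NS_DS}sha1"/><ds:DigestValue>Y29uc3RydWN0ZWQ=</ds:DigestValue></ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue></ds:Signature>
  </wsse:Security></soapenv:Header><soapenv:Body>payload</soapenv:Body></soapenv:Envelope>"""

if __name__ == "__main__":
    for problem in check_signature(MESSAGE, required_algorithms(POLICY)):
        print("policy violation:", problem)
```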
> On Thu, Mar 10, 2016 at 2:31 PM, Martin Gainty <mgai...@hotmail.com> wrote:
> > Item1:
> >
> > SHA1 is used for encryption/decryption only
> >
> > http://coheigea.blogspot.com/2013/03/signature-and-encryption-key.html
> >
> > Item2:
> >
> >  <sp:AsymmetricBinding >
> >         <wsp:Policy>
> >           <sp:InitiatorToken>
> >             <wsp:Policy>
> >               <sp:X509Token
> > sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> >                 <wsp:Policy>
> >                   <sp:WssX509V3Token10/>
> >                 </wsp:Policy>
> >               </sp:X509Token>
> >             </wsp:Policy>
> >           </sp:InitiatorToken>
> >           <sp:RecipientToken>
> >             <wsp:Policy>
> >               <sp:X509Token
> > sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> >                 <wsp:Policy>
> >                   <sp:WssX509V3Token10/>
> >                 </wsp:Policy>
> >               </sp:X509Token>
> >             </wsp:Policy>
> >           </sp:RecipientToken>
> >           <sp:AlgorithmSuite>
> >             <wsp:Policy>
> >               <sp:Basic128/>
> >             </wsp:Policy>
> >           </sp:AlgorithmSuite>
> >
> > notice that AlgorithmSuite sp:Basic128 is common to both initiator and
> > recipient
> >
> > how would client signing with rsa-sha1 algorithm be able to communicate with
> > any webservice expecting rsa-sha256 signature?
> >
> > Please explain
> > Martin
> > ______________________________________________
> >
> >
> >
> >
> >
> >
> > ________________________________
> > Date: Wed, 9 Mar 2016 19:34:04 +0100
> > Subject: RE: WSsecurity: SignatureMethod error
> > From: enrique.sori...@gmail.com
> > To: java-user@axis.apache.org
> >
> >
> > On Mar 9, 2016 15:34, "Martin Gainty" <mgai...@hotmail.com> wrote:
> >>
> >> 2000 spec you are currently implementing:
> >> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >>
> >> does not accommodate 256 bit signatures
> >>
> >> your current option will only allow 2000 xmldsig spec which is why
> >> you are defaulting to rsa-sha1 algorithm in SignatureMethod
> >
> > I want to use rsa-sha1, I don't want to use rsa-sha256 (which is the
> > signature method my client is currently using).
> >
> > Regards.
> 