I looked at the version history and the following commit seems to be related:
http://svn.apache.org/viewvc?rev=1087600&view=rev Maybe that's the change between 1.6.4 and 1.7.0 that explains your issue. Andreas On Fri, Mar 11, 2016 at 3:55 PM, Enrique Soriano <enrique.sori...@gmail.com> wrote: > Hi Martin, I really appreciate your efforts to help me, but I think you > didn’t understand the problem. > > The client stubs generated by Axis2 1.7.1 were sending rsa-sha256 > signatures, this is a fact. > > The server I need to use requires rsa-sha1 signatures, this is a fact. > > The client stubs generated by Axis2 1.6.4 are sending rsa-sha1 signatures, > this is a fact. > > The client and the server can *now* verify the request/responses, this is > a fact. > > My question was not a no-op. > > > Thanks again. > Regards. > > On Fri, Mar 11, 2016 at 1:56 PM, Martin Gainty <mgai...@hotmail.com> > wrote: > >> for my understanding and to be clear >> >> 1)you are not implementing rsa-sha256 on Initiator or recipient so the >> rsa-sha256 question is a no-op >> >> 2)you are not implementing EncryptedKeySHA1 which is for >> encryption/decryption only >> >> 3)if the web-service is implementing rsa-sha1 >> Martin Gainty >> ______________________________________________ >> >> _____ _ _____ _ _____ ___ _ >> _____ _ _ _ >> |_ _| |_ ___ | _ |___ ___ ___| |_ ___ | __|___| _| |_ _ _ _ ___ >> ___ ___ | __|___ _ _ ___ _| |___| |_|_|___ ___ >> | | | | -_| | | . | .'| _| | -_| |__ | . | _| _| | | | .'| >> _| -_| | __| . | | | | . | .'| _| | . | | >> |_| |_|_|___| |__|__| _|__,|___|_|_|___| |_____|___|_| |_| >> |_____|__,|_| |___| |__| |___|___|_|_|___|__,|_| |_|___|_|_| >> |_| >> >> >> >> >> > Date: Thu, 10 Mar 2016 15:57:11 +0100 >> > Subject: Re: WSsecurity: SignatureMethod error >> > From: enrique.sori...@gmail.com >> > To: java-user@axis.apache.org >> > >> > Hi Martin, thanks for your response (again). >> > >> > I've solved the problem by downgrading to axis2-1.6.4. Now the client >> > stubs generated by wsdl2java work ok. >> > >> > Maybe it's just a bug in Axis2 2-1.7.1 (??). >> > >> > >> how would client signing with rsa-sha1 algorithm be able to >> communicate with any webservice expecting rsa-sha256 signature? >> > >> > This web service expects a rsa-sha1, as I said in previous messages. >> > >> > According to [1] and [2], WS SecurityPolicy specifies that rsa-sha1 >> > must be the signature algorithm. I'm not familiar with WS Security >> > anyway. >> > >> > Regards. >> > Enrique >> > >> > Refs: >> > >> > [1] >> https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Fuse/6.0/html/Web_Services_Security_Guide/files/MsgProtect-SOAP-SpecifyAlgorithmSuite.html >> MG>this is what Fuse supports..one work around is to implement with >> Apache ESB which supports OASIS spec >> MG>speaking of which ..lets reference the OASIS spec on Asymmetric >> Binding to make sure we are on the same page >> MG>if for no other reason than 99% of Financial Institutions only >> implement X509 tokens..so if your implementation >> MG>does not support X509 you wont be able to implement in majority of >> financial institutions >> MG>below is a verbatim parroting of OASIS spec: >> >> C.3.1 Policy >> >> The following example shows a policy indicating an Asymmetric Binding, >> an X509 token as the [Initiator Token], >> an X509 token as the [Recipient Token], >> an algorithm suite, a requirement to encrypt the message parts before >> signing, >> a requirement to encrypt the message signature, >> a requirement to include tokens in the message signature and the >> supporting signatures, >> a requirement to include wsse11:SignatureConfirmation elements, >> a username token attached to the message, and finally an X509 token >> attached to the message and endorsing the message signature. >> Minimum message protection requirements are described as well. >> >> <!-- Example Endpoint Policy --> >> <wsp:Policy xmlns:wsp="..." xmlns:sp="..."> >> <sp:AsymmetricBinding> >> <wsp:Policy> >> <sp:RecipientToken> >> <wsp:Policy> >> <sp:X509Token sp:IncludeToken=".../IncludeToken/Always" /> >> </wsp:Policy> >> </sp:RecipientToken> >> <sp:InitiatorToken> >> <wsp:Policy> >> <sp:X509Token sp:IncludeToken=".../IncludeToken/Always" /> >> </wsp:Policy> >> </sp:InitiatorToken> >> <sp:AlgorithmSuite> >> <wsp:Policy> >> <sp:Basic256 /> >> </wsp:Policy> >> </sp:AlgorithmSuite> >> <sp:Layout> >> <wsp:Policy> >> <sp:Strict /> >> </wsp:Policy> >> </sp:Layout> >> <sp:IncludeTimestamp /> >> <sp:EncryptBeforeSigning /> >> <sp:EncryptSignature /> >> <sp:ProtectTokens /> >> </wsp:Policy> >> </sp:AsymmetricBinding> >> <sp:SignedEncryptedSupportingTokens> >> <wsp:Policy> >> <sp:UsernameToken sp:IncludeToken=".../IncludeToken/Once" /> >> </wsp:Policy> >> </sp:SignedEncryptedSupportingTokens> >> <sp:SignedEndorsingSupportingTokens> >> <wsp:Policy> >> <sp:X509Token sp:IncludeToken=".../IncludeToken/Once"> >> >> <wsp:Policy> >> >> <sp:WssX509v3Token10 /> >> >> </wsp:Policy> >> >> </sp:X509Token> >> </wsp:Policy> >> </sp:SignedEndorsingSupportingTokens> >> <sp:Wss11> >> <wsp:Policy> >> <sp:RequireSignatureConfirmation /> >> </wsp:Policy> >> </sp:Wss11> >> </wsp:Policy> >> >> >> >> <!-- Example Message Policy --> >> <wsp:All xmlns:wsp="..." xmlns:sp="..."> >> <sp:SignedParts> >> <sp:Header Name="Header1" Namespace="..." /> >> <sp:Header Name="Header2" Namespace="..." /> >> <sp:Body/> >> </sp:SignedParts> >> <sp:EncryptedParts> >> <sp:Header Name="Header2" Namespace="..." /> >> <sp:Body/> >> </sp:EncryptedParts> >> </wsp:All> >> >> >> MG>by Jboss Fuse doc the Algorithm Suite sp:Basic256 for signature >> encryption is wrong? >> <sp:AlgorithmSuite> >> <wsp:Policy> >> <sp:Basic256 /> >> </wsp:Policy> >> </sp:AlgorithmSuite> >> MG>Jboss Fuse requirements states there is no algorithm other than >> dsa-rsa1 supported? >> MG>but OASIS standards DO support encryption of SIGNATURES with >> sp:Basic256 >> MG>is OASIS incorrect? >> >> > [2] http://cxf.apache.org/docs/ws-securitypolicy.html >> MG>assertions are misleading but the CYA statement is DOB accurate when >> they point to the original OASIS spec with this statement: >> >> TheWS-SecurityPolicy specification >> <http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/ws-securitypolicy.html> >> allows >> for specifying things like asymmetric/symmetric keys, using transports >> (https) for encryption, which parts/headers to encrypt or sign, whether to >> sign then encrypt or encrypt then sign, whether to include timestamps, >> whether to use derived keys, etc... Basically, it describes what actions >> are necessary to securely interact with the service described in the WSDL. >> >> MG>Additional Note: does CXF tell you that if you use camelcase names for >> ComplexElements you will fubar CXF wsdl2java? >> MG>i have a 4 year old string of emails that documents this fatal error >> >> MG>CONCLUSION >> MG>take everything you read from vendors with a grain of salt >> MG>its is always a good idea to go back to the original specification for >> the source of truth >> MG>Saludos Enrique >> >> > On Thu, Mar 10, 2016 at 2:31 PM, Martin Gainty <mgai...@hotmail.com> >> wrote: >> > > Item1: >> > > >> > > SHA1 is used for encryption/decryption only >> > > >> > > >> http://coheigea.blogspot.com/2013/03/signature-and-encryption-key.html >> > > >> > > Item2: >> > > >> > > <sp:AsymmetricBinding > >> > > <wsp:Policy> >> > > <sp:InitiatorToken> >> > > <wsp:Policy> >> > > <sp:X509Token >> > > sp:IncludeToken=" >> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient >> "> >> > > <wsp:Policy> >> > > <sp:WssX509V3Token10/> >> > > </wsp:Policy> >> > > </sp:X509Token> >> > > </wsp:Policy> >> > > </sp:InitiatorToken> >> > > <sp:RecipientToken> >> > > <wsp:Policy> >> > > <sp:X509Token >> > > sp:IncludeToken=" >> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient >> "> >> > > <wsp:Policy> >> > > <sp:WssX509V3Token10/> >> > > </wsp:Policy> >> > > </sp:X509Token> >> > > </wsp:Policy> >> > > </sp:RecipientToken> >> > > <sp:AlgorithmSuite> >> > > <wsp:Policy> >> > > <sp:Basic128/> >> > > </wsp:Policy> >> > > </sp:AlgorithmSuite> >> > > >> > > notice that AlgorithmSuite sp:Basic128 is common to both initiator and >> > > recipient >> > > >> > > how would client signing with rsa-sha1 algorithm be able to >> communicate with >> > > any webservice expecting rsa-sha256 signature? >> > > >> > > Please explain >> > > Martin >> > > ______________________________________________ >> > > >> > > >> > > >> > > >> > > >> > > >> > > ________________________________ >> > > Date: Wed, 9 Mar 2016 19:34:04 +0100 >> > > Subject: RE: WSsecurity: SignatureMethod error >> > > From: enrique.sori...@gmail.com >> > > To: java-user@axis.apache.org >> > > >> > > >> > > On Mar 9, 2016 15:34, "Martin Gainty" <mgai...@hotmail.com> wrote: >> > >> >> > >> 2000 spec you are >> > >> currently implementing: >> > >> <ds:KeyInfo xmlns:ds="http:// >> > >>www.w3.org/2000/09/xmldsig#"> >> > >> >> > >> does not acommodate >> > >>256 bit signatures >> > >> >> > >> your current option will only >> > >>allow 2000 xmldsig spec which is why >> > >>you are defaulting to rsa-sha1 >> > >>algorithm in SignatureMethod >> > > >> > > I want to use rsa-sha1, I don't want to use rsa-sha256 (which is the >> > > signature method my client is currently using). >> > > >> > > Regards. >> > >> > --------------------------------------------------------------------- >> > To unsubscribe, e-mail: java-user-unsubscr...@axis.apache.org >> > For additional commands, e-mail: java-user-h...@axis.apache.org >> > >> > >
