Hi Taweewat,
           I don't think this can be configured using the security policy. We can
only define <sp:RequireDerivedKeys /> under a token assertion, but the
latest Rampart source uses derived keys of length 24 and 32. The SOAP request
I generated using the given policy is attached below. Can you try with the
latest Rampart and WSS4J source?

  <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
      <soapenv:Header>
         <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soapenv:mustUnderstand="true">
            <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Timestamp-2850225">
               <wsu:Created>2007-11-15T05:09:52.281Z</wsu:Created>
               <wsu:Expires>2007-11-15T05:14:52.281Z</wsu:Expires>
            </wsu:Timestamp>
            <xenc:EncryptedKey
Id="EncKeyId-urn:uuid:46F36BF2438AF2A29611951033937182">
               <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
               <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                  <wsse:SecurityTokenReference>
                     <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">Xeg55vRyK3ZhAEhEf+YT0z986L0=</wsse:KeyIdentifier>
                  </wsse:SecurityTokenReference>
               </ds:KeyInfo>
               <xenc:CipherData>

<xenc:CipherValue>MadAQnq/RbLlJZzdGNwrPOawc5izqyMWaydVvUeOE0JVU+iyGNoGvEGprZJxb3SnKaQI2/SV++ZZqgdROpUZS+sMa5/lWV9EtwAg8nU5IfBnRUw7/fU6cSJubhgDGn7t+OzEpzRc5iyMDsgou+K1xygTfy0KJNZHVZ79yR+EuCk=</xenc:CipherValue>
               </xenc:CipherData>
            </xenc:EncryptedKey>
            <wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="derivedKeyId-19287723">
               <wsse:SecurityTokenReference>
                  <wsse:Reference
URI="#EncKeyId-urn:uuid:46F36BF2438AF2A29611951033937182"
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
               </wsse:SecurityTokenReference>
               <wsc:Offset>0</wsc:Offset>
               <wsc:Length>32</wsc:Length>
               <wsc:Nonce>+Kd70c242Dir6MTRZJ0/hQ==</wsc:Nonce>
            </wsc:DerivedKeyToken>
            <xenc:ReferenceList>
               <xenc:DataReference URI="#EncDataId-32516997" />
            </xenc:ReferenceList>
            <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-1776694">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</wsse:BinarySecurityToken>
            <wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="derivedKeyId-6778431">
               <wsse:SecurityTokenReference>
                  <wsse:Reference
URI="#EncKeyId-urn:uuid:46F36BF2438AF2A29611951033937182"
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
               </wsse:SecurityTokenReference>
               <wsc:Offset>0</wsc:Offset>
               <wsc:Length>24</wsc:Length>
               <wsc:Nonce>eiDjI8+UH3mLkjgyflxpbQ==</wsc:Nonce>
            </wsc:DerivedKeyToken>
            <xenc:EncryptedData Id="EncDataId-32516997" Type="http://www.w3.org/2001/04/xmlenc#Element">
               <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
               <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                  <wsse:SecurityTokenReference>
                     <wsse:Reference URI="#derivedKeyId-19287723" />
                  </wsse:SecurityTokenReference>
               </ds:KeyInfo>
               <xenc:CipherData>

<xenc:CipherValue>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</xenc:CipherValue>
               </xenc:CipherData>
            </xenc:EncryptedData>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Id="Signature-14779369">
               <ds:SignedInfo>
                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                  <ds:Reference URI="#Signature-162178">
                     <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                     </ds:Transforms>
                     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />

<ds:DigestValue>i4+g0G524j9pGlrh71FlbQ1hkEQ=</ds:DigestValue>
                  </ds:Reference>
               </ds:SignedInfo>

<ds:SignatureValue>WYsKpvHmLm4nrCJRFC2FJBcGO8H+msVwVt2z7DmNt8Uz3EienagSypLKlljvrOmM73Uzfh8c9cM59YcawXZ40QbP0AP+AqLUQC5vygyiBt0gwsmRXg1pwd+SWDUT/cYqM2ToUrvdR9Nd/1k9zVgllmUx2dbByDfJadmoTWbu5XY=</ds:SignatureValue>
               <ds:KeyInfo Id="KeyId-21573890">
                  <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STRId-3190337">
                     <wsse:Reference URI="#CertId-1776694"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
                  </wsse:SecurityTokenReference>
               </ds:KeyInfo>
            </ds:Signature>
         </wsse:Security>
         <wsa:To>http://127.0.0.1:1110/services/XC</wsa:To>
         <wsa:ReplyTo>
            <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
         </wsa:ReplyTo>

<wsa:MessageID>urn:uuid:101C398F6758B4FF111195103392295</wsa:MessageID>
         <wsa:Action>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</wsa:Action>
      </soapenv:Header>
      <soapenv:Body>
         <wst:RequestSecurityToken xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
            <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
            <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
               <wsa:EndpointReference>
                  <wsa:Address>http://127.0.0.1:1110/services/XC</wsa:Address>
               </wsa:EndpointReference>
            </wsp:AppliesTo>
            <wst:Lifetime>
               <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2007-11-15T05:09:52.234Z</wsu:Created>
               <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2007-11-15T05:14:52.234Z</wsu:Expires>
            </wst:Lifetime>
            <wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</wst:TokenType>
            <wst:Entropy>
               <wst:BinarySecret Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
">oq06WFja6FOVEnZyo3LYTUq37566zDXySJJKttZezXxbiFUfPnj6jqSBqPDd2HClw/Z8mbchpmvlxxG8HzW6NydF1DMDHsW9ssTA+sxw9b0sjtBr4VD3TW18XjrHq9Jlr4pFfY3ecRRfKpbNINTMgKQBpq5bqcbXga4wJtDVFdlbRrvIqBz4lst/XKa6k8A5w5/7gWC7fsCiC3WszIZ0ekHB+/0+0AXvnIIT/bBPaya/Zh7qK6q9fopeMjTkZ0e4bifUM/GcGwLEQBICDCvoymv2RbLQ606qmiw/pgYY6m3V7bo79zMQ7QHJuNAnZaaH1byUXeiSKreTQjozGNibww==</wst:BinarySecret>
            </wst:Entropy>
            <wst:ComputedKeyAlgorithm>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1</wst:ComputedKeyAlgorithm>
         </wst:RequestSecurityToken>
      </soapenv:Body>
   </soapenv:Envelope>


Regards,
Nandana



On Nov 13, 2007 2:02 PM, Taweewat Luangwiriya <[EMAIL PROTECTED]>
wrote:

> Hi dev,
>
> Can I configure the length of the derived key from the policy file? The problem
> is that WSE 3.0 uses derived keys as follows:
> ----------------------------------------------------------------
> <wssc:DerivedKeyToken
> wsu:Id="SecurityToken-4cdbe731-ad21-4dff-afc3-2ab43f754756"
> Algorithm="http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1"
> xmlns:wssc="http://schemas.xmlsoap.org/ws/2005/02/sc">
>              <wsse:SecurityTokenReference>
>                <wsse:Reference
> URI="#SecurityToken-b3c94658-1e36-4637-bc42-604fbce4544a"
> ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
>              </wsse:SecurityTokenReference>
>              <wssc:Generation>0</wssc:Generation>
>              <wssc:Length>24</wssc:Length>
>
>  <wssc:Label>WS-SecureConversationWS-SecureConversation</wssc:Label>
>              <wssc:Nonce>GRT5sLVWPCOjBECjj5kUWQ==</wssc:Nonce>
>            </wssc:DerivedKeyToken>
>            <wssc:DerivedKeyToken
> wsu:Id="SecurityToken-190de257-b060-49bc-94d2-692ff6c43550"
> Algorithm="http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1"
> xmlns:wssc="http://schemas.xmlsoap.org/ws/2005/02/sc">
>              <wsse:SecurityTokenReference>
>                <wsse:Reference
> URI="#SecurityToken-b3c94658-1e36-4637-bc42-604fbce4544a"
> ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
>              </wsse:SecurityTokenReference>
>              <wssc:Generation>0</wssc:Generation>
>              <wssc:Length>32</wssc:Length>
>
>  <wssc:Label>WS-SecureConversationWS-SecureConversation</wssc:Label>
>              <wssc:Nonce>9LbRRJM89pbDCkb374wm/A==</wssc:Nonce>
>            </wssc:DerivedKeyToken>
> ---------------------------------------------------------------
> In WSE 3.0 they use derived-key lengths of 24 and 32 respectively, while my
> application, which uses the Rampart module, generates derived keys with lengths 16 and 32.
> Can I change the length of the derived key in Rampart?
>
> My policy file is shown below
> -------------------------------------------------------------
> <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:ProtectionToken>
> <wsp:Policy>
> <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> <wsp:Policy>
> <sp:RequireDerivedKeys/>
> <sp:BootstrapPolicy>
> <wsp:Policy>
> <sp:SymmetricBinding>
> <wsp:Policy>
> <sp:ProtectionToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> <wsp:Policy>
> <sp:RequireDerivedKeys/>
> <sp:RequireKeyIdentifierReference/>
> <sp:WssX509V3Token11/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:ProtectionToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic256Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Strict/>
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp/>
> <sp:EncryptSignature/>
> <sp:OnlySignEntireHeadersAndBody/>
> </wsp:Policy>
> </sp:SymmetricBinding>
> <sp:EndorsingSupportingTokens>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> <sp:WssX509V3Token11/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:EndorsingSupportingTokens>
> <sp:Wss11>
> <wsp:Policy>
> <sp:RequireSignatureConfirmation/>
> <sp:MustSupportRefKeyIdentifier/>
> <sp:MustSupportRefIssuerSerial/>
> </wsp:Policy>
> </sp:Wss11>
> <sp:Trust10>
> <wsp:Policy>
> <sp:MustSupportIssuedTokens/>
> <sp:RequireClientEntropy/>
> <sp:RequireServerEntropy/>
> </wsp:Policy>
> </sp:Trust10>
> </wsp:Policy>
> </sp:BootstrapPolicy>
> </wsp:Policy>
> </sp:SecureConversationToken>
> </wsp:Policy>
> </sp:ProtectionToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic256Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Strict/>
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp/>
> <sp:EncryptSignature/>
> <sp:OnlySignEntireHeadersAndBody/>
> </wsp:Policy>
> </sp:SymmetricBinding>
>
> ---------------------------------------------------------------------------------
>
> Thank you in advance
> twl
>
