Hi,

Let me add a little bit to what Nandana mentioned. The length of the
derived key *only* depends on the algorithm suite used in the policy.
Please see the WS-SecurityPolicy specification for the different key sizes
used with different algorithms. Page 36 of [1].

We found a lot of issues in rampart-1.3 release with respect to key
sizes and those are fixed in the latest rampart/wss4j.

Thanks,
Ruchith

1. http://specs.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.pdf

Nandana Mihindukulasooriya wrote:
> Hi Taweewat,
>            I don't think this can be configured using securitypolicy. We can
> only define <sp:RequireDerivedKeys /> under a token assertion. But the
> latest Rampart source uses derived keys of length 24 and 32. The SOAP request
> I generated using the given policy is attached below. Can you try with the
> latest Rampart and WSS4J source?
> 
>   <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"
>       xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>       xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
>     <soapenv:Header>
>       <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>           soapenv:mustUnderstand="true">
>         <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>             wsu:Id="Timestamp-2850225">
>           <wsu:Created>2007-11-15T05:09:52.281Z</wsu:Created>
>           <wsu:Expires>2007-11-15T05:14:52.281Z</wsu:Expires>
>         </wsu:Timestamp>
>         <xenc:EncryptedKey Id="EncKeyId-urn:uuid:46F36BF2438AF2A29611951033937182">
>           <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
>           <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>             <wsse:SecurityTokenReference>
>               <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>                   ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">Xeg55vRyK3ZhAEhEf+YT0z986L0=</wsse:KeyIdentifier>
>             </wsse:SecurityTokenReference>
>           </ds:KeyInfo>
>           <xenc:CipherData>
>             <xenc:CipherValue>MadAQnq/RbLlJZzdGNwrPOawc5izqyMWaydVvUeOE0JVU+iyGNoGvEGprZJxb3SnKaQI2/SV++ZZqgdROpUZS+sMa5/lWV9EtwAg8nU5IfBnRUw7/fU6cSJubhgDGn7t+OzEpzRc5iyMDsgou+K1xygTfy0KJNZHVZ79yR+EuCk=</xenc:CipherValue>
>           </xenc:CipherData>
>         </xenc:EncryptedKey>
>         <wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
>             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>             wsu:Id="derivedKeyId-19287723">
>           <wsse:SecurityTokenReference>
>             <wsse:Reference URI="#EncKeyId-urn:uuid:46F36BF2438AF2A29611951033937182"
>                 ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
>           </wsse:SecurityTokenReference>
>           <wsc:Offset>0</wsc:Offset>
>           <wsc:Length>32</wsc:Length>
>           <wsc:Nonce>+Kd70c242Dir6MTRZJ0/hQ==</wsc:Nonce>
>         </wsc:DerivedKeyToken>
>         <xenc:ReferenceList>
>           <xenc:DataReference URI="#EncDataId-32516997" />
>         </xenc:ReferenceList>
>         <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>             EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>             ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>             wsu:Id="CertId-1776694">[...]pikGsLix3vAsXWWi4rwfVOYzQK0OFPNi9RMCUdSH06m9uLWckiCxjos0FQODZE9l4ATGy9s9hNVwryOJTw==</wsse:BinarySecurityToken>
>         <wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
>             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>             wsu:Id="derivedKeyId-6778431">
>           <wsse:SecurityTokenReference>
>             <wsse:Reference URI="#EncKeyId-urn:uuid:46F36BF2438AF2A29611951033937182"
>                 ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
>           </wsse:SecurityTokenReference>
>           <wsc:Offset>0</wsc:Offset>
>           <wsc:Length>24</wsc:Length>
>           <wsc:Nonce>eiDjI8+UH3mLkjgyflxpbQ==</wsc:Nonce>
>         </wsc:DerivedKeyToken>
>         <xenc:EncryptedData Id="EncDataId-32516997" Type="http://www.w3.org/2001/04/xmlenc#Element">
>           <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
>           <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>             <wsse:SecurityTokenReference>
>               <wsse:Reference URI="#derivedKeyId-19287723" />
>             </wsse:SecurityTokenReference>
>           </ds:KeyInfo>
>           <xenc:CipherData>
>             <xenc:CipherValue>[...]</xenc:CipherValue>
>           </xenc:CipherData>
>         </xenc:EncryptedData>
>         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-14779369">
>           <ds:SignedInfo>
>             <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>             <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>             <ds:Reference URI="#Signature-162178">
>               <ds:Transforms>
>                 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>               </ds:Transforms>
>               <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>               <ds:DigestValue>i4+g0G524j9pGlrh71FlbQ1hkEQ=</ds:DigestValue>
>             </ds:Reference>
>           </ds:SignedInfo>
>           <ds:SignatureValue>WYsKpvHmLm4nrCJRFC2FJBcGO8H+msVwVt2z7DmNt8Uz3EienagSypLKlljvrOmM73Uzfh8c9cM59YcawXZ40QbP0AP+AqLUQC5vygyiBt0gwsmRXg1pwd+SWDUT/cYqM2ToUrvdR9Nd/1k9zVgllmUx2dbByDfJadmoTWbu5XY=</ds:SignatureValue>
>           <ds:KeyInfo Id="KeyId-21573890">
>             <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>                 wsu:Id="STRId-3190337">
>               <wsse:Reference URI="#CertId-1776694"
>                   ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
>             </wsse:SecurityTokenReference>
>           </ds:KeyInfo>
>         </ds:Signature>
>       </wsse:Security>
>       <wsa:To>http://127.0.0.1:1110/services/XC</wsa:To>
>       <wsa:ReplyTo>
>         <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
>       </wsa:ReplyTo>
>       <wsa:MessageID>urn:uuid:101C398F6758B4FF111195103392295</wsa:MessageID>
>       <wsa:Action>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</wsa:Action>
>     </soapenv:Header>
>     <soapenv:Body>
>       <wst:RequestSecurityToken xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
>         <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
>         <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>           <wsa:EndpointReference>
>             <wsa:Address>http://127.0.0.1:1110/services/XC</wsa:Address>
>           </wsa:EndpointReference>
>         </wsp:AppliesTo>
>         <wst:Lifetime>
>           <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2007-11-15T05:09:52.234Z</wsu:Created>
>           <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2007-11-15T05:14:52.234Z</wsu:Expires>
>         </wst:Lifetime>
>         <wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</wst:TokenType>
>         <wst:Entropy>
>           <wst:BinarySecret Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">oq06WFja6FOVEnZyo3LYTUq37566zDXySJJKttZezXxbiFUfPnj6jqSBqPDd2HClw/Z8mbchpmvlxxG8HzW6NydF1DMDHsW9ssTA+sxw9b0sjtBr4VD3TW18XjrHq9Jlr4pFfY3ecRRfKpbNINTMgKQBpq5bqcbXga4wJtDVFdlbRrvIqBz4lst/XKa6k8A5w5/7gWC7fsCiC3WszIZ0ekHB+/0+0AXvnIIT/bBPaya/Zh7qK6q9fopeMjTkZ0e4bifUM/GcGwLEQBICDCvoymv2RbLQ606qmiw/pgYY6m3V7bo79zMQ7QHJuNAnZaaH1byUXeiSKreTQjozGNibww==</wst:BinarySecret>
>         </wst:Entropy>
>         <wst:ComputedKeyAlgorithm>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1</wst:ComputedKeyAlgorithm>
>       </wst:RequestSecurityToken>
>     </soapenv:Body>
>   </soapenv:Envelope>
> 
> 
> Regards,
> Nandana
> 
> 
> 
> On Nov 13, 2007 2:02 PM, Taweewat Luangwiriya <[EMAIL PROTECTED]>
> wrote:
> 
>> Hi dev,
>>
>> Can I configure the length of the derived key from the policy file? The problem
>> is that wse3.0 uses derived keys as follows
>> ----------------------------------------------------------------
>> <wssc:DerivedKeyToken wsu:Id="SecurityToken-4cdbe731-ad21-4dff-afc3-2ab43f754756"
>>     Algorithm="http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1"
>>     xmlns:wssc="http://schemas.xmlsoap.org/ws/2005/02/sc">
>>   <wsse:SecurityTokenReference>
>>     <wsse:Reference URI="#SecurityToken-b3c94658-1e36-4637-bc42-604fbce4544a"
>>         ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
>>   </wsse:SecurityTokenReference>
>>   <wssc:Generation>0</wssc:Generation>
>>   <wssc:Length>24</wssc:Length>
>>   <wssc:Label>WS-SecureConversationWS-SecureConversation</wssc:Label>
>>   <wssc:Nonce>GRT5sLVWPCOjBECjj5kUWQ==</wssc:Nonce>
>> </wssc:DerivedKeyToken>
>> <wssc:DerivedKeyToken wsu:Id="SecurityToken-190de257-b060-49bc-94d2-692ff6c43550"
>>     Algorithm="http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1"
>>     xmlns:wssc="http://schemas.xmlsoap.org/ws/2005/02/sc">
>>   <wsse:SecurityTokenReference>
>>     <wsse:Reference URI="#SecurityToken-b3c94658-1e36-4637-bc42-604fbce4544a"
>>         ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
>>   </wsse:SecurityTokenReference>
>>   <wssc:Generation>0</wssc:Generation>
>>   <wssc:Length>32</wssc:Length>
>>   <wssc:Label>WS-SecureConversationWS-SecureConversation</wssc:Label>
>>   <wssc:Nonce>9LbRRJM89pbDCkb374wm/A==</wssc:Nonce>
>> </wssc:DerivedKeyToken>
>> ---------------------------------------------------------------
>> In wse3.0 they use derived-key lengths of 24 and 32 respectively, and my
>> work, which uses the rampart module, generates derived keys with lengths 16 and 32.
>> Can I change the length of the derived key in rampart?
>>
>> My policy file is shown below
>> -------------------------------------------------------------
>> <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>   <wsp:Policy>
>>     <sp:ProtectionToken>
>>       <wsp:Policy>
>>         <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>>           <wsp:Policy>
>>             <sp:RequireDerivedKeys/>
>>             <sp:BootstrapPolicy>
>>               <wsp:Policy>
>>                 <sp:SymmetricBinding>
>>                   <wsp:Policy>
>>                     <sp:ProtectionToken>
>>                       <wsp:Policy>
>>                         <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>>                           <wsp:Policy>
>>                             <sp:RequireDerivedKeys/>
>>                             <sp:RequireKeyIdentifierReference/>
>>                             <sp:WssX509V3Token11/>
>>                           </wsp:Policy>
>>                         </sp:X509Token>
>>                       </wsp:Policy>
>>                     </sp:ProtectionToken>
>>                     <sp:AlgorithmSuite>
>>                       <wsp:Policy>
>>                         <sp:Basic256Rsa15/>
>>                       </wsp:Policy>
>>                     </sp:AlgorithmSuite>
>>                     <sp:Layout>
>>                       <wsp:Policy>
>>                         <sp:Strict/>
>>                       </wsp:Policy>
>>                     </sp:Layout>
>>                     <sp:IncludeTimestamp/>
>>                     <sp:EncryptSignature/>
>>                     <sp:OnlySignEntireHeadersAndBody/>
>>                   </wsp:Policy>
>>                 </sp:SymmetricBinding>
>>                 <sp:EndorsingSupportingTokens>
>>                   <wsp:Policy>
>>                     <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>>                       <wsp:Policy>
>>                         <sp:RequireThumbprintReference/>
>>                         <sp:WssX509V3Token11/>
>>                       </wsp:Policy>
>>                     </sp:X509Token>
>>                   </wsp:Policy>
>>                 </sp:EndorsingSupportingTokens>
>>                 <sp:Wss11>
>>                   <wsp:Policy>
>>                     <sp:RequireSignatureConfirmation/>
>>                     <sp:MustSupportRefKeyIdentifier/>
>>                     <sp:MustSupportRefIssuerSerial/>
>>                   </wsp:Policy>
>>                 </sp:Wss11>
>>                 <sp:Trust10>
>>                   <wsp:Policy>
>>                     <sp:MustSupportIssuedTokens/>
>>                     <sp:RequireClientEntropy/>
>>                     <sp:RequireServerEntropy/>
>>                   </wsp:Policy>
>>                 </sp:Trust10>
>>               </wsp:Policy>
>>             </sp:BootstrapPolicy>
>>           </wsp:Policy>
>>         </sp:SecureConversationToken>
>>       </wsp:Policy>
>>     </sp:ProtectionToken>
>>     <sp:AlgorithmSuite>
>>       <wsp:Policy>
>>         <sp:Basic256Rsa15/>
>>       </wsp:Policy>
>>     </sp:AlgorithmSuite>
>>     <sp:Layout>
>>       <wsp:Policy>
>>         <sp:Strict/>
>>       </wsp:Policy>
>>     </sp:Layout>
>>     <sp:IncludeTimestamp/>
>>     <sp:EncryptSignature/>
>>     <sp:OnlySignEntireHeadersAndBody/>
>>   </wsp:Policy>
>> </sp:SymmetricBinding>
>>
>> ---------------------------------------------------------------------------------
>>
>> Thank you in advance
>> twl
>>
> 
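The derivation the whole thread turns on, as an added example (not code from Rampart, WSS4J or WSE): it implements the P_SHA1 expansion named by the `/dk/p_sha1` algorithm URI in the WSE tokens above, reads Generation/Offset, Length, Label and Nonce out of a DerivedKeyToken, and lets a receiver compare the resulting key length with the 24/32 bytes the thread reports for the Basic256 suite. The secret and the token are constructed (only the nonce is copied from the thread); the concatenated default label and the 32-byte default length are assumptions.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

WSC_NS = "http://schemas.xmlsoap.org/ws/2005/02/sc"
P_SHA1_ALG = WSC_NS + "/dk/p_sha1"
# Label WSE 3.0 sends in the thread (client label + service label); assumed as the default here.
DEFAULT_LABEL = "WS-SecureConversationWS-SecureConversation"
# Derived key lengths the thread reports for Basic256: 24 bytes (signature), 32 bytes (encryption).
BASIC256_LENGTHS = {"signature": 24, "encryption": 32}

def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS-style P_SHA1: A(i) = HMAC(secret, A(i-1)); out += HMAC(secret, A(i) + seed)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]

def derive_key(secret: bytes, nonce: bytes, offset: int, length: int,
               label: str = DEFAULT_LABEL) -> bytes:
    """Derived key = bytes [offset, offset + length) of P_SHA1(secret, label + nonce)."""
    return p_sha1(secret, label.encode() + nonce, offset + length)[offset:offset + length]

def derive_from_token(secret: bytes, token_xml: str) -> bytes:
    """Parse a DerivedKeyToken (wsc namespace) and compute the key it describes."""
    root = ET.fromstring(token_xml)
    if root.get("Algorithm", P_SHA1_ALG) != P_SHA1_ALG:
        raise ValueError("unsupported derivation algorithm")
    def child(name, default=None):
        el = root.find("{%s}%s" % (WSC_NS, name))
        return el.text.strip() if el is not None and el.text else default
    length = int(child("Length", "32"))  # 32 bytes assumed as the default when Length is absent
    if child("Offset") is not None:
        offset = int(child("Offset"))
    else:  # Generation g addresses the g-th block of `length` bytes of the P_SHA1 stream
        offset = int(child("Generation", "0")) * length
    return derive_key(secret, base64.b64decode(child("Nonce")), offset, length,
                      child("Label", DEFAULT_LABEL))

# Constructed sample: made-up 32-byte secret and a token shaped like the WSE 3.0 one (nonce from the thread).
SAMPLE_SECRET = bytes(range(32))
SAMPLE_NONCE = base64.b64decode("GRT5sLVWPCOjBECjj5kUWQ==")
SAMPLE_TOKEN = ('<wssc:DerivedKeyToken xmlns:wssc="%s" Algorithm="%s">'
                '<wssc:Generation>0</wssc:Generation><wssc:Length>24</wssc:Length>'
                '<wssc:Label>%s</wssc:Label><wssc:Nonce>GRT5sLVWPCOjBECjj5kUWQ==</wssc:Nonce>'
                '</wssc:DerivedKeyToken>') % (WSC_NS, P_SHA1_ALG, DEFAULT_LABEL)
```

Because the derived key is a window onto one P_SHA1 stream, a 24-byte and a 32-byte key from the same secret, label and nonce share their first 24 bytes; the length must therefore be pinned by the algorithm suite on the receiving side, not taken on trust from the token.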

