Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.0.9

2017-08-14 Thread Hugo Trippaers
+1 (non-binding)

Cheers,

Hugo

> On 14 Aug 2017, at 13:10, Colm O hEigeartaigh  wrote:
> 
> This is a vote to release Apache Santuario - XML Security for Java 2.0.9. 
> This is a minor bug fix release - perhaps the most significant fix is to 
> allow setting default algorithms without invoking the SecurityManager, and so 
> to allow Santuario to run in Google App Engine. 
> 
> SVN tag:
> 
> https://svn.apache.org/repos/asf/santuario/xml-security-java/tags/xmlsec-2.0.9/
>  
> 
> 
> Artifacts:
> 
> https://repository.apache.org/content/repositories/orgapachesantuario-1015/ 
> 
> 
> Source dist:
> 
> https://repository.apache.org/content/repositories/orgapachesantuario-1015/org/apache/santuario/xmlsec/2.0.9/xmlsec-2.0.9-source-release.zip
>  
> 
> 
> +1 from me.
> 
> Colm.
> 
> 
> -- 
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com 



SANTUARIO-458

2017-01-12 Thread Hugo Trippaers
Hey Colm,

What's the next step in discussing the patch for SANTUARIO-458? Does my 
solution make sense given the requirements of the interface I’m trying to talk 
to, or should I try for an alternative approach?


Cheers,

Hugo

Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.0.8

2016-12-02 Thread Hugo Trippaers
Aahhh.. me bad..

I did submit a patch that day, but didn’t update JIRA.

https://github.com/apache/santuario-java/pull/9/commits/ea7138d512908612598fd418b7496c4072d97d00


Cheers,

Hugo

> On 2 Dec 2016, at 14:42, Colm O hEigeartaigh <cohei...@apache.org> wrote:
> 
> I asked on the JIRA to see if you had finished with the patch and got no 
> response: https://issues.apache.org/jira/browse/SANTUARIO-458
> 
> Colm.
> 
> On Fri, Dec 2, 2016 at 1:37 PM, Hugo Trippaers <trip...@gmail.com> wrote:
> Hey Colm,
> 
> Was there something still wrong with the patch for SANTUARIO-458 so it 
> couldn’t be included on 2.0.8?
> 
> Cheers,
> 
> Hugo
> 
> 
>> On 1 Dec 2016, at 14:39, Colm O hEigeartaigh <cohei...@apache.org> wrote:
>> 
>> This is a vote to release Apache Santuario - XML Security for Java 2.0.8. 
>> 
>> Issues fixed:
>> 
>> https://issues.apache.org/jira/browse/SANTUARIO/fixforversion/12336742
>> 
>> Maven artifacts:
>> 
>> https://repository.apache.org/content/repositories/orgapachesantuario-1013/
>> 
>> SVN tag:
>> 
>> https://svn.apache.org/repos/asf/santuario/xml-security-java/tags/xmlsec-2.0.8/
>> 
>> +1 from me.
>> 
>> Colm.
>> 
>> 
>> -- 
>> Colm O hEigeartaigh
>> 
>> Talend Community Coder
>> http://coders.talend.com
> 
> 
> 
> 
> -- 
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com



Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.0.8

2016-12-02 Thread Hugo Trippaers
Hey Colm,

Was there something still wrong with the patch for SANTUARIO-458 so it couldn’t 
be included on 2.0.8?

Cheers,

Hugo


> On 1 Dec 2016, at 14:39, Colm O hEigeartaigh  wrote:
> 
> This is a vote to release Apache Santuario - XML Security for Java 2.0.8. 
> 
> Issues fixed:
> 
> https://issues.apache.org/jira/browse/SANTUARIO/fixforversion/12336742 
> 
> 
> Maven artifacts:
> 
> https://repository.apache.org/content/repositories/orgapachesantuario-1013/ 
> 
> 
> SVN tag:
> 
> https://svn.apache.org/repos/asf/santuario/xml-security-java/tags/xmlsec-2.0.8/
>  
> 
> 
> +1 from me.
> 
> Colm.
> 
> 
> -- 
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com 



Question on specific document requirements

2016-10-12 Thread Hugo Trippaers
Hey folks,

Hope this is the right place to ask this, but I’m working on an interface to a 
system with some specific requirements I haven’t figured out yet. I’ve got some 
of them covered so far (they use KeyName as key identifier, for example), but I 
have a few remaining things I need to solve and I would like to know if those 
are possible to configure with the current version of the Santuario library.

First of all, their implementation expects the signature element to be the last 
element in the resulting XML document. See the example below; can this be done 
with a configuration?



  ….
  …


Second, they don’t accept Ids in the root and signature element and expect the 
Reference URI to be an empty string.

And they also seem to take offence at the 'http://www.w3.org/2001/10/xml-exc-c14n#' transform being present.

Below is the complete signature as generated by my current configuration. 

I'm using the library indirectly from the CXF XmlSecOutInterceptor with the 
following configuration:

final SignatureProperties properties = new SignatureProperties();

/* 1. The entire XML message must be signed.
 * 2. For the purpose of generating the digest of the main message, the
 *    inclusive canonicalization algorithm must be used.
 * 3. For the purpose of generating the signature value, the exclusive
 *    canonicalization algorithm must be used.
 */
properties.setSignatureC14nMethod(XMLSecurityConstants.NS_C14N_EXCL);

/* 4. The syntax for an enveloped signature must be used.
 * 5. For hashing purposes the SHA256 algorithm must be used.
 */
properties.setSignatureDigestAlgo(XMLSecurityConstants.NS_XENC_SHA256);

/* 6. For signature purposes the RSAWithSHA256 algorithm must be used. RSA keys
 *    must be 2,048 bits long.
 */
properties.setSignatureAlgo(XMLSecurityConstants.NS_XMLDSIG_RSASHA256);

/* 7. The public key must be referenced using a fingerprint of an X.509
 *    certificate. The fingerprint must be calculated according to the
 *    following formula HEX(SHA-1(DER certificate)).
 */
properties.setSignatureKeyIdType("KeyName");


Looking for some pointers to get this done; if it is configuration that would be 
great. If this needs some modifications in the code I would be happy with some 
pointers in the right direction.

Thanks!

Hugo




  http://www.w3.org/2000/09/xmldsig#; 
Id="G1345d174-e9d2-4a6f-b573-8b750773b2ee">

  http://www.w3.org/2001/10/xml-exc-c14n#; />
  http://www.w3.org/2001/04/xmldsig-more#rsa-sha256; />
  

  http://www.w3.org/2000/09/xmldsig#enveloped-signature; />
  http://www.w3.org/2001/10/xml-exc-c14n#; />

http://www.w3.org/2001/04/xmlenc#sha256; 
/>

AtXiXRQ7sLparlwtp9PwFcUmdzR8XsJenVNxy3Ulue4=
  


I+qG/S2HV+1c9a6quuH15cooZHslLG+GlyWgvnzn83DYGh6tgG4c2sKgUMy3OuES3raw8dczf02Q
THvwztwoMl7136Ca2M9/Qyc/BRhW7fVoMqMzkppHcTtFFB/V7Q3D9k8VquqdPuGwFb+rPSgQfdxe
owB00/OGt5eXcMcpLERvbK6t9iRbg6ykLBGgc0VLQSYbxcA4FgBe1RTOFbuUadq9Nz4qVxXmZyTY
rH/kdmOIvsL1yrCmhQ2EqVw8XalNVBoamu2T3WCxPWDSvZrvJ0Hf7bp0K6hd/aF7vRwaYzklDA0Z
F1XAUMctYXnBNFc5yjeyrCEGiEmkLYsafcP3AQ==


  B1E1820D3DC7D8E57F80AF11B968749380A5D1EB
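
The seven requirements listed in the message above, as an added example that is not part of the original post and is not Santuario or CXF code: it uses the JDK's JSR-105 DOM API (javax.xml.crypto.dsig) instead of the StAX/CXF path the post uses. The class and method names are hypothetical, and the sample document, the RSA key and the stand-in certificate bytes are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class EnvelopedKeyNameSignature {            // hypothetical class name
    /** HEX(SHA-1(DER certificate)); callers pass X509Certificate.getEncoded(). */
    static String keyName(byte[] derCertificate) throws Exception {
        byte[] sha1 = MessageDigest.getInstance("SHA-1").digest(derCertificate);
        return String.format("%040X", new java.math.BigInteger(1, sha1));
    }

    static void sign(Document doc, PrivateKey key, String keyName) throws Exception {
        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        // URI "" covers the whole document. Enveloped is the only transform, so the
        // digest input is produced by the default inclusive Canonical XML 1.0.
        Reference ref = f.newReference("", f.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(f.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = f.newSignedInfo(
            // Exclusive C14N applies to SignedInfo only, i.e. to the signature value.
            f.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            f.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = f.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyName(keyName)));
        // No Id on the Signature; DOMSignContext appends it as the last child of the root.
        f.newXMLSignature(si, ki).sign(new DOMSignContext(key, doc.getDocumentElement()));
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                // required for XML Signature
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(
            "<Message><Body>constructed sample</Body></Message>".getBytes(StandardCharsets.UTF_8)));
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);                       // requirement 6: 2,048-bit RSA key
        // Constructed stand-in bytes; a real caller passes certificate.getEncoded().
        String name = keyName("constructed stand-in for a DER certificate".getBytes(StandardCharsets.UTF_8));
        sign(doc, kpg.generateKeyPair().getPrivate(), name);
        System.out.println(doc.getDocumentElement().getLastChild().getLocalName() + " KeyName=" + name);
    }
}
```
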

  



Re: KeyName support in santuario

2016-10-11 Thread Hugo Trippaers
Hi Colm,

Yeah, that sounds even easier. Thanks for the feedback, I’ll start working on 
the patch and submit it when finished.

Cheers,

Hugo

> On 10 Oct 2016, at 18:02, Colm O hEigeartaigh <cohei...@apache.org> wrote:
> 
> Hi Hugo,
> 
> The JSR-105 API in Java just takes a String as parameter, so I think it would 
> be simpler just to add a new String property in XMLSecurityProperties which 
> is taken as the KeyName value:
> 
> https://docs.oracle.com/javase/7/docs/api/javax/xml/crypto/dsig/keyinfo/KeyInfoFactory.html#newKeyName(java.lang.String)
> 
> Colm.
> 
> On Mon, Oct 10, 2016 at 3:24 PM, Hugo Trippaers <trip...@gmail.com> wrote:
> Hello,
> 
> I’m working on a project that uses KeyName to identify the key used to verify 
> or sign the signature. I’m using the santuario library through the 
> XmlSecIn/OutInterceptors in the CXF project. Currently the KeyName identifier 
> is not supported for outgoing messages.
> 
> Caused by: org.apache.xml.security.exceptions.XMLSecurityException: KeyName not supported.
>     at org.apache.xml.security.stax.impl.processor.output.XMLSignatureEndingOutputProcessor.createKeyInfoStructureForSignature(XMLSignatureEndingOutputProcessor.java:146) ~[xmlsec-2.0.7.jar!/:2.0.7]
> 
> So I’m looking to add some support for it. I’ve got a small proof of concept 
> implementation ready but I ran into the problem that there is no clear 
> definition of what should be in the KeyName. The project that I’m working on 
> defined the contents of the KeyName as the SHA1 fingerprint of the 
> certificate, but I’ve also seen and/or read about solutions that use the CN or 
> any other identifier.
> 
> So I’m thinking of extending 
> org.apache.xml.security.stax.ext.XMLSecurityProperties with a field 
> identifying the method to use to generate the KeyName content. And then use 
> that info in 
> XMLSignatureEndingOutputProcessor.createKeyInfoStructureForSignature() to 
> build a KeyName KeyInfo token with the required contents.
> 
> I’m looking for some feedback if that would be an acceptable solution.
> 
> Cheers,
> 
> Hugo
> 
> 
> 
> 
> 
> -- 
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com