Re: Better support for newer signature algorithm
> Is there a reason why you don't load add all to your algorithm default
> builder?

I'm not sure what you mean here. Do you mean why don't we add default support for custom RSA-SHA2 algorithm suites? Yes we could do that if there was demand for it - we offer the custom GCM algorithm suites by default. Is it something you're interested in?

> Given the lack of updates (I'm assuming it's EOL now) to the
> WS-SecurityPolicy would you recommend not using WSPolicy and going more to
> a programmatic definition?

WS-SecurityPolicy is still useful, but if you are concerned about using RSA-SHA256 then either define a custom AlgorithmSuite or use the property to override the signature algorithm.

Colm.

> -----Original Message-----
> From: Colm O hEigeartaigh
> Sent: Thursday, October 11, 2018 9:48 AM
> To: users@cxf.apache.org
> Subject: Re: Better support for newer signature algorithm
>
> Hi,
>
> The problem is that the WS-SecurityPolicy specs have never been updated to
> use newer signature algorithms (RSA-SHA 256, GCM, etc.) that are available
> in the newer XML Signature specs. So we have no standard AlgorithmSuites
> that use RSA-SHA 256. The best we can do is to configure the signature
> algorithms via properties (you also have the option of defining custom
> AlgorithmSuites in WS-SecurityPolicy - see
> http://coheigea.blogspot.com/2011/09/specifying-custom-algorithmsuite.html)
> although that is obviously not interoperable.
RE: Better support for newer signature algorithm
I understand and it's a beast to figure out - spent a weekend trying to get it to work. Is there a reason why you don't load add all to your algorithm default builder?

Given the lack of updates (I'm assuming it's EOL now) to the WS-SecurityPolicy would you recommend not using WSPolicy and going more to a programmatic definition?

-----Original Message-----
From: Colm O hEigeartaigh
Sent: Thursday, October 11, 2018 9:48 AM
To: users@cxf.apache.org
Subject: Re: Better support for newer signature algorithm

Hi,

The problem is that the WS-SecurityPolicy specs have never been updated to use newer signature algorithms (RSA-SHA 256, GCM, etc.) that are available in the newer XML Signature specs. So we have no standard AlgorithmSuites that use RSA-SHA 256. The best we can do is to configure the signature algorithms via properties (you also have the option of defining custom AlgorithmSuites in WS-SecurityPolicy - see http://coheigea.blogspot.com/2011/09/specifying-custom-algorithmsuite.html) although that is obviously not interoperable.

Colm.

On Tue, Oct 9, 2018 at 2:35 PM mark.dis...@gmail.com wrote:

> These days we cannot allow anything below SHA2; so it took me a lot of
> troubleshooting to resolve the error below and only found a fix by
> adding this:
>
> properties.put("ws-security.asymmetric.signature.algorithm", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
>
> I would have liked adding this to the ws-securitypolicy but could not
> find any way to use the newer ones like the above and best I could do was
> this:
>
>
> It would be nice if this was out of the box support or discoverable
> from the keystore signing side.
Re: Better support for newer signature algorithm
Hi,

The problem is that the WS-SecurityPolicy specs have never been updated to use newer signature algorithms (RSA-SHA 256, GCM, etc.) that are available in the newer XML Signature specs. So we have no standard AlgorithmSuites that use RSA-SHA 256. The best we can do is to configure the signature algorithms via properties (you also have the option of defining custom AlgorithmSuites in WS-SecurityPolicy - see http://coheigea.blogspot.com/2011/09/specifying-custom-algorithmsuite.html) although that is obviously not interoperable.

Colm.

On Tue, Oct 9, 2018 at 2:35 PM mark.dis...@gmail.com wrote:

> These days we cannot allow anything below SHA2; so it took me a lot of
> troubleshooting to resolve the error below and only found a fix by adding
> this:
>
> properties.put("ws-security.asymmetric.signature.algorithm", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
>
> I would have liked adding this to the ws-securitypolicy but could not find
> any way to use the newer ones like the above and best I could do was this:
>
>
> It would be nice if this was out of the box support or discoverable from
> the keystore signing side.
> 2018-10-08 12:30:12.726 DEBUG 19280 --- [ main] o.a.w.dom.processor.SignatureProcessor : Verify XML Signature
> 2018-10-08 12:30:12.727 DEBUG 19280 --- [ main] o.a.w.c.crypto.AlgorithmSuiteValidator : SignatureMethod http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 does not match required values
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [ main] o.a.cxf.phase.PhaseInterceptorChain : Invoking handleFault on interceptor org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor@16a9eb2e
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [ main] o.a.cxf.phase.PhaseInterceptorChain : Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor@257e0827
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [ main] o.a.cxf.phase.PhaseInterceptorChain : Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor@806996
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [ main] o.a.cxf.phase.PhaseInterceptorChain : Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor@697a34af
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [ main] o.a.cxf.phase.PhaseInterceptorChain : Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor@38e7ed69
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [ main] o.a.cxf.phase.PhaseInterceptorChain : Invoking handleFault on interceptor org.apache.cxf.frontend.WSDLGetInterceptor@2a367e93
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [ main] o.a.cxf.phase.PhaseInterceptorChain : Invoking handleFault on interceptor org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxInInterceptor@76332405
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [ main] o.a.cxf.phase.PhaseInterceptorChain : Invoking handleFault on interceptor org.apache.cxf.interceptor.StaxInInterceptor@1a6dc589
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [ main] o.a.cxf.phase.PhaseInterceptorChain : Invoking handleFault on interceptor org.apache.cxf.interceptor.AttachmentInInterceptor@7f6874f2
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [ main] o.a.cxf.phase.PhaseInterceptorChain : Invoking handleFault on interceptor org.apache.cxf.ext.logging.LoggingInInterceptor$LoggingInFaultInterceptor@3fba233d
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [ main] o.apache.cxf.ws.addressing.ContextUtils : retrieving MAPs from context property javax.xml.ws.addressing.context.inbound
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [ main] o.apache.cxf.ws.addressing.ContextUtils : WS-Addressing - failed to retrieve Message Addressing Properties from context

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
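The property-based override that resolves the thread (the `ws-security.asymmetric.signature.algorithm` line in the quoted message, and the "use the property to override the signature algorithm" option in the reply) is shown below on both the client and the server side of a CXF JAX-WS exchange. This is an added example written for this page, not code from the thread or from the CXF project. The property name and algorithm URI are the ones quoted above; the helper names `wsSecurityProperties`, `configureClient` and `publishWithSha256`, the keystore properties file names, the key aliases and the password are placeholders. `ws-security.signature.properties`, `ws-security.signature.username` and `ws-security.callback-handler` are the standard CXF WS-Security property names for the signing keystore, signing key alias and password callback.

```java
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.ws.BindingProvider;

import org.apache.cxf.jaxws.EndpointImpl;
import org.apache.wss4j.common.ext.WSPasswordCallback;

/**
 * Configures a CXF JAX-WS client and endpoint so the asymmetric binding signs
 * with RSA-SHA256 instead of the RSA-SHA1 that every standard WS-SecurityPolicy
 * AlgorithmSuite prescribes. Example code; keystore files, aliases and the
 * password are placeholders.
 */
public final class Sha256SignatureConfig {

    /** Property name and algorithm URI exactly as quoted in the thread. */
    static final String SIG_ALG_PROP = "ws-security.asymmetric.signature.algorithm";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /**
     * WS-Security properties for one side of the exchange. The same map shape is
     * used on the client and the server, which is the point: the inbound
     * AlgorithmSuiteValidator (see the log in the thread) compares the received
     * SignatureMethod against the configured value, so the override has to be
     * present on the receiving side, not only on the sender.
     */
    static Map<String, Object> wsSecurityProperties(String cryptoPropsFile, String keyAlias,
                                                    CallbackHandler passwordCallback) {
        Map<String, Object> props = new HashMap<>();
        props.put("ws-security.signature.properties", cryptoPropsFile); // WSS4J Merlin keystore config
        props.put("ws-security.signature.username", keyAlias);          // alias of the signing key
        props.put("ws-security.callback-handler", passwordCallback);    // supplies the key password
        props.put(SIG_ALG_PROP, RSA_SHA256);                            // replace the suite's RSA-SHA1
        return props;
    }

    /** Client side: WS-Security properties live in the JAX-WS request context. */
    static void configureClient(Object port, Map<String, Object> props) {
        ((BindingProvider) port).getRequestContext().putAll(props);
    }

    /** Server side: the same properties are attached to the published endpoint. */
    static EndpointImpl publishWithSha256(Object implementor, String address, Map<String, Object> props) {
        EndpointImpl endpoint = new EndpointImpl(implementor);
        endpoint.setProperties(props);
        endpoint.publish(address);
        return endpoint;
    }

    /** Minimal password callback; "changeit" is a placeholder, not a real credential. */
    static CallbackHandler placeholderPasswords() {
        return (Callback[] callbacks) -> {
            for (Callback cb : callbacks) {
                if (cb instanceof WSPasswordCallback) {
                    ((WSPasswordCallback) cb).setPassword("changeit");
                }
            }
        };
    }
}
```

Usage: build one map per side, for example `wsSecurityProperties("serviceKeystore.properties", "myservicekey", placeholderPasswords())` for the endpoint and a client keystore equivalent for the proxy, then pass them to `publishWithSha256` and `configureClient` with the generated service implementation and port. Two caveats follow from the thread. First, the property replaces only the asymmetric signature algorithm; the digest method still comes from the AlgorithmSuite named in the policy, so pair the override with a SHA-256 suite such as Basic256Sha256 rather than Basic256, whose digest is SHA-1. Second, because the receiver's AlgorithmSuiteValidator checks the incoming SignatureMethod against the configured value, the log line "SignatureMethod ... does not match required values" is what you should expect to see again for any peer that has not been updated to the same algorithm, which makes it a useful detection signal during a migration.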