Re: Better support for newer signature algorithm

2018-10-16 Thread Colm O hEigeartaigh
>
> Is there a reason why you don't add all of them to your default algorithm
> builder?
>

I'm not sure what you mean here. Do you mean why don't we add default
support for custom RSA-SHA2 algorithm suites? Yes we could do that if there
was demand for it - we offer the custom GCM algorithm suites by default. Is
it something you're interested in?

> Given the lack of updates to WS-SecurityPolicy (I'm assuming it's EOL now),
> would you recommend not using WSPolicy and going more to a programmatic
> definition?
>

WS-SecurityPolicy is still useful, but if you are concerned about using
RSA-SHA256 then either define a custom AlgorithmSuite or use the property
to override the signature algorithm.

Colm.


>
> -Original Message-
> From: Colm O hEigeartaigh 
> Sent: Thursday, October 11, 2018 9:48 AM
> To: users@cxf.apache.org
> Subject: Re: Better support for newer signature algorithm
>
> Hi,
>
> The problem is that the WS-SecurityPolicy specs have never been updated to
> use newer signature algorithms (RSA-SHA 256, GCM, etc.) that are available
> in the newer XML Signature specs. So we have no standard AlgorithmSuites
> that use RSA-SHA 256. The best we can do is to configure the signature
> algorithms via properties (you also have the option of defining custom
> AlgorithmSuites in WS-SecurityPolicy - see
> http://coheigea.blogspot.com/2011/09/specifying-custom-algorithmsuite.html
> )
> although that is obviously not interoperable.
>
> Colm.
>
> On Tue, Oct 9, 2018 at 2:35 PM mark.dis...@gmail.com <mark.dis...@gmail.com>
> wrote:
>
> > These days we cannot allow anything below SHA2; so it took me a lot of
> > trouble shooting to resolve the error below and only found a fix by
> > adding
> > this:
> > properties.put("ws-security.asymmetric.signature.algorithm",
> >     "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
> >
> > I would have liked adding this to the ws-securitypolicy but could not
> > find anyway to use the newer ones like the above and best I could do was
> this:
> >   
> > 
> > 
> > 
> >  
> >
> > It would be nice if this was out of the box support or discoverable
> > from the keystore signing side.
> >
> > 2018-10-08 12:30:12.726 DEBUG 19280 --- [   main]
> > o.a.w.dom.processor.SignatureProcessor   : Verify XML Signature
> > 2018-10-08 12:30:12.727 DEBUG 19280 --- [   main]
> > o.a.w.c.crypto.AlgorithmSuiteValidator   : SignatureMethod
> > http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 does not match
> > required values
> > 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> > o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> > interceptor
> > org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor@16a9eb2e
> > 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> > o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> > interceptor
> > org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor@257e0827
> > 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> > o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> > interceptor
> > org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor@806996
> > 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> > o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> > interceptor
> > org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor@697a34af
> > 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> > o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> > interceptor
> > org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor@38e7ed69
> > 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> > o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> > interceptor org.apache.cxf.frontend.WSDLGetInterceptor@2a367e93
> > 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> > o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> > interceptor
> > org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxInInterceptor@76332405
> > 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> > o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> > interceptor org.apache.cxf.interceptor.StaxInInterceptor@1a6dc589
> > 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> > o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> > interceptor org.apache.cxf.interceptor.AttachmentI

RE: Better support for newer signature algorithm

2018-10-11 Thread Mark Diskin
I understand and it's a beast to figure out- spent a weekend trying to get it 
to work.

Is there a reason why you don't add all of them to your default algorithm builder?

Given the lack of updates to WS-SecurityPolicy (I'm assuming it's EOL now),
would you recommend not using WSPolicy and going more to a programmatic
definition?

-Original Message-
From: Colm O hEigeartaigh  
Sent: Thursday, October 11, 2018 9:48 AM
To: users@cxf.apache.org
Subject: Re: Better support for newer signature algorithm

Hi,

The problem is that the WS-SecurityPolicy specs have never been updated to use 
newer signature algorithms (RSA-SHA 256, GCM, etc.) that are available in the 
newer XML Signature specs. So we have no standard AlgorithmSuites that use 
RSA-SHA 256. The best we can do is to configure the signature algorithms via 
properties (you also have the option of defining custom AlgorithmSuites in 
WS-SecurityPolicy - see
http://coheigea.blogspot.com/2011/09/specifying-custom-algorithmsuite.html)
although that is obviously not interoperable.

Colm.

On Tue, Oct 9, 2018 at 2:35 PM mark.dis...@gmail.com 
wrote:

> These days we cannot allow anything below SHA2; so it took me a lot of 
> trouble shooting to resolve the error below and only found a fix by 
> adding
> this:
> properties.put("ws-security.asymmetric.signature.algorithm",
>     "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
>
> I would have liked adding this to the ws-securitypolicy but could not 
> find anyway to use the newer ones like the above and best I could do was this:
>   
> 
> 
> 
>  
>
> It would be nice if this was out of the box support or discoverable 
> from the keystore signing side.
>
> 2018-10-08 12:30:12.726 DEBUG 19280 --- [   main]
> o.a.w.dom.processor.SignatureProcessor   : Verify XML Signature
> 2018-10-08 12:30:12.727 DEBUG 19280 --- [   main]
> o.a.w.c.crypto.AlgorithmSuiteValidator   : SignatureMethod
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 does not match 
> required values
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> interceptor
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor@16a9eb2e
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> interceptor
> org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor@257e0827
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> interceptor
> org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor@806996
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> interceptor
> org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor@697a34af
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> interceptor
> org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor@38e7ed69
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> interceptor org.apache.cxf.frontend.WSDLGetInterceptor@2a367e93
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> interceptor
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxInInterceptor@76332405
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> interceptor org.apache.cxf.interceptor.StaxInInterceptor@1a6dc589
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> interceptor org.apache.cxf.interceptor.AttachmentInInterceptor@7f6874f2
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> interceptor
> org.apache.cxf.ext.logging.LoggingInInterceptor$LoggingInFaultInterceptor@3fba233d
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> o.apache.cxf.ws.addressing.ContextUtils  : retrieving MAPs from 
> context property javax.xml.ws.addressing.context.inbound
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> o.apache.cxf.ws.addressing.ContextUtils  : WS-Addressing - failed to 
> retrieve Message Addressing Properties from context
>


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


Re: Better support for newer signature algorithm

2018-10-11 Thread Colm O hEigeartaigh
Hi,

The problem is that the WS-SecurityPolicy specs have never been updated to
use newer signature algorithms (RSA-SHA 256, GCM, etc.) that are available
in the newer XML Signature specs. So we have no standard AlgorithmSuites
that use RSA-SHA 256. The best we can do is to configure the signature
algorithms via properties (you also have the option of defining custom
AlgorithmSuites in WS-SecurityPolicy - see
http://coheigea.blogspot.com/2011/09/specifying-custom-algorithmsuite.html)
although that is obviously not interoperable.

Colm.

On Tue, Oct 9, 2018 at 2:35 PM mark.dis...@gmail.com 
wrote:

> These days we cannot allow anything below SHA2; so it took me a lot of
> trouble shooting to resolve the error below and only found a fix by adding
> this:
> properties.put("ws-security.asymmetric.signature.algorithm",
>     "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
>
> I would have liked adding this to the ws-securitypolicy but could not find
> anyway to use the newer ones like the above and best I could do was this:
>   
> 
> 
> 
>  
>
> It would be nice if this was out of the box support or discoverable from
> the keystore signing side.
>
> 2018-10-08 12:30:12.726 DEBUG 19280 --- [   main]
> o.a.w.dom.processor.SignatureProcessor   : Verify XML Signature
> 2018-10-08 12:30:12.727 DEBUG 19280 --- [   main]
> o.a.w.c.crypto.AlgorithmSuiteValidator   : SignatureMethod
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 does not match required
> values
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> interceptor
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor@16a9eb2e
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> interceptor
> org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor@257e0827
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> interceptor
> org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor@806996
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> interceptor
> org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor@697a34af
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> interceptor
> org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor@38e7ed69
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> interceptor org.apache.cxf.frontend.WSDLGetInterceptor@2a367e93
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> interceptor
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxInInterceptor@76332405
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> interceptor org.apache.cxf.interceptor.StaxInInterceptor@1a6dc589
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> interceptor org.apache.cxf.interceptor.AttachmentInInterceptor@7f6874f2
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> o.a.cxf.phase.PhaseInterceptorChain  : Invoking handleFault on
> interceptor
> org.apache.cxf.ext.logging.LoggingInInterceptor$LoggingInFaultInterceptor@3fba233d
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> o.apache.cxf.ws.addressing.ContextUtils  : retrieving MAPs from context
> property javax.xml.ws.addressing.context.inbound
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [   main]
> o.apache.cxf.ws.addressing.ContextUtils  : WS-Addressing - failed to
> retrieve Message Addressing Properties from context
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
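The property-based override that Colm recommends (and that Mark reports fixed the `SignatureMethod ... does not match required values` error), as an added example that is not code from the thread or from the CXF project. It builds a CXF JAX-WS client whose WS-Security signature uses RSA-SHA256 by setting the `ws-security.asymmetric.signature.algorithm` property from the thread; the service interface, endpoint address, key alias, crypto properties file and keystore password are placeholders to be replaced with your own.

```java
// Added example, not code from the thread or from Apache CXF itself.
// Configures a CXF JAX-WS client so that outbound WS-Security signatures use
// RSA-SHA256 instead of the RSA-SHA1 that every standard WS-SecurityPolicy
// AlgorithmSuite (Basic128, Basic256, ...) still mandates.
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.wss4j.common.ext.WSPasswordCallback;

public class Sha256SignatureClient {

    // Property key exactly as named in the thread, and the RSA-SHA256
    // SignatureMethod URI from RFC 4051 (xmldsig-more).
    static final String ASYMMETRIC_SIG_ALG_KEY = "ws-security.asymmetric.signature.algorithm";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Placeholder values (assumptions): key alias and crypto properties file.
    static final String SIGNING_KEY_ALIAS = "client-signing-key";      // placeholder
    static final String CRYPTO_PROPERTIES = "client-crypto.properties"; // placeholder

    /** Supplies the private-key password to WSS4J when it signs the message. */
    public static class KeystorePasswordCallback implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof WSPasswordCallback) {
                    WSPasswordCallback pc = (WSPasswordCallback) cb;
                    if (SIGNING_KEY_ALIAS.equals(pc.getIdentifier())) {
                        // Placeholder: load the real key password from a secret store.
                        pc.setPassword("changeit");
                    }
                } else {
                    throw new UnsupportedCallbackException(cb, "Unrecognized callback");
                }
            }
        }
    }

    /** Creates a proxy for serviceClass whose requests are signed with RSA-SHA256. */
    public static <T> T createClient(Class<T> serviceClass, String address) {
        JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
        factory.setServiceClass(serviceClass);
        factory.setAddress(address);

        Map<String, Object> props = new HashMap<>();
        // Overrides the SignatureMethod dictated by the policy's AlgorithmSuite.
        props.put(ASYMMETRIC_SIG_ALG_KEY, RSA_SHA256);
        // Ordinary signing configuration; the values above are placeholders.
        props.put(SecurityConstants.SIGNATURE_USERNAME, SIGNING_KEY_ALIAS);
        props.put(SecurityConstants.SIGNATURE_PROPERTIES, CRYPTO_PROPERTIES);
        props.put(SecurityConstants.CALLBACK_HANDLER, KeystorePasswordCallback.class.getName());
        factory.setProperties(props);

        return factory.create(serviceClass);
    }
}
```

Two practical notes. First, the property must be present on the side that verifies the signature as well as on the side that produces it: the `AlgorithmSuiteValidator` line in Mark's log is the receiving endpoint comparing the inbound `SignatureMethod` against its policy-derived suite, so a server that still validates against the unmodified suite rejects RSA-SHA256 no matter what the client sends. On a CXF server the same key/value pair goes into the endpoint's properties (for example `jaxws:properties` in the Spring configuration or the `Endpoint` properties map). Second, the override is a per-deployment agreement rather than something a peer can discover from the policy, which is exactly the interoperability limitation Colm points out; record it alongside the policy so that the next person debugging the same `does not match required values` error does not spend a weekend on it.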