> Following these derived key tokens there are two xenc:EncryptedData
> elements remaining in the header. I assume one of them is the
> SignedEncryptedSupportingTokens UsernameToken. What would the other be?
> The message signature encrypted (the sp:EncryptSignature element
> perhaps)?
Yes, exactly. If you change logging to DEBUG you will see what is decrypted
in your logging output.

Colm.

On Tue, May 7, 2013 at 1:11 AM, Josh Hill <[email protected]> wrote:

> The client generates the Symmetric Key and then encrypts it with the
> public key of the STS. The request is signed + encrypted with the
> Symmetric Key. The STS decrypts the received symmetric key, and uses it
> to decrypt + verify the signature on the request. So, you are correct in
> stating that the symmetric key is not itself signed.
>
> Thanks Colm. I appreciate your time. I plan on writing a detailed blog
> post covering the flow and logic behind what is happening between the
> WSC, WSP, and STS. Something others will hopefully find useful.
>
> I see the SOAP message sent from client to STS contains an
> xenc:EncryptedKey element which I assume is the client generated
> symmetric key encrypted using the STS public key. Below this element
> there are two wsc:DerivedKeyToken elements; these are derived from the
> symmetric key (once the STS decrypts it), correct?
>
> Following these derived key tokens there are two xenc:EncryptedData
> elements remaining in the header. I assume one of them is the
> SignedEncryptedSupportingTokens UsernameToken. What would the other be?
> The message signature encrypted (the sp:EncryptSignature element
> perhaps)?
>
> Josh
>
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Tuesday, 7 May 2013 1:30 a.m.
> To: Josh Hill
> Cc: [email protected]
> Subject: Re: SymmetricBinding key exchange and signing
>
> > Is there not some exchange of the generated key between the client and
> > STS? If the client signs (and encrypts) the request how does the STS
> > have the generated key to verify signature and decrypt? My original
> > question suggested that it is exchanged by encrypting it with the STS
> > public key but not sure how it is signed in this exchange. Perhaps the
> > exchange of the generated key isn't signed?
> The client generates the Symmetric Key and then encrypts it with the
> public key of the STS. The request is signed + encrypted with the
> Symmetric Key. The STS decrypts the received symmetric key, and uses it
> to decrypt + verify the signature on the request. So, you are correct in
> stating that the symmetric key is not itself signed.
>
> Colm.
>
> On Sun, May 5, 2013 at 8:56 PM, Josh Hill <[email protected]> wrote:
>
> Andrei,
>
> Yes, I have the IssuedToken policy on the WSP (not shown). The below
> policies are on my STS service. The question was in regards to
> connecting to the STS service to have a token issued (or renewed, or
> validated). I authenticate using the SignedEncryptedSupportingTokens
> UsernameToken. What I'm trying to figure out is how the key generated by
> the client for symmetric binding is exchanged with the STS service so
> that it can sign/verify and encrypt/decrypt messages with the client.
>
> Colm,
>
> Is there not some exchange of the generated key between the client and
> STS? If the client signs (and encrypts) the request how does the STS
> have the generated key to verify signature and decrypt? My original
> question suggested that it is exchanged by encrypting it with the STS
> public key but not sure how it is signed in this exchange. Perhaps the
> exchange of the generated key isn't signed?
>
> I appreciate your time.
>
> Josh
>
> Josh Hill
> Senior Java Developer
> sovereign finance and banking software
> A Level 1, Building C, Millennium Centre, 602 Great South Road,
> Greenlane, Auckland, New Zealand
> D 64 9 571 6812 P 64 9 571 6800 F 64 9 571 6899
> E [email protected] W http://www.finzsoft.com
>
> Please note: This email contains information that is confidential and
> may be privileged. If you are not the intended recipient, you must not
> peruse, use, disseminate, distribute or copy this email or attachments.
> If you have received this in error, please notify Finzsoft Solutions
> (New Zealand) Ltd immediately by return email and delete this email.
> Thank you.
>
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:[email protected]]
> > Sent: Saturday, 4 May 2013 12:36 a.m.
> > To: [email protected]
> > Subject: Re: SymmetricBinding key exchange and signing
> >
> > The Symmetric key that the client generates signs (and encrypts) the
> > request (SOAP Body). There is no need for a signing certificate as you
> > are using the Symmetric binding. Authentication is enforced via the
> > UsernameToken SupportingToken.
> >
> > Colm.
> >
> > On Fri, May 3, 2013 at 4:25 AM, Josh Hill <[email protected]> wrote:
> >
> > > My understanding is that the client generates the symmetric key (as
> > > defined by the sp:ProtectionToken, i.e. an sp:X509Token) and encrypts
> > > it using the STS's public key (configured on the client using
> > > "ws-security.encryption.properties\username"). When sending this
> > > encrypted key to the STS what is it signed with? I haven't set the
> > > "ws-security.signature.properties\username" on my client but the
> > > input policy on the STS requires the sp:Body be signed.
> > >
> > > ...
> > > <entry key="ws-security.sts.client">
> > >   <bean class="org.apache.cxf.ws.security.trust.STSClient">
> > >     <constructor-arg ref="cxf" />
> > >     <property name="wsdlLocation" value="http://localhost:8080/STS?wsdl" />
> > >     <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService" />
> > >     <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}STS_Port" />
> > >     <property name="properties">
> > >       <map>
> > >         <entry key="ws-security.username" value="bob" />
> > >         <entry key="ws-security.callback-handler" value="ClientCallbackHandler" />
> > >         <entry key="ws-security.encryption.properties" value="clientKeystore.properties" />
> > >         <entry key="ws-security.encryption.username" value="stskey" />
> > >       </map>
> > >     </property>
> > >   </bean>
> > > </entry>
> > > ...
> > >
> > > <wsp:Policy wsu:Id="STS-UT-Policy">
> > >   <wsp:ExactlyOne>
> > >     <wsp:All>
> > >       <sp:SymmetricBinding>
> > >         <wsp:Policy>
> > >           <sp:ProtectionToken>
> > >             <wsp:Policy>
> > >               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> > >                 <wsp:Policy>
> > >                   <sp:RequireDerivedKeys/>
> > >                   <sp:RequireThumbprintReference/>
> > >                   <sp:WssX509V3Token10/>
> > >                 </wsp:Policy>
> > >               </sp:X509Token>
> > >             </wsp:Policy>
> > >           </sp:ProtectionToken>
> > >           <sp:AlgorithmSuite>
> > >             <wsp:Policy>
> > >               <sp:Basic256/>
> > >             </wsp:Policy>
> > >           </sp:AlgorithmSuite>
> > >           <sp:Layout>
> > >             <wsp:Policy>
> > >               <sp:Lax/>
> > >             </wsp:Policy>
> > >           </sp:Layout>
> > >           <sp:IncludeTimestamp/>
> > >           <sp:EncryptSignature/>
> > >           <sp:OnlySignEntireHeadersAndBody/>
> > >         </wsp:Policy>
> > >       </sp:SymmetricBinding>
> > >       <sp:SignedEncryptedSupportingTokens>
> > >         <wsp:Policy>
> > >           <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> > >             <wsp:Policy>
> > >               <sp:HashPassword/>
> > >               <sp:WssUsernameToken10/>
> > >             </wsp:Policy>
> > >           </sp:UsernameToken>
> > >         </wsp:Policy>
> > >       </sp:SignedEncryptedSupportingTokens>
> > >       <sp:Wss11>
> > >         <wsp:Policy>
> > >           <sp:MustSupportRefKeyIdentifier/>
> > >           <sp:MustSupportRefIssuerSerial/>
> > >           <sp:MustSupportRefThumbprint/>
> > >           <sp:MustSupportRefEncryptedKey/>
> > >         </wsp:Policy>
> > >       </sp:Wss11>
> > >       <sp:Trust13>
> > >         <wsp:Policy>
> > >           <sp:MustSupportIssuedTokens/>
> > >           <sp:RequireClientEntropy/>
> > >           <sp:RequireServerEntropy/>
> > >         </wsp:Policy>
> > >       </sp:Trust13>
> > >     </wsp:All>
> > >   </wsp:ExactlyOne>
> > > </wsp:Policy>
> > >
> > > <wsp:Policy wsu:Id="STS-Input-Policy">
> > >   <wsp:ExactlyOne>
> > >     <wsp:All>
> > >       <sp:SignedParts>
> > >         <sp:Body/>
> > >       </sp:SignedParts>
> > >       <sp:EncryptedParts>
> > >         <sp:Body/>
> > >       </sp:EncryptedParts>
> > >     </wsp:All>
> > >   </wsp:ExactlyOne>
> > > </wsp:Policy>
> > >
> > > <wsp:Policy wsu:Id="STS-Output-Policy">
> > >   <wsp:ExactlyOne>
> > >     <wsp:All>
> > >       <sp:SignedParts>
> > >         <sp:Body/>
> > >       </sp:SignedParts>
> > >       <sp:EncryptedParts>
> > >         <sp:Body/>
> > >       </sp:EncryptedParts>
> > >     </wsp:All>
> > >   </wsp:ExactlyOne>
> > > </wsp:Policy>
> > >
> > > Josh
--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
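The exchange the thread describes, as an added example in Go (not code from the thread, from CXF or from WSS4J): the client generates the symmetric key, wraps it for the STS with RSA-OAEP (the xenc:EncryptedKey), derives a signing key and an encryption key from it with WS-SecureConversation's P_SHA-1 (the two wsc:DerivedKeyToken elements), signs the Body and the UsernameToken, then encrypts the Body, the UsernameToken and the Signature itself (the three xenc:EncryptedData elements, two of which sit in the header); the STS unwraps the key, re-derives both keys, decrypts and verifies. Everything below is an assumption of this example rather than something the page states: byte buffers stand in for the XML elements, an HMAC-SHA1 over the concatenated signed parts stands in for the XML-DSig ds:Signature, AES-GCM stands in for the Basic256 suite's AES-256-CBC to keep the code short, derived-key nonces are 16 bytes with offset 0, the label is the default WS-SecureConversation label as implementations commonly use it, and the key lengths (192-bit signature, 256-bit encryption) are the Basic256 values. ClientRequest, STSVerify, Request and deriveKey are illustrative names.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"errors"
	"fmt"
)

// Basic256 derived-key sizes from the posted policy; assumed default WS-SecureConversation label.
const (
	sigKeyLen = 24 // 192-bit signature key (HMAC-SHA1)
	encKeyLen = 32 // 256-bit encryption key (AES-256)
	wscLabel  = "WS-SecureConversationWS-SecureConversation"
)

func hmacSHA1(key []byte, parts ...[]byte) []byte {
	h := hmac.New(sha1.New, key)
	h.Write(bytes.Join(parts, nil))
	return h.Sum(nil)
}

// pSHA1 is the TLS-style PRF behind wsc:DerivedKeyToken: A(0)=seed, A(i)=HMAC(secret, A(i-1)),
// stream = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ...; Offset/Length select a window.
func pSHA1(secret, seed []byte, offset, length int) []byte {
	var out []byte
	for a := seed; len(out) < offset+length; {
		a = hmacSHA1(secret, a)
		out = append(out, hmacSHA1(secret, a, seed)...)
	}
	return out[offset : offset+length]
}

// deriveKey is what one wsc:DerivedKeyToken encodes: label || nonce into P_SHA-1, offset 0, suite key length.
func deriveKey(secret, nonce []byte, length int) []byte {
	return pSHA1(secret, append([]byte(wscLabel), nonce...), 0, length)
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand never returns an error on supported platforms
	return b
}

// Request is the client message: one EncryptedKey, two DerivedKeyTokens (their nonces) and three
// EncryptedData elements: Body, UsernameToken and, per sp:EncryptSignature, the Signature itself.
type Request struct {
	EncryptedKey                             []byte
	SigNonce, EncNonce                       []byte
	EncryptedBody, EncryptedUT, EncryptedSig []byte // nonce || AES-GCM ciphertext
}

func encrypt(key, pt []byte) []byte { // AES-GCM stands in for the suite's AES-256-CBC
	block, _ := aes.NewCipher(key) // keys are always 32 bytes here, so neither setup call can fail
	g, _ := cipher.NewGCM(block)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}

func decrypt(key, ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("short ciphertext")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// ClientRequest: generate the symmetric key, wrap it for the STS with RSA-OAEP (the EncryptedKey),
// derive both keys, sign Body and UsernameToken, then encrypt Body, UsernameToken and Signature.
func ClientRequest(stsPub *rsa.PublicKey, body, usernameToken []byte) (*Request, error) {
	secret := randBytes(32) // the client-generated symmetric key
	ek, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, stsPub, secret, nil)
	if err != nil {
		return nil, err
	}
	req := &Request{EncryptedKey: ek, SigNonce: randBytes(16), EncNonce: randBytes(16)}
	sig := hmacSHA1(deriveKey(secret, req.SigNonce, sigKeyLen), body, usernameToken) // stands in for ds:Signature
	encKey := deriveKey(secret, req.EncNonce, encKeyLen)
	req.EncryptedBody, req.EncryptedUT, req.EncryptedSig =
		encrypt(encKey, body), encrypt(encKey, usernameToken), encrypt(encKey, sig)
	return req, nil
}

// STSVerify: unwrap the symmetric key, re-derive both keys from the tokens' nonces, decrypt,
// then verify; every failure maps to one fault so the client cannot tell which step broke.
func STSVerify(stsPriv *rsa.PrivateKey, req *Request) (body, usernameToken []byte, err error) {
	fault := errors.New("security header processing failed")
	secret, err := rsa.DecryptOAEP(sha1.New(), rand.Reader, stsPriv, req.EncryptedKey, nil)
	if err != nil {
		return nil, nil, fault
	}
	encKey := deriveKey(secret, req.EncNonce, encKeyLen)
	body, errB := decrypt(encKey, req.EncryptedBody)
	usernameToken, errU := decrypt(encKey, req.EncryptedUT)
	sig, errS := decrypt(encKey, req.EncryptedSig)
	expected := hmacSHA1(deriveKey(secret, req.SigNonce, sigKeyLen), body, usernameToken)
	if errB != nil || errU != nil || errS != nil || !hmac.Equal(sig, expected) {
		return nil, nil, fault
	}
	return body, usernameToken, nil
}

func main() {
	stsKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the "stskey" keystore entry
	body, ut := []byte("<wst:RequestSecurityToken/>"), []byte("<wsse:UsernameToken>bob</wsse:UsernameToken>")
	req, _ := ClientRequest(&stsKey.PublicKey, body, ut) // constructed inputs
	gotBody, _, err := STSVerify(stsKey, req)
	fmt.Printf("verified=%v body=%s\n", err == nil, gotBody)
}
```

STSVerify returns the decrypted Body and UsernameToken only when the unwrap, all three decryptions and the signature check succeed, and returns the same fault otherwise. That collapsing matters more with the real suite than with GCM: under CBC the signature can only be checked after decryption, so an STS that reports padding failures differently from signature failures hands the client a padding oracle. As in Colm's DEBUG tip, what the two header EncryptedData elements hold only becomes visible after decryption; in this model they are EncryptedUT and EncryptedSig.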
