SHA-256 is only used for the digest algorithm for any of the standard WS-SecurityPolicy AlgorithmSuites. The Signature Algorithm is always RSA-SHA1 and cannot be configured. Ideally, we would have a new specification to cater for newer security algorithms, but this does not appear likely from my understanding.

I've created a JIRA to find a way around this problem: https://issues.apache.org/jira/browse/CXF-5200

I think I will add a configuration option to override the default RSA-SHA1 signature algorithm.

Colm.

On Tue, Aug 13, 2013 at 2:19 PM, Ted Roeloffzen <[email protected]> wrote:

> I was afraid of that.
>
> The policy that is used is as follows:
>
> <wsp:Policy wsu:Id="...">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:AsymmetricBinding>
>         <wsp:Policy>
>           <sp:InitiatorToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                 <wsp:Policy>
>                   <sp:RequireThumbprintReference/>
>                   <sp:WssX509V3Token10/>
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:InitiatorToken>
>           <sp:RecipientToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToInitiator">
>                 <wsp:Policy>
>                   <sp:RequireThumbprintReference/>
>                   <sp:WssX509V3Token10/>
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:RecipientToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256Sha256Rsa15/>
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Lax/>
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:IncludeTimestamp/>
>           <sp:OnlySignEntireHeadersAndBody/>
>         </wsp:Policy>
>       </sp:AsymmetricBinding>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
> When I look at this policy, I'd think that SHA256 would be used; I thought RSA-SHA256 would be used as the signature algorithm, but when I look at the XML that is output by CXF, RSA-SHA1 is used.
>
> Where am I going wrong?
>
> Ted
>
> 2013/8/13 Colm O hEigeartaigh <[email protected]>
>
>> You can't set the SignatureAlgorithm if you are using WS-SecurityPolicy, as it defaults to that of the spec. What requirements do you have? What signature algorithm do you want to use?
>>
>> Colm.
>>
>> On Tue, Aug 13, 2013 at 1:36 PM, Ted Roeloffzen <[email protected]> wrote:
>>
>>> Hi Colm,
>>>
>>> The WSS4JOutInterceptor is created and configured automatically by CXF, right?
>>> Can I somehow retrieve the WSS4JOutInterceptor during the process and set the signatureAlgorithm tag, without having to configure the entire interceptor?
>>>
>>> Ted
>>>
>>> 2013/8/13 Colm O hEigeartaigh <[email protected]>
>>>
>>>> If you are using WS-SecurityPolicy, then the spec defines the signature method as "RSA-SHA1" for Asymmetric Signature, and "HMAC-SHA1" for Symmetric Signature. Otherwise, you can set it via the "signatureAlgorithm" configuration tag on the WSS4JOutInterceptor.
>>>>
>>>> Colm.
>>>>
>>>> On Tue, Aug 13, 2013 at 8:08 AM, Ted Roeloffzen <[email protected]> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> How does CXF determine which signature method to use?
>>>>> Does it retrieve it from the security-policy in the WSDL or do you have to configure it?
>>>>>
>>>>> kind regards,
>>>>>
>>>>> Ted

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
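Added here as a check, not code from the thread or from CXF: a short Python script that parses a WS-Security signed SOAP message and reports which SignatureMethod and DigestMethod algorithms were actually emitted, so the "SHA-256 digests but RSA-SHA1 signature" combination Colm describes can be spotted in captured traffic or test output. The envelope is a constructed sample with the shape CXF produces under the Basic256Sha256Rsa15 suite; digest and signature values are placeholders.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample envelope (not a real capture): SHA-256 digests on the
# Body and Timestamp references, but an RSA-SHA1 SignatureMethod, as in the
# output the thread describes. Base64 values are abbreviated placeholders.
SAMPLE_ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soap:Header>
    <wsse:Security>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#Body-1">
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>AAAA</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#TS-1">
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>BBBB</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>CCCC</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""


def signature_algorithms(envelope_xml):
    """Return one (signature_method, [digest_methods]) tuple per ds:Signature."""
    root = ET.fromstring(envelope_xml)
    results = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        sm = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod")
        digests = [d.get("Algorithm") for d in sig.iter(f"{{{DS}}}DigestMethod")]
        results.append((sm.get("Algorithm") if sm is not None else None, digests))
    return results


def uses_sha1_signature(envelope_xml):
    """True if any signature in the message was produced with RSA-SHA1."""
    return any(sm == RSA_SHA1 for sm, _ in signature_algorithms(envelope_xml))
```

Run it over a message logged by CXF (for example via the LoggingOutInterceptor) to confirm which signature algorithm a given policy actually yields before relying on it.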
