I understand, and it's a beast to figure out; I spent a weekend trying to get it 
to work.

Is there a reason why you don't load add all to your algorithm default builder? 

Given the lack of updates to WS-SecurityPolicy (I'm assuming it's EOL now), 
would you recommend not using WSPolicy and going more to a programmatic 
definition?

-----Original Message-----
From: Colm O hEigeartaigh <cohei...@apache.org> 
Sent: Thursday, October 11, 2018 9:48 AM
To: users@cxf.apache.org
Subject: Re: Better support for newer signature algorithm

Hi,

The problem is that the WS-SecurityPolicy specs have never been updated to use 
newer signature algorithms (RSA-SHA 256, GCM, etc.) that are available in the 
newer XML Signature specs. So we have no standard AlgorithmSuites that use 
RSA-SHA 256. The best we can do is to configure the signature algorithms via 
properties (you also have the option of defining custom AlgorithmSuites in 
WS-SecurityPolicy - see
http://coheigea.blogspot.com/2011/09/specifying-custom-algorithmsuite.html)
although that is obviously not interoperable.

Colm.o

On Tue, Oct 9, 2018 at 2:35 PM mark.dis...@gmail.com <mark.dis...@gmail.com>
wrote:

> These days we cannot allow anything below SHA2; so it took me a lot of 
> troubleshooting to resolve the error below, and I only found a fix by 
> adding this:
>
> properties.put("ws-security.asymmetric.signature.algorithm",
>     "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
>
> I would have liked adding this to the ws-securitypolicy but could not 
> find any way to use the newer ones like the above, and the best I could do was this:
>
>   <sp:AlgorithmSuite>
>     <wsp:Policy>
>       <sp:Basic256Sha256Rsa15/>
>     </wsp:Policy>
>   </sp:AlgorithmSuite>
>
> It would be nice if this was out of the box support or discoverable 
> from the keystore signing side.
>
> 2018-10-08 12:30:12.726 DEBUG 19280 --- [           main]
> o.a.w.dom.processor.SignatureProcessor   : Verify XML Signature
> 2018-10-08 12:30:12.727 DEBUG 19280 --- [           main]
> o.a.w.c.crypto.AlgorithmSuiteValidator   : SignatureMethod
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 does not match 
> required values
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [           main]
> o.a.cxf.phase.PhaseInterceptorChain      : Invoking handleFault on
> interceptor
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor@16a9eb2e
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [           main]
> o.a.cxf.phase.PhaseInterceptorChain      : Invoking handleFault on
> interceptor
> org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor@257e0827
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [           main]
> o.a.cxf.phase.PhaseInterceptorChain      : Invoking handleFault on
> interceptor
> org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor@806996
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [           main]
> o.a.cxf.phase.PhaseInterceptorChain      : Invoking handleFault on
> interceptor
> org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor@697a34af
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [           main]
> o.a.cxf.phase.PhaseInterceptorChain      : Invoking handleFault on
> interceptor
> org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor@38e7ed69
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [           main]
> o.a.cxf.phase.PhaseInterceptorChain      : Invoking handleFault on
> interceptor org.apache.cxf.frontend.WSDLGetInterceptor@2a367e93
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [           main]
> o.a.cxf.phase.PhaseInterceptorChain      : Invoking handleFault on
> interceptor
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxInInterceptor@76332405
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [           main]
> o.a.cxf.phase.PhaseInterceptorChain      : Invoking handleFault on
> interceptor org.apache.cxf.interceptor.StaxInInterceptor@1a6dc589
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [           main]
> o.a.cxf.phase.PhaseInterceptorChain      : Invoking handleFault on
> interceptor org.apache.cxf.interceptor.AttachmentInInterceptor@7f6874f2
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [           main]
> o.a.cxf.phase.PhaseInterceptorChain      : Invoking handleFault on
> interceptor
> org.apache.cxf.ext.logging.LoggingInInterceptor$LoggingInFaultInterceptor@3fba233d
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [           main]
> o.apache.cxf.ws.addressing.ContextUtils  : retrieving MAPs from 
> context property javax.xml.ws.addressing.context.inbound
> 2018-10-08 12:30:12.730 DEBUG 19280 --- [           main]
> o.apache.cxf.ws.addressing.ContextUtils  : WS-Addressing - failed to 
> retrieve Message Addressing Properties from context
>


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
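One way to carry out the property-based configuration Colm describes, as an added example (not code from this thread or from CXF itself): put the WS-Security properties on the JAX-WS client's request context, or on the server endpoint's properties map, so the asymmetric signature algorithm is overridden to RSA-SHA256 even though the standard AlgorithmSuite still implies RSA-SHA1. The keystore properties file name, key alias and callback-handler class are assumptions; the property names are the ones the CXF WS-Security module documents, and the algorithm URI is the one quoted in the thread.

```java
import java.util.Map;
import javax.xml.ws.BindingProvider;

/**
 * Added example: programmatic WS-Security algorithm configuration for CXF.
 * The same properties work on both sides: on the client they drive signing,
 * on the server they tell AlgorithmSuiteValidator which SignatureMethod to
 * accept (the "does not match required values" rejection in the thread is
 * the receiving side checking exactly this).
 */
public final class Sha256SignatureConfig {

    // XML Signature URI for RSA with SHA-256 (xmldsig-more namespace), the
    // value the thread's fix used. No standard WS-SecurityPolicy AlgorithmSuite
    // selects it, so it must be supplied through this property.
    public static final String RSA_SHA256 =
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    private Sha256SignatureConfig() {}

    /** Apply to a JAX-WS client proxy created from the WSDL. */
    public static void applyToClient(Object port) {
        applyTo(((BindingProvider) port).getRequestContext());
    }

    /**
     * Apply to any CXF properties map: a client request context, or the
     * properties map of a server-side endpoint (e.g. EndpointImpl.getProperties()).
     */
    public static void applyTo(Map<String, Object> props) {
        // Signing key material; file name and alias are assumptions. The
        // properties file is a standard WSS4J Merlin keystore configuration.
        props.put("ws-security.signature.properties", "client-sign.properties");
        props.put("ws-security.signature.username", "clientkey");
        // Assumed class that returns the private-key password to WSS4J.
        props.put("ws-security.callback-handler",
                  "com.example.KeystorePasswordCallback");

        // Override the AlgorithmSuite's asymmetric signature algorithm. Without
        // this, Basic256Sha256Rsa15 (SHA-256 digests) still signs with RSA-SHA1.
        props.put("ws-security.asymmetric.signature.algorithm", RSA_SHA256);
    }
}
```

Both endpoints must carry the override; if only the sender sets it, the receiver's validator will still reject rsa-sha256 against the suite's required values, as the quoted DEBUG log shows.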
