Hi Colm,
Thanks for your reply!
Let me summarize the issue again:
The issue is only in the response from wss4j (the request is going through fine).
1) wss4j is sending EncryptedKey in the response. wss4j is not using the
symmetric key that comes in the request; rather, it again generates a key while
encrypting the response, so it sends EncryptedKey in the SOAP message. This is not
expected by OWSM.
2) wss4j is signing with the private key instead of using the generated
symmetric key, so the response also has a BST, which again is not expected by OWSM.
I have attached 2 SOAP messages:
1) OWSM expected message (the SOAP message that OWSM sends in response)
2) wss4j actual message (the SOAP message that wss4j sends in response)
Basically, in the case of a symmetric key, signing should be done with the symmetric
key that came in the request; also, encryption of the response should be done
with the symmetric key that came in the request instead of again generating a key
and then sending EncryptedKey in the response.
I see that WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER, if used, will
resolve my purpose of using the symmetric key in signing,
and for the encryption issue, I found the below code segment in WSSecEncrypt:

    // WSSecEncrypt: a fresh symmetric key is generated whenever no
    // ephemeral key has been set beforehand
    if (this.ephemeralKey == null) {
        if (symmetricKey == null) {
            KeyGenerator keyGen = getKeyGenerator();
            this.symmetricKey = keyGen.generateKey();
        }
        this.ephemeralKey = this.symmetricKey.getEncoded();
    }

ephemeralKey is never set in the code.
Thanks
Nitin
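The exchange Nitin describes, as an added example that is not part of this thread and is not WSS4J or OWSM code: the client wraps a session key in an xenc:EncryptedKey, the responder caches the unwrapped key under its WS-Security 1.1 EncryptedKeySHA1 identifier (base64 of the SHA-1 over the raw octets of the EncryptedKey's CipherValue) and signs the response with hmac-sha1 using that same key, so the response carries only a KeyIdentifier, not a second EncryptedKey or a BST. The wrapped-key bytes, the session key and the canonicalized SignedInfo are constructed stand-ins; no RSA unwrapping or XML canonicalization is performed, and the class and function names are this example's own.

```python
# Added example (not WSS4J/OWSM code): model of the WSS 1.1 symmetric-key
# exchange. Constructed values stand in for RSA-wrapped key bytes and for the
# exclusive-C14N form of ds:SignedInfo.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
ENC_KEY_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1"
BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"


def encrypted_key_sha1(cipher_value_b64: str) -> str:
    """EncryptedKeySHA1 identifier: base64(SHA-1(raw octets of xenc:CipherValue))."""
    raw = base64.b64decode(cipher_value_b64)
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def hmac_sha1_b64(key: bytes, signed_info_c14n: bytes) -> str:
    """ds:SignatureValue for the xmldsig#hmac-sha1 SignatureMethod."""
    return base64.b64encode(hmac.new(key, signed_info_c14n, hashlib.sha1).digest()).decode("ascii")


class Responder:
    """Server side: keeps the request's session key, indexed by EncryptedKeySHA1."""

    def __init__(self):
        self._keys = {}

    def receive_request(self, cipher_value_b64: str, unwrapped_key: bytes) -> str:
        # A real handler obtains unwrapped_key by RSA-decrypting CipherValue
        # with its private key; here the caller supplies it (hypothetical).
        ident = encrypted_key_sha1(cipher_value_b64)
        self._keys[ident] = unwrapped_key
        return ident

    def build_response_signature(self, ident: str, signed_info_c14n: bytes) -> ET.Element:
        # Sign with the cached request key and reference it by identifier only.
        key = self._keys[ident]
        sig = ET.Element(f"{{{DS}}}Signature")
        ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = hmac_sha1_b64(key, signed_info_c14n)
        key_info = ET.SubElement(sig, f"{{{DS}}}KeyInfo")
        str_el = ET.SubElement(key_info, f"{{{WSSE}}}SecurityTokenReference")
        kid = ET.SubElement(str_el, f"{{{WSSE}}}KeyIdentifier",
                            {"ValueType": ENC_KEY_SHA1, "EncodingType": BASE64})
        kid.text = ident
        return sig


class Requester:
    """Client side: owns the session key and checks the response header."""

    def __init__(self, session_key: bytes, cipher_value_b64: str):
        self.session_key = session_key
        self.expected_ident = encrypted_key_sha1(cipher_value_b64)

    def verify_response(self, header: ET.Element, signed_info_c14n: bytes) -> bool:
        # Reject a response that wraps a fresh key instead of reusing ours.
        if header.find(f".//{{{XENC}}}EncryptedKey") is not None:
            return False
        kid = header.find(f".//{{{WSSE}}}KeyIdentifier")
        if kid is None or kid.get("ValueType") != ENC_KEY_SHA1 or kid.text != self.expected_ident:
            return False
        sig_val = header.findtext(f".//{{{DS}}}SignatureValue") or ""
        expected = hmac_sha1_b64(self.session_key, signed_info_c14n)
        return hmac.compare_digest(sig_val, expected)


def run_exchange(tamper: bool = False, fresh_encrypted_key: bool = False) -> bool:
    """Drive one request/response round trip; returns the client's verdict."""
    # Constructed sample values (not from any real message).
    session_key = bytes(range(16))
    cipher_value_b64 = base64.b64encode(b"constructed-rsa-wrapped-key-bytes").decode("ascii")
    signed_info = b'<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:SignedInfo>'

    client = Requester(session_key, cipher_value_b64)
    server = Responder()
    ident = server.receive_request(cipher_value_b64, session_key)

    header = ET.Element(f"{{{WSSE}}}Security")
    header.append(server.build_response_signature(ident, signed_info))
    if fresh_encrypted_key:
        # What the thread reports wss4j doing: an EncryptedKey in the response.
        ET.SubElement(header, f"{{{XENC}}}EncryptedKey")
    checked = signed_info.replace(b"...", b"tampered") if tamper else signed_info
    return client.verify_response(header, checked)


if __name__ == "__main__":
    print("reuse of request key accepted:", run_exchange())
    print("fresh EncryptedKey rejected:", not run_exchange(fresh_encrypted_key=True))
```

The piece the thread is missing is the `Responder` cache: the receiving side has to hand the unwrapped request key to the sending side, otherwise the sender has nothing to sign or encrypt with and falls back to generating a key and wrapping it for the client, which is exactly the EncryptedKey and BST that OWSM refuses.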
Colm O hEigeartaigh wrote:
(Forgot to cc the dev list).
Colm.
-----Original Message-----
From: Colm O hEigeartaigh
Sent: 23 April 2009 11:21
To: 'Nitin Handa'
Subject: RE: How to avoid EncryptedKey in responseFlow
Hi Nitin,
> I don't understand the need of having EncryptedKey in the response and
> want to avoid it. wss4j should just sign and encrypt and shouldn't
> encrypt the key.
WSS4J has fairly limited support for encrypting using a symmetric key,
as this is in general not a common use case. Can you detail exactly what
you want to do to the SOAP message? Do you mean both symmetric signature
and encryption? If so, by the former are you referring to using a (H)MAC,
and by the latter directly using 3DES or AES?
Can you attach a copy of the SOAP request that OWSM generates? I can
take a look to see if the WSS4J APIs can generate a similar message
structure. Can you attach the OWSM client policy?
> I also don't understand how it is encrypting the key at the server side
> as it does not have the client's public key.
It falls back to trying to get the public key from the signaturePropFile
configuration.
Colm.
-----Original Message-----
From: Nitin Handa [mailto:[email protected]]
Sent: 22 April 2009 05:22
To: [email protected]
Subject: How to avoid EncryptedKey in responseFlow
Hi,
I just started working on WSS4J. I am doing this effort to test
interop with Oracle's OWSM.
I want to know how to avoid EmbeddedKey in the response (and also don't
understand why it is required to encrypt the key in the response, as it should
only be required in the request flow).
I have OWSM's client policy for symmetric key sign and encrypt (wss11);
this request goes to an Axis service which has the WSS4J policy. The request
goes fine and the response is signed and encrypted by wss4j, but the response is
not understood by OWSM, as the response has EncryptedKey in the SOAP message,
which OWSM doesn't expect.
I don't understand the need of having EncryptedKey in the response and want
to avoid it. wss4j should just sign and encrypt and shouldn't encrypt the
key. I also don't understand how it is encrypting the key at the server side as
it does not have the client's public key.
This is the service.wsdd file:

    <requestFlow>
        <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
            <parameter name="passwordCallbackClass" value="PWCallback1"/>
            <parameter name="action" value="Signature Encrypt"/>
            <parameter name="signaturePropFile" value="crypto.properties"/>
            <parameter name="decryptionPropFile" value="crypto.properties"/>
            <parameter name="encryptionKeyIdentifier" value="DirectReference"/>
            <parameter name="decryptionKeyIdentifier" value="DirectReference"/>
            <parameter name="signatureKeyIdentifier" value="DirectReference"/>
        </handler>
    </requestFlow>
    <responseFlow>
        <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
            <parameter name="passwordCallbackClass" value="PWCallback1"/>
            <parameter name="user" value="orakey"/>
            <parameter name="action" value="Signature Encrypt"/>
            <parameter name="signaturePropFile" value="crypto.properties"/>
            <parameter name="signatureKeyIdentifier" value="DirectReference"/>
            <parameter name="encryptionKeyIdentifier" value="Thumbprint"/>
        </handler>
    </responseFlow>

I have tried many other options too, but they didn't work.
Thanks
Nitin
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-UItEah85m9qGEuzoeW1Zaw22">
        <wsu:Created ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-23T11:31:11Z</wsu:Created>
        <wsu:Expires ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-23T11:36:11Z</wsu:Expires>
      </wsu:Timestamp>
      <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:DataReference URI="#_obSYkYMC1SbAvOHPeusBhQ22"/>
      </xenc:ReferenceList>
      <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:SignedInfo>
          <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
          <dsig:Reference URI="#Timestamp-UItEah85m9qGEuzoeW1Zaw22">
            <dsig:Transforms>
              <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </dsig:Transforms>
            <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <dsig:DigestValue>nlrpB/fhTSDp+TX6zhmF4x7Vrg8=</dsig:DigestValue>
          </dsig:Reference>
          <dsig:Reference URI="#Body-wavVPBymiiwK1NH4O6Qt9Q22">
            <dsig:Transforms>
              <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </dsig:Transforms>
            <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <dsig:DigestValue>7HHby79uWTrnfS+yXK73gAB1Uag=</dsig:DigestValue>
          </dsig:Reference>
          <dsig:Reference URI="#SIGCNFRM-5pYKUEFscf7f3iVA3KBfXA22">
            <dsig:Transforms>
              <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </dsig:Transforms>
            <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <dsig:DigestValue>tdeOQy5eCk3f3CV68c858UWeli8=</dsig:DigestValue>
          </dsig:Reference>
        </dsig:SignedInfo>
        <dsig:SignatureValue>RBUfwnsCuPVKKqtpBIu+M/yzraQ=</dsig:SignatureValue>
        <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
            <wsse:KeyIdentifier xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">slexACwzQmkXgD0OE34OjzCiXKY=</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </dsig:KeyInfo>
      </dsig:Signature>
      <wsse11:SignatureConfirmation xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" Value="D3H1DjvSOeIbiWJwb2qwA5UNx64=" wsu:Id="SIGCNFRM-5pYKUEFscf7f3iVA3KBfXA22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"/>
    </wsse:Security>
  </env:Header>
  <env:Body wsu:Id="Body-wavVPBymiiwK1NH4O6Qt9Q22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content" Id="_obSYkYMC1SbAvOHPeusBhQ22">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
          <wsse:KeyIdentifier xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">slexACwzQmkXgD0OE34OjzCiXKY=</wsse:KeyIdentifier>
        </wsse:SecurityTokenReference>
      </dsig:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue xmlns:xmime="http://www.w3.org/2005/05/xmlmime" xmime:contentType="application/octet-stream">gSmwy9jRME1PkCzbdwyVvFESwK1xJHdnCDAhFCN2061ohovHdVzgc6qMSbeqP8x+PRzyqjx0k2MK
BHBdEqg5T7ujHcbF2Ne/Uk5Z6QEBsE4H8iAYZehnLJIOj+AqtRPtIv/nwchfORH9YolGTyCCtqnJ
4oVz5Hx+fGnT4N9isvKLLnm6MYivz+HtKoh20XyruuNNtqjQprpM/eQO2D+KYUy+HDMix26nSAoB
jsfwvzZbcF043I2bq9/3G4GIB9jteBZuuz+SN46e1zxRw4MZP/RO4TsvH2WVPBsZBwAIzxV+AEYX
xLkQi1z38t7uERmefyUjiDIZkdz6J6K8vKx7EVdK8nXBNVVOWKovH/Wpjs4LWegBV/i7ZYV2Ti6T
8GS8BqkeaAmgqBLRhXIojqwpnyvNoVQAKeovz/XqWnFwz7Y=</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </env:Body>
</env:Envelope>
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1"><wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-22466412"><wsu:Created>2009-04-23T11:33:13.062Z</wsu:Created><wsu:Expires>2009-04-23T11:38:13.062Z</wsu:Expires></wsu:Timestamp><xenc:EncryptedKey Id="EncKeyId-BE6F1D646A5E346C14124048639306230"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"></xenc:EncryptionMethod><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference><wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">A/6KNeEtyjZvLzt9FIQ3v6Jwttw=</wsse:KeyIdentifier></wsse:SecurityTokenReference>
</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>UeP4qTYlcROdgQQjXMqB21VeToOc9qZv232Xc9uP9KEdwJfD3nY4TkHmd/YTaf5Fe7x4v7jHh8UgAg+bNZMPidHGTwgpE4Q8cDsxfjFTb5zeFRbo4185LFx2dCnfYZ0nk/B2ChVv29akzMN4AjIHVVaNc9eh26RdPpWSashUVpQ=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#EncDataId-15948884"></xenc:DataReference></xenc:ReferenceList></xenc:EncryptedKey><wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-1993108">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</wsse:BinarySecurityToken><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-17657950">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#id-15948884">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>r9sWnOa3JAWi0jLKfuLRY6isEZ0=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#SigConf-5632190">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>dJmCEcZAzw3QZITLaoJnp4x15LI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
HV20Phl3rGlzCSuzp2Jz8P+uTDbCOFDHEsGicxdXEAl+Hf5ic3EoTqAyhbt8DqpUh5O94iTWGTOC
nxzKGT1/R0H/be81hXYo8VEBBGFCXOmsGTWDoExILWLy1VHt9gCi6RI/neSb7ldef9ZgwQnJIpvo
FFwtWpRMpGOrw1aahCQ=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-21782573">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-20855925"><wsse:Reference URI="#CertId-1993108" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></wsse:Reference></wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature><wsse11:SignatureConfirmation xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Value="aZyDMz8RezYNJ8KPuPwsT8OaL5M=" wsu:Id="SigConf-5632190"></wsse11:SignatureConfirmation></wsse:Security></soapenv:Header><soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-15948884"><xenc:EncryptedData Id="EncDataId-15948884" Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Reference URI="#EncKeyId-BE6F1D646A5E346C14124048639306230"></wsse:Reference></wsse:SecurityTokenReference>
</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>uFqLTBMD2hj/CgWJzHApNtaJDb6DIWJIz44zGlxwTzMAXdewcJrx1Aoxbd/xp3EDQoytt+9tKMPR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</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soapenv:Body></soapenv:Envelope>