axis-java-user mailing list archives

From "Harsha Venkataramu" <vhar...@gmail.com>
Subject Re: Rampart Issues with EncryptBeforeSigning
Date Tue, 18 Dec 2007 07:27:26 GMT
Hi Nandana & Martin,

Thanks for the quick response.

1) I now understand why Rampart puts <ReferenceList> outside
<EncryptedKey> in the EncryptBeforeSigning case. But, how about this
requirement in BSP 1.0?:

http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html#EncryptedKey_ReferenceList_Preferred

I guess it says "SHOULD" and not "MUST"? A colleague of mine mentioned
that Rampart-C bails out if an <EncryptedKey> does not contain
<ReferenceList>. Not absolutely certain about this though. However, I
know from my own testing that Rampart-Java is able to process
<ReferenceList> under the <Security> header.

2) I'll file a bug against the handling of headers. I think, right
now, only signing of headers works. EncryptionOnly,
SignBeforeEncrypting and EncryptBeforeSigning are all broken. When
encrypting a header, Rampart ends up replacing the entire header with
the <EncryptedData> element. As per my understanding (which could be
wrong!), only the "content" of the header should be replaced by
<EncryptedData>, going by this:

http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html#EncryptedHeaders

If we fixed this, it automatically takes care of the issue I brought
up earlier, with EncryptBeforeSigning.

Harsha

On Dec 17, 2007 9:06 PM, Martin Gainty <mgainty@hotmail.com> wrote:
>
>
> Here is the SignedParts node I have in my policy.xml for Rampart 1.3
>    <sp:SignedParts
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>     <sp:Body/>
>    </sp:SignedParts>
> Can you display the policy.xml so we can compare to the Rampart 1.3
> Examples?
>
> Thanks/
> M-
>
>
>
> ----- Original Message -----
> From: Nandana Mihindukulasooriya
> To: axis-user@ws.apache.org
> Sent: Monday, December 17, 2007 7:10 AM
> Subject: Re: Rampart Issues with EncryptBeforeSigning
>
> Hi Harsha,
>
>
>
> > 1) When I set <EncryptedParts> and <SignedParts> to <Body>,
> > <ReferenceList> gets added as a direct child of the <wsse:Security>
> > header. However, when I use <SignBeforeEncrypting>, <ReferenceList>
> > gets added to <EncryptedKey>. Why this difference?
>
>
> This is because Rampart processes the elements in the security header in the
> order they appear in the security header. So for the signature to be correctly
> verified,
>
> SignBeforeEncrypt case :
>     Reference List must appear before the Signature element. ( so the
> signature is verified over decrypted elements ).
>
> EncryptBeforeSign case :
>    Signature must appear before the Reference List element. ( so the
> signature is verified over encrypted elements ).
>
> So in the sign before encrypt case we can add the reference list to
> encrypted
> key as an internal reference.
>
> But in the encrypt before sign case, we have to use external reference as
> the
> reference list has to go after the signature element.
>
>
>
> > 2) When I set <EncryptedParts> and <SignedParts> to some header,
> > Rampart does the encryption correctly, but doesn't sign. I dug into
> > the code and found that after the message is encrypted the original
> > nodes are no longer there (because they have been replaced by
> > <EncryptedData> elements) and therefore, the signing function can't
> > find any nodes to sign.
> >
>
>
> Can you please raise a JIRA in Rampart with the policy you used ?
>
> Thanks,
> Nandana
>
>
>
> >
> >
> > Regards,
> > Harsha
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
> > For additional commands, e-mail: axis-user-help@ws.apache.org
> >
> >
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org
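Added example (not code from this thread, Rampart or WSS4J): a small Python checker that makes the two points above concrete on constructed SOAP envelopes. It lists the children of wsse:Security in document order and infers from the position of the ReferenceList relative to the Signature whether a receiver that processes the header in document order will verify the signature over plaintext (sign-before-encrypt, internal ReferenceList inside EncryptedKey) or over ciphertext (encrypt-before-sign, external ReferenceList after the Signature). It also reports whether an encrypted header block kept its element with only its content replaced, or was replaced as a whole by xenc:EncryptedData, and lists ds:Reference URIs that no longer resolve to any Id, which is the "signing function can't find any nodes to sign" symptom Harsha describes. The namespaces are the standard WSS 1.0, XML Signature and XML Encryption ones; the `t:Ticket` header, the ids and the base64 values are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Standard namespaces for SOAP 1.1, WS-Security 1.0, XML Signature and XML Encryption.
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

def local(tag):
    """Strip the namespace part from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]

def security_header_order(envelope_xml):
    """Direct children of wsse:Security in document order. A ReferenceList nested inside
    EncryptedKey (the internal-reference form) is listed as 'EncryptedKey/ReferenceList'."""
    sec = ET.fromstring(envelope_xml).find("soapenv:Header/wsse:Security", NS)
    names = []
    for child in sec:
        names.append(local(child.tag))
        if local(child.tag) == "EncryptedKey" and child.find("xenc:ReferenceList", NS) is not None:
            names.append("EncryptedKey/ReferenceList")
    return names

def classify_ordering(names):
    """Which protection order a receiver that processes children in document order is set up for."""
    if "Signature" not in names:
        return "encrypt-only"
    sig = names.index("Signature")
    refs = [i for i, n in enumerate(names) if n in ("ReferenceList", "EncryptedKey/ReferenceList")]
    if not refs:
        return "sign-only"
    # Decryption happens when the ReferenceList is reached: a ReferenceList before the Signature
    # means the signature is checked over plaintext; after it, over the still-encrypted elements.
    return "sign-before-encrypt" if min(refs) < sig else "encrypt-before-sign"

def header_encryption_shape(envelope_xml, header_local):
    """'content': header element kept, only its content replaced by xenc:EncryptedData;
    'whole': the element itself (and its wsu:Id) was replaced; 'plain': not encrypted."""
    hdr = ET.fromstring(envelope_xml).find("soapenv:Header", NS)
    for child in hdr:
        if local(child.tag) == header_local:
            return "content" if child.find("xenc:EncryptedData", NS) is not None else "plain"
    # The named header block is gone; an EncryptedData directly under Header took its place.
    return "whole" if any(local(c.tag) == "EncryptedData" for c in hdr) else "missing"

def dangling_signature_references(envelope_xml):
    """ds:Reference URIs that no element's wsu:Id or Id resolves to. When a whole header
    element is replaced, its wsu:Id disappears and the signature has nothing to reference."""
    root = ET.fromstring(envelope_xml)
    ids = set()
    for el in root.iter():
        for attr in ("{%s}Id" % NS["wsu"], "Id"):
            if attr in el.attrib:
                ids.add(el.attrib[attr])
    return [ref.get("URI", "") for ref in root.iter("{%s}Reference" % NS["ds"])
            if ref.get("URI", "").startswith("#") and ref.get("URI")[1:] not in ids]

def envelope(security_children, header_block):
    """Constructed SOAP 1.1 envelope skeleton (sample data, not captured traffic)."""
    return ('<soapenv:Envelope xmlns:soapenv="%s" xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s" '
            'xmlns:xenc="%s" xmlns:t="urn:example:ticket"><soapenv:Header>%s<wsse:Security>%s'
            '</wsse:Security></soapenv:Header><soapenv:Body wsu:Id="body-1"><t:Order>42</t:Order>'
            '</soapenv:Body></soapenv:Envelope>') % (NS["soapenv"], NS["wsse"], NS["wsu"],
                                                     NS["ds"], NS["xenc"], header_block, security_children)

# Constructed fragments: the signature references the Ticket header and the Body.
SIG = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#hdr-1"/><ds:Reference URI="#body-1"/>'
       '</ds:SignedInfo><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>')
CIPHER = '<xenc:CipherData><xenc:CipherValue>a2V5</xenc:CipherValue></xenc:CipherData>'
REFLIST = '<xenc:ReferenceList><xenc:DataReference URI="#ed-1"/></xenc:ReferenceList>'
EK_INTERNAL = '<xenc:EncryptedKey Id="ek-1">' + CIPHER + REFLIST + '</xenc:EncryptedKey>'
EK_EXTERNAL = '<xenc:EncryptedKey Id="ek-1">' + CIPHER + '</xenc:EncryptedKey>'
ED = ('<xenc:EncryptedData Id="ed-1" Type="http://www.w3.org/2001/04/xmlenc#Content">'
      + CIPHER + '</xenc:EncryptedData>')
HEADER_CONTENT = '<t:Ticket wsu:Id="hdr-1">' + ED + '</t:Ticket>'   # element survives
HEADER_WHOLE = ED.replace("#Content", "#Element")                    # Ticket and hdr-1 gone

ENCRYPT_BEFORE_SIGN = envelope(EK_EXTERNAL + SIG + REFLIST, HEADER_CONTENT)
SIGN_BEFORE_ENCRYPT = envelope(EK_INTERNAL + SIG, HEADER_CONTENT)
WHOLE_HEADER_REPLACED = envelope(EK_EXTERNAL + SIG + REFLIST, HEADER_WHOLE)

if __name__ == "__main__":
    for name, msg in (("encrypt-before-sign", ENCRYPT_BEFORE_SIGN),
                      ("sign-before-encrypt", SIGN_BEFORE_ENCRYPT),
                      ("whole-header-replaced", WHOLE_HEADER_REPLACED)):
        order = security_header_order(msg)
        print(name, order, classify_ordering(order),
              header_encryption_shape(msg, "Ticket"), dangling_signature_references(msg))
```

The third sample reproduces the failure described in the thread: once the whole `t:Ticket` element is replaced, `dangling_signature_references` reports `#hdr-1`, whereas the content-only form keeps the element and its `wsu:Id` available for the signature step that runs afterwards.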

