cxf-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: SymmetricBinding key exchange and signing
Date Tue, 07 May 2013 10:26:05 GMT
> Following these derived key tokens there are two xenc:EncryptedData
> elements remaining in the header. I assume one of them is the
> SignedEncryptedSupportingTokens UsernameToken. What would the other be?
> The message signature encrypted (the
> sp:EncryptSignature element perhaps)?

Yes, exactly. If you change logging to DEBUG you will see what is decrypted
in your logging output.

Colm.


On Tue, May 7, 2013 at 1:11 AM, Josh Hill <Josh.Hill@finzsoft.com> wrote:

> > The client generates the Symmetric Key and then encrypts it with the
> > public key of the STS. The request is signed + encrypted with the Symmetric
> > Key. The STS decrypts the received symmetric key, and uses it to decrypt + verify
> > the signature on the request. So, you are correct in stating that the
> > symmetric key is not itself signed.
>
> Thanks Colm. I appreciate your time. I plan on writing a detailed blog
> post covering the flow and logic behind what is happening between the WSC,
> WSP, and STS. Something others will hopefully find useful.
>
> I see the soap message sent from client to sts contains an
> xenc:EncryptedKey element which I assume is the client generated symmetric
> key encrypted using the sts public key. Below this element there are two
> wsc:DerivedKeyToken elements, these are derived from the symmetric key
> (once the sts decrypts it) correct?
>
> Following these derived key tokens there are two xenc:EncryptedData
> elements remaining in the header. I assume one of them is the
> SignedEncryptedSupportingTokens UsernameToken. What would the other be? The
> message signature encrypted (the sp:EncryptSignature element perhaps)?
>
> Josh
>
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Tuesday, 7 May 2013 1:30 a.m.
> To: Josh Hill
> Cc: users@cxf.apache.org
> Subject: Re: SymmetricBinding key exchange and signing
>
> > Is there not some exchange of the generated key between the client and
> > STS? If the client signs (and encrypts) the request how does
> > the STS have the generated key to verify signature and decrypt? My
> > original question suggested that it is exchanged by encrypting it
> > with the STS public key but not sure how it is signed in this exchange.
> > Perhaps the exchange of the generated key isn't signed?
> The client generates the Symmetric Key and then encrypts it with the
> public key of the STS. The request is signed + encrypted with the Symmetric
> Key. The STS decrypts the received symmetric key, and uses it to decrypt +
> verify the signature on the request. So, you are correct in stating that
> the symmetric key is not itself signed.
> Colm.
>
> On Sun, May 5, 2013 at 8:56 PM, Josh Hill <Josh.Hill@finzsoft.com> wrote:
> Andrei,
>
> Yes I have the IssuedToken policy on the WSP (not shown). The below
> policies are on my STS service. The question was in regards to connecting
> to the STS service to have a token issued (or renewed, or validated). I
> authenticate using the SignedEncryptedSupportingTokens UsernameToken. What
> I'm trying to figure out is how the key generated by the client for
> symmetric binding is exchanged with the STS service so that it can
> sign/verify encrypt/decrypt messages with the client.
>
>
> Colm,
>
> Is there not some exchange of the generated key between the client and
> STS? If the client signs (and encrypts) the request how does the STS have
> the generated key to verify signature and decrypt? My original question
> suggested that it is exchanged by encrypting it with the STS public key but
> not sure how it is signed in this exchange. Perhaps the exchange of the
> generated key isn't signed?
>
> I appreciate your time.
>
> Josh
>
> >
>
> Josh Hill
> Senior Java Developer
>
>
> sovereign finance and banking software
>
> A Level 1, Building C, Millennium Centre, 602 Great South Road, Greenlane,
> Auckland, New Zealand
> D 64 9 571 6812     P 64 9 571 6800   F 64 9 571 6899
> E Josh.Hill@finzsoft.com   W http://www.finzsoft.com
>
> Please note: This email contains information that is confidential and may
> be privileged. If you are not the intended recipient, you must not peruse,
> use, disseminate, distribute or copy this email or attachments. If you have
> received this in error, please notify Finzsoft Solutions (New Zealand) Ltd
> immediately by return email and delete this email. Thank you.
>
>
> -----Original Message-----
>
>
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: Saturday, 4 May 2013 12:36 a.m.
> > To: users@cxf.apache.org
> > Subject: Re: SymmetricBinding key exchange and signing
> >
> > The Symmetric key that the client generates signs (and encrypts) the
> > request (SOAP Body). There is no need for a signing certificate as you are using
> > the Symmetric binding. Authentication is enforced via the UsernameToken
> > SupportingToken.
> >
> > Colm.
> >
> >
> > On Fri, May 3, 2013 at 4:25 AM, Josh Hill <Josh.Hill@finzsoft.com> wrote:
> >
> > > My understanding is that the client generates the symmetric key (as
> > > defined by the sp:ProtectionToken i.e. a sp:X509Token) and encrypts it
> > > using the STS's public key (configured on client using
> > > "ws-security.encryption.properties\username"). When sending this
> > > encrypted key to the STS what is it signed with? I haven't set the
> > > "ws-security.signature.properties\username" on my client but the input
> > > policy on the STS requires the sp:Body be signed.
> > >
> > > ...
> > >
> > > <entry key="ws-security.sts.client">
> > >   <bean class="org.apache.cxf.ws.security.trust.STSClient">
> > >     <constructor-arg ref="cxf" />
> > >     <property name="wsdlLocation" value="http://localhost:8080/STS?wsdl" />
> > >     <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService" />
> > >     <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}STS_Port" />
> > >     <property name="properties">
> > >       <map>
> > >         <entry key="ws-security.username" value="bob" />
> > >         <entry key="ws-security.callback-handler" value="ClientCallbackHandler" />
> > >         <entry key="ws-security.encryption.properties" value="clientKeystore.properties" />
> > >         <entry key="ws-security.encryption.username" value="stskey" />
> > >       </map>
> > >     </property>
> > >   </bean>
> > > </entry>
> > >
> > > ...
> > >
> > > <wsp:Policy wsu:Id="STS-UT-Policy">
> > >   <wsp:ExactlyOne>
> > >     <wsp:All>
> > >       <sp:SymmetricBinding>
> > >         <wsp:Policy>
> > >           <sp:ProtectionToken>
> > >             <wsp:Policy>
> > >               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> > >                 <wsp:Policy>
> > >                   <sp:RequireDerivedKeys/>
> > >                   <sp:RequireThumbprintReference/>
> > >                   <sp:WssX509V3Token10/>
> > >                 </wsp:Policy>
> > >               </sp:X509Token>
> > >             </wsp:Policy>
> > >           </sp:ProtectionToken>
> > >           <sp:AlgorithmSuite>
> > >             <wsp:Policy>
> > >               <sp:Basic256/>
> > >             </wsp:Policy>
> > >           </sp:AlgorithmSuite>
> > >           <sp:Layout>
> > >             <wsp:Policy>
> > >               <sp:Lax/>
> > >             </wsp:Policy>
> > >           </sp:Layout>
> > >           <sp:IncludeTimestamp/>
> > >           <sp:EncryptSignature/>
> > >           <sp:OnlySignEntireHeadersAndBody/>
> > >         </wsp:Policy>
> > >       </sp:SymmetricBinding>
> > >       <sp:SignedEncryptedSupportingTokens>
> > >         <wsp:Policy>
> > >           <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> > >             <wsp:Policy>
> > >               <sp:HashPassword/>
> > >               <sp:WssUsernameToken10/>
> > >             </wsp:Policy>
> > >           </sp:UsernameToken>
> > >         </wsp:Policy>
> > >       </sp:SignedEncryptedSupportingTokens>
> > >       <sp:Wss11>
> > >         <wsp:Policy>
> > >           <sp:MustSupportRefKeyIdentifier/>
> > >           <sp:MustSupportRefIssuerSerial/>
> > >           <sp:MustSupportRefThumbprint/>
> > >           <sp:MustSupportRefEncryptedKey/>
> > >         </wsp:Policy>
> > >       </sp:Wss11>
> > >       <sp:Trust13>
> > >         <wsp:Policy>
> > >           <sp:MustSupportIssuedTokens/>
> > >           <sp:RequireClientEntropy/>
> > >           <sp:RequireServerEntropy/>
> > >         </wsp:Policy>
> > >       </sp:Trust13>
> > >     </wsp:All>
> > >   </wsp:ExactlyOne>
> > > </wsp:Policy>
> > >
> > > <wsp:Policy wsu:Id="STS-Input-Policy">
> > >   <wsp:ExactlyOne>
> > >     <wsp:All>
> > >       <sp:SignedParts>
> > >         <sp:Body/>
> > >       </sp:SignedParts>
> > >       <sp:EncryptedParts>
> > >         <sp:Body/>
> > >       </sp:EncryptedParts>
> > >     </wsp:All>
> > >   </wsp:ExactlyOne>
> > > </wsp:Policy>
> > >
> > > <wsp:Policy wsu:Id="STS-Output-Policy">
> > >   <wsp:ExactlyOne>
> > >     <wsp:All>
> > >       <sp:SignedParts>
> > >         <sp:Body/>
> > >       </sp:SignedParts>
> > >       <sp:EncryptedParts>
> > >         <sp:Body/>
> > >       </sp:EncryptedParts>
> > >     </wsp:All>
> > >   </wsp:ExactlyOne>
> > > </wsp:Policy>
> > >
> > >
> > >
> > >
> > >
> > >
> > > ______________________________________________________________________
> > > This email has been scanned by the Symantec Email Security.cloud service.
> > > ______________________________________________________________________
> > >
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
>
>
>
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
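The exchange Colm describes above (the client wraps a fresh symmetric key for the STS, derives keys from it and signs the Body; the STS unwraps the key and verifies), as an added Go example that is not part of the thread or of CXF/WSS4J: RSA-OAEP stands in for xenc:EncryptedKey, P_SHA-1 for wsc:DerivedKeyToken and HMAC-SHA1 over the Body for the signature, using the Basic256 key sizes from Josh's policy. The derivation label, the nonce and the Body are constructed values, and encryption of the Body is left out.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
)

const label = "WS-SecureConversationWS-SecureConversation" // assumed WS-SecureConversation default label
// pSHA1 is the wsc:DerivedKeyToken derivation (TLS P_SHA-1): A(0)=seed, A(i)=HMAC(secret, A(i-1)),
// stream = HMAC(secret, A(1)+seed) | HMAC(secret, A(2)+seed) | ...; key = stream[offset:offset+length].
func pSHA1(secret, seed []byte, offset, length int) []byte {
	var out []byte
	a := seed
	for len(out) < offset+length {
		m := hmac.New(sha1.New, secret)
		m.Write(a)
		a = m.Sum(nil)
		m = hmac.New(sha1.New, secret)
		m.Write(a)
		m.Write(seed)
		out = append(out, m.Sum(nil)...)
	}
	return out[offset : offset+length]
}
// sign derives the 192-bit signing key (Basic256 signature derived-key length) and HMACs the Body.
func sign(secret, nonce, body []byte) []byte {
	m := hmac.New(sha1.New, pSHA1(secret, append([]byte(label), nonce...), 0, 24))
	m.Write(body)
	return m.Sum(nil)
}
// clientRequest: generate the secret, wrap it for the STS (xenc:EncryptedKey, RSA-OAEP), sign the Body.
func clientRequest(stsPub *rsa.PublicKey, body, nonce []byte) (wrapped, mac []byte, err error) {
	secret := make([]byte, 32) // Basic256: 256-bit symmetric key; the wrapped key is never signed itself
	if _, err = rand.Read(secret); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha1.New(), rand.Reader, stsPub, secret, nil)
	return wrapped, sign(secret, nonce, body), err
}
// stsVerify: unwrap with the STS private key, re-derive the signing key from the nonce, check the HMAC.
func stsVerify(stsPriv *rsa.PrivateKey, wrapped, nonce, body, mac []byte) bool {
	secret, err := rsa.DecryptOAEP(sha1.New(), rand.Reader, stsPriv, wrapped, nil)
	if err != nil { // not wrapped for this STS key: only its holder can reach the secret
		return false
	}
	return hmac.Equal(sign(secret, nonce, body), mac)
}
```

Because the signature key exists only inside the wrapped secret, a request whose Body is altered, whose nonce is changed, or whose key was wrapped for a different STS fails verification; that is why the wrapped key needs no signature of its own.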
