ws-wss4j-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dittmann, Werner" <werner.dittm...@siemens.com>
Subject AW: SignatureConfirmation with handler chaining
Date Tue, 08 Nov 2005 14:47:05 GMT
Ruchith,

you are right with the hmac-sha1. Well, the XML-SEC library
supports hmac-sha1, but the other mechanisms are not in
place in WSS4J.

Similar to the UT_SIGN (use a key derived from a UsernameToken
to create a Signature) this could be a two step process because
of the handling of the encrypted key.

However, in WSS4J the order of the Signatures would be reversed,
but this should not do any further harm to the receiver.

I'll start to check how to do it / enhance WSS4J to support this.

Regards,
Werner

> -----Urspr√ľngliche Nachricht-----
> Von: Ruchith Fernando [mailto:ruchith.fernando@gmail.com] 
> Gesendet: Dienstag, 8. November 2005 15:25
> An: Dittmann, Werner
> Cc: wss4j-dev@ws.apache.org
> Betreff: Re: SignatureConfirmation with handler chaining
> 
> Hi Werner,
> 
> Great !!!.
> Thanks a lot for the information.
> 
> This is the scenario I'm concerned with: We have to create a session
> key (K), encrypt it with the service's public key (create an encrypted
> key with the key identifier being 'ThumbprintSHA1'). Then K is used to
> do hmac-sha1 of all headers and body - this is the first signaure.
> Then we have to sign (rsa-sha1) the first signature with the client's
> public key using a direct reference to the certificate. The only
> blocker I seem to have with this scenario is that we can't seem to do
> the first signature. I'll attach the sample msg that is expected by
> the service (Indigo) that I'm trying to interoperate with.
> 
> Thanks
> Ruchith
> 
> On 11/8/05, Dittmann, Werner <werner.dittmann@siemens.com> wrote:
> > Ruchith,
> >
> > a specific handling for handler chaining is not necessary
> > anymore. Ut's handled transparently in the SignatureConfirmation
> > code inside WSS4JHandler. Thus you may go on testing it
> > with Axis 2
> >
> > Regards,
> > Werner
> >
> > > -----Urspr√ľngliche Nachricht-----
> > > Von: Werner Dittmann [mailto:Werner.Dittmann@t-online.de]
> > > Gesendet: Freitag, 4. November 2005 14:58
> > > An: Ruchith Fernando
> > > Cc: wss4j-dev@ws.apache.org
> > > Betreff: Re: SignatureConfirmation with handler chaining
> > >
> > > Ruchith,
> > >
> > > need to look at what was wrong when doing chaining. I'll check
> > > my internal testcases and give you some info tomorrow.
> > >
> > > Regards,
> > > Werner
> > >
> > > Ruchith Fernando wrote:
> > > > Hi Werner,
> > > >
> > > > If possible, can you please give me some points as to what
> > > we need to
> > > > do to get sig-confirmation working with handler chaining in
> > > Axis 1.x.
> > > >
> > > > I'm trying to do the same with Axis2 security module.
> > > >
> > > >
> > > >>Sep 6, 2005: Extending WSS4J to the new OASIS specs - first
> > > impl of SignatureConfirmation :
> > > >>
> > > >>If anybody is going to test this _and_ uses the handler chaining
> > > >>feature of WSS4J pls ask for additional info. In this case one
> > > >>specific modification in the WSDD files may be required.
> > > >
> > > >
> > > >
> > > > Thanks,
> > > > Ruchith
> > > >
> > > > On 9/6/05, Werner Dittmann <Werner.Dittmann@t-online.de> wrote:
> > > >
> > > >>All,
> > > >>
> > > >>with the next checkin a first step of the SIgnatureConfirmation
> > > >>feature of WSS 1.1 is done.
> > > >>
> > > >>Because of some open issues with the spec this first 
> implementation
> > > >>assumes:
> > > >>
> > > >>- generate SignatureConfirmation for every Signature of every
> > > >>  wsse:Security header of the request - there my be several
> > > >>  wsse:Security headers in one request (with different 
> actor/role)
> > > >>
> > > >>- place all SignatureConfirmation elements together in one
> > > >>  wsse:Security header of the response. This because it is not
> > > >>  necessary that the wsse:Security headers have a one-to-one
> > > >>  relationship with the request headers.
> > > >>
> > > >>- do not sign SignatureConfirmation yet - here are IMHO
> > > some open issues
> > > >>  in the spec
> > > >>
> > > >>- do not encrypt even if the Signature block of the request was
> > > >>  encrypted. I doubt if such an encryption makes sense.
> > > >>
> > > >>To enable and test this feature you need to download the source
> > > >>from SVN (trunk head), set the variable
> > > "enableSignatureConfirmation"
> > > >>to "true" (for the time being it set to "false" by default).
> > > >>
> > > >>If anybody is going to test this _and_ uses the handler chaining
> > > >>feature of WSS4J pls ask for additional info. In this case one
> > > >>specific modification in the WSDD files may be required.
> > > >>
> > > >>Regards,
> > > >>Werner
> > > >>
> > > >>
> > > >>
> > > >>
> > > >>------------------------------------------------------------
> > > ---------
> > > >>To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> > > >>For additional commands, e-mail: wss4j-dev-help@ws.apache.org
> > > >>
> > > >>
> > > >
> > > >
> > > >
> > > > --
> > > > Ruchith
> > > >
> > > >
> > > 
> ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> > > > For additional commands, e-mail: wss4j-dev-help@ws.apache.org
> > > >
> > > >
> > >
> > >
> > > 
> ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> > > For additional commands, e-mail: wss4j-dev-help@ws.apache.org
> > >
> > >
> >
> 
> 
> --
> Ruchith
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


Mime
View raw message