Discussion:
Better support for newer signature algorithm
m***@gmail.com
2018-10-08 16:52:13 UTC
These days we cannot allow anything below SHA2; so it took me a lot of troubleshooting to resolve the error below, and I only found a fix by adding this:
properties.put("ws-security.asymmetric.signature.algorithm","http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");

I would have liked adding this to the ws-securitypolicy but could not find any way to use the newer ones like the one above, and the best I could do was this:
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256Sha256Rsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>

It would be nice if this were supported out of the box or discoverable from the keystore signing side.

2018-10-08 12:30:12.726 DEBUG 19280 --- [ main] o.a.w.dom.processor.SignatureProcessor : Verify XML Signature
2018-10-08 12:30:12.727 DEBUG 19280 --- [ main] o.a.w.c.crypto.AlgorithmSuiteValidator : SignatureMethod http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 does not match required values
2018-10-08 12:30:12.730 DEBUG 19280 --- [ main] o.a.cxf.phase.PhaseInterceptorChain : Invoking handleFault on interceptor ***@16a9eb2e
2018-10-08 12:30:12.730 DEBUG 19280 --- [ main] o.a.cxf.phase.PhaseInterceptorChain : Invoking handleFault on interceptor ***@257e0827
2018-10-08 12:30:12.730 DEBUG 19280 --- [ main] o.a.cxf.phase.PhaseInterceptorChain : Invoking handleFault on interceptor ***@806996
2018-10-08 12:30:12.730 DEBUG 19280 --- [ main] o.a.cxf.phase.PhaseInterceptorChain : Invoking handleFault on interceptor ***@697a34af
2018-10-08 12:30:12.730 DEBUG 19280 --- [ main] o.a.cxf.phase.PhaseInterceptorChain : Invoking handleFault on interceptor ***@38e7ed69
2018-10-08 12:30:12.730 DEBUG 19280 --- [ main] o.a.cxf.phase.PhaseInterceptorChain : Invoking handleFault on interceptor ***@2a367e93
2018-10-08 12:30:12.730 DEBUG 19280 --- [ main] o.a.cxf.phase.PhaseInterceptorChain : Invoking handleFault on interceptor ***@76332405
2018-10-08 12:30:12.730 DEBUG 19280 --- [ main] o.a.cxf.phase.PhaseInterceptorChain : Invoking handleFault on interceptor ***@1a6dc589
2018-10-08 12:30:12.730 DEBUG 19280 --- [ main] o.a.cxf.phase.PhaseInterceptorChain : Invoking handleFault on interceptor ***@7f6874f2
2018-10-08 12:30:12.730 DEBUG 19280 --- [ main] o.a.cxf.phase.PhaseInterceptorChain : Invoking handleFault on interceptor org.apache.cxf.ext.logging.LoggingInInterceptor$***@3fba233d
2018-10-08 12:30:12.730 DEBUG 19280 --- [ main] o.apache.cxf.ws.addressing.ContextUtils : retrieving MAPs from context property javax.xml.ws.addressing.context.inbound
2018-10-08 12:30:12.730 DEBUG 19280 --- [ main] o.apache.cxf.ws.addressing.ContextUtils : WS-Addressing - failed to retrieve Message Addressing Properties from context
Colm O hEigeartaigh
2018-10-11 13:48:16 UTC
Hi,

The problem is that the WS-SecurityPolicy specs have never been updated to
use newer signature algorithms (RSA-SHA 256, GCM, etc.) that are available
in the newer XML Signature specs. So we have no standard AlgorithmSuites
that use RSA-SHA 256. The best we can do is to configure the signature
algorithms via properties (you also have the option of defining custom
AlgorithmSuites in WS-SecurityPolicy - see
http://coheigea.blogspot.com/2011/09/specifying-custom-algorithmsuite.html)
although that is obviously not interoperable.

Colm.
--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
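To make concrete why the standard suite rejects the message even though its digest is already SHA-256, here is an added example (not CXF or WSS4J code) that models the check AlgorithmSuiteValidator applies to the ds:SignedInfo of an inbound signature. The suite table is taken from the WS-SecurityPolicy 1.2 definitions, restricted to the signature-relevant properties; the sample ds:Signature is constructed with placeholder values, and the `asym_sig_override` parameter is a stand-in for what the ws-security.asymmetric.signature.algorithm property does, assumed here to replace the suite's required signature URI rather than add to it.

```python
"""Model of the AlgorithmSuite check that WSS4J's AlgorithmSuiteValidator
applies to an inbound XML Signature. Added illustration, not CXF/WSS4J code:
the suite table comes from WS-SecurityPolicy 1.2 and the override parameter
stands in for the ws-security.asymmetric.signature.algorithm property."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"

# Standard WS-SecurityPolicy 1.2 suites (signature-relevant properties only).
# "Sha256" in a suite name selects the digest algorithm; the asymmetric
# signature algorithm of every standard suite is RSA-SHA1, and "Rsa15" only
# changes the asymmetric key-wrap algorithm, which is not modelled here.
STANDARD_SUITES = {
    "Basic256":            {"c14n": EXC_C14N, "digest": SHA1,   "asym_sig": RSA_SHA1},
    "Basic256Sha256":      {"c14n": EXC_C14N, "digest": SHA256, "asym_sig": RSA_SHA1},
    "Basic256Sha256Rsa15": {"c14n": EXC_C14N, "digest": SHA256, "asym_sig": RSA_SHA1},
}


def parse_signed_info(xml_text):
    """Pull the algorithm URIs out of ds:SignedInfo. No cryptographic
    verification happens here: the suite check is a policy check on the
    declared algorithms, separate from verifying the signature value."""
    root = ET.fromstring(xml_text)
    signed_info = root.find(f".//{{{DS}}}SignedInfo")
    if signed_info is None:
        raise ValueError("no ds:SignedInfo element")
    return {
        "c14n": signed_info.find(f"{{{DS}}}CanonicalizationMethod").get("Algorithm"),
        "asym_sig": signed_info.find(f"{{{DS}}}SignatureMethod").get("Algorithm"),
        "digests": [
            ref.find(f"{{{DS}}}DigestMethod").get("Algorithm")
            for ref in signed_info.findall(f"{{{DS}}}Reference")
        ],
    }


def check_signature_algorithms(xml_text, suite_name, asym_sig_override=None):
    """Return the list of policy violations; an empty list means the suite is met.

    asym_sig_override models the CXF property as an assumption: the suite's
    required asymmetric signature URI is replaced, so after overriding to
    RSA-SHA256 an RSA-SHA1 signature is rejected, not additionally allowed."""
    required = dict(STANDARD_SUITES[suite_name])
    if asym_sig_override is not None:
        required["asym_sig"] = asym_sig_override
    found = parse_signed_info(xml_text)
    problems = []
    if found["c14n"] != required["c14n"]:
        problems.append(f"CanonicalizationMethod {found['c14n']} does not match required values")
    if found["asym_sig"] != required["asym_sig"]:
        problems.append(f"SignatureMethod {found['asym_sig']} does not match required values")
    for digest in found["digests"]:
        if digest != required["digest"]:
            problems.append(f"DigestMethod {digest} does not match required values")
    return problems


def sample_signature(sig_method, digest_method):
    """Constructed ds:Signature skeleton with placeholder values (not a real signature)."""
    return f"""<ds:Signature xmlns:ds="{DS}">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/>
    <ds:SignatureMethod Algorithm="{sig_method}"/>
    <ds:Reference URI="#Body">
      <ds:DigestMethod Algorithm="{digest_method}"/>
      <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
</ds:Signature>"""


if __name__ == "__main__":
    msg = sample_signature(RSA_SHA256, SHA256)
    # Reproduces the log line from the thread: the standard suite wants RSA-SHA1.
    print(check_signature_algorithms(msg, "Basic256Sha256Rsa15"))
    # With the override, RSA-SHA256 is accepted ...
    print(check_signature_algorithms(msg, "Basic256Sha256Rsa15", RSA_SHA256))
    # ... and an RSA-SHA1 signature is now the one that fails.
    print(check_signature_algorithms(sample_signature(RSA_SHA1, SHA256),
                                     "Basic256Sha256Rsa15", RSA_SHA256))
```

Two things follow from the model. The error in the thread is not about the digest: Basic256Sha256Rsa15 already requires SHA-256 digests, but its asymmetric signature algorithm is still RSA-SHA1, so an RSA-SHA256 SignatureMethod fails the suite. And because the override replaces the required value, setting it to RSA-SHA256 on the receiving side also turns RSA-SHA1 signatures into policy failures, which is what you want when SHA-1 is banned, but it means both peers have to switch together.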
Mark Diskin
2018-10-11 14:20:57 UTC
I understand, and it's a beast to figure out; I spent a weekend trying to get it to work.

Is there a reason why you don't add all of them to your algorithm default builder?

Given the lack of updates (I'm assuming it's EOL now) to the WS-SecurityPolicy, would you recommend not using WS-Policy and going more to a programmatic definition?

Colm O hEigeartaigh
2018-10-16 10:37:07 UTC
Post by Mark Diskin
Is there a reason why you don't add all of them to your algorithm default builder?
I'm not sure what you mean here. Do you mean why don't we add default
support for custom RSA-SHA2 algorithm suites? Yes we could do that if there
was demand for it - we offer the custom GCM algorithm suites by default. Is
it something you're interested in?

Post by Mark Diskin
Given the lack of updates (I'm assuming it's EOL now) to the WS-SecurityPolicy, would you recommend not using WS-Policy and going more to a programmatic definition?
WS-SecurityPolicy is still useful, but if you are concerned about using
RSA-SHA256 then either define a custom AlgorithmSuite or use the property
to override the signature algorithm.

Colm.
--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com