[
https://issues.apache.org/jira/browse/CXF-3646?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13061863#comment-13061863
]
Colm O hEigeartaigh commented on CXF-3646:
------------------------------------------
Hi,
The current implementation is correct according to the spec. RSA-SHA1 is the
only algorithm used for asymmetric signature, even if you specify a
"Basic256Sha256..." algorithm suite:
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/cd/ws-securitypolicy-1.3-spec-cs-01.html#_Toc212617835
At least that's my reading of the spec - it seems a bit odd that the
asymmetric signature algorithm doesn't vary according to the Algorithm suite.
Colm.
> Use of asymmetric key is implicit and defaults to RSA_SHA1 in the security
> policy implementation
> ------------------------------------------------------------------------------------------------
>
> Key: CXF-3646
> URL: https://issues.apache.org/jira/browse/CXF-3646
> Project: CXF
> Issue Type: Bug
> Components: Core, WS-* Components
> Affects Versions: 2.3.2, 2.5
> Environment: Linux
> Reporter: vaidya.krishnamurthy
> Labels: security
>
> Since the use of SHA1 has been recently discouraged I tried to switch to
> using at least SHA256 ( http://www.w3.org/TR/xmldsig-core1/#sec-MessageDigests
> )
> Currently the policy is set like this in the wsdl file :
> <sp:AlgorithmSuite>
>   <wsp:Policy>
>     <sp:Basic256Sha256Rsa15/>
>   </wsp:Policy>
> </sp:AlgorithmSuite>
> From the log I can see that a part of the message is signed with
> rsa-sha1
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-2">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <ds:Reference URI="#Timestamp-1">
>
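Added example (not part of the original message and not CXF code): a small check that reads a logged message and reports, per ds:Signature, which SignatureMethod and DigestMethod algorithms were actually used on the wire, so the asymmetric signature algorithm can be verified independently of the configured algorithm suite. The sample input is constructed; its DigestMethod line is an assumption, since the log in the report is cut off before that element.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# XML Signature algorithm URIs that rely on SHA-1.
SHA1_URIS = {DS + "rsa-sha1", DS + "dsa-sha1", DS + "hmac-sha1", DS + "sha1"}

# Constructed sample modelled on the log excerpt in the report; the
# DigestMethod and DigestValue lines are assumed, not taken from the page.
SAMPLE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-2">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#Timestamp-1">
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>constructed</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
</ds:Signature>"""


def audit_signatures(xml_text):
    """Return one finding per ds:Signature found anywhere in the document."""
    root = ET.fromstring(xml_text)
    findings = []
    for sig in root.iter("{%s}Signature" % DS):
        info = sig.find("{%s}SignedInfo" % DS)
        if info is None:
            continue
        method = info.find("{%s}SignatureMethod" % DS)
        sig_alg = method.get("Algorithm") if method is not None else None
        # Map each signed reference to the digest algorithm applied to it.
        digests = {}
        for ref in info.findall("{%s}Reference" % DS):
            dm = ref.find("{%s}DigestMethod" % DS)
            digests[ref.get("URI")] = dm.get("Algorithm") if dm is not None else None
        sha1 = [a for a in [sig_alg, *digests.values()] if a in SHA1_URIS]
        findings.append({"id": sig.get("Id"), "signature": sig_alg,
                         "digests": digests, "sha1": sha1})
    return findings


if __name__ == "__main__":
    for finding in audit_signatures(SAMPLE):
        print(finding)
```

A non-empty "sha1" list whose only entry is the SignatureMethod URI matches the behaviour described in the comment above: the digest follows the suite while the asymmetric signature stays on rsa-sha1.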