[ 
https://issues.apache.org/jira/browse/RAMPART-111?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542388
 ] 

Paul Anderson commented on RAMPART-111:
---------------------------------------

Even with <sp:SignBeforeEncrypt /> it's the same. Here's my complete policy 
config for Synapse 1.1/Rampart 1.3:-

<wsp:Policy wsu:Id="SigEncr" 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsp:ExactlyOne>
                <wsp:All>
                        <sp:AsymmetricBinding 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                                <wsp:Policy>
                                        <sp:InitiatorToken>
                                                <wsp:Policy>
                                                        <sp:X509Token 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<!--                                                        <sp:X509Token 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">-->
                                                                <wsp:Policy>
<!--<sp:RequireIssuerSerialReference/>-->
<sp:RequireKeyIdentifierReference/>
                                                                
<sp:WssX509V3Token10/>
                                                                </wsp:Policy>
                                                        </sp:X509Token>
                                                </wsp:Policy>
                                        </sp:InitiatorToken>
                                        <sp:RecipientToken>
                                                <wsp:Policy>
                                                </wsp:Policy>
                                        </sp:RecipientToken>
                                        <sp:AlgorithmSuite>
                                                <wsp:Policy>
                                                        <sp:Basic256/>
                                                </wsp:Policy>
                                        </sp:AlgorithmSuite>
                                        <sp:Layout>
                                                <wsp:Policy>
                                                        <sp:Strict/>
                                                </wsp:Policy>
                                        </sp:Layout>
<!--                                    <sp:IncludeTimestamp/>
                                        <sp:OnlySignEntireHeadersAndBody/>-->
                                        <sp:SignBeforeEncrypt />
<!--                                        <sp:EncryptBeforeSigning />-->
                                </wsp:Policy>
                        </sp:AsymmetricBinding>
<!--
<sp:SignedSupportingTokens 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:UsernameToken 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
-->

<!--<wsp:Policy>
<sp:WssUsernameToken10/>
</wsp:Policy>-->

<!--
</sp:UsernameToken>
</wsp:Policy>
</sp:SignedSupportingTokens>
-->
                        <sp:Wss10 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                                <wsp:Policy>
                                        <sp:MustSupportRefKeyIdentifier/>

                                        <sp:MustSupportRefIssuerSerial/>

                                </wsp:Policy>
                        </sp:Wss10>
                        <sp:Wss11 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                                <wsp:Policy>
                                        <sp:MustSupportRefKeyIdentifier/>

                                        <sp:MustSupportRefIssuerSerial/>
                                </wsp:Policy>
                        </sp:Wss11>
                        <sp:SignedParts 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                                <sp:Body/>
                        </sp:SignedParts>
                        <sp:EncryptedParts 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                                <sp:Body/>
                        </sp:EncryptedParts>
        <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy";>
                <ramp:user>alice</ramp:user>
                <ramp:encryptionUser>bob</ramp:encryptionUser>
                
<!--<ramp:passwordCallbackClass>samples.userguide.PWCallback</ramp:passwordCallbackClass>-->
<ramp:passwordCallbackClass>pja.PjaPwCallback</ramp:passwordCallbackClass>
<!--<ramp:signatureKeyIdentifier>IssuerSerial</ramp:signatureKeyIdentifier>-->
<!--<ramp:encryptionKeyIdentifier value="IssuerSerial" />-->
<!--<ramp:encryptionKeyIdentifier value="DirectReference" /-->
<!--<encryptionKeyIdentifier>EmbeddedKeyName</encryptionKeyIdentifier>-->
<!--<encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>-->
                <ramp:signatureCrypto>
                        <ramp:crypto 
provider="org.apache.ws.security.components.crypto.Merlin">
                                <ramp:property 
name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                                <ramp:property 
name="org.apache.ws.security.crypto.merlin.file">repository/conf/sample/resources/security/store.jks</ramp:property>
                                <ramp:property 
name="org.apache.ws.security.crypto.merlin.keystore.password">***</ramp:property>
                        </ramp:crypto>
                </ramp:signatureCrypto>
                <ramp:encryptionCrypto>
                        <ramp:crypto 
provider="org.apache.ws.security.components.crypto.Merlin">
                                <ramp:property 
name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                                <ramp:property 
name="org.apache.ws.security.crypto.merlin.file">repository/conf/sample/resources/security/store.jks</ramp:property>
                                <ramp:property 
name="org.apache.ws.security.crypto.merlin.keystore.password">***</ramp:property>
                        </ramp:crypto>
                </ramp:encryptionCrypto>
        </ramp:RampartConfig>
                </wsp:All>
        </wsp:ExactlyOne>
</wsp:Policy>



> Rampart won't send certificate serial + issuer. Only either BinaryToken or 
> Identity, but not always as it should
> ----------------------------------------------------------------------------------------------------------------
>
>                 Key: RAMPART-111
>                 URL: https://issues.apache.org/jira/browse/RAMPART-111
>             Project: Rampart
>          Issue Type: Bug
>    Affects Versions: 1.3
>         Environment: JDK6 on RHEL3, in Synapse 1.1
>            Reporter: Paul Anderson
>            Assignee: Nandana Mihindukulasooriya
>         Attachments: RAMPART-111.patch
>
>
> Usually, Rampart seems to send BinaryToken (literal certificate) with 
> messages when you specify a signed body and/or signed username token.
> I need to get Rampart to use Key Identifier or Issuer/Serial No. instead, and 
> preferably when UsernameToken's enabled too.
> But I found:
> - If I use signed supporting tokens (username) then Rampart will always send 
> only a literal BinaryToken.
> - If I disable username token, set Body to be signed, and set InitiatorToken 
> Never in my WS-Policy, Rampart sends the key identity as token reference for 
> WS-Security signing.
> But it always does this, even if I try to specify Issuer/Serial as the token 
> reference by including
> <ramp:signatureKeyIdentifier>IssuerSerial</ramp:signatureKeyIdentifier>
> and/or
>                                         <sp:InitiatorToken> 
>                                                 <wsp:Policy> 
>                                                         <sp:X509Token 
> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
>  or Never or AlwaysToRecipient
>                                                                 <wsp:Policy> 
> <sp:RequireIssuerSerialReference/> 
> <!--<sp:RequireKeyIdentifierReference/>--> 
>                                                 <sp:WssX509V3Token10/> 
>                                                                 </wsp:Policy> 
>                                                         </sp:X509Token> 
>                                                 </wsp:Policy> 
>                                         </sp:InitiatorToken> 
> These seemed to have no effect:
>                                         <sp:MustSupportRefKeyIdentifier/>
>                                         <sp:MustSupportRefIssuerSerial/>
> Putting the lines in the RecipientToken as well seemed to have no effect.
> It's a problem for me because on the recipient side I have to be specific 
> about what form the certificate key will come in, and I have 2 WS clients for 
> the same service. I don't want to deploy the service twice just because 
> Rampart can only send BinaryToken.
> I hope there's a nightly build of Axis2 or Rampart alone that I can use to 
> check any fix. Maybe I've misunderstood, and these are undocumented features 
> and not a bug.. Maybe Rampart works OK for SymmetricBinding - I'm using 
> Asymmetric.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
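The reporter's recipient-side problem is that the service has to know which form the signer's token reference will take (a BinarySecurityToken with a direct wsse:Reference, a wsse:KeyIdentifier, or ds:X509IssuerSerial). The following is an added example, not Rampart code and not from the issue reporter: a small Python check that inspects the ds:KeyInfo of the wsse:Security signature and classifies the reference form, so a recipient can fail closed when a client sends a form it is not configured for. The envelopes it parses are constructed and truncated (placeholder base64 instead of real signature and certificate bytes); the namespace and ValueType URIs are the standard WSS 1.0/1.1 ones.

```python
# Added example (not Rampart code, not from the issue reporter): classify how
# the ds:Signature in a WS-Security header references the signer's X.509 token.
# All envelopes below are constructed samples with placeholder base64 payloads.
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
X509_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
MSG_SECURITY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0"
SKI_VALUE_TYPE = X509_PROFILE + "#X509SubjectKeyIdentifier"
THUMBPRINT_VALUE_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"

STR_PATH = "soapenv:Header/wsse:Security/ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference"
BST_PATH = "soapenv:Header/wsse:Security/wsse:BinarySecurityToken"


def signature_token_reference_kind(envelope_xml: str) -> str:
    """Return the SecurityTokenReference form used by the signature's KeyInfo."""
    root = ET.fromstring(envelope_xml)
    str_el = root.find(STR_PATH, NS)
    if str_el is None:
        return "NoSecurityTokenReference"
    # Issuer/serial: the form the reporter wanted Rampart to emit.
    if str_el.find("ds:X509Data/ds:X509IssuerSerial", NS) is not None:
        return "IssuerSerial"
    # KeyIdentifier: distinguish SKI and thumbprint by ValueType.
    key_id = str_el.find("wsse:KeyIdentifier", NS)
    if key_id is not None:
        value_type = key_id.get("ValueType", "")
        if value_type == SKI_VALUE_TYPE:
            return "SKIKeyIdentifier"
        if value_type == THUMBPRINT_VALUE_TYPE:
            return "Thumbprint"
        return "KeyIdentifier"
    # Direct reference: must resolve to a BinarySecurityToken in the same header,
    # otherwise treat it as dangling rather than guessing.
    ref = str_el.find("wsse:Reference", NS)
    if ref is not None:
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            return "ExternalReference"
        wsu_id = "{%s}Id" % NS["wsu"]
        for bst in root.iterfind(BST_PATH, NS):
            if bst.get(wsu_id) == uri[1:]:
                return "DirectReference"
        return "DanglingReference"
    return "Unknown"


def enforce_reference_kind(envelope_xml: str, allowed=("IssuerSerial", "SKIKeyIdentifier")):
    """Fail closed: accept only the reference forms this recipient is configured for."""
    kind = signature_token_reference_kind(envelope_xml)
    return kind in allowed, kind


def _envelope(str_inner: str, extra_header: str = "") -> str:
    """Constructed SOAP 1.1 envelope; SignedInfo is empty and values are placeholders."""
    return f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}" xmlns:wsse="{NS['wsse']}"
    xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1">
      {extra_header}
      <ds:Signature>
        <ds:SignedInfo/>
        <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
        <ds:KeyInfo><wsse:SecurityTokenReference>{str_inner}</wsse:SecurityTokenReference></ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="Body-1"><ns:ping xmlns:ns="urn:example"/></soapenv:Body>
</soapenv:Envelope>"""


# Constructed samples, one per reference form discussed in the issue.
SAMPLE_DIRECT = _envelope(
    f'<wsse:Reference URI="#X509-1" ValueType="{X509_PROFILE}#X509v3"/>',
    f'<wsse:BinarySecurityToken wsu:Id="X509-1" ValueType="{X509_PROFILE}#X509v3" '
    f'EncodingType="{MSG_SECURITY}#Base64Binary">cGxhY2Vob2xkZXI=</wsse:BinarySecurityToken>',
)
SAMPLE_SKI = _envelope(
    f'<wsse:KeyIdentifier ValueType="{SKI_VALUE_TYPE}" '
    f'EncodingType="{MSG_SECURITY}#Base64Binary">cGxhY2Vob2xkZXI=</wsse:KeyIdentifier>'
)
SAMPLE_ISSUER_SERIAL = _envelope(
    "<ds:X509Data><ds:X509IssuerSerial>"
    "<ds:X509IssuerName>CN=Example CA,O=Example</ds:X509IssuerName>"
    "<ds:X509SerialNumber>1234567890</ds:X509SerialNumber>"
    "</ds:X509IssuerSerial></ds:X509Data>"
)
SAMPLE_DANGLING = _envelope('<wsse:Reference URI="#X509-missing"/>')

if __name__ == "__main__":
    for name, env in [("direct", SAMPLE_DIRECT), ("ski", SAMPLE_SKI),
                      ("issuer-serial", SAMPLE_ISSUER_SERIAL), ("dangling", SAMPLE_DANGLING)]:
        print(name, enforce_reference_kind(env))
```

This only classifies the reference; it does not verify the signature, and it deliberately refuses a wsse:Reference whose URI does not resolve to a BinarySecurityToken in the same header, since resolving it from anywhere else would let a sender choose the verification key. The allowed tuple is where a recipient expresses the restriction the reporter describes (for example, accept only IssuerSerial from one client and only SKI from the other) without deploying the service twice.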
