Re: Signing AMQP messages
On 13/09/18 19:54, Gordon Sim wrote:
> On 13/09/18 19:40, Chuck Rolke wrote:
> > I'd put the signature in part of the 'bare message', such as application properties, which passes from sender to receiver unmodified.
>
> That would require the signature to be in the bytes the signature signs.

I should clarify, the above is assuming that the signature is of the entire bare message. If instead it was just of the body, then the problem above can be ignored. (And if it is the bare message, that has further implications on the API, since you need the encoded form of the bare message in order to generate the signature).
Re: Signing AMQP messages
Okay, it sounds like my approach was correct but unfortunately access to both the footer and message-annotations is package-private so there isn't a clean way to do what I want currently. Also found an open issue related to annotation access here https://issues.apache.org/jira/browse/QPIDJMS-153.

On 9/13/18, 11:54 AM, "Gordon Sim" wrote:

> On 13/09/18 19:40, Chuck Rolke wrote:
> > I'd put the signature in part of the 'bare message', such as application properties, which passes from sender to receiver unmodified.
>
> That would require the signature to be in the bytes the signature signs.
>
> The 'footer' section was designed to be used for "message hashes, HMACs, signatures and encryption details" (section 3.2.9), but message-annotations would also work I think.
Re: Signing AMQP messages
On 13/09/18 19:40, Chuck Rolke wrote:
> I'd put the signature in part of the 'bare message', such as application properties, which passes from sender to receiver unmodified.

That would require the signature to be in the bytes the signature signs.

The 'footer' section was designed to be used for "message hashes, HMACs, signatures and encryption details" (section 3.2.9), but message-annotations would also work I think.
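An added example (not code from this thread or from Qpid) of the two placements discussed above: a tag stored in application-properties cannot cover the whole bare message unless it is stripped before verifying, while one stored in the footer can. Assumptions: a JSON stand-in replaces real AMQP encoding, HMAC-SHA256 with a constructed key stands in for a certificate-based signature, and `x-signature` is a hypothetical key name.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed shared key, illustration only
SIG = "x-signature"            # hypothetical property / footer key name

def encode_bare(msg):
    """Stand-in for the encoded bare message (NOT real AMQP 1.0 encoding)."""
    bare = {"application-properties": msg["application-properties"],
            "body": msg["body"]}
    return json.dumps(bare, sort_keys=True).encode()

def mac(data):
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def new_message():
    # Constructed sample message, modelled as a dict of sections.
    return {"message-annotations": {}, "application-properties": {"order": "42"},
            "body": "ship it", "footer": {}}

def sign_into_footer(msg):
    # The footer is outside the bare message, so storing the tag
    # does not change the bytes the tag was computed over.
    msg["footer"][SIG] = mac(encode_bare(msg))

def verify_footer(msg):
    return hmac.compare_digest(msg["footer"].get(SIG, ""), mac(encode_bare(msg)))

def sign_into_app_properties(msg):
    # The tag is stored inside the section it was computed over.
    msg["application-properties"][SIG] = mac(encode_bare(msg))

def verify_app_properties_naive(msg):
    # Recomputes over the bare message as received, tag included: always fails.
    tag = msg["application-properties"].get(SIG, "")
    return hmac.compare_digest(tag, mac(encode_bare(msg)))

def verify_app_properties_stripped(msg):
    # Works only if the receiver removes the tag and re-encodes the bare
    # message to exactly the bytes the sender signed.
    props = dict(msg["application-properties"])
    tag = props.pop(SIG, "")
    stripped = {**msg, "application-properties": props}
    return hmac.compare_digest(tag, mac(encode_bare(stripped)))

if __name__ == "__main__":
    m = new_message()
    sign_into_footer(m)
    m["message-annotations"]["hop"] = "broker-b"  # change outside the bare message
    print("footer tag still verifies:", verify_footer(m))
```

The stripped variant depends on the receiver reproducing the sender's encoding byte for byte, which is the API implication raised for signing the whole bare message.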
Re: Signing AMQP messages
I'd put the signature in part of the 'bare message', such as application properties, which passes from sender to receiver unmodified.

See https://www.google.com/url?sa=t=j==s=web=1=2ahUKEwiEzeqL0LjdAhVIGt8KHeuOAHEQFjAAegQIABAC=http%3A%2F%2Fdocs.oasis-open.org%2Famqp%2Fcore%2Fv1.0%2Fos%2Famqp-core-complete-v1.0-os.pdf=AOvVaw1D46wtDArjTxXScquWPJW1

"The bare message is immutable within the AMQP network. That is, none of the sections can be changed by any node acting as an AMQP intermediary. If a section of the bare message is omitted, one MUST NOT be inserted by an intermediary. The exact encoding of sections of the bare message MUST NOT be modified. This preserves message hashes, HMACs and signatures based on the binary encoding of the bare message."

----- Original Message -----
> From: "Steve Huston"
> To: users@qpid.apache.org
> Sent: Thursday, September 13, 2018 12:47:05 PM
> Subject: RE: Signing AMQP messages
>
> I recommend signing the message before handing it off for send. You will need to decide on where to place the signature and if/where you will place the certificate.
>
> Steve Huston
>
> > -----Original Message-----
> > From: Ryan Yeats
> > Sent: Thursday, September 13, 2018 12:33 PM
> > To: users@qpid.apache.org
> > Subject: Signing AMQP messages
> >
> > Hi,
> > I want to sign and receive signed messages so that I can authenticate who they originally came from even when they are picked up and resent across multiple brokers. I didn’t see any built-in way to sign messages in the client though. I was thinking I would just add a signature to the message footer myself. I can override onSend(long producerTtl) in the AmqpJmsMessageFacade and call encodeMessage().array() to get the message bytes to create a signature, however the methods to add to the footer are package-private so it doesn’t look like I have any place to put the signature. What is the correct way to sign an amqp message?
> >
> > Thanks!
RE: Signing AMQP messages
I recommend signing the message before handing it off for send. You will need to decide on where to place the signature and if/where you will place the certificate.

Steve Huston

> -----Original Message-----
> From: Ryan Yeats
> Sent: Thursday, September 13, 2018 12:33 PM
> To: users@qpid.apache.org
> Subject: Signing AMQP messages
>
> Hi,
> I want to sign and receive signed messages so that I can authenticate who they originally came from even when they are picked up and resent across multiple brokers. I didn’t see any built-in way to sign messages in the client though. I was thinking I would just add a signature to the message footer myself. I can override onSend(long producerTtl) in the AmqpJmsMessageFacade and call encodeMessage().array() to get the message bytes to create a signature, however the methods to add to the footer are package-private so it doesn’t look like I have any place to put the signature. What is the correct way to sign an amqp message?
>
> Thanks!