>
> Is there a reason why you don't load add all to your algorithm default
> builder?
>

I'm not sure what you mean here. Do you mean why don't we add default
support for custom RSA-SHA2 algorithm suites? Yes we could do that if there
was demand for it - we offer the custom GCM algorithm suites by default. Is
it something you're interested in?

> Given the lack of updates (I'm assuming it's EOL now) to the
> WS-SecurityPolicy, would you recommend not using WS-Policy and going more to
> a programmatic definition?
>

WS-SecurityPolicy is still useful, but if you are concerned about using
RSA-SHA256 then either define a custom AlgorithmSuite or use the property
to override the signature algorithm.

Colm.


>
> -----Original Message-----
> From: Colm O hEigeartaigh <[email protected]>
> Sent: Thursday, October 11, 2018 9:48 AM
> To: [email protected]
> Subject: Re: Better support for newer signature algorithm
>
> Hi,
>
> The problem is that the WS-SecurityPolicy specs have never been updated to
> use newer signature algorithms (RSA-SHA 256, GCM, etc.) that are available
> in the newer XML Signature specs. So we have no standard AlgorithmSuites
> that use RSA-SHA 256. The best we can do is to configure the signature
> algorithms via properties (you also have the option of defining custom
> AlgorithmSuites in WS-SecurityPolicy - see
> http://coheigea.blogspot.com/2011/09/specifying-custom-algorithmsuite.html
> )
> although that is obviously not interoperable.
>
> Colm.
>
> On Tue, Oct 9, 2018 at 2:35 PM [email protected] <
> [email protected]>
> wrote:
>
> > These days we cannot allow anything below SHA2; so it took me a lot of
> > troubleshooting to resolve the error below and only found a fix by
> > adding this:
> > properties.put("ws-security.asymmetric.signature.algorithm",
> >     "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
> >
> > I would have liked adding this to the ws-securitypolicy but could not
> > find any way to use the newer ones like the above and best I could do was
> > this:
> >   <sp:AlgorithmSuite>
> >     <wsp:Policy>
> >       <sp:Basic256Sha256Rsa15/>
> >     </wsp:Policy>
> >   </sp:AlgorithmSuite>
> >
> > It would be nice if this was out of the box support or discoverable
> > from the keystore signing side.
> >
> > 2018-10-08 12:30:12.726 DEBUG 19280 --- [           main]
> > o.a.w.dom.processor.SignatureProcessor   : Verify XML Signature
> > 2018-10-08 12:30:12.727 DEBUG 19280 --- [           main]
> > o.a.w.c.crypto.AlgorithmSuiteValidator   : SignatureMethod
> > http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 does not match
> > required values
> > 2018-10-08 12:30:12.730 DEBUG 19280 --- [           main]
> > o.a.cxf.phase.PhaseInterceptorChain      : Invoking handleFault on
> > interceptor
> > org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor@16a9eb2e
> > 2018-10-08 12:30:12.730 DEBUG 19280 --- [           main]
> > o.a.cxf.phase.PhaseInterceptorChain      : Invoking handleFault on
> > interceptor
> > org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor@257e0827
> > 2018-10-08 12:30:12.730 DEBUG 19280 --- [           main]
> > o.a.cxf.phase.PhaseInterceptorChain      : Invoking handleFault on
> > interceptor
> > org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor@806996
> > 2018-10-08 12:30:12.730 DEBUG 19280 --- [           main]
> > o.a.cxf.phase.PhaseInterceptorChain      : Invoking handleFault on
> > interceptor
> > org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor@697a34af
> > 2018-10-08 12:30:12.730 DEBUG 19280 --- [           main]
> > o.a.cxf.phase.PhaseInterceptorChain      : Invoking handleFault on
> > interceptor
> > org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor@38e7ed69
> > 2018-10-08 12:30:12.730 DEBUG 19280 --- [           main]
> > o.a.cxf.phase.PhaseInterceptorChain      : Invoking handleFault on
> > interceptor org.apache.cxf.frontend.WSDLGetInterceptor@2a367e93
> > 2018-10-08 12:30:12.730 DEBUG 19280 --- [           main]
> > o.a.cxf.phase.PhaseInterceptorChain      : Invoking handleFault on
> > interceptor
> > org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxInInterceptor@76332405
> > 2018-10-08 12:30:12.730 DEBUG 19280 --- [           main]
> > o.a.cxf.phase.PhaseInterceptorChain      : Invoking handleFault on
> > interceptor org.apache.cxf.interceptor.StaxInInterceptor@1a6dc589
> > 2018-10-08 12:30:12.730 DEBUG 19280 --- [           main]
> > o.a.cxf.phase.PhaseInterceptorChain      : Invoking handleFault on
> > interceptor org.apache.cxf.interceptor.AttachmentInInterceptor@7f6874f2
> > 2018-10-08 12:30:12.730 DEBUG 19280 --- [           main]
> > o.a.cxf.phase.PhaseInterceptorChain      : Invoking handleFault on
> > interceptor
> > org.apache.cxf.ext.logging.LoggingInInterceptor$LoggingInFaultInterceptor@3fba233d
> > 2018-10-08 12:30:12.730 DEBUG 19280 --- [           main]
> > o.apache.cxf.ws.addressing.ContextUtils  : retrieving MAPs from
> > context property javax.xml.ws.addressing.context.inbound
> > 2018-10-08 12:30:12.730 DEBUG 19280 --- [           main]
> > o.apache.cxf.ws.addressing.ContextUtils  : WS-Addressing - failed to
> > retrieve Message Addressing Properties from context
> >
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
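The "SignatureMethod ... does not match required values" error in the log above, and the property-based override Colm describes, as an added example that is not from the thread or from the CXF/WSS4J code base: a minimal Python re-creation of the check AlgorithmSuiteValidator applies, run over a constructed ds:SignedInfo. Suite values follow WS-SecurityPolicy 1.2, where every standard suite pins the asymmetric signature method to RSA-SHA1 and the Sha256 suites change only the digest; the property name and algorithm URIs are the ones quoted in the thread.

```python
# Added example: a toy version of WSS4J's AlgorithmSuiteValidator check,
# applied to a constructed ds:SignedInfo (not real CXF/WSS4J code).
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA1 = DS + "rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA1 = DS + "sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Standard WS-SecurityPolicy 1.2 suites: both pin the asymmetric signature
# method to RSA-SHA1; the Sha256 variant only changes the digest method.
SUITES = {
    "Basic256Rsa15": {"asym_sig": RSA_SHA1, "digest": SHA1},
    "Basic256Sha256Rsa15": {"asym_sig": RSA_SHA1, "digest": SHA256},
}

# Constructed sample: the ds:SignedInfo of a message signed with RSA-SHA256
# (the DigestValue is a made-up placeholder, not a real digest).
SIGNED_INFO = f"""<ds:SignedInfo xmlns:ds="{DS}">
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="{RSA_SHA256}"/>
  <ds:Reference URI="#Body">
    <ds:DigestMethod Algorithm="{SHA256}"/>
    <ds:DigestValue>c29tZS1kaWdlc3Q=</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>"""


def effective_suite(name, asym_sig_override=None):
    """Suite as left by the CXF property ws-security.asymmetric.signature.algorithm:
    the override replaces only the asymmetric signature method, nothing else."""
    suite = dict(SUITES[name])
    if asym_sig_override:
        suite["asym_sig"] = asym_sig_override
    return suite


def validate_signed_info(signed_info_xml, suite):
    """Return the list of mismatches between the signature and the suite's required values."""
    root = ET.fromstring(signed_info_xml)
    errors = []
    sig = root.find(f"{{{DS}}}SignatureMethod").get("Algorithm")
    if sig != suite["asym_sig"]:
        errors.append(f"SignatureMethod {sig} does not match required values")
    for ref in root.iter(f"{{{DS}}}Reference"):
        dig = ref.find(f"{{{DS}}}DigestMethod").get("Algorithm")
        if dig != suite["digest"]:
            errors.append(f"DigestMethod {dig} does not match required values")
    return errors
```

With the unmodified Basic256Sha256Rsa15 suite the RSA-SHA256 signature is rejected exactly as in the log; with the asymmetric signature method overridden to rsa-sha256 the same message validates.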
