This is exactly what WSS4J does. 

- for encryption: WSS4J generates a random session key for
  every new "session" (SOAP message), encrypts the data, uses
  the server's public key (usually contained in an X.509
  certificate) to encrypt the session key, packs it into
  the relevant SOAP header structures.

- for decryption: it's just the other way around :-)

- Signature: the client uses its private key to sign,
  the server uses the client's public key to check the
  signature. The client's public key is usually contained
  in a signed certificate (signed by some Certificate
  Authority, for example VeriSign)

What is sent over the wire and is contained in the SOAP
headers is described in the relevant OASIS WS-Security
standards. 

Regards,
Werner

> -----Original Message-----
> From: ext ??? [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 3 April 2008 11:40
> To: wss4j-dev
> Subject: how to config WSDoAllSender to use "session key" mode?
> 
> wss4j-dev, I am a graduate student who is working on wss4j,
> and I encounter some problems.
> Sorry for my ignorance, I am not quite sure what the
> mailing list is used for, but I would very much appreciate it if
> you can help me.
> What I want to do is use WSDoAllSender to encrypt a message
> and send it to the server; here is the problem:
> I know that the encryption procedure is this:
> 1. client sends its certificate to server
> 2. server generates a dynamic session key, and encrypts this
>    key using client's public key
> 3. server sends the encrypted key to client
> 4. client decrypts the message with its private key and gets
>    the session key
> 5. following, client and server will use this session key to
>    encrypt/decrypt messages being sent between them...
>
> So am I right?
> If I am right, this is what I want to achieve, but when I use
> wss4j, there seems to be some problem.
> My client-deploy.wsdd file is as follows:
>
> ****************************************************************
> <deployment xmlns="http://xml.apache.org/axis/wsdd/"
>     xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
>   <transport name="http"
>       pivot="java:org.apache.axis.transport.http.HTTPSender" />
>   <globalConfiguration>
>     <requestFlow>
>       <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
>         <!-- this is used for Signature and Encrypt -->
>         <parameter name="action" value="Encrypt" />
>         <parameter name="encryptionPropFile" value="crypto.properties" />
>         <parameter name="encryptionUser" value="wsj" />
>         <parameter name="encryptionKeyIdentifier" value="X509KeyIdentifier" />
>         <!-- this is used for Signature and Encrypt -->
>       </handler>
>     </requestFlow>
>   </globalConfiguration>
> </deployment>
>
> ****************************************************************
> But it seems that when configured this way, the client will use
> RSA to encrypt the data: the client will use the public key of the
> user to encrypt the data, so the server needs to hold the private
> key of the client in order to decrypt the data. This isn't what we
> want.
> Following is the SOAP message I captured during communication:
> ****************************************************************************************
> <?xml version="1.0" encoding="utf-8"?>
> <soapenv:Envelope
>     xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>     xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>   <soapenv:Header>
>     <wsse:Security soapenv:mustUnderstand="1"
>         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>       <xenc:EncryptedKey Id="EncKeyId-14962806">
>         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
>         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>           <wsse:SecurityTokenReference>
>             <wsse:KeyIdentifier
>                 EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>                 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
> MIIDijCCAvOgAwIBAgIBAzANBgkqhkiG9w0BAQQFADB9MQswCQYDVQQDEwJjYT
> ELMAkGA1UEBhMCY24xEDAOBgNVBAcTB2JlaWppbmcxEDAOBgNVBAgTB2JlaWpp
> bmcxDDAKBgNVBAoTA2pzaTENMAsGA1UECxMEYnVhYTEgMB4GCSqGSIb3DQEJAR
> YRYWRtaW5AZXhhbXBsZS5jb20wHhcNMDcwNjI0MTE0NjMxWhcNMDgwNjIzMTE0
> NjMxWjB5MQwwCgYDVQQDEwN3c2oxDDAKBgNVBAsTA2pzaTENMAsGA1UEChMEYn
> VhYTEQMA4GA1UEBxMHYmVpamluZzELMAkGA1UECBMCY24xCzAJBgNVBAYTAmNu
> MSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLmNvbTCBnzANBgkqhkiG9w
> 0BAQEFAAOBjQAwgYkCgYEAlalaSJwnUzQWPi8Wop+j2nJhvaX33RsaBYzxCmV7
> ODgouP6A/uANqgGLXgkQs5hk+ZySyTiWuZO29Tty+3bZLYUXcku0hQzdux9g/t
> nM/TLQkYNiVAhUIeaHh3WNM4IJt+i5HXlE/fghC5e9hxcOhEICq3FdoGUXaqK/yrJuaakCAwEAAaOCARwwggEYMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFO04lhQCamshTNT0vqHdpFb07b6PMIGoBgNV
> HSMEgaAwgZ2AFNFiB4wumxDQ8pvpJUuwlbd53Ut6oYGBpH8wfTELMAkGA1UEAx
> MCY2ExCzAJBgNVBAYTAmNuMRAwDgYDVQQHEwdiZWlqaW5nMRAwDgYDVQQIEwdi
> ZWlqaW5nMQwwCgYDVQQKEwNqc2kxDTALBgNVBAsTBGJ1YWExIDAeBgkqhkiG9w
> 0BCQEWEWFkbWluQGV4YW1wbGUuY29tggEBMAsGA1UdDwQEAwIEsDARBglghkgB
> hvhCAQEEBAMCBaAwHgYJYIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZpY2F0ZTANBg
> kqhkiG9w0BAQQFAAOBgQC3h3k1pf/djfPnfzTSky+Pnok4mCmARD+ZVIeW7X2A
> XotqxKtd3kPWj0faPboxeB6QUJaNtsG/8a+MadwDxeM112T/Wa8Tgfnvvnr/Ss
> 03hc/xM4wovly3FsR8JN31wBC3gSBBOJy9rANY/x7xWMvtnJBs0CgTLJYkIYEPLHziNw==
>             </wsse:KeyIdentifier>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>         <xenc:CipherData>
>           <xenc:CipherValue>
> eYZa9u9lDZQ1+B3R8wShsbH/QYVzK63WumlrsIWq5TsDoJbmEaWVoJHAU2zBfh
> ePYdLsGdUlu1pCpvyyRU7G+EdNeaMyrue2zZJgucmM4vKFnoJqnUpinIaGVl5tMSgeCYNCYgRrBFAO6j8E4S4aIM25h4EJJJFHKcUIqJDbi8A=
>           </xenc:CipherValue>
>         </xenc:CipherData>
>         <xenc:ReferenceList>
>           <xenc:DataReference URI="#EncDataId-5041714" />
>         </xenc:ReferenceList>
>       </xenc:EncryptedKey>
>     </wsse:Security>
>   </soapenv:Header>
>   <soapenv:Body>
>     <xenc:EncryptedData Id="EncDataId-5041714"
>         Type="http://www.w3.org/2001/04/xmlenc#Content">
>       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
>       <xenc:CipherData>
>         <xenc:CipherValue>
> XiCyk397eYToqdHG8YpQtlb5+uj7K0vzLtSpulRl8pDUB/I62RcF3d7SSe1Ey8e6OyetluAT97bN
> R3HNW33/G3o57v42iQxpmVnii3CpsbzM3UR/3MGX19x7z8Oq/RRQc/7dyGL40mxAsqaumkS72knG
> Ru2TrYtMgc9mdCdi4T9NYnmrtSI3a8pBos53nTkAVXB93HRTlw1THPyVG03pLYFRgpWQtR5EX77m
> r3MvsPzgNrm5lORUjnHGVOUiQmTJgIV8JiCd8Q6pJWHW8/x8csDxAikqZGI0f5EAsa+lUIiD6IGu
> sqMjLN3w7qzm8d7k
>         </xenc:CipherValue>
>       </xenc:CipherData>
>     </xenc:EncryptedData>
>   </soapenv:Body>
> </soapenv:Envelope>
> ****************************************************************************************
> 
> But I think this is just a configuration problem with
> WSDoAllSender, so please tell me how I can configure
> WSDoAllSender to implement "session-key" mode? If possible,
> please send me a sample client-deploy.wsdd and server-deploy.wsdd.
> best regards,
> shuaijie wang
> [EMAIL PROTECTED]
> 2008-04-03
> 
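Added example for this thread (my own Go code, not Werner's and not WSS4J's implementation): the per-message hybrid scheme Werner describes, using the algorithms the captured message shows (rsa-1_5 key transport for the session key, aes128-cbc for the body), with the SOAP/XML wrapping left out. It assumes the IV-prefixed CBC layout and PKCS#7 padding of XML Encryption and uses only the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
)

// Envelope: RSA-wrapped session key (xenc:EncryptedKey) and IV || AES-128-CBC body (xenc:EncryptedData).
type Envelope struct{ EncryptedKey, CipherText []byte }

// Seal is the sender side (WSDoAllSender, action="Encrypt"): a fresh random key
// per message, body under AES-CBC, key under the recipient's RSA public key.
func Seal(serverPub *rsa.PublicKey, body []byte) (*Envelope, error) {
	kiv := make([]byte, 16+aes.BlockSize) // 16-byte session key followed by the IV
	rand.Read(kiv)                         // crypto/rand.Read does not fail (Go 1.24 guarantee)
	block, _ := aes.NewCipher(kiv[:16])    // cannot fail for a 16-byte key
	pad := aes.BlockSize - len(body)%aes.BlockSize // PKCS#7, as XML Encryption requires
	padded := append(append([]byte{}, body...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := append(append([]byte{}, kiv[16:]...), make([]byte, len(padded))...)
	cipher.NewCBCEncrypter(block, kiv[16:]).CryptBlocks(out[aes.BlockSize:], padded)
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, serverPub, kiv[:16])
	return &Envelope{EncryptedKey: wrapped, CipherText: out}, err
}

// Open is the receiver side (WSDoAllReceiver): only the holder of the server's
// private key can unwrap the session key; the client's private key is never needed.
func Open(serverPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	ct := env.CipherText
	if len(ct) < 2*aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, rsa.ErrDecryption
	}
	// key is pre-filled with random bytes: on bad PKCS#1 v1.5 padding that random
	// key is silently kept, so this call does not act as a Bleichenbacher padding oracle.
	key := make([]byte, 16)
	rand.Read(key)
	if err := rsa.DecryptPKCS1v15SessionKey(rand.Reader, serverPriv, env.EncryptedKey, key); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	plain := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, ct[:aes.BlockSize]).CryptBlocks(plain, ct[aes.BlockSize:])
	pad := int(plain[len(plain)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, rsa.ErrDecryption
	}
	return plain[:len(plain)-pad], nil
}
```

Note that the client only ever needs the server's certificate, which is why the "server holds the client's private key" reading in the question does not arise; rsa-1_5 and unauthenticated CBC are what the 2008 capture shows, and later XML Encryption revisions recommend RSA-OAEP and pairing encryption with a signature.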
