Hi All,

I have one query about the check in [1] done for revision 644264 in EncryptedKeyProcessor.

For a decrypted node which is of type Element, if that node doesn't belong to the Signature namespace, or else the wsu:id attribute is not present, then we add a wsu:id attribute to that decrypted node.
Let us assume, a scenario where we have,

<body> <arg0>
          xyz
   </arg0>
</body>

If we have a WS-Security policy like Signing Body, Encrypting arg0, and I wish to perform the Signature operation before Encryption, then on the server side the decryption of the Encrypted Data of arg0 will happen. This will leave us with,

<body wsu:id=...>  (as body is signed)
   <arg0 wsu:id="enc-id.."> (code adds wsu:id to the decrypted node)
          xyz
   </arg0>
</body>

Now the signature verification of the body fails, since the original and decrypted text differ (the deciphered arg0 includes wsu:id too).

I can very well assume that after decryption the deciphered text will be the same as the original text. Hence, I am putting a signature over the parent element and verifying the same. I assume the above is a valid scenario.

I guess the wsu:id may be needed in the case when I need to refer to the decrypted element again, say if arg0 has been signed before encryption; then SignatureProcessor may search for the element by wsu:id using that Signature reference. But that is only the case when we need to refer to the element once again, which is not the case in the above scenario.

Interestingly, if I sign the arg0 also, then SignatureProcessor during this reference processing removes the wsu:id, and hence the parent (Body) Signature passes.

Kindly let me know the reason why we are adding wsu:id to the decrypted element, and what to expect in a scenario like the above.

Thanking You,

With Regards,
Mayank Mishra

[1]. http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java?r1=610709&r2=644264&diff_format=h
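The following script is an added illustration of the failure mode described in this message; it is constructed for this page and is not WSS4J code. It uses Python's standard-library Inclusive C14N plus a SHA-256 digest over the canonical form of the signed Body as a stand-in for the XML-Signature `<ds:Reference>` digest (WSS4J normally applies Exclusive C14N, but the effect is the same: an attribute added to a descendant changes the parent's canonical bytes). The `SIGNED_BODY` sample, the `body-1` and `enc-id-1` identifiers and the function names are all assumptions made for the example.

```python
"""Why adding wsu:Id to a decrypted child breaks the parent's signature digest.

Constructed example for the sign-Body-then-encrypt-arg0 scenario. A SHA-256
over the Inclusive C14N form of the Body stands in for the <ds:DigestValue>
of the Signature reference that covers the Body.
"""
import hashlib
from xml.etree import ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
WSU_ID = f"{{{WSU_NS}}}Id"   # Clark-notation name of the wsu:Id attribute

ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("wsu", WSU_NS)

# Constructed signed Body from the scenario: Body carries wsu:Id, arg0 does not.
# This is what the signer canonicalised before arg0 was encrypted.
SIGNED_BODY = (
    f'<soap:Body xmlns:soap="{SOAP_NS}" xmlns:wsu="{WSU_NS}" wsu:Id="body-1">'
    "<arg0>xyz</arg0>"
    "</soap:Body>"
)


def reference_digest(root: ET.Element) -> str:
    """SHA-256 over Inclusive C14N of `root`; stand-in for the Reference digest."""
    serialized = ET.tostring(root, encoding="unicode")
    canonical = ET.canonicalize(serialized)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def find_by_local_name(root: ET.Element, local_name: str) -> ET.Element:
    """Return the first element whose local name matches (namespace ignored)."""
    for element in root.iter():
        if element.tag.rsplit("}", 1)[-1] == local_name:
            return element
    raise KeyError(local_name)


def simulate_decryption(root: ET.Element, local_name: str, enc_id: str) -> ET.Element:
    """Model the behaviour the message describes: after decryption the
    Element gets a wsu:Id if it does not already carry one."""
    decrypted = find_by_local_name(root, local_name)
    if WSU_ID not in decrypted.attrib:
        decrypted.set(WSU_ID, enc_id)
    return root


def strip_added_id(root: ET.Element, local_name: str) -> ET.Element:
    """Model what the author observed when arg0 is also signed: the added
    wsu:Id is removed again, restoring the original bytes."""
    find_by_local_name(root, local_name).attrib.pop(WSU_ID, None)
    return root


def verify_parent_signature(expected_digest: str, root: ET.Element) -> bool:
    """Reference check: recompute the Body digest and compare with signing time."""
    return reference_digest(root) == expected_digest


def run_scenario() -> dict:
    """Sign Body, then 'decrypt' arg0 with and without the extra wsu:Id."""
    expected = reference_digest(ET.fromstring(SIGNED_BODY))  # digest at signing time

    after_decrypt = simulate_decryption(ET.fromstring(SIGNED_BODY), "arg0", "enc-id-1")
    with_id = verify_parent_signature(expected, after_decrypt)      # False: bytes changed

    repaired = strip_added_id(after_decrypt, "arg0")
    without_id = verify_parent_signature(expected, repaired)        # True: bytes restored

    return {"verifies_with_added_id": with_id, "verifies_after_strip": without_id}


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

Running it shows the parent reference failing while the decrypted child carries the extra `wsu:Id` and passing again once that attribute is removed, which is exactly the difference between the two cases the message contrasts (arg0 encrypted only versus arg0 signed and encrypted).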
