Any answer to my query will be appreciated a lot.
With Regards,
Mayank
Mayank Mishra wrote:
Hi All,
I have one query about the check in [1] done for revision *644264*
</viewvc?view=rev&revision=644264> in EncryptedKeyProcessor.
For a decrypted node which is of type Element, if that node doesn't
belong to the Signature namespace or the wsu:id attribute is not present,
then we add a wsu:id attribute to that decrypted node.
Let us assume, a scenario where we have,
<body>
  <arg0>
    xyz
  </arg0>
</body>
If we have a WS-Security policy like Signing Body, Encrypting arg0,
and I wish to perform the Signature operation before Encryption,
then on the server side, decryption of the EncryptedData of arg0 will
happen. This will leave us with:
<body wsu:id=...>                 (as body is signed)
  <arg0 wsu:id="enc-id...">       (code adds wsu:id to the decrypted node)
    xyz
  </arg0>
</body>
Now the signature verification of the body fails, as the original and
the decrypted text differ (the deciphered arg0 includes wsu:id too).
I can very well assume that after decryption the deciphered text will be
the same as the original text. Hence, I am putting a signature over
the parent element and verifying the same. I assume the above is a valid
scenario.
I guess the wsu:id may be needed in the case when I need to refer to
the decrypted element again, say if arg0 has been signed before
encryption; then SignatureProcessor may search for the element using
that Signature reference by wsu:id. But that's only in the case when we
need to refer to the element once again, which is not the case in the
above scenario.
Interestingly, if I sign arg0 as well, then SignatureProcessor, during
this reference processing, removes the wsu:id, and hence the parent
(Body) signature passes.
Kindly let me know the reason why we are adding wsu:id to the
decrypted element, and what to expect in a scenario like the above.
Thanking You,
With Regards,
Mayank Mishra
[1] http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java?r1=610709&r2=644264&diff_format=h
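The digest mismatch Mayank describes can be reproduced without WSS4J: whatever canonicalization the signature uses, an attribute that was not on the child when the parent was signed changes the canonical form of the parent, so the parent's reference digest no longer matches. The script below is an added illustration, not code from the mail or from WSS4J. It stands in for the real processing with a constructed Body, a SHA-256 digest over the stdlib C14N 2.0 serialization in place of a ds:DigestValue, and two hypothetical helpers, add_wsu_id (the post-decryption step from the question) and strip_wsu_id (the cleanup Mayank observes when arg0 is also referenced by a signature); the element names and the "enc-id-1" value are assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

# WS-Security Utility namespace, i.e. the "wsu" prefix used in the question.
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
ET.register_namespace("wsu", WSU_NS)  # keep the prefix stable across re-serialization

# Constructed sample: the Body exactly as the sender signed it, before arg0 was encrypted.
SIGNED_BODY = (
    f'<body xmlns:wsu="{WSU_NS}" wsu:Id="body-1">'
    "<arg0>xyz</arg0>"
    "</body>"
)


def c14n(xml_text: str) -> str:
    """Canonicalize (stdlib C14N 2.0) so that only genuine infoset differences,
    such as an added attribute, change the digest; whitespace and attribute
    order inside a tag do not."""
    return ET.canonicalize(xml_text)


def digest(xml_text: str) -> str:
    """SHA-256 over the canonical form; stands in for the ds:DigestValue of a reference."""
    return hashlib.sha256(c14n(xml_text).encode("utf-8")).hexdigest()


def verify(reference_digest: str, xml_text: str) -> bool:
    """Reference validation: recompute the digest over the tree as it is now."""
    return digest(xml_text) == reference_digest


def _find(root: ET.Element, tag: str) -> ET.Element:
    elem = root if root.tag == tag else root.find(f".//{tag}")
    if elem is None:
        raise ValueError(f"no <{tag}> element in document")
    return elem


def add_wsu_id(xml_text: str, tag: str, id_value: str) -> str:
    """Hypothetical stand-in for the post-decryption step in the question:
    the decrypted element is put back with a wsu:Id it did not carry when
    its parent was signed."""
    root = ET.fromstring(xml_text)
    _find(root, tag).set(f"{{{WSU_NS}}}Id", id_value)
    return ET.tostring(root, encoding="unicode")


def strip_wsu_id(xml_text: str, tag: str) -> str:
    """Hypothetical stand-in for the cleanup Mayank observes when arg0 is also
    referenced by a signature: the added wsu:Id is removed again."""
    root = ET.fromstring(xml_text)
    _find(root, tag).attrib.pop(f"{{{WSU_NS}}}Id", None)
    return ET.tostring(root, encoding="unicode")


def walk_through() -> dict:
    """Run the scenario end to end and return the verdict at each stage."""
    reference = digest(SIGNED_BODY)            # computed by the sender over the signed Body
    decrypted = add_wsu_id(SIGNED_BODY, "arg0", "enc-id-1")
    cleaned = strip_wsu_id(decrypted, "arg0")
    return {
        "before_encryption": verify(reference, SIGNED_BODY),
        "after_decryption_with_id": verify(reference, decrypted),
        "after_id_removed": verify(reference, cleaned),
    }


if __name__ == "__main__":
    for stage, ok in walk_through().items():
        print(f"{stage}: {'verifies' if ok else 'FAILS'}")
```

The middle stage is the failure from the mail: the Body reference was computed over a tree in which arg0 had no wsu:Id, and the attribute the decryption step adds survives canonicalization, so the parent's digest no longer matches. Removing the attribute restores the original canonical form, which is why the Body signature passes again in the case where arg0 is itself referenced and the attribute is taken off during reference processing.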
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]