Werner Dittmann wrote:
> 
> All,
> 
> looking at the latest activities in W3C XML security and other
> specifications it is obvious that SHA-1 is being phased out step by
> step. The replacements are SHA256 or other digest algos. Up to
> now WSSecSignature was fixed to use SHA-1 as digest algorithm. To
> accommodate the growing use of other algos I extended WSSecSignature
> with some small functions to set and use other digest algos.
> 
> To do so, one shall use the standard URI of the digest algo, for
> example:
> 
> wsSig.setDigestAlgo("http://www.w3.org/2001/04/xmlenc#sha256");
> (see TestWSSecurityNew18 for how it works)
> 
> Default is to use SHA-1 not to break any application. Also the Axis
> handlers are not updated to support this extension. Is it required
> to enhance the Axis handlers? The WSS standard is not yet updated
> to accept/define other digest algos.
> 

Werner,

Wouldn't it be necessary to also change the SignatureAction class? Right now
it does not explicitly set the digest algorithm. As a result the Algorithm
attribute of the SOAP message's DigestMethod tag will always contain the
SHA1 URI, even though you are using RSA-SHA256 for the signature. If I add
these lines to the execute() method of the SignatureAction, it works for me:

// propagate the configured digest algorithm to the signature builder
if (reqData.getDigestAlgorithm() != null) {
    wsSign.setDigestAlgo(reqData.getDigestAlgorithm());
}

Obviously, I also had to add a digestMethod field to the RequestData class
in order to make it work. 

Thanks for letting me know your thoughts. I am pretty new to WSS4J, so
perhaps I am missing something.

Regards,
Rik Gruwez

-- 
View this message in context: 
http://www.nabble.com/Extension-in-WSSecSignature-to-set-the-digest-algorithm-tp19584932p22660395.html
Sent from the WSS4J mailing list archive at Nabble.com.
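The mismatch Rik describes (an RSA-SHA256 SignatureMethod while the DigestMethod still carries the SHA-1 URI) is easy to spot in the outgoing envelope. The following added example is not from the thread or from WSS4J: it parses a constructed WS-Security envelope with placeholder digest and signature values and reports any reference that still uses the SHA-1 digest URI.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SHA1_DIGEST = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"  # URI used in the thread
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"


def sample_envelope(digest_uri):
    """Constructed WS-Security envelope; DigestValue/SignatureValue are
    placeholders, only the Algorithm attributes matter for this check."""
    return f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Header><wsse:Security xmlns:wsse="{WSSE}">
  <ds:Signature xmlns:ds="{DS}">
   <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="{RSA_SHA256}"/>
    <ds:Reference URI="#id-1">
     <ds:DigestMethod Algorithm="{digest_uri}"/>
     <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
    </ds:Reference>
   </ds:SignedInfo>
   <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
 </wsse:Security></soapenv:Header>
 <soapenv:Body/>
</soapenv:Envelope>"""


def inspect_signature(soap_xml):
    """Return the SignatureMethod URI, all DigestMethod URIs in the first
    ds:Signature, and findings a reviewer of the outgoing message would want."""
    root = ET.fromstring(soap_xml)
    sig = root.find(f".//{{{DS}}}Signature")
    if sig is None:
        return {"signature_method": None, "digest_methods": [], "findings": ["no ds:Signature"]}
    sig_method = sig.find(f".//{{{DS}}}SignatureMethod").get("Algorithm")
    digests = [d.get("Algorithm") for d in sig.iter(f"{{{DS}}}DigestMethod")]
    findings = []
    if SHA1_DIGEST in digests:
        findings.append("DigestMethod is SHA-1")
    if sig_method == RSA_SHA256 and SHA1_DIGEST in digests:
        # the mismatch from the thread: RSA-SHA256 signature, SHA-1 reference digest
        findings.append("signature is RSA-SHA256 but reference digest is still SHA-1")
    return {"signature_method": sig_method, "digest_methods": digests, "findings": findings}


if __name__ == "__main__":
    for uri in (SHA1_DIGEST, SHA256_DIGEST):
        print(inspect_signature(sample_envelope(uri))["findings"])
```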

