User Close

Search

THE DEVELOPER PORTAL FOR SOA

[rampart c] key info verification

lukas josefik's picture

Submitted by lukas josefik on January 18, 2008 - 06:32

Hi,

I think you are doing a good job :-). I study some of your source codes. But i don't find any checking that key info, which is processed, is linked with settings in config.

- <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

- <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">

- <ds:X509Data>

- <ds:X509IssuerSerial>

<ds:X509IssuerName>O=OASIS, CN=OASIS Interop Test CA</ds:X509IssuerName>

<ds:X509SerialNumber>2147483647</ds:X509SerialNumber>

</ds:X509IssuerSerial>

</ds:X509Data>

</wsse:SecurityTokenReference>

</ds:KeyInfo>

X

<rampc:RampartConfig xmlns:rampc="http://ws.apache.org/rampart/c/policy">
                    <rampc:User>Bob</rampc:User>
                    <rampc:TimeToLive>360</rampc:TimeToLive>
                    <rampc:EncryptionUser>b</rampc:EncryptionUser>
                    <rampc:PasswordType>Digest</rampc:PasswordType>
                    <rampc:PasswordCallbackClass>WSFC_HOME/bin/samples/rampart/callback/libpwcb.so</rampc:PasswordCallbackClass>
                    <rampc:ReceiverCertificate>WSFC_HOME/bin/samples/rampart/keys/bhome/alice_cert.cert</rampc:ReceiverCertificate>
                    <rampc:Certificate>WSFC_HOME/bin/samples/rampart/keys/bhome/bob_cert.cert</rampc:Certificate>
                    <rampc:PrivateKey>WSFC_HOME/bin/samples/rampart/keys/bhome/bob_key.pem</rampc:PrivateKey>
                </rampc:RampartConfig>

Am i wrong? It's processed in function rampart_shp_process_encrypted_key. Thank for replay.

Lukas

kaushalye's picture

Re:[rampart c] key info verification

Submitted by kaushalye on January 23, 2008 - 01:36.

Hi, We do not check the key information at this level. The main reason is that we do not support multiple key/certificate pairs for a service. Therefore, if the request is encrypted using a certificate other than the service's, then there will be a decryption failure. So there is no point of calling function for the stored certificate to check if it tally with the one mentioned in the message. If we are to support multiple key/certificates pairs (which is very unlikely in practice to get two X509 private keys for one service)then we definitely need to do what you have mentioned. Thanks, Kaushalye

Login or register to post comments

library project main code

Featured

In your cloud environment, if a user is consuming too much of your resources, either you have to control the user's behavior or scale up your resources to cater the situation and charge the user for consuming resources. If you decide to control the user, then, throttling is the answer for you...

WSO2 StratosLive is the public Platform as a Service (PaaS) from WSO2. With its lean, complete and 100% open source model, StratosLive holds key attributes to become competitively prominent in the enterprise cloud space...

Messaging is used with distributed computing to achieve asynchronous communication. An Event is a change of state in a software system. Eventing is referred to as propagating messages which contain those event information through publish and subscribe...

Patterns are essential ingredients for architects when building solutions since patterns make solutions more stable as well as clean. It is important to pick the correct pattern based on the problem or the use-case that is implemented by a solution...

WSO2 Carbon Studio immensely simplifies SOA development by providing a complete Eclipse IDE for service/application development, deployment and execution. This article explains Carbon Studio and its benefits...

Popular Content

Developing Web Services Using Apache Axis2 Eclipse Plugins - Part 1 (456075 reads)
How to Embed an Axis2 based Web Service in your Webapp? (104726 reads)
Hello World with Apache Axis2 (102572 reads)
Web Services Security with Apache Rampart – Part 1 ( Transport Level Security ) (96143 reads)
Downloading a Binary File from a Web Service using Axis2 and SOAP with Attachments (91215 reads)
Developing Web Services Using Apache Axis2 Eclipse Plugins - Part 2 (84676 reads)
Writing Your Own services.xml for Axis2 Web Services (80080 reads)
Reference Guide to Apache Axis2 Client API Parameters (72621 reads)

Learn Cloud

Learn

Cloud

The WSO2 Application Server is a reliable application server that can host your enterprise web applications. The WSO2 Application Server as a Service is offered in StratosLive, the WSO2 Platform as a Service. This article explains how a simple web application can be developed and deployed from Carbon Studio to the WSO2 Application Server...

Latest Webinar

Different groups within an organization need to monitor different Key Performance Indicators (KPIs) - An operations team will be interested in the response times of business services and loads of each service,..

Thursday, February 9th 2012, 09.00 AM (PST)

Thursday, February 9th 2012, 10.00 AM (GMT)

Tags

WS-Security WS-* WS-Eventing WS-Trust WS-Policy transports Web services WS-PolicyAttachment WS-ReliableMessaging WS-Policy