[rampart c] key info verification
Hi,
I think you are doing a good job :-). I have studied some of your source code, but I don't find any check that the key info which is processed is linked with the settings in the config.
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <ds:X509Data>
      <ds:X509IssuerSerial>
        <ds:X509IssuerName>O=OASIS, CN=OASIS Interop Test CA</ds:X509IssuerName>
        <ds:X509SerialNumber>2147483647</ds:X509SerialNumber>
      </ds:X509IssuerSerial>
    </ds:X509Data>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>
<rampc:RampartConfig xmlns:rampc="http://ws.apache.org/rampart/c/policy">
  <rampc:User>Bob</rampc:User>
  <rampc:TimeToLive>360</rampc:TimeToLive>
  <rampc:EncryptionUser>b</rampc:EncryptionUser>
  <rampc:PasswordType>Digest</rampc:PasswordType>
  <rampc:PasswordCallbackClass>WSFC_HOME/bin/samples/rampart/callback/libpwcb.so</rampc:PasswordCallbackClass>
  <rampc:ReceiverCertificate>WSFC_HOME/bin/samples/rampart/keys/bhome/alice_cert.cert</rampc:ReceiverCertificate>
  <rampc:Certificate>WSFC_HOME/bin/samples/rampart/keys/bhome/bob_cert.cert</rampc:Certificate>
  <rampc:PrivateKey>WSFC_HOME/bin/samples/rampart/keys/bhome/bob_key.pem</rampc:PrivateKey>
</rampc:RampartConfig>
Am I wrong? It's processed in the function rampart_shp_process_encrypted_key. Thanks for the reply.
Lukas
Re: [rampart c] key info verification
Hi,
We do not check the key information at this level. The main reason is that we do not support multiple key/certificate pairs for a service. Therefore, if the request is encrypted using a certificate other than the service's, then there will be a decryption failure. So there is no point in calling a function for the stored certificate to check whether it tallies with the one mentioned in the message. If we are to support multiple key/certificate pairs (it is very unlikely in practice to get two X509 private keys for one service), then we definitely need to do what you have mentioned.
Thanks,
Kaushalye
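A check of the kind Lukas asks about, written here as an added example (it is not Rampart/C source): it parses the ds:X509IssuerSerial reference out of the message's KeyInfo and compares it with the issuer and serial number of the configured certificate, so a mismatched reference is reported explicitly rather than surfacing later as a decryption failure. The configured certificate's issuer and serial below are constructed values; in practice they would be read from the file named in rampc:Certificate with an X.509 parser.

```python
# Added example, not Rampart/C code: verify that the X509IssuerSerial in a
# WS-Security KeyInfo refers to the certificate configured for the service.
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

# Constructed KeyInfo, mirroring the fragment quoted in the question.
KEYINFO_XML = f"""<ds:KeyInfo xmlns:ds="{DS}">
  <wsse:SecurityTokenReference xmlns:wsse="{WSSE}">
    <ds:X509Data><ds:X509IssuerSerial>
      <ds:X509IssuerName>O=OASIS, CN=OASIS Interop Test CA</ds:X509IssuerName>
      <ds:X509SerialNumber>2147483647</ds:X509SerialNumber>
    </ds:X509IssuerSerial></ds:X509Data>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>"""

# Assumed issuer/serial of the configured certificate (constructed values); a
# real implementation would extract them from the <rampc:Certificate> file.
CONFIGURED_CERT = {"issuer": "CN=OASIS Interop Test CA, O=OASIS", "serial": 2147483647}

def _norm_dn(dn):
    # Order-, case- and whitespace-insensitive comparison of the RDNs. This is
    # an approximation; escaped commas (RFC 4514) are not handled here.
    return frozenset(p.strip().lower() for p in dn.split(","))

def parse_issuer_serial(keyinfo_xml):
    """Return (issuer_name, serial) from ds:X509IssuerSerial, or None if absent."""
    root = ET.fromstring(keyinfo_xml)
    node = root.find(f".//{{{DS}}}X509IssuerSerial")
    if node is None:
        return None
    issuer = node.findtext(f"{{{DS}}}X509IssuerName")
    serial = node.findtext(f"{{{DS}}}X509SerialNumber")
    if issuer is None or serial is None:
        return None
    # XML-DSIG encodes the serial number as a decimal integer string.
    return issuer.strip(), int(serial.strip())

def keyinfo_matches_config(keyinfo_xml, cert):
    """True only if the reference names exactly the configured certificate."""
    ref = parse_issuer_serial(keyinfo_xml)
    if ref is None:
        return False  # unsupported or missing reference type: fail closed
    issuer, serial = ref
    return _norm_dn(issuer) == _norm_dn(cert["issuer"]) and serial == cert["serial"]
```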