ws-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: TLS 1.2 support
Date Wed, 24 Aug 2016 12:48:08 GMT
WSS4J has some references to TLS in the comments, as security requirements
may vary depending on whether a message was received over TLS or not. For
example, if a SAML Assertion has a Holder-of-Key requirement, the message
must be signed by a Signature using the Assertion's Subject certificate OR
client authentication TLS must be used, where the client cert matches that
of the SAML Assertion.

However, WSS4J delegates all requirements surrounding how messages are
created and received, to the SOAP stack that is is use (CXF/Axis/etc). So
if you want information on TLS support, please ask these projects instead.

Colm.

On Wed, Aug 24, 2016 at 1:39 PM, Martin Gainty <mgainty@hotmail.com> wrote:

> MG>axis-rampart 1.6.2 implements <wss4j.version>1.6.4</wss4j.version>
>
> MG>if i grep experimental branch wss4j-1.6.19
>
> MG>org.apache.ws.security.conversation.dkalgo.P_SHA1.java where P_SHA1 is
> TLS  V 1.0 implementation?
> /**
>  *
>  <pre>
>  P_SHA-1 DEFINITION
>  ==================
>  <b>P_SHA-1(secret, seed)</b> =
>  HMAC_SHA-1(secret, A(1) + seed) +
>  HMAC_SHA-1(secret, A(2) + seed) +
>  HMAC_SHA-1(secret, A(3) + seed) + ...
>  <i>Where + indicates concatenation.</i>
>  <br>
>  A() is defined as:
>  A(0) = seed
>  A(i) = HMAC_SHA-1(secret, A(i-1))
>  <br>
>  <i>Source : RFC 2246 - The TLS Protocol Version 1.0
>  Section 5. HMAC and the pseudorandom function</i>
>  </pre>
>  *
>  * @author Ruchith Fernando
>  */
>
> MG>org.apache.ws.security.saml.ext.builder.SAML1Constants.java seems to
> contain authentication definition for RFC 2246 ?
> /**
>      * The authentication was performed using either the SSL or TLS
> protocol with certificate
>      * based client authentication. TLS is described in [RFC 2246].
>      */
>     public static final String AUTH_METHOD_TLS_CLIENT =
> "urn:ietf:rfc:2246";
> MG>Nota Bene: RFC2246 is TLS 1.0
>
>
> MG>org.apache.ws.security.message.token.UsernameToken seems to implement
> P_hash function for RFC 2246 (TLS v 1.0)?
>     /**
>      * P_hash as defined in RFC 2246 for TLS.
>      *
>      * @param secret is the key for the HMAC
>      * @param seed the seed value to start the generation - A(0)
>      * @param mac the HMAC algorithm
>      * @param required number of bytes to generate
>      * @return a byte array that contains a secret key
>      * @throws Exception
>      */
>     private static byte[] P_hash(
>         byte[] secret,
>         byte[] seed,
>         Mac mac,
>         int required
>     ) throws Exception {
>         byte[] out = new byte[required];
>         int offset = 0, tocpy;
>         byte[] a, tmp;
>         //
>         // a(0) is the seed
>         //
>         a = seed;
>         SecretKeySpec key = new SecretKeySpec(secret, "HMACSHA1");
>         mac.init(key);
>         while (required > 0) {
>             mac.update(a);
>             a = mac.doFinal();
>             mac.update(a);
>             mac.update(seed);
>             tmp = mac.doFinal();
>             tocpy = min(required, tmp.length);
>             System.arraycopy(tmp, 0, out, offset, tocpy);
>             offset += tocpy;
>             required -= tocpy;
>         }
>         return out;
>     }
>
> MG>axis2-1.6.2 has no mention of AUTH_METHOD_TLS_CLIENT
>
> MG>assuming AUTH_METHOD_TLS_CLIENT  (referenced in SAMLTokenProcessor)
> defined in WSS4J SAML1Constants for TLS v1.0
>
> MG>would copying these RFC-2246  attributes/functions to RFC-5246
> equivalents allow TLS V1.2 could be implemented?
>
> MG>Suggestions on implementing TLS V1.2 eagerly solicited
>
>
> ------------------------------
> From: coheigea@apache.org
> Date: Wed, 24 Aug 2016 09:55:46 +0100
> Subject: Re: TLS 1.2 support
> To: users@ws.apache.org
>
> Apache WSS4J does not implement TLS at all, it is solely an implementation
> of the WS-Security standards. Perhaps you want Apache CXF or Axis instead?
>
> Colm.
>
> On Fri, Aug 19, 2016 at 12:06 PM, Amit Lonkar <amitlonkar@yahoo.com>
> wrote:
>
> Anyone who could let me know the answer to the question below ?
>
> Thanks
> Amit
>
>
> On Aug 18, 2016, at 5:16 AM, Martin Gainty <mgainty@hotmail.com> wrote:
>
>
> "Could you please let me know which version of wss4j implements TLSv1.2
> (rfc5246)"
>
> Please honour this question
>
> Thank You,
> Martin
> ______________________________________________
>
>  _____ _          _____             _          _____     ___ _                      
 _____               _     _   _
> |_   _| |_ ___   |  _  |___ ___ ___| |_ ___   |   __|___|  _| |_ _ _ _ ___ ___ ___  
|   __|___ _ _ ___ _| |___| |_|_|___ ___
>   | | |   | -_|  |     | . | .'|  _|   | -_|  |__   | . |  _|  _| | | | .'|  _| -_| 
|   __| . | | |   | . | .'|  _| | . |   |
>   |_| |_|_|___|  |__|__|  _|__,|___|_|_|___|  |_____|___|_| |_| |_____|__,|_| |___| 
|__|  |___|___|_|_|___|__,|_| |_|___|_|_|
>                        |_|
>
>
>
>
> ------------------------------
> From: amitlonkar@yahoo.com
> Subject: TLS 1.2 support
> Date: Tue, 16 Aug 2016 09:27:56 -0600
> To: users@ws.apache.org
>
> Could you please let me know which version of wss4j implements TLSv1.2
> (rfc5246)
>
> Thanks
> Amit
>
>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Mime
View raw message