Does Metro Support SHA2 - for example SHA-256, SHA-384 or SHA-512 in WS-Trust communication


Does Metro Support SHA2 - for example SHA-256, SHA-384 or SHA-512 in WS-Trust communication

TomekJavaMetro

Hello,

I would like to say hello to the whole Metro team ;) This is my first post.

I use Metro for the communication in my case (WSP, STS and WSC, all secured by Metro 2.1.1 / 2.2). In the client's communication with the STS over the WS-Trust 1.3 protocol, and in the subsequent communication with the secured WebServiceProvider, I see that the message digest method is sha1.

I would like to ask whether the message digest could be configured to sha-256, sha-512 or any other SHA-2 algorithm.

Below is a sample message exchanged between the WSC and the STS / WSP. In all messages in the communication the sha1 digest method is used, but I would like to upgrade it to SHA-2.

What could I do to solve this issue?

</ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>nyrNZivljVbCJAHw3re7yRkertY=</ds:DigestValue></ds:Reference>

This is the part of the message related to my question. It is a fragment of the RST request sent from the WSC to the STS.

</wsse:BinarySecurityToken><ds:Signature xmlns:ns16="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" xmlns:ns15="http://schemas.xmlsoap.org/soap/envelope/" Id="_1"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><exc14n:InclusiveNamespaces PrefixList="wsse S"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#_5002"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><exc14n:InclusiveNamespaces PrefixList="S"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>WerhQ72O2UjxXfXd00EviXeWohM=</ds:DigestValue></ds:Reference><ds:Reference URI="#_5003"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><exc14n:InclusiveNamespaces PrefixList="S"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>nyrNZivljVbCJAHw3re7yRkertY=</ds:DigestValue></ds:Reference><ds:Reference URI="#_5004"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><exc14n:InclusiveNamespaces PrefixList="S"/></ds:Transform></ds:Transforms>



Sincerely,
TomekJavaMetro.

Re: Does Metro Support SHA2 - for example SHA-256, SHA-384 or SHA-512 in WS-Trust communication

TomekJavaMetro

I would like to apologize for my question.
It is very easy to do.


1. Change / configure the Algorithm Suite under "Security Mechanisms" on the STS service. This is easily done
   via the Quality of Service / Secure Service tab in NetBeans 7.x.

   In the WSDL file of the STS, these are the lines:

    <sp:AlgorithmSuite>
        <wsp:Policy>
            <sp:Basic256Sha256/>
        </wsp:Policy>
    </sp:AlgorithmSuite>


2. Change / configure the Algorithm Suite under "Security Mechanisms" on the secured WSP service. This is easily done via the Quality of Service / Secure Service tab in NetBeans 7.x.

   Change the Key Size: 128 -> 256, and also change the AlgorithmSuite: 128Bit -> Basic256Sha256.

In the WSDL file of the WSP it is changed to:


    <sp:ProtectionToken>
        <wsp:Policy>
            <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <sp:RequestSecurityTokenTemplate>
                    <t:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</t:TokenType>
                    <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</t:KeyType>
                    <t:KeySize>256</t:KeySize>
                </sp:RequestSecurityTokenTemplate>
......
......
    <sp:AlgorithmSuite>
        <wsp:Policy>
            <sp:Basic256Sha256/>
        </wsp:Policy>
    </sp:AlgorithmSuite>
</wsp:Policy>
</sp:SymmetricBinding>



3. Verification Tests - the part of the RST request message from WSC to STS

   The communication between WSC, STS and WSP is all right. The message is signed with SHA-2 (sha256 in this case).

<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>


=</wsse:BinarySecurityToken><ds:Signature xmlns:ns16="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" xmlns:ns15="http://schemas.xmlsoap.org/soap/envelope/" Id="_1"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><exc14n:InclusiveNamespaces PrefixList="wsse S"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#_5002"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><exc14n:InclusiveNamespaces PrefixList="S"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>Fkih3acCiWIIkZPsdP39lkbTCi1pQuAT8MebkrXHuJc=</ds:DigestValue></ds:Reference>


The part of the example message "secured WSP -> secured WSC" confirms that the KeySize is 256 bits.

</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><trust:SecondaryParameters><trust:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</trust:TokenType><trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType><trust:KeySize>256</trust:KeySize></trust:SecondaryParameters><trust:Entropy><trust:BinarySecret Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">ETbLeuB4K8VVCpsZj3dM6uyrXd8PcVjIyD6KVs1uiDI=</trust:BinarySecret></trust:Entropy><trust:ComputedKeyAlgorithm>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</trust:ComputedKeyAlgorithm></trust:RequestSecurityToken></S:Body></S:Envelope>

This issue is resolved.
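The verification step above is done by eye on a captured message. The following script is an added example (not part of Metro or of this thread) that performs the same check automatically: it reads the DigestMethod and SignatureMethod URIs out of a ds:Signature element, and the AlgorithmSuite and KeySize out of a WS-SecurityPolicy SymmetricBinding, and reports whether they meet a SHA-2 / 256-bit requirement. The sample XML is constructed from the fragments quoted in the two posts; the wsp and t namespace URIs are assumptions, since the posts do not show the prefix declarations. Note that the digest and the signature algorithm are reported separately: the SHA-256 capture above still shows rsa-sha1 as the SignatureMethod, so a check that only looks at the digest would miss that.

```python
"""Audit the digest and signature algorithms used in a WS-Security signed
message and the AlgorithmSuite / KeySize declared in a WS-SecurityPolicy.
Example code added to this thread; the sample XML below is constructed."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://www.w3.org/ns/ws-policy"                      # assumed wsp: prefix
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"    # assumed t: prefix

# XML Signature / XML Encryption algorithm URIs accepted as SHA-2.
SHA2_DIGESTS = {
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512",
}
SHA2_SIGNATURES = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}

# Constructed from the "before" fragment in the first post.
SIGNED_BEFORE = f"""<ds:Signature xmlns:ds="{DS}" Id="_1">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_5002">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>WerhQ72O2UjxXfXd00EviXeWohM=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#_5003">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>nyrNZivljVbCJAHw3re7yRkertY=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>constructed-placeholder</ds:SignatureValue>
</ds:Signature>"""

# Constructed from the "after" fragment in the second post.
SIGNED_AFTER = f"""<ds:Signature xmlns:ds="{DS}" Id="_1">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_5002">
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>Fkih3acCiWIIkZPsdP39lkbTCi1pQuAT8MebkrXHuJc=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>constructed-placeholder</ds:SignatureValue>
</ds:Signature>"""

# Constructed from the WSP policy fragment in the second post.
POLICY_AFTER = f"""<sp:SymmetricBinding xmlns:sp="{SP}" xmlns:wsp="{WSP}" xmlns:t="{WST}">
  <wsp:Policy>
    <sp:ProtectionToken><wsp:Policy><sp:IssuedToken>
      <sp:RequestSecurityTokenTemplate>
        <t:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</t:TokenType>
        <t:KeyType>{WST}/SymmetricKey</t:KeyType>
        <t:KeySize>256</t:KeySize>
      </sp:RequestSecurityTokenTemplate>
    </sp:IssuedToken></wsp:Policy></sp:ProtectionToken>
    <sp:AlgorithmSuite><wsp:Policy><sp:Basic256Sha256/></wsp:Policy></sp:AlgorithmSuite>
  </wsp:Policy>
</sp:SymmetricBinding>"""


def audit_signature(signature_xml: str) -> dict:
    """Collect the SignatureMethod and every Reference's DigestMethod from a
    ds:Signature and flag whether each is a SHA-2 algorithm."""
    root = ET.fromstring(signature_xml)
    sig_alg = root.find(f".//{{{DS}}}SignatureMethod").get("Algorithm")
    digests = {ref.get("URI"): ref.find(f"{{{DS}}}DigestMethod").get("Algorithm")
               for ref in root.iter(f"{{{DS}}}Reference")}
    return {
        "signature_method": sig_alg,
        "digest_methods": digests,
        "all_digests_sha2": all(a in SHA2_DIGESTS for a in digests.values()),
        "signature_sha2": sig_alg in SHA2_SIGNATURES,
    }


def audit_policy(policy_xml: str) -> dict:
    """Read the AlgorithmSuite name (the sp: child of AlgorithmSuite/wsp:Policy)
    and the requested KeySize, and flag a SHA-256 suite and a 256-bit key."""
    root = ET.fromstring(policy_xml)
    suite_el = root.find(f".//{{{SP}}}AlgorithmSuite")
    suite = next(el.tag.split("}")[1] for el in suite_el.iter()
                 if el is not suite_el and el.tag.startswith("{" + SP + "}"))
    ks = root.find(f".//{{{WST}}}KeySize")
    key_size = int(ks.text) if ks is not None else None
    return {
        "algorithm_suite": suite,
        "key_size": key_size,
        "suite_sha2": "Sha256" in suite,
        "key_size_ok": key_size is not None and key_size >= 256,
    }


if __name__ == "__main__":
    for label, xml in (("before", SIGNED_BEFORE), ("after", SIGNED_AFTER)):
        print(label, audit_signature(xml))
    print("policy", audit_policy(POLICY_AFTER))
```

Run against a real capture, paste the complete ds:Signature element in place of the constructed samples; the "after" sample comes out with all digests SHA-256 but `signature_sha2` False, which is exactly what the captured message shows.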