From: Gait B. <gai...@ti...> - 2003-04-07 09:31:20
I don't set the envelope when doing verification. But if you don't set it, it gets automatically set to 'dsa-sha1' since that is the default. See diffs below to enable the key-alg loading from the properties file.
diff -r1.148 MessageServiceHandler.java
727a728,729
> private static String keyAlg =3D null;
>=20
822a825
> keyAlg =3D prop.get(Constants.PROPERTY_MSH_KEY_ALGORITHM);
824c827,831
< if (keystorePath.equals("")) {
---
> if (keyAlg.equals("")) {
> keyAlg =3D null;
> }
>=20
> if (keystorePath.equals("")) {
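Review bot: the test `keyAlg.equals("")` at line 827 throws a NullPointerException when the property is absent, if `prop.get(Constants.PROPERTY_MSH_KEY_ALGORITHM)` at line 825 returns null for a missing key (as java.util.Properties and Map do); write it as `if (keyAlg == null || keyAlg.equals(""))` or `if ("".equals(keyAlg))` so that a configuration file without the new key still falls back to the default rather than failing at startup.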
2425c2432,2433
< ackMessage.sign(keystoreAlias, keystorePassword.toCharArray(),
---
> if( keyAlg =3D=3D null ) {
> ackMessage.sign(keystoreAlias, keystorePassword.toCharArray(),
2426a2435,2439
> }
> else {
> ackMessage.sign(keystoreAlias, keystorePassword.toCharArray(),
> keystore, keyAlg);
> }
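Review bot: the if/else at lines 2432-2439 duplicates the whole `ackMessage.sign(...)` call only to vary the trailing argument; if the four-argument `sign(alias, password, keystore, alg)` already treats a null algorithm as the 'dsa-sha1' default described at the top of this message, a single call passing `keyAlg` would do. Either way, log the algorithm actually used when the acknowledgment is signed: the thread notes that verification succeeds with either envelope setting, so a log line is the only way an operator can confirm that the configured value took effect.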
diff -r1.20 Constants.java
196a197,202
> /**
> * Path to get key algorithm in configuration file
> */
> public static final String PROPERTY_MSH_KEY_ALGORITHM =3D
> "MSH/DigitalSignature/AckSign/Key/Algorithm";
>=20
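Review bot: the Javadoc at lines 197-199 should name the accepted values ("dsa-sha1" and "rsa-sha1", the strings discussed in this thread) and state that an empty or missing value means the default 'dsa-sha1'; the property path alone gives no hint which strings the code compares against.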
----- Original Message -----
From: Patrick Yee
To: ebx...@li...
Sent: Monday, April 07, 2003 10:41 AM
Subject: Re: [ebxmlms-develop] signed acknowledgments
Yes, you can pass "dsa-sha1" or "rsa-sha1" as the algorithm parameter to the ebxmlMessage.sign() function. And we missed this option when signing acks. Adding a property to trigger this behaviour sounds good.

Gait, for the verification, there is no need to set the algorithm. According to the JavaDoc of the XML security library
http://nagoya.apache.org/gump/javadoc/xml-security/build/doc/html/api/org/apache/xml/security/signature/XMLSignature.html
we can omit the SignatureMethod parameter when constructing the XMLSignature object. Since we omit that parameter, setting any value in the envelope has no effect.

BTW, how do you set the envelope when doing verification?

Regards, -Patrick
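The signing and verification behaviour this thread circles around, as an added example that is not part of the Hermes code and not written by any of the participants. It uses the JDK's standard XML Digital Signature API (javax.xml.crypto.dsig, available since Java 6) in place of the Apache XML Security library the thread refers to; the class and method names AckSignDemo, algorithmUri, sign, verify and newAck are assumptions for this illustration, and the document it signs is a constructed stand-in, not an ebMS acknowledgment. The mapping of the property values "dsa-sha1" and "rsa-sha1" to algorithm URIs, and the fallback to dsa-sha1 for an empty value, follow the thread. The point to see is in verify(): no algorithm is passed in by the caller. The SignatureMethod is read from ds:SignedInfo inside the document, which is also the part of ds:Signature that the SignatureValue is computed over, so whatever the document names is what gets checked, and the verifier has to enforce its own policy on that name. Current JDKs (17 and later, and updates of older releases) refuse SHA-1 based XML signatures in secure validation mode, so the runnable main() signs with rsa-sha256 and keeps the SHA-1 names only to mirror the thread's configuration values.

```java
import java.security.*;
import java.util.*;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class AckSignDemo {
    // Algorithm URIs from the XMLDSig specs; the short names are the property values used in the thread.
    static final String DSA_SHA1   = "http://www.w3.org/2000/09/xmldsig#dsa-sha1";
    static final String RSA_SHA1   = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // What this verifier accepts; the SHA-1 variants are deliberately left out.
    static final Set<String> ACCEPTED = new HashSet<>(Arrays.asList(RSA_SHA256));

    // Map the configured value (the thread's MSH/DigitalSignature/AckSign/Key/Algorithm property) to a URI.
    // A null or empty value falls back to dsa-sha1, the default the thread describes. (Hypothetical helper.)
    static String algorithmUri(String keyAlg) {
        if (keyAlg == null || keyAlg.isEmpty() || keyAlg.equals("dsa-sha1")) return DSA_SHA1;
        if (keyAlg.equals("rsa-sha1")) return RSA_SHA1;
        if (keyAlg.equals("rsa-sha256")) return RSA_SHA256;
        throw new IllegalArgumentException("unsupported key algorithm: " + keyAlg);
    }

    // Enveloped signature over the whole document; the chosen SignatureMethod is recorded in ds:SignedInfo.
    static void sign(Document doc, KeyPair kp, String keyAlg) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("",
                fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(algorithmUri(keyAlg), null),
                Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        fac.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
    }

    // Verification: the algorithm is taken from ds:SignedInfo in the document, not from the caller,
    // so the verifier applies its own allowlist before any signature arithmetic runs.
    static boolean verify(Document doc, PublicKey expectedKey) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() != 1) return false;
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(expectedKey, nl.item(0));
        XMLSignature sig;
        try {
            sig = fac.unmarshalXMLSignature(ctx);
        } catch (MarshalException e) {
            // Current JDKs already refuse disallowed (SHA-1 family) algorithms while unmarshalling.
            System.out.println("rejected while parsing signature: " + e.getMessage());
            return false;
        }
        String method = sig.getSignedInfo().getSignatureMethod().getAlgorithm();
        if (!ACCEPTED.contains(method)) {
            System.out.println("rejected by policy: document names " + method);
            return false;
        }
        // validate() recomputes every Reference digest and checks SignatureValue over canonicalized SignedInfo.
        return sig.validate(ctx);
    }

    // Constructed stand-in for an acknowledgment; not an ebMS header.
    static Document newAck(String refToMessageId) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element root = doc.createElement("Acknowledgment");
        Element ref = doc.createElement("RefToMessageId");
        ref.setTextContent(refToMessageId);
        root.appendChild(ref);
        doc.appendChild(root);
        return doc;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair rsa = kpg.generateKeyPair();

        Document ack = newAck("constructed-message-id-1");
        sign(ack, rsa, "rsa-sha256");
        System.out.println("valid as signed:            " + verify(ack, rsa.getPublic()));

        // Changing signed content breaks the Reference digest.
        Document tampered = newAck("constructed-message-id-2");
        sign(tampered, rsa, "rsa-sha256");
        tampered.getElementsByTagName("RefToMessageId").item(0).setTextContent("constructed-message-id-9");
        System.out.println("valid after content change: " + verify(tampered, rsa.getPublic()));

        // Rewriting the SignatureMethod the document names is caught by the allowlist (or by the JDK) first.
        Document swapped = newAck("constructed-message-id-3");
        sign(swapped, rsa, "rsa-sha256");
        Element sm = (Element) swapped.getElementsByTagNameNS(XMLSignature.XMLNS, "SignatureMethod").item(0);
        sm.setAttribute("Algorithm", DSA_SHA1);
        System.out.println("valid with dsa-sha1 named:  " + verify(swapped, rsa.getPublic()));
    }
}
```

Compile and run with `javac AckSignDemo.java && java AckSignDemo` on Java 8 or later; the three lines print true, false and false. The allowlist in verify() is the design point: because the verifier reads the algorithm from the document, leaving the document free to name any algorithm the library supports means the library's weakest supported algorithm is the effective policy, so the allowlist belongs in the verifier rather than in the signer's configuration.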
----- Original Message -----
From: Gait Boxman
To: ebx...@li...
Sent: Friday, April 04, 2003 6:45 PM
Subject: Re: [ebxmlms-develop] signed acknowledgments
Actually, with a bit of hacking I got it to work (I think). BC is used from apache...xml/security, where the JCE classes are dynamically loaded from an Australian FTP site to bypass US export regulations. The trick was to pass in the 'rsa-sha1' algorithm parameter to the ebxmlMessage.sign function. For acks, I added a property to trigger this behaviour (for signed messages, you can do it from the client directly). Funny thing is that verification occurs with the envelope set to dsa-sha1 :-), and still works fine. I guess that's because that information sits inside the ds:Signature, which is never signed itself, and is not used for the verification itself. I don't think I got it quite right yet, but it seems to work on the loopback...
----- Original Message -----
From: Ronald van Kuijk
To: 'ebx...@li...'
Sent: Friday, April 04, 2003 10:50 AM
Subject: RE: [ebxmlms-develop] signed acknowledgments
From what I've seen the bouncycastle libraries are used in the signature process. The RSA algorithms are probably not included due to licensing restrictions.
But that's just a wild guess.
----- Original Message -----
From: Gait Boxman [mailto:gai...@ti...]
Sent: Friday, April 04, 2003 9:27 AM
To: ebx...@li...
Subject: Re: [ebxmlms-develop] signed acknowledgments
One more question: is the limitation to DSA signatures local to my machine (i.e. a setup problem on my part), a limitation from Hermes, or a limitation from XMLDsig?
I seem to remember we were able to use RSA in the earlier days, and they certainly work for SSL...
----- Original Message -----
From: Gait Boxman
To: ebx...@li...
Sent: Monday, March 31, 2003 1:56 PM
Subject: [ebxmlms-develop] signed acknowledgments
Hi team,
per ebMS2, when signed acknowledgments are requested, the acknowledgment must contain the digests of the original (signed or unsigned) message. AFAICT, this is currently not implemented. Is there an easy way to add it? I've tracked down signing as far as the Apache XML security libs, but I was hoping for an easier and faster way to add the digests than going through three levels of APIs...
thnx, Gait.