TLS 1.2 support

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

TLS 1.2 support

Amit Lonkar
Could you please let me know which version of wss4j implements TLSv1.2 (rfc5246)

Thanks
Amit



Reply | Threaded
Open this post in threaded view
|

RE: TLS 1.2 support

Martin Gainty

"Could you please let me know which version of wss4j implements TLSv1.2 (rfc5246)"

Please honour this question

Thank You,
Martin
______________________________________________
 _____ _          _____             _          _____     ___ _                        _____               _     _   _         
|_   _| |_ ___   |  _  |___ ___ ___| |_ ___   |   __|___|  _| |_ _ _ _ ___ ___ ___   |   __|___ _ _ ___ _| |___| |_|_|___ ___ 
  | | |   | -_|  |     | . | .'|  _|   | -_|  |__   | . |  _|  _| | | | .'|  _| -_|  |   __| . | | |   | . | .'|  _| | . |   |
  |_| |_|_|___|  |__|__|  _|__,|___|_|_|___|  |_____|___|_| |_| |_____|__,|_| |___|  |__|  |___|___|_|_|___|__,|_| |_|___|_|_|
                       |_|                                                                                                    




From: [hidden email]
Subject: TLS 1.2 support
Date: Tue, 16 Aug 2016 09:27:56 -0600
To: [hidden email]

Could you please let me know which version of wss4j implements TLSv1.2 (rfc5246)

Thanks
Amit



Reply | Threaded
Open this post in threaded view
|

Re: TLS 1.2 support

Amit Lonkar
Anyone who could let me know the answer to the question below ?

Thanks
Amit

On Aug 18, 2016, at 5:16 AM, Martin Gainty <[hidden email]> wrote:


"Could you please let me know which version of wss4j implements TLSv1.2 (rfc5246)"

Please honour this question

Thank You,
Martin
______________________________________________ 
 _____ _          _____             _          _____     ___ _                        _____               _     _   _         
|_   _| |_ ___   |  _  |___ ___ ___| |_ ___   |   __|___|  _| |_ _ _ _ ___ ___ ___   |   __|___ _ _ ___ _| |___| |_|_|___ ___ 
  | | |   | -_|  |     | . | .'|  _|   | -_|  |__   | . |  _|  _| | | | .'|  _| -_|  |   __| . | | |   | . | .'|  _| | . |   |
  |_| |_|_|___|  |__|__|  _|__,|___|_|_|___|  |_____|___|_| |_| |_____|__,|_| |___|  |__|  |___|___|_|_|___|__,|_| |_|___|_|_|
                       |_|                                                                                                    




From: [hidden email]
Subject: TLS 1.2 support
Date: Tue, 16 Aug 2016 09:27:56 -0600
To: [hidden email]

Could you please let me know which version of wss4j implements TLSv1.2 (rfc5246)

Thanks
Amit

Reply | Threaded
Open this post in threaded view
|

Re: TLS 1.2 support

Colm O hEigeartaigh-2
Apache WSS4J does not implement TLS at all, it is solely an implementation of the WS-Security standards. Perhaps you want Apache CXF or Axis instead?

Colm.

On Fri, Aug 19, 2016 at 12:06 PM, Amit Lonkar <[hidden email]> wrote:
Anyone who could let me know the answer to the question below ?

Thanks
Amit


On Aug 18, 2016, at 5:16 AM, Martin Gainty <[hidden email]> wrote:


"Could you please let me know which version of wss4j implements TLSv1.2 (rfc5246)"

Please honour this question

Thank You,
Martin
______________________________________________ 
 _____ _          _____             _          _____     ___ _                        _____               _     _   _         
|_   _| |_ ___   |  _  |___ ___ ___| |_ ___   |   __|___|  _| |_ _ _ _ ___ ___ ___   |   __|___ _ _ ___ _| |___| |_|_|___ ___ 
  | | |   | -_|  |     | . | .'|  _|   | -_|  |__   | . |  _|  _| | | | .'|  _| -_|  |   __| . | | |   | . | .'|  _| | . |   |
  |_| |_|_|___|  |__|__|  _|__,|___|_|_|___|  |_____|___|_| |_| |_____|__,|_| |___|  |__|  |___|___|_|_|___|__,|_| |_|___|_|_|
                       |_|                                                                                                    




From: [hidden email]
Subject: TLS 1.2 support
Date: Tue, 16 Aug 2016 09:27:56 -0600
To: [hidden email]

Could you please let me know which version of wss4j implements TLSv1.2 (rfc5246)

Thanks
Amit




--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
Reply | Threaded
Open this post in threaded view
|

RE: TLS 1.2 support

Martin Gainty
MG>axis-rampart 1.6.2 implements <wss4j.version>1.6.4</wss4j.version>

MG>if i grep experimental branch wss4j-1.6.19 

MG>org.apache.ws.security.conversation.dkalgo.P_SHA1.java where P_SHA1 is TLS  V 1.0 implementation?
/**
 *
 <pre>
 P_SHA-1 DEFINITION
 ==================
 <b>P_SHA-1(secret, seed)</b> =
 HMAC_SHA-1(secret, A(1) + seed) +
 HMAC_SHA-1(secret, A(2) + seed) +
 HMAC_SHA-1(secret, A(3) + seed) + ...
 <i>Where + indicates concatenation.</i>
 <br>
 A() is defined as:
 A(0) = seed
 A(i) = HMAC_SHA-1(secret, A(i-1))
 <br>
 <i>Source : RFC 2246 - The TLS Protocol Version 1.0
 Section 5. HMAC and the pseudorandom function</i>
 </pre>
 *
 * @author Ruchith Fernando
 */

MG>org.apache.ws.security.saml.ext.builder.SAML1Constants.java seems to contain authentication definition for RFC 2246 ?
/**
     * The authentication was performed using either the SSL or TLS protocol with certificate 
     * based client authentication. TLS is described in [RFC 2246].
     */
    public static final String AUTH_METHOD_TLS_CLIENT = "urn:ietf:rfc:2246";
MG>Nota Bene: RFC2246 is TLS 1.0


MG>org.apache.ws.security.message.token.UsernameToken seems to implement P_hash function for RFC 2246 (TLS v 1.0)?
    /**
     * P_hash as defined in RFC 2246 for TLS.
     * 
     * @param secret is the key for the HMAC
     * @param seed the seed value to start the generation - A(0)
     * @param mac the HMAC algorithm
     * @param required number of bytes to generate
     * @return a byte array that contains a secret key
     * @throws Exception
     */
    private static byte[] P_hash(
        byte[] secret, 
        byte[] seed, 
        Mac mac, 
        int required
    ) throws Exception {
        byte[] out = new byte[required];
        int offset = 0, tocpy;
        byte[] a, tmp;
        //
        // a(0) is the seed
        //
        a = seed;
        SecretKeySpec key = new SecretKeySpec(secret, "HMACSHA1");
        mac.init(key);
        while (required > 0) {
            mac.update(a);
            a = mac.doFinal();
            mac.update(a);
            mac.update(seed);
            tmp = mac.doFinal();
            tocpy = min(required, tmp.length);
            System.arraycopy(tmp, 0, out, offset, tocpy);
            offset += tocpy;
            required -= tocpy;
        }
        return out;
    }

MG>axis2-1.6.2 has no mention of AUTH_METHOD_TLS_CLIENT

MG>assuming AUTH_METHOD_TLS_CLIENT  (referenced in SAMLTokenProcessor) defined in WSS4J SAML1Constants for TLS v1.0

MG>would copying these RFC-2246  attributes/functions to RFC-5246 equivalents allow TLS V1.2 could be implemented?

MG>Suggestions on implementing TLS V1.2 eagerly solicited



From: [hidden email]
Date: Wed, 24 Aug 2016 09:55:46 +0100
Subject: Re: TLS 1.2 support
To: [hidden email]

Apache WSS4J does not implement TLS at all, it is solely an implementation of the WS-Security standards. Perhaps you want Apache CXF or Axis instead?

Colm.

On Fri, Aug 19, 2016 at 12:06 PM, Amit Lonkar <[hidden email]> wrote:
Anyone who could let me know the answer to the question below ?

Thanks
Amit


On Aug 18, 2016, at 5:16 AM, Martin Gainty <[hidden email]> wrote:


"Could you please let me know which version of wss4j implements TLSv1.2 (rfc5246)"

Please honour this question

Thank You,
Martin
______________________________________________ 
 _____ _          _____             _          _____     ___ _                        _____               _     _   _         
|_   _| |_ ___   |  _  |___ ___ ___| |_ ___   |   __|___|  _| |_ _ _ _ ___ ___ ___   |   __|___ _ _ ___ _| |___| |_|_|___ ___ 
  | | |   | -_|  |     | . | .'|  _|   | -_|  |__   | . |  _|  _| | | | .'|  _| -_|  |   __| . | | |   | . | .'|  _| | . |   |
  |_| |_|_|___|  |__|__|  _|__,|___|_|_|___|  |_____|___|_| |_| |_____|__,|_| |___|  |__|  |___|___|_|_|___|__,|_| |_|___|_|_|
                       |_|                                                                                                    




From: [hidden email]
Subject: TLS 1.2 support
Date: Tue, 16 Aug 2016 09:27:56 -0600
To: [hidden email]

Could you please let me know which version of wss4j implements TLSv1.2 (rfc5246)

Thanks
Amit




--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
Reply | Threaded
Open this post in threaded view
|

Re: TLS 1.2 support

Colm O hEigeartaigh-2
WSS4J has some references to TLS in the comments, as security requirements may vary depending on whether a message was received over TLS or not. For example, if a SAML Assertion has a Holder-of-Key requirement, the message must be signed by a Signature using the Assertion's Subject certificate OR client authentication TLS must be used, where the client cert matches that of the SAML Assertion.

However, WSS4J delegates all requirements surrounding how messages are created and received, to the SOAP stack that is is use (CXF/Axis/etc). So if you want information on TLS support, please ask these projects instead.

Colm.

On Wed, Aug 24, 2016 at 1:39 PM, Martin Gainty <[hidden email]> wrote:
MG>axis-rampart 1.6.2 implements <wss4j.version>1.6.4</wss4j.version>

MG>if i grep experimental branch wss4j-1.6.19 

MG>org.apache.ws.security.conversation.dkalgo.P_SHA1.java where P_SHA1 is TLS  V 1.0 implementation?
/**
 *
 <pre>
 P_SHA-1 DEFINITION
 ==================
 <b>P_SHA-1(secret, seed)</b> =
 HMAC_SHA-1(secret, A(1) + seed) +
 HMAC_SHA-1(secret, A(2) + seed) +
 HMAC_SHA-1(secret, A(3) + seed) + ...
 <i>Where + indicates concatenation.</i>
 <br>
 A() is defined as:
 A(0) = seed
 A(i) = HMAC_SHA-1(secret, A(i-1))
 <br>
 <i>Source : RFC 2246 - The TLS Protocol Version 1.0
 Section 5. HMAC and the pseudorandom function</i>
 </pre>
 *
 * @author Ruchith Fernando
 */

MG>org.apache.ws.security.saml.ext.builder.SAML1Constants.java seems to contain authentication definition for RFC 2246 ?
/**
     * The authentication was performed using either the SSL or TLS protocol with certificate 
     * based client authentication. TLS is described in [RFC 2246].
     */
    public static final String AUTH_METHOD_TLS_CLIENT = "urn:ietf:rfc:2246";
MG>Nota Bene: RFC2246 is TLS 1.0


MG>org.apache.ws.security.message.token.UsernameToken seems to implement P_hash function for RFC 2246 (TLS v 1.0)?
    /**
     * P_hash as defined in RFC 2246 for TLS.
     * 
     * @param secret is the key for the HMAC
     * @param seed the seed value to start the generation - A(0)
     * @param mac the HMAC algorithm
     * @param required number of bytes to generate
     * @return a byte array that contains a secret key
     * @throws Exception
     */
    private static byte[] P_hash(
        byte[] secret, 
        byte[] seed, 
        Mac mac, 
        int required
    ) throws Exception {
        byte[] out = new byte[required];
        int offset = 0, tocpy;
        byte[] a, tmp;
        //
        // a(0) is the seed
        //
        a = seed;
        SecretKeySpec key = new SecretKeySpec(secret, "HMACSHA1");
        mac.init(key);
        while (required > 0) {
            mac.update(a);
            a = mac.doFinal();
            mac.update(a);
            mac.update(seed);
            tmp = mac.doFinal();
            tocpy = min(required, tmp.length);
            System.arraycopy(tmp, 0, out, offset, tocpy);
            offset += tocpy;
            required -= tocpy;
        }
        return out;
    }

MG>axis2-1.6.2 has no mention of AUTH_METHOD_TLS_CLIENT

MG>assuming AUTH_METHOD_TLS_CLIENT  (referenced in SAMLTokenProcessor) defined in WSS4J SAML1Constants for TLS v1.0

MG>would copying these RFC-2246  attributes/functions to RFC-5246 equivalents allow TLS V1.2 could be implemented?

MG>Suggestions on implementing TLS V1.2 eagerly solicited



From: [hidden email]
Date: Wed, 24 Aug 2016 09:55:46 +0100
Subject: Re: TLS 1.2 support
To: [hidden email]

Apache WSS4J does not implement TLS at all, it is solely an implementation of the WS-Security standards. Perhaps you want Apache CXF or Axis instead?

Colm.

On Fri, Aug 19, 2016 at 12:06 PM, Amit Lonkar <[hidden email]> wrote:
Anyone who could let me know the answer to the question below ?

Thanks
Amit


On Aug 18, 2016, at 5:16 AM, Martin Gainty <[hidden email]> wrote:


"Could you please let me know which version of wss4j implements TLSv1.2 (rfc5246)"

Please honour this question

Thank You,
Martin
______________________________________________ 
 _____ _          _____             _          _____     ___ _                        _____               _     _   _         
|_   _| |_ ___   |  _  |___ ___ ___| |_ ___   |   __|___|  _| |_ _ _ _ ___ ___ ___   |   __|___ _ _ ___ _| |___| |_|_|___ ___ 
  | | |   | -_|  |     | . | .'|  _|   | -_|  |__   | . |  _|  _| | | | .'|  _| -_|  |   __| . | | |   | . | .'|  _| | . |   |
  |_| |_|_|___|  |__|__|  _|__,|___|_|_|___|  |_____|___|_| |_| |_____|__,|_| |___|  |__|  |___|___|_|_|___|__,|_| |_|___|_|_|
                       |_|                                                                                                    




From: [hidden email]
Subject: TLS 1.2 support
Date: Tue, 16 Aug 2016 09:27:56 -0600
To: [hidden email]

Could you please let me know which version of wss4j implements TLSv1.2 (rfc5246)

Thanks
Amit




--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com