Allow the RSA v1.5 Key Transport Algorithm for WildFly / JBossWS / CXF / WSS4J stack

Submitted by 夙愿已清 on 2019-12-10 10:57:58

Question


In response to a security advisory (see http://cxf.apache.org/note-on-cve-2011-1096.html) regarding the RSA v1.5 key transport algorithm, both CXF and WSS4J projects have disallowed use of all related algorithms by default.

They have however supplied a configuration tag "ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM" which should re-allow these algorithms (see https://ws.apache.org/wss4j/config.html).

Our problem is getting these frameworks (JBossWS / CXF / WSS4J) to accept/use this configuration setting. We have tried using:

  • jboss-webservice.xml
  • custom CXF interceptor (setting the param after CXF creates its WSS4J interceptor)
  • custom "hacked" WSS4J build (hardcoding the parameter to "true")

But none of these options seem to actually re-enable support for the RSA v1.5 key transport algorithms.

Does anyone have any idea as to how we could/should specify this configuration parameter?


Answer 1:


Here's a test I added to CXF:

https://git1-us-west.apache.org/repos/asf?p=cxf.git;a=commit;h=a73effb5

Note the server has set "allowRSA15KeyTransportAlgorithm" to "true".




Answer 2:


This setting is only applied if the WSHandlerConstants.ENCRYPT action is included in the actions for the interceptor.

For instance:

import java.util.HashMap;
import java.util.Map;

import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.wss4j.dom.handler.WSHandlerConstants;

// Inbound WSS4J properties: the RSA 1.5 switch is honoured only because ENCRYPT is listed in ACTION.
Map<String, Object> inProps = new HashMap<>();
inProps.put(WSHandlerConstants.ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM, "true");
inProps.put(WSHandlerConstants.ACTION, 
    WSHandlerConstants.ENCRYPT + " " +
    WSHandlerConstants.SIGNATURE);
WSS4JInInterceptor wss4JInInterceptor = new WSS4JInInterceptor(inProps);
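The wiring the answer describes, carried through to a published CXF JAX-WS endpoint, as an added example that is not code from the question or the answers. It assumes WSS4J 2.x package names, a caller-supplied service implementor, and hypothetical crypto properties file and password callback class names.

```java
import java.util.HashMap;
import java.util.Map;

import javax.xml.ws.Endpoint;

import org.apache.cxf.jaxws.EndpointImpl;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.wss4j.dom.handler.WSHandlerConstants;

public class Rsa15EndpointPublisher {

    /**
     * Builds the inbound WSS4J handler properties. ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM
     * is read only when ENCRYPT appears in ACTION; without it the flag is silently ignored,
     * which is the symptom reported in the question.
     */
    public static Map<String, Object> inboundProps(boolean allowRsa15) {
        Map<String, Object> props = new HashMap<>();
        props.put(WSHandlerConstants.ACTION,
                  WSHandlerConstants.ENCRYPT + " " + WSHandlerConstants.SIGNATURE);
        // Keep this false unless a legacy client cannot use RSA-OAEP; "true" reintroduces
        // the exposure described in the CVE-2011-1096 advisory linked in the question.
        props.put(WSHandlerConstants.ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM,
                  String.valueOf(allowRsa15));
        // Hypothetical file and class names; point these at your own keystore config.
        props.put(WSHandlerConstants.DEC_PROP_FILE, "server-crypto.properties");
        props.put(WSHandlerConstants.SIG_VER_PROP_FILE, "server-crypto.properties");
        props.put(WSHandlerConstants.PW_CALLBACK_CLASS, "com.example.ServerPasswordCallback");
        return props;
    }

    /** Publishes the implementor and attaches the WSS4J inbound interceptor programmatically. */
    public static EndpointImpl publish(Object implementor, String address, boolean allowRsa15) {
        // With CXF on the classpath, Endpoint.publish returns CXF's EndpointImpl.
        EndpointImpl endpoint = (EndpointImpl) Endpoint.publish(address, implementor);
        endpoint.getInInterceptors().add(new WSS4JInInterceptor(inboundProps(allowRsa15)));
        return endpoint;
    }
}
```

The same ACTION requirement applies if the properties are set through jboss-webservice.xml or an injected interceptor: check that ENCRYPT is present before concluding the flag is not being picked up.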


Source: https://stackoverflow.com/questions/32590707/allow-the-rsa-v1-5-key-transport-algorithm-for-wildfly-jbossws-cxf-wss4j-s
