Posted to users@ws.apache.org by "massimiliano.masi@gmail.com" <ma...@gmail.com> on 2012/06/19 12:28:02 UTC

Xml-Signature wrapping

Hello All,

I am trying to write code against XML-Signature wrapping.

The attached XML validates, but it shouldn't (the signature was made
on the correct XML, where I switched the body) :-)

I was trying to use the w3c's best practice #14, which is described in
http://domino.research.ibm.com/library/cyberdig.nsf/papers/73053F26BFE5D1D385257067004CFD80/$File/rc23691.pdf

How can I do that easily with wss4j?

Thanks a lot!

<?xml version="1.0" encoding="ISO-8859-1" standalone="yes"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
  <s:Header>
    <wsse:Security s:mustUnderstand="true"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:BinarySecurityToken
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
          wsu:Id="X509-5ED3F58FF83785A1E613401010446741">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</wsse:BinarySecurityToken>
      <ds:Signature Id="SIG-2" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="s" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-1">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>mjUU4XkDWH4O/mdFHz65/e5C6hw=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>OZBdrJ4ucWbfdTJIFd6thEtyaBH3OshqVHEmPDlaaoqFXqD4dHJCUWR9KMjcJ1gozFEe1aVM4Ju7
w2jJdSa4CKLgX2xf5dIdUkoH1+ck68hYBT7zfYj3sivctxRwLh2PwuI8qTrUB2ya1vw5X9vsPp2z
f0nfnO3NoOHScDa1ZcI=</ds:SignatureValue>
        <ds:KeyInfo Id="KI-5ED3F58FF83785A1E613401010446952">
          <wsse:SecurityTokenReference wsu:Id="STR-5ED3F58FF83785A1E613401010446963">
            <wsse:Reference URI="#X509-5ED3F58FF83785A1E613401010446741"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
    <fooHeader>
      <s:Body wsu:Id="id-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <ns1:sampleValue xmlns:ns1="urn:tiani-spirit:test">this is a value</ns1:sampleValue>
      </s:Body>
    </fooHeader>
  </s:Header>
  <Body xmlns="http://www.w3.org/2003/05/soap-envelope">
    <sampleValue xmlns="urn:tiani-spirit:test">This is another one, FAKED</sampleValue>
  </Body>
</s:Envelope>




-- 
Massimiliano Masi

http://www.mascanc.net/~max
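Added example (not part of the post above, and not WSS4J code): the check that best practice #14 asks for, run against the wrapped envelope from the post. An Id-based resolver finds the signed s:Body wherever it sits, so the signature verifies; the check below instead computes the signed element's absolute location from namespace URIs and local names and compares it with the location the application will actually read. Assumptions: the sample is the posted envelope reduced to the parts this check reads (token, digests and SignatureValue removed, so no cryptographic verification is performed here; the point is what happens after it succeeds), the JDK's built-in DOM parser, and a Java 15+ text block for the sample.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/** Detects the wrapping in the posted envelope by checking WHERE the signed element sits. */
public class WrappingCheck {
    static final String SOAP = "http://www.w3.org/2003/05/soap-envelope";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    // Constructed input: the wrapped envelope from the post, reduced to what this check reads.
    // Token, digests and SignatureValue are left out; assume signature verification already passed.
    static final String WRAPPED = """
        <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
          <s:Header>
            <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
              <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo><ds:Reference URI="#id-1"/></ds:SignedInfo>
              </ds:Signature>
            </wsse:Security>
            <fooHeader>
              <s:Body wsu:Id="id-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                <ns1:sampleValue xmlns:ns1="urn:tiani-spirit:test">this is a value</ns1:sampleValue>
              </s:Body>
            </fooHeader>
          </s:Header>
          <Body xmlns="http://www.w3.org/2003/05/soap-envelope">
            <sampleValue xmlns="urn:tiani-spirit:test">This is another one, FAKED</sampleValue>
          </Body>
        </s:Envelope>
        """;

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, no XXE
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** What an Id-based reference resolver does: find the element carrying wsu:Id, wherever it is. */
    static Element resolveWsuId(Document doc, String id) {
        Element found = null;
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (id.equals(e.getAttributeNS(WSU, "Id"))) {
                if (found != null) throw new IllegalStateException("duplicate wsu:Id " + id);
                found = e;
            }
        }
        if (found == null) throw new IllegalStateException("no element with wsu:Id " + id);
        return found;
    }

    /** Absolute location as {namespace-URI}local-name steps, so sender-chosen prefixes do not matter. */
    static String pathOf(Element e) {
        StringBuilder sb = new StringBuilder();
        for (Node n = e; n != null && n.getNodeType() == Node.ELEMENT_NODE; n = n.getParentNode()) {
            sb.insert(0, "/{" + n.getNamespaceURI() + "}" + n.getLocalName());
        }
        return sb.toString();
    }

    /** Locations of every element covered by a ds:Reference in ds:SignedInfo (same-document references only). */
    static List<String> signedPaths(Document doc) {
        List<String> paths = new ArrayList<>();
        NodeList infos = doc.getElementsByTagNameNS(DS, "SignedInfo");
        for (int i = 0; i < infos.getLength(); i++) {
            for (Node c = infos.item(i).getFirstChild(); c != null; c = c.getNextSibling()) {
                if (c.getNodeType() != Node.ELEMENT_NODE || !DS.equals(c.getNamespaceURI())
                        || !"Reference".equals(c.getLocalName())) continue;
                String uri = ((Element) c).getAttribute("URI");
                if (!uri.startsWith("#")) throw new IllegalStateException("unexpected reference " + uri);
                paths.add(pathOf(resolveWsuId(doc, uri.substring(1))));
            }
        }
        return paths;
    }

    /** The location the application dispatches on: Body as a direct child of Envelope. */
    static final String EXPECTED_BODY = "/{" + SOAP + "}Envelope/{" + SOAP + "}Body";

    /** Best practice #14 as a predicate: the Body that will be processed must itself be signed. */
    static boolean bodyIsSigned(Document doc) {
        return signedPaths(doc).contains(EXPECTED_BODY);
    }

    /** The text the application would act on if it simply took Envelope/Body. */
    static String dispatchedBodyText(Document doc) {
        for (Node c = doc.getDocumentElement().getFirstChild(); c != null; c = c.getNextSibling()) {
            if (c.getNodeType() == Node.ELEMENT_NODE && SOAP.equals(c.getNamespaceURI())
                    && "Body".equals(c.getLocalName())) return c.getTextContent().trim();
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(WRAPPED);
        System.out.println("signed element(s) at: " + signedPaths(doc));
        System.out.println("application would read: " + dispatchedBodyText(doc));
        System.out.println("Body at expected location is signed: " + bodyIsSigned(doc));
    }
}
```

For the posted envelope the only signed path ends in Header/fooHeader/Body, so bodyIsSigned returns false while dispatchedBodyText returns the FAKED value; a message in which the signed Body is the direct child of Envelope passes. Two details matter in practice: paths are built from namespace URIs, never from prefixes or raw wsu:Id strings, because the sender controls both; and duplicate wsu:Id values are rejected outright rather than resolved to the first match.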

Re: Xml-Signature wrapping

Posted by "massimiliano.masi@gmail.com" <ma...@gmail.com>.
Hi,

On Tue, Jun 19, 2012 at 1:34 PM, Colm O hEigeartaigh <co...@apache.org> wrote:

> It works with any element in the SOAP Envelope. Basically, WSS4J validates
> the signature and each of the references, by searching for the reference
> element in the SOAP Envelope corresponding to the Id of the Reference. It
> then stores the Reference Element, as well as an XPath corresponding to the
> location of the Element in the SOAP Envelope. Downstream code can then
> extract the list of signed elements and compare the location to the
> location that was "expected".
>
>
Yep, that's a good solution: get the XPath out of the WSDataRef and
compare it with the actual position in the tree.

I see a possible DoS, isn't it? One can forge fake XMLs wrapping valid
signatures, then send them to the service provider. Instead of rejecting
the fake message, it validates the signature, performs the XPath query,
and only then checks for the error.

But I think this can be avoided by a priori framework agreements on the
exact content of the structure.

Thanks again,

    Massi

-- 
Massimiliano Masi

http://www.mascanc.net/~max

Re: Xml-Signature wrapping

Posted by Colm O hEigeartaigh <co...@apache.org>.
> Thanks for your answer! :) That's the case of the SOAP Body; what about
> another element in the SOAP tree?

It works with any element in the SOAP Envelope. Basically, WSS4J validates
the signature and each of the references, by searching for the reference
element in the SOAP Envelope corresponding to the Id of the Reference. It
then stores the Reference Element, as well as an XPath corresponding to the
location of the Element in the SOAP Envelope. Downstream code can then
extract the list of signed elements and compare the location to the
location that was "expected".

Colm.



On Tue, Jun 19, 2012 at 12:21 PM, massimiliano.masi@gmail.com <
massimiliano.masi@gmail.com> wrote:

> Hi,
>
> Thanks for your answer! :) That's the case of the SOAP Body; what about
> another element in the SOAP tree?
>
> The idea of having XPath references in the ds:Transform keeps the semantics
> of the signature tied to the structure of the XML document. Do you know if
> there is a way to add such an XPath property to the ds:Transform without
> creating a custom signature processor?
>
> Ciao,
>
>     Massi
>
> --
> Massimiliano Masi
>
> http://www.mascanc.net/~max
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
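Added example (not from the thread and not WSS4J's own code) of where the downstream check Colm describes goes, ordered to answer the DoS concern raised earlier in the thread: cheap structural checks on the DOM run first, WSS4J signature processing runs second, and only then is the element WSS4J actually verified compared with the one Body the application will dispatch on. Assumptions: WSS4J 1.6 package names as of the thread's date (org.apache.ws.security.*; WSS4J 2.x moved them to org.apache.wss4j.dom.*), a crypto.properties keystore configuration for CryptoFactory, SOAP 1.2 as in the posted message, and that WSDataRef.getProtectedElement() is the accessor for the stored reference element that Colm mentions.

```java
import java.util.List;
import javax.security.auth.callback.CallbackHandler;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/** Enforces "the SOAP Body must be signed" on top of WSS4J's results, with the cheap checks first. */
public class SignedBodyEnforcer {
    static final String SOAP12 = "http://www.w3.org/2003/05/soap-envelope";

    /**
     * Structural pre-check, run before any signature processing so that a wrapped message
     * is rejected without spending an RSA verification on it: exactly one Body element in the
     * whole document, and it is a direct child of Envelope. The posted envelope has two.
     */
    static Element theOnlyBody(Document doc) {
        if (doc.getElementsByTagNameNS(SOAP12, "Body").getLength() != 1) {
            throw new IllegalStateException("expected exactly one SOAP Body in the message");
        }
        for (Node c = doc.getDocumentElement().getFirstChild(); c != null; c = c.getNextSibling()) {
            if (c.getNodeType() == Node.ELEMENT_NODE && SOAP12.equals(c.getNamespaceURI())
                    && "Body".equals(c.getLocalName())) {
                return (Element) c;
            }
        }
        throw new IllegalStateException("SOAP Body is not a direct child of Envelope");
    }

    /**
     * Post-check on WSS4J's results: some verified signature must cover that exact Body node.
     * Node identity is compared, not the wsu:Id string and not a prefixed XPath string,
     * because the sender controls Ids and prefixes.
     */
    static void requireBodySigned(Document doc, List<WSSecurityEngineResult> results) {
        Element body = theOnlyBody(doc);
        for (WSSecurityEngineResult r : results) {
            Integer action = (Integer) r.get(WSSecurityEngineResult.TAG_ACTION);
            if (action == null || (action & WSConstants.SIG) == 0) continue;
            @SuppressWarnings("unchecked")
            List<WSDataRef> refs = (List<WSDataRef>) r.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
            if (refs == null) continue;
            for (WSDataRef ref : refs) {
                Element protectedEl = ref.getProtectedElement();
                if (protectedEl != null && protectedEl.isSameNode(body)) return;
            }
        }
        throw new IllegalStateException("SOAP Body is not covered by a verified signature");
    }

    /** Full order of operations; returns the Body that is safe to dispatch on. */
    public static Element verifyAndGetBody(Document doc, CallbackHandler cb) throws WSSecurityException {
        theOnlyBody(doc);                                               // 1. structure (cheap)
        Crypto crypto = CryptoFactory.getInstance("crypto.properties"); // assumed keystore config
        WSSecurityEngine engine = new WSSecurityEngine();
        List<WSSecurityEngineResult> results =
                engine.processSecurityHeader(doc, null, cb, crypto);    // 2. signature (expensive)
        requireBodySigned(doc, results);                                // 3. what was signed is what we use
        return theOnlyBody(doc);
    }
}
```

The same pattern extends to any other element the application relies on: locate it by its expected position under Envelope, then require that some WSDataRef's protected element is that node. Rejecting a message with more than one Body anywhere in the tree is deliberate; a header never legitimately contains one, and it is the cheapest possible way to refuse the posted message before verification.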

Re: Xml-Signature wrapping

Posted by "massimiliano.masi@gmail.com" <ma...@gmail.com>.
Hi,

Thanks for your answer! :) That's the case of the SOAP Body; what about
another element in the SOAP tree?

The idea of having XPath references in the ds:Transform keeps the semantics
of the signature tied to the structure of the XML document. Do you know if
there is a way to add such an XPath property to the ds:Transform without
creating a custom signature processor?

Ciao,

    Massi

On Tue, Jun 19, 2012 at 12:53 PM, Colm O hEigeartaigh <co...@apache.org> wrote:

> Hi Massimiliano,
>
> WSS4J does not enforce that certain elements in a request must be signed
> or encrypted, that's the job of the calling code. So for example, if a CXF
> endpoint has a WS-SecurityPolicy requirement that the SOAP Body must be
> signed, then your sample altered request will fail at that stage.
>
> Colm.
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>


-- 
Massimiliano Masi

http://www.mascanc.net/~max

Re: Xml-Signature wrapping

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Massimiliano,

WSS4J does not enforce that certain elements in a request must be signed or
encrypted, that's the job of the calling code. So for example, if a CXF
endpoint has a WS-SecurityPolicy requirement that the SOAP Body must be
signed, then your sample altered request will fail at that stage.

Colm.


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com