Posted to users@cxf.apache.org by jbendsen <ja...@bec.dk> on 2007/10/09 13:59:00 UTC
signing the Binary Security Token (BST)
Hi,
I'm using CXF and WSS4J to develop consumers and providers that exchange
signed soap messages.
Signing the body and timestamp elements works just fine. However, I also
need to sign the X.509 certificate that is included in the security header
(using the direct reference strategy).
Below I've outlined the structure of the soap message that I would like to
produce.
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope ...>
  <soapenv:Header>
    <wsse:Security xmlns:wsse="..." soapenv:mustUnderstand="1">
      <wsse:BinarySecurityToken ... wsu:Id="CertId-24950043">
        MIIE...<!--an X.509v3 certificate-->
      </wsse:BinarySecurityToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod
            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod
            Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
          </ds:SignatureMethod>
          <ds:Reference URI="#id-10168913"> <!--reference to body. Works OK!-->
            ...
          </ds:Reference>
          <ds:Reference URI="#Timestamp-30487154"> <!--reference to timestamp. Works OK!-->
            ...
          </ds:Reference>
          <ds:Reference URI="#CertId-24950043"> <!--reference to certificate. This is the reference I want to generate-->
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
          MkA...
        </ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-19714461">
          <wsse:SecurityTokenReference ...>
            <wsse:Reference URI="#CertId-24950043" ...></wsse:Reference>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsu:Timestamp ...>
        <wsu:Created>2007-09-11T12:49:35.499Z</wsu:Created>
        <wsu:Expires>2007-09-11T12:54:35.499Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body ... wsu:Id="id-10168913">
    ...
  </soapenv:Body>
</soapenv:Envelope>
I've tried to get it to work by setting the
org.apache.ws.security.handler.WSHandlerConstants.SIGNATURE_PARTS property
to this value:
"{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken",
but it doesn't work.
Has anyone tried to sign the BinarySecurityToken? Any help will be
appreciated!
best regards,
Jakob Bendsen
BEC, Denmark
www.bec.dk
Re: signing the Binary Security Token (BST)
Posted by Fred Dushin <fr...@dushin.net>.
You're trying to sign an element (BST containing the certificate)
that hasn't been created yet.
This is a bit of an odd use-case -- typically, you'd sign the body of
the message with the private key associated with the public key in
the certificate you are sending, and then do some kind of cert
validation on the receiving side (e.g., to verify that the cert sent
in the message is signed by a trustworthy authority). But now you
want to add a signature on top of that. What key are you planning to
use to do that? The same one?
I think the only way you're going to get this to work will be to
chain 2 WSS4JOutInterceptors. Make the first one sign the body, and
the second the BST.
-Fred
On Oct 9, 2007, at 8:57 AM, Mayank Mishra wrote:
> jbendsen wrote:
>> Hi,
>> I'm using CXF and WSS4J to develop consumers and providers that
>> exchange
>> signed soap messages. Signing the body and timestamp elements
>> works just fine. However, I also
>> need to sign the X.509 certificate that is included in the security
>> header
>> (using the direct reference strategy).
>> Below I've outlined the structure of the soap message that I would
>> like to
>> produce.
>> <?xml version="1.0" encoding="UTF-8"?>
>> <soapenv:Envelope ...>
>> <soapenv:Header>
>> <wsse:Security xmlns:wsse="..." soapenv:mustUnderstand="1">
>> <wsse:BinarySecurityToken ... wsu:Id="CertId-24950043">
>> MIIE...<!--an x509v3 certificate-->
>> </wsse:BinarySecurityToken>
>>
>> <ds:Signature>
>> <ds:SignedInfo>
>> <ds:CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>> </ds:CanonicalizationMethod>
>> <ds:SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
>> </ds:SignatureMethod>
>> <ds:Reference URI="#id-10168913"> <!--reference to body.
>> Works OK!-->
>> ...
>> </ds:Reference>
>> <ds:Reference URI="#Timestamp-30487154"> <!--reference to
>> timestamp.
>> Works OK!-->
>> ...
>> </ds:Reference>
>> <ds:Reference URI="#CertId-24950043"> <!-- Reference to
>> certificate.
>> This is the reference I want to generate-->
>> </ds:Reference>
>> </ds:SignedInfo>
>> <ds:SignatureValue>
>> MkA...
>> </ds:SignatureValue>
>> <ds:KeyInfo Id="KeyId-19714461">
>> <wsse:SecurityTokenReference...>
>> <wsse:Reference URI="#CertId-24950043" ...></wsse:Reference>
>> </wsse:SecurityTokenReference>
>> </ds:KeyInfo>
>> </ds:Signature>
>> <wsu:Timestamp...>
>> <wsu:Created>2007-09-11T12:49:35.499Z</wsu:Created>
>> <wsu:Expires>2007-09-11T12:54:35.499Z</wsu:Expires>
>> </wsu:Timestamp>
>> </wsse:Security>
>> </soapenv:Header>
>> <soapenv:Body ... wsu:Id="id-10168913">
>> ...
>> </soapenv:Body>
>> </soapenv:Envelope>
>>
>> I've tried to get it to work by setting the
>> org.apache.ws.security.handler.WSHandlerConstants.SIGNATURE_PARTS
>> property
>> to this value:
>> "{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-
>> wssecurity-secext-1.0.xsd}BinarySecurityToken",
>> but it doesn't work.
>>
>> Has anyone tried to sign the BinarySecurityToken? Any help will be
>> appreciated!
>>
>
> Hi Jakob,
>
> I also tried, but it gave the following error, I guess the same:
>
> General security error (WSEncryptBody/WSSignEnvelope: Element to
> encrypt/sign not found: http://docs.oasis-open.org/wss/2004/01/
> oasis-200401-wss-wssecurity-secext-1.0.xsd, BinarySecurityToken)
>
> Surprisingly, SecurityTokenReference can refer to the
> BinarySecurityToken using wsu:Id, so why can't ds:Reference refer
> to the token?
>
> With Regards,
> Mayank
>
>> best regards,
>> Jakob Bendsen
>>
>> BEC, Denmark
>> www.bec.dk
>>
>
>
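Fred's explanation is that at the moment the WSS4J handler resolves SIGNATURE_PARTS the BinarySecurityToken is not yet in the header, so a part naming it cannot be found; that is the same failure Mayank quotes below. WSSecSignature.build() adds the references first and prepends the BST afterwards, but with the low-level WSS4J API the order of those two steps is under your control, so one Signature can cover the Body, the Timestamp and the token, which is the layout Jakob sketched (WS-SecurityPolicy calls this "token protection", sp:ProtectTokens). The following is an added example, not code from the thread or from CXF/WSS4J; it is written against the WSS4J 1.5 WSSecSignature API of that period, and the sample envelope, the crypto.properties file, the alias "alice" and its password are assumptions:

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Vector;

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;

import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;
import org.apache.ws.security.message.WSSecTimestamp;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class SignBodyTimestampAndBst {

    /** Constructed sample request (SOAP 1.1); the Body content is a placeholder. */
    static final String SAMPLE_ENVELOPE =
        "<soapenv:Envelope xmlns:soapenv=\"" + WSConstants.URI_SOAP11_ENV + "\">"
      + "<soapenv:Header/>"
      + "<soapenv:Body><getBalance xmlns=\"urn:example\"><account>42</account></getBalance></soapenv:Body>"
      + "</soapenv:Envelope>";

    /**
     * Produces one ds:Signature whose References cover the Body, the Timestamp and the
     * BinarySecurityToken carrying the signing certificate (direct reference).
     */
    static Document sign(Document doc, Crypto crypto, String alias, String password) throws Exception {
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(doc);

        // Timestamp first: everything added later is prepended above it.
        WSSecTimestamp timestamp = new WSSecTimestamp();
        timestamp.setTimeToLive(300);
        timestamp.prepare(doc);
        timestamp.prependToHeader(secHeader);

        WSSecSignature sig = new WSSecSignature();
        sig.setUserInfo(alias, password);
        sig.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
        sig.prepare(doc, crypto, secHeader);     // builds the BST in memory and assigns its wsu:Id
        String bstId = sig.getBSTTokenId();      // read it now, before the token is handed to the header

        // Insert the Signature and then the BST *before* adding references, so that a
        // ds:Reference to the BST has an element to resolve against. build() does these
        // steps in the opposite order, which is why the handler reports the BST as not found.
        sig.prependToHeader(secHeader);
        sig.prependBSTElementToHeader(secHeader);

        Vector<WSEncryptionPart> parts = new Vector<WSEncryptionPart>();
        parts.add(new WSEncryptionPart("Body", WSConstants.URI_SOAP11_ENV, "Element"));
        parts.add(new WSEncryptionPart("Timestamp", WSConstants.WSU_NS, "Element"));
        parts.add(new WSEncryptionPart(bstId));  // by wsu:Id, exactly as the STR refers to it
        sig.addReferencesToSign(parts, secHeader);

        sig.computeSignature();                  // digests are computed now; all three targets exist
        return doc;
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    static String serialize(Document doc) throws Exception {
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // crypto.properties, the alias and the password are assumptions for this example.
        Crypto crypto = CryptoFactory.getInstance("crypto.properties");
        Document signed = sign(parse(SAMPLE_ENVELOPE), crypto, "alice", "password");
        System.out.println(serialize(signed));
    }
}
```

The header comes out as BST, Signature, Timestamp, with the BST ahead of the Signature that references it. Two caveats: WSSecSignature.addReferencesToSign also treats the reserved part name Token specially (with a direct reference it adds a ds:Reference to the BST's own wsu:Id), so a plain Token entry in SIGNATURE_PARTS may be enough with the handler, but check addReferencesToSign in the WSS4J version you actually run before relying on that. And, as Fred says, a signed token is not a trusted token: the receiver still has to verify the signature and validate the certificate chain against its trust store.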
Re: signing the Binary Security Token (BST)
Posted by Mayank Mishra <ma...@pramati.com>.
jbendsen wrote:
> Hi,
>
> I'm using CXF and WSS4J to develop consumers and providers that exchange
> signed soap messages.
> Signing the body and timestamp elements works just fine. However, I also
> need to sign the X.509 certificate that is included in the security header
> (using the direct reference strategy).
>
> Below I've outlined the structure of the soap message that I would like to
> produce.
>
> <?xml version="1.0" encoding="UTF-8"?>
> <soapenv:Envelope ...>
> <soapenv:Header>
> <wsse:Security xmlns:wsse="..." soapenv:mustUnderstand="1">
> <wsse:BinarySecurityToken ... wsu:Id="CertId-24950043">
> MIIE...<!--an x509v3 certificate-->
> </wsse:BinarySecurityToken>
>
> <ds:Signature>
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> </ds:CanonicalizationMethod>
> <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
> </ds:SignatureMethod>
> <ds:Reference URI="#id-10168913"> <!--reference to body. Works OK!-->
> ...
> </ds:Reference>
> <ds:Reference URI="#Timestamp-30487154"> <!--reference to timestamp.
> Works OK!-->
> ...
> </ds:Reference>
> <ds:Reference URI="#CertId-24950043"> <!-- Reference to certificate.
> This is the reference I want to generate-->
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>
> MkA...
> </ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-19714461">
> <wsse:SecurityTokenReference...>
> <wsse:Reference URI="#CertId-24950043" ...></wsse:Reference>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> <wsu:Timestamp...>
> <wsu:Created>2007-09-11T12:49:35.499Z</wsu:Created>
> <wsu:Expires>2007-09-11T12:54:35.499Z</wsu:Expires>
> </wsu:Timestamp>
> </wsse:Security>
> </soapenv:Header>
> <soapenv:Body ... wsu:Id="id-10168913">
> ...
> </soapenv:Body>
> </soapenv:Envelope>
>
> I've tried to get it to work by setting the
> org.apache.ws.security.handler.WSHandlerConstants.SIGNATURE_PARTS property
> to this value:
> "{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken",
> but it doesn't work.
>
> Has anyone tried to sign the BinarySecurityToken? Any help will be
> appreciated!
>
Hi Jakob,
I also tried, but it gave the following error, I guess the same:
General security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd, BinarySecurityToken)
Surprisingly, SecurityTokenReference can refer to the BinarySecurityToken using wsu:Id, so why can't ds:Reference refer to the token?
With Regards,
Mayank
> best regards,
> Jakob Bendsen
>
> BEC, Denmark
> www.bec.dk
>
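Mayank's observation is right in one respect: the wsse:Reference inside the SecurityTokenReference and a ds:Reference in SignedInfo both point at an element by its wsu:Id, and the lookup is the same. On the receiving side that lookup is what tells you which parts a signature actually covers, and a verifier that accepts a message because "the signature is valid" without checking that the Body, the Timestamp and the token named in KeyInfo are among the signed References is accepting a signature over something else. The following is an added example, not code from the thread or from WSS4J, using only the JDK's DOM API; the envelope is constructed in the layout from the thread with placeholder digests and signature value, so this check is meant to run after the cryptographic verification (which it does not perform):

```java
import java.io.StringReader;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class SignedPartsCheck {

    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String DS   = "http://www.w3.org/2000/09/xmldsig#";

    /** Constructed sample in the thread's layout; the BST reference is optional so both outcomes can be seen. */
    static String sample(boolean referenceBst) {
        return "<soapenv:Envelope xmlns:soapenv='" + SOAP + "' xmlns:wsse='" + WSSE
            + "' xmlns:wsu='" + WSU + "' xmlns:ds='" + DS + "'><soapenv:Header>"
            + "<wsse:Security soapenv:mustUnderstand='1'>"
            + "<wsse:BinarySecurityToken wsu:Id='CertId-1'>MIIE...</wsse:BinarySecurityToken>"
            + "<ds:Signature><ds:SignedInfo>"
            + "<ds:Reference URI='#id-1'/><ds:Reference URI='#Timestamp-1'/>"
            + (referenceBst ? "<ds:Reference URI='#CertId-1'/>" : "")
            + "</ds:SignedInfo><ds:SignatureValue>MkA...</ds:SignatureValue>"
            + "<ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI='#CertId-1'/>"
            + "</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>"
            + "<wsu:Timestamp wsu:Id='Timestamp-1'><wsu:Created>2007-09-11T12:49:35Z</wsu:Created>"
            + "<wsu:Expires>2007-09-11T12:54:35Z</wsu:Expires></wsu:Timestamp>"
            + "</wsse:Security></soapenv:Header>"
            + "<soapenv:Body wsu:Id='id-1'><getBalance/></soapenv:Body></soapenv:Envelope>";
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs on the wire
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** Every wsu:Id in the document; duplicates are refused so a fragment reference cannot be ambiguous. */
    static Map<String, Element> indexIds(Document doc) {
        Map<String, Element> ids = new HashMap<String, Element>();
        NodeList all = doc.getElementsByTagNameNS("*", "*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            String id = e.getAttributeNS(WSU, "Id");
            if (id.length() > 0 && ids.put(id, e) != null) {
                throw new IllegalStateException("duplicate wsu:Id " + id);
            }
        }
        return ids;
    }

    static Element first(Element scope, String ns, String local) {
        NodeList l = scope.getElementsByTagNameNS(ns, local);
        if (l.getLength() == 0) throw new IllegalStateException("missing " + local);
        return (Element) l.item(0);
    }

    /** Only same-document fragment URIs are acceptable in a WS-Security signature. */
    static String fragment(String uri) {
        if (!uri.startsWith("#") || uri.length() < 2) throw new IllegalStateException("bad URI " + uri);
        return uri.substring(1);
    }

    /**
     * True when the first Signature's References cover the Body, the Timestamp and the token that
     * KeyInfo/SecurityTokenReference names. It reports what was signed, not whether the signature is valid.
     */
    static boolean coversRequiredParts(Document doc) {
        Map<String, Element> ids = indexIds(doc);
        Element root = doc.getDocumentElement();
        Element signature = first(first(root, WSSE, "Security"), DS, "Signature");

        Set<String> signed = new LinkedHashSet<String>();
        NodeList refs = first(signature, DS, "SignedInfo").getElementsByTagNameNS(DS, "Reference");
        for (int i = 0; i < refs.getLength(); i++) {
            String id = fragment(((Element) refs.item(i)).getAttribute("URI"));
            if (!ids.containsKey(id)) throw new IllegalStateException("dangling reference #" + id);
            signed.add(id);
        }

        // The STR's wsse:Reference and the ds:Reference elements resolve through the same wsu:Id index.
        String tokenId = fragment(first(first(first(signature, DS, "KeyInfo"),
                WSSE, "SecurityTokenReference"), WSSE, "Reference").getAttribute("URI"));
        String bodyId = first(root, SOAP, "Body").getAttributeNS(WSU, "Id");
        String timestampId = first(root, WSU, "Timestamp").getAttributeNS(WSU, "Id");

        return signed.contains(bodyId) && signed.contains(timestampId) && signed.contains(tokenId);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("token referenced:     " + coversRequiredParts(parse(sample(true))));
        System.out.println("token not referenced: " + coversRequiredParts(parse(sample(false))));
    }
}
```

The first call passes and the second fails only because the token's wsu:Id is missing from SignedInfo; everything else in the two envelopes is identical. Duplicate wsu:Id values, references that do not resolve, and non-fragment URIs are all treated as errors rather than ignored, because each of them lets a reference point somewhere other than the element the verifier digested.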