Posted to dev@santuario.apache.org by Brian S <ic...@hotmail.com> on 2008/09/03 20:49:39 UTC

issue validating soap message

I'm trying to validate a SOAP message using the Apache XML security library. Thus far, I have based my solution similar to the SimpleValidate.cpp provided. However, it seems that I get the message "Unknown KeyInfo element found". I believe I have tracked the issue back to DSIGKeyInfoList::addXMLKeyInfo where the function searches for specific values within the keyinfo structure. My XML file does not have one of these specific values, and hence it fails. According to my interpretation of the xml-dsig-core spec, there's a common set, although not a mandated set of values that these can (not must) be used within the keyinfo element. Could you tell me if there is some flag or some method that I can use to bypass the error/function call for keyinfo when using the load function (which eventually calls this function). My keyinfo structure for my example is listed below:
 
<ds:KeyInfo Id="KeyId-20335771"><wsse:SecurityTokenReference wsu:Id="STRId-21448734"><wsse:Reference URI="#CertId-26165834"/></wsse:SecurityTokenReference></ds:KeyInfo>
 
The CertID is referenced earlier in the document by my BinarySecurityToken (My X.509 Cert in BASE64)
 
Thanks,
 
Brian

RE: issue validating soap message

Posted by Scott Cantor <ca...@osu.edu>.
> Could
> you tell me if there is some flag or some method that I can use to bypass
> the error/function call for keyinfo when using the load function (which
> eventually calls this function).

Nope. That's a bug. Skipping the extension may be a viable fix to get around
the exception, but the code overall isn't really equipped to provide the
functionality you need to handle extensions.

Probably the least invasive fix would be a patch that adds a generic
DSIGKeyInfoExtension type to handle anything that isn't built-in, and just
expose the DOM.

I have my own XML wrappers for all my work, partly because of this kind of
problem, but I have to rely on load() in xmlsec to handle the signature
node, and then I lose control and the ability to wrap the XML myself to
handle extensions properly. I just haven't run into this bug because I
haven't tried to handle an extension there.

-- Scott
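
The KeyInfo in the first message holds a WS-Security SecurityTokenReference instead of a built-in ds:KeyInfo child, so the caller has to resolve the certificate itself. The following is an added example, not code from this thread or from xml-security-c: a Python sketch of that resolution step, where the function name, the exception class and the placeholder token body are assumptions made for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
WSU_ID = "{%s}Id" % NS["wsu"]
BST_TAG = "{%s}BinarySecurityToken" % NS["wsse"]

class TokenReferenceError(Exception):
    """Raised when the SecurityTokenReference cannot be resolved unambiguously."""

def resolve_token(xml_text):
    """Return the decoded BinarySecurityToken that ds:KeyInfo points at."""
    root = ET.fromstring(xml_text)
    refs = root.findall(".//ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    if len(refs) != 1:
        raise TokenReferenceError("expected one wsse:Reference, found %d" % len(refs))
    uri = refs[0].get("URI", "")
    # Same-document fragments only: never fetch a token from an external URI.
    if len(uri) < 2 or not uri.startswith("#"):
        raise TokenReferenceError("not a same-document reference: %r" % uri)
    # Scan every element: a duplicated wsu:Id makes the target ambiguous.
    targets = [el for el in root.iter() if el.get(WSU_ID) == uri[1:]]
    if len(targets) != 1:
        raise TokenReferenceError("wsu:Id %r matched %d elements" % (uri[1:], len(targets)))
    if targets[0].tag != BST_TAG:
        raise TokenReferenceError("referenced element is not a BinarySecurityToken")
    try:
        return base64.b64decode("".join((targets[0].text or "").split()), validate=True)
    except ValueError as exc:
        raise TokenReferenceError("token content is not valid base64") from exc

# Constructed sample: the KeyInfo from the post plus a placeholder token body.
PLACEHOLDER = b"constructed placeholder, not a real certificate"
SAMPLE = (
    '<Envelope xmlns:ds="{ds}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}">'
    '<wsse:BinarySecurityToken wsu:Id="CertId-26165834">{b64}</wsse:BinarySecurityToken>'
    '<ds:KeyInfo Id="KeyId-20335771"><wsse:SecurityTokenReference wsu:Id="STRId-21448734">'
    '<wsse:Reference URI="#CertId-26165834"/></wsse:SecurityTokenReference></ds:KeyInfo>'
    '</Envelope>'
).format(b64=base64.b64encode(PLACEHOLDER).decode("ascii"), **NS)

if __name__ == "__main__":
    print(resolve_token(SAMPLE))
```

Resolving the reference only locates the key material; the certificate still has to be checked against a trust anchor before its key is used to verify the signature.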