Posted to dev@ws.apache.org by Oleg Korneychuk <al...@gmail.com> on 2013/05/15 17:03:26 UTC
Soap Envelope part signature verification
Hello,
I have created two tests. One of them signs the SOAP Body part and successfully
verifies it. The other one signs the SOAP Envelope part and fails during
verification.
The tests are identical except for the creation of the WSEncryptionPart instances.
Please advise me what I am doing wrong.
Sources are attached.
Thank you.
Oleg Korneychuk.
Java Developer.
RE: Soap Envelope part signature verification
Posted by Martin Gainty <mg...@hotmail.com>.
This Rampart example might help.
Assume it has the following parameters:
requestService(
    resp.getFirstChildWithName(new QName(RahasConstants.WST_NS_05_12,
            RahasConstants.LocalNames.REQUEST_SECURITY_TOKEN_RESPONSE))
        .getFirstChildWithName(new QName(RahasConstants.WST_NS_05_12,
            RahasConstants.IssuanceBindingLocalNames.REQUESTED_SECURITY_TOKEN))
        .getFirstChildWithName(new QName(RahasConstants.SAML_NS, "Assertion")), // first param: the OMElement (the Assertion) to send to the service
    WSSecurityUtil.generateNonce(16), // byte[] requestEntropy
    Base64.decode(respEntrB64)        // byte[] responseEntropy
);

// Imports for the call above and the method below (Axis2, Rampart/Rahas, WSS4J 1.5 and Santuario packages, assumed from the class names used):
import java.util.Vector;
import javax.xml.namespace.QName;
import org.apache.axiom.om.impl.dom.jaxp.DocumentBuilderFactoryImpl;
import org.apache.axis2.Constants;
import org.apache.axis2.addressing.AddressingConstants;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.OperationClient;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.description.AxisOperation;
import org.apache.axis2.description.AxisService;
import org.apache.axis2.description.OutInAxisOperation;
import org.apache.axis2.wsdl.WSDLConstants;
import org.apache.rahas.RahasConstants;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Base64;
import org.w3c.dom.Element;

private void requestService(org.apache.axiom.om.OMElement assertion, byte[] reqEnt, byte[] respEnt) throws Exception {
    // build a DOOM (DOM-backed Axiom) tree from the assertion
    org.apache.axiom.om.impl.builder.StAXOMBuilder builder = new org.apache.axiom.om.impl.builder.StAXOMBuilder(
            new org.apache.axiom.om.impl.dom.factory.OMDOMFactory(), assertion.getXMLStreamReader());
    // get the Element which corresponds to the Document
    Element domAssertionElem = (Element) builder.getDocumentElement();
    // make JAXP hand out DOOM (DOM-backed) documents rather than LinkedList-backed ones
    DocumentBuilderFactoryImpl.setDOOMRequired(true);
    // get the dom_doc
    org.w3c.dom.Document dom_doc = javax.xml.parsers.DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
    // SOAP 1.1 specific factory bound to that document
    org.apache.axiom.soap.SOAPFactory soap11_fac = new org.apache.axiom.soap.impl.dom.soap11.SOAP11Factory((org.apache.xerces.dom.DocumentImpl) dom_doc);
    // get the SOAP 1.1 specific envelope
    org.apache.axiom.soap.SOAPEnvelope soap11_envelope = soap11_fac.getDefaultEnvelope();
    // add the payload to the envelope (addPayload is a helper of the test class, not shown here)
    this.addPayload(soap11_envelope);
    // acquire a security header
    org.apache.ws.security.message.WSSecHeader secHeader = new org.apache.ws.security.message.WSSecHeader();
    // insert the security header into the DOM doc
    secHeader.insertSecurityHeader(dom_doc);
    // acquire a secure timestamp
    org.apache.ws.security.message.WSSecTimestamp ts = new org.apache.ws.security.message.WSSecTimestamp();
    // timestamp is usually a point-in-time capture; prepare it against the doc
    ts.prepare(dom_doc);
    // put the timestamp at the front of the security header
    ts.prependToHeader(secHeader);
    // get the derived-key signature
    org.apache.ws.security.message.WSSecDKSign secure_dk_sig = new org.apache.ws.security.message.WSSecDKSign();
    // set the algorithm for the signature
    secure_dk_sig.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
    // P_SHA-1 key derivation, as used by the WS-Trust / WS-SecureConversation handshake
    org.apache.ws.security.conversation.dkalgo.P_SHA1 p_sha1 = new org.apache.ws.security.conversation.dkalgo.P_SHA1();
    // the security token reference for the doc
    org.apache.ws.security.message.token.SecurityTokenReference security_token_ref = new org.apache.ws.security.message.token.SecurityTokenReference(dom_doc);
    // set the key identifier of the SecurityTokenReference to the assertion's AssertionID attribute
    security_token_ref.setSAMLKeyIdentifier(assertion.getAttributeValue(new QName("AssertionID")));
    // show the request entropy and response entropy
    System.out.println("\nRequest Entropy: " + Base64.encode(reqEnt));
    System.out.println("Response Entropy: " + Base64.encode(respEnt));
    // derive a 32-byte key from the request and response entropy with P_SHA-1
    byte[] sha1_ephmeralKey = p_sha1.createKey(reqEnt, respEnt, 0, 32);
    // display the ephemeral key
    System.out.println(sha1_ephmeralKey.length * 8 + " bit Key: " + Base64.encode(sha1_ephmeralKey));
    // associate the derived key with security_token_ref
    secure_dk_sig.setExternalKey(sha1_ephmeralKey, security_token_ref.getElement());
    // the Timestamp is the part to sign
    WSEncryptionPart timestamp_encrypted_part = new WSEncryptionPart(WSConstants.TIMESTAMP_TOKEN_LN, WSConstants.WSU_NS, "Element");
    // create a vector of parts
    Vector partsVector = new Vector();
    // add timestamp_encrypted_part to the vector
    partsVector.add(timestamp_encrypted_part);
    // associate the dk sig with partsVector
    secure_dk_sig.setParts(partsVector);
    // prepare the dk sig against the dom_doc and security header
    secure_dk_sig.prepare(dom_doc, secHeader);
    // which parts to sign: the timestamp in partsVector, located via secHeader
    secure_dk_sig.addReferencesToSign(partsVector, secHeader);
    // compute the signature
    secure_dk_sig.computeSignature();
    // import the assertion element into dom_doc
    Element importedAssertionElement = (Element) dom_doc.importNode(domAssertionElem, true);
    // append the imported assertion to the security header
    WSSecurityUtil.appendChildElement(dom_doc, secHeader.getSecurityHeader(), importedAssertionElement);
    // append the DerivedKeyToken to the security header
    secure_dk_sig.appendDKElementToHeader(secHeader);
    // append the Signature
    secure_dk_sig.appendSigToHeader(secHeader);
    // display the SOAP 1.1 envelope
    System.out.println(soap11_envelope);

    // create a service client and send the request to the 'ping' service (ping.aar)
    AxisService service = new AxisService("ping");
    // get the Ping operation
    AxisOperation op = new OutInAxisOperation(new QName("Ping"));
    // add the ping operation to the service
    service.addChild(op);
    // create a new ServiceClient from a ConfigurationContext loaded from the file system
    ServiceClient client = new ServiceClient(ConfigurationContextFactory.createConfigurationContextFromFileSystem(Constants.TESTING_PATH + "rahas_client_repo", null), service);
    // new opClient; this is what we'll use to set endpoints
    OperationClient opClient = client.createClient(new QName("Ping"));
    // new MessageContext
    MessageContext mc = new MessageContext();
    // add the signed envelope to the MessageContext
    mc.setEnvelope(soap11_envelope);
    // engage the addressing module
    client.engageModule(new QName("addressing"));
    // engage the rampart security module
    client.engageModule(new QName("rampart"));
    // add the MessageContext to the opClient
    opClient.addMessageContext(mc);
    // secure site which conforms to OASIS
    opClient.getOptions().setTo(new EndpointReference("https://131.107.72.15/PingService/OasisScenario1"));
    // regular secure site (note: this second setTo() replaces the endpoint set just above; keep only the one you want)
    opClient.getOptions().setTo(new EndpointReference("https://207.200.37.116/Ping/Scenario1"));
    // set the action
    opClient.getOptions().setAction("http://example.org/Ping");
    // set the Addressing version
    opClient.getOptions().setProperty(AddressingConstants.WS_ADDRESSING_VERSION, AddressingConstants.Submission.WSA_NAMESPACE);
    // execute the client; this blocks opClient until we get a message back
    opClient.execute(true);
    // get the response MessageContext
    MessageContext response = opClient.getMessageContext(WSDLConstants.MESSAGE_LABEL_IN_VALUE);
    // print out the envelope
    System.out.println("------------------------------RESPONSE------------------------------\n" + response.getEnvelope());
}
Martin Gainty
______________________________________________
Legal and Confidentiality Notice
This message is confidential. If you are not the intended recipient, please notify us. Any forwarding or copying of it is not permitted. This message serves only the exchange of information and has no legal force. Since electronic messages can easily be altered, we cannot accept any liability for the content of this message.
Re: Soap Envelope part signature verification
Posted by Colm O hEigeartaigh <co...@apache.org>.
It doesn't make any sense to sign the entire SOAP Envelope. You typically
sign the SOAP Body and a number of SOAP Headers such as WS-Addressing (if
using), along with some specific security headers (Timestamp,
UsernameToken, etc.).
Colm.
On Wed, May 15, 2013 at 4:03 PM, Oleg Korneychuk <al...@gmail.com> wrote:
> Hello,
>
> I have created two tests. One of them signs the SOAP Body part and
> successfully verifies it. The other one signs the SOAP Envelope part and fails
> during verification.
> The tests are identical except for the creation of the WSEncryptionPart instances.
>
> Please advise me what I am doing wrong.
> Sources are attached.
>
> Thank you.
>
> Oleg Korneychuk.
> Java Developer.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: dev-help@ws.apache.org
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
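As an added example (not code from the thread or from Rampart), this is Colm's recommendation written against the WSS4J 1.5/1.6-era API the thread uses: sign the Body and a Timestamp, each as a WSEncryptionPart that WSS4J references by wsu:Id, then verify the result with WSSecurityEngine. The crypto.properties file, the "alice" alias and its password, and the constructed sample envelope are assumptions.

```java
import java.io.StringReader;
import java.util.List;
import java.util.Vector;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;
import org.apache.ws.security.message.WSSecTimestamp;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class SignBodyAndTimestamp {
    // Constructed sample envelope; in Axis2 the DOM Document comes from the MessageContext instead.
    static final String ENVELOPE = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
        + "<soapenv:Header/><soapenv:Body><ping>hello</ping></soapenv:Body></soapenv:Envelope>";

    // Sign Body + Timestamp by wsu:Id reference. The Signature itself is placed in the wsse:Security header
    // inside the Envelope, which is why "the Envelope" is not a part you can list here (the failing test did).
    static Document signBodyAndTimestamp(Document doc, Crypto crypto, String alias, String pwd) throws Exception {
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(doc);
        WSSecTimestamp ts = new WSSecTimestamp();
        ts.build(doc, secHeader);                                 // wsu:Timestamp with a wsu:Id (default TTL)
        WSSecSignature sig = new WSSecSignature();
        sig.setUserInfo(alias, pwd);                              // keystore alias and key password (assumed)
        Vector parts = new Vector();                              // Vector: accepted by both 1.5 and 1.6 setParts
        parts.add(new WSEncryptionPart(WSConstants.ELEM_BODY, WSConstants.URI_SOAP11_ENV, "Content"));
        parts.add(new WSEncryptionPart(WSConstants.TIMESTAMP_TOKEN_LN, WSConstants.WSU_NS, "Element"));
        sig.setParts(parts);
        return sig.build(doc, crypto, secHeader);
    }

    // processSecurityHeader throws WSSecurityException on a bad signature or an expired Timestamp;
    // a SIGN result in the returned list means the references over Body and Timestamp checked out.
    static boolean verifies(Document signed, Crypto crypto) throws Exception {
        List results = new WSSecurityEngine().processSecurityHeader(signed, null, null, crypto);
        for (int i = 0; i < results.size(); i++) {
            WSSecurityEngineResult r = (WSSecurityEngineResult) results.get(i);
            if (((Integer) r.get(WSSecurityEngineResult.TAG_ACTION)).intValue() == WSConstants.SIGN) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                              // WSS4J matches parts by namespace + local name
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(ENVELOPE)));
        Crypto crypto = CryptoFactory.getInstance("crypto.properties"); // assumed keystore properties file
        System.out.println("verified: " + verifies(signBodyAndTimestamp(doc, crypto, "alice", "password"), crypto));
    }
}
```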