Posted to rampart-dev@ws.apache.org by hiran n <hi...@gmail.com> on 2007/10/25 20:57:03 UTC

Message integrity and non-repudiation with signature (sample04)

Hi All,
In sample04 of the basic samples in the Rampart 1.3 binary download, I
could not get what parts are actually signed by the client or service.
If nothing is specified, does that mean the entire SOAP message is signed?
What is the usage of the signatureParts element in the OutflowSecurity parameters?

Any input is of great help.

Regards,
hiran

Re: Message integrity and non-repudiation with signature (sample04)

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi Hiran,
If you look at the SOAP message you can see what parts are actually signed.
For each of the parts signed, we get a Reference in the signature.

soapenv:Envelope/soapenv:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference

So the URI  <ds:Reference URI="#id-6109469"> points to parts that are
actually signed. In this case, it is
id-6109469 which is the body of the soap message.

<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-6109469">

So it seems that when nothing is specified, the body of the soap message is
signed.
SignedParts can be used to sign any additional parts to be signed outside
the security header, such as addressing headers and any other headers.

Regards,
Nandana

<?xml version='1.0' encoding='UTF-8'?>
   <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
         <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
            <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-148082">...</wsse:BinarySecurityToken>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-7143488">
               <ds:SignedInfo>
                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                  <ds:Reference URI="#id-6109469">
                     <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                     </ds:Transforms>
                     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                     <ds:DigestValue>mnvkHZYZEhnhVXpNUmXTuQIUkCg=</ds:DigestValue>
                  </ds:Reference>
               </ds:SignedInfo>
               <ds:SignatureValue>NrlqF2hCzoywSPjDEIi/Q8ynaIPKdqdQTVOcQoCB5XsdlWjKFcpA8bTlV0gvLUDxaWcpahr/iom3bUAb0j2mX1oblAVs7eCXTpuK77vCTWjgkaORKj1UVSvRf/QE9K15C3Aw+Tg+DAUXI5RzVausLuI9xMZsCtLZ+g5YTX+wC8M=</ds:SignatureValue>
               <ds:KeyInfo Id="KeyId-16994425">
                  <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-15926420">
                     <wsse:Reference URI="#CertId-148082" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
                  </wsse:SecurityTokenReference>
               </ds:KeyInfo>
            </ds:Signature>
            <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-23602584">
               <wsu:Created>2007-10-26T02:44:19.687Z</wsu:Created>
               <wsu:Expires>2007-10-26T02:49:19.687Z</wsu:Expires>
            </wsu:Timestamp>
         </wsse:Security>
      </soapenv:Header>
      <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-6109469">
         <ns1:echo xmlns:ns1="http://sample04.samples.rampart.apache.org">
            <param0>Hello world</param0>
         </ns1:echo>
      </soapenv:Body>
   </soapenv:Envelope>


On 10/26/07, hiran n <hi...@gmail.com> wrote:
>
> Hi All,
> In sample04 of the basic samples in the Rampart 1.3 binary download, I
> could not get what parts are actually signed by the client or service.
> If nothing is specified, does that mean the entire SOAP message is signed?
> What is the usage of the signatureParts element in the OutflowSecurity
> parameters?
>
> Any input is of great help.
>
> Regards,
> hiran
>
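As an added example (not Rampart's or WSS4J's code), the following Python script does by machine what the reply above does by eye: it resolves each ds:Reference URI under ds:SignedInfo to the element carrying that wsu:Id (or plain Id) and then reports which of the parts you expect to be protected have no Reference at all. The embedded message is a constructed copy of the sample04 envelope quoted above, with the certificate bytes and the signature value replaced by placeholders; the element names, namespaces and ids are the real ones from that message. The script only checks reference coverage; computing the digests and verifying the RSA signature requires exclusive canonicalization, which Rampart/WSS4J does and this script does not reimplement.

```python
"""Added example: list which SOAP message parts a WS-Security signature
references, and flag expected parts that are not covered."""
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
BODY_TAG = "{%s}Body" % NS["soapenv"]
TIMESTAMP_TAG = "{%s}Timestamp" % NS["wsu"]

# Constructed copy of the sample04 response from the thread. The certificate
# and the signature value are placeholders; ids and structure are unchanged.
SAMPLE04_RESPONSE = """
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
      <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="CertId-148082">CERT-OMITTED</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-7143488">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-6109469">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>mnvkHZYZEhnhVXpNUmXTuQIUkCg=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>SIGNATURE-OMITTED</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-16994425">
          <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-15926420">
            <wsse:Reference URI="#CertId-148082"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-23602584">
        <wsu:Created>2007-10-26T02:44:19.687Z</wsu:Created>
        <wsu:Expires>2007-10-26T02:49:19.687Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-6109469">
    <ns1:echo xmlns:ns1="http://sample04.samples.rampart.apache.org"><param0>Hello world</param0></ns1:echo>
  </soapenv:Body>
</soapenv:Envelope>
"""


def signed_parts(envelope_xml):
    """Map each id referenced from ds:SignedInfo to the tag of the element it names."""
    root = ET.fromstring(envelope_xml.strip())
    by_id = {}
    for el in root.iter():
        # WS-Security parts carry wsu:Id; ds:Signature and ds:KeyInfo use a plain Id.
        for key in (WSU_ID, "Id"):
            value = el.get(key)
            if value is None:
                continue
            if value in by_id:
                # A reference to a repeated id is ambiguous; refuse rather than guess.
                raise ValueError("id %r occurs more than once" % value)
            by_id[value] = el
    signature = root.find("soapenv:Header/wsse:Security/ds:Signature", NS)
    if signature is None:
        raise ValueError("no ds:Signature in the wsse:Security header")
    parts = {}
    for ref in signature.findall("ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise ValueError("only same-document references are expected: %r" % uri)
        target = by_id.get(uri[1:])
        if target is None:
            raise ValueError("reference %s does not resolve to any element" % uri)
        parts[uri[1:]] = target.tag
    return parts


def unsigned_expected_parts(envelope_xml, expected_tags=(BODY_TAG, TIMESTAMP_TAG)):
    """Return the expected element tags that no ds:Reference covers."""
    covered = set(signed_parts(envelope_xml).values())
    return [tag for tag in expected_tags if tag not in covered]


if __name__ == "__main__":
    for part_id, tag in signed_parts(SAMPLE04_RESPONSE).items():
        print("signed:     %s -> %s" % (part_id, tag))
    for tag in unsigned_expected_parts(SAMPLE04_RESPONSE):
        print("NOT signed: %s" % tag)
```

Run against the sample04 message the script reports a single signed part, id-6109469 resolving to soapenv:Body, and lists wsu:Timestamp as not covered: the timestamp is present in the header but nothing in ds:SignedInfo references it, which is exactly the gap the reply suggests closing with SignedParts when you want headers such as the timestamp or addressing headers under the signature.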