Posted to users@ws.apache.org by "Harris, Andrew" <An...@adp.com> on 2017/07/13 03:41:44 UTC

Order of elements in the Security Header when signing

I am using WSS4J to sign a SOAP message. I currently add a timestamp to the WSSecHeader and add it as one of the Parts to sign and then sign the message.

When I sign the message the BST and Security Elements are prepended to the WSSecHeader and therefore I end up with:

<wsse:BinarySecurityToken />
<ds:Signature />
<wsu:Timestamp />

But I am being told an error I am getting may be because it should be:

<wsu:Timestamp />
<wsse:BinarySecurityToken />
<ds:Signature />

I have traced the code to the line "sig.sign(signContext);" in the computeSignature method in WSSecSignature. The sig object is an Apache implementation (org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature) of javax.xml.crypto.dsig.XMLSignature which appears to always insert the signature as the first item in the Security element.

Any thoughts on how to get what I am after?


Regards

Andrew Harris | Architecture & Design Manager
andrew.harris@adp.com | +61 3 9566 7125 | +61 4 1859 9547
Level 1,6 Nexus Crt, Mulgrave Vic 3170

CAUTION - This message may contain privileged and confidential information intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby notified that any use, dissemination, distribution or reproduction of this message is prohibited. If you have received this message in error please notify Automatic Data Processing Limited immediately. Any views expressed in this message are those of the individual sender and may not necessarily reflect the views of Automatic Data Processing Limited. If this email contains marketing material and you do not wish to receive any email marketing material from us in the future, please forward this email to unsubscribe@adp.com

RE: Order of elements in the Security Header when signing

Posted by "Harris, Andrew" <An...@adp.com>.
Thank you Colm.

One additional issue. I need to add a namespace to the signature element. Only way I can figure to do it is AFTER the signing:

// prepend=false: the Signature is appended after the existing header children (the Timestamp)
builder.computeSignature(partsToSign, false, null);
// the cast only works when the DOM is a SAAJ document
SOAPElement sig = (SOAPElement) builder.getSignatureElement();
sig.addNamespaceDeclaration("wsc", "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512");
// re-verify the header after the post-signing edit
WSSecurityEngine secEngine = new WSSecurityEngine();
WSHandlerResult result = secEngine.processSecurityHeader(unsignedDocument, null, null, crypto);

Is this valid? It produces the required output but I don’t know what to look for in the “result” to know if it’s valid or not.

Regards

Andrew Harris | Architecture & Design Manager


Re: Order of elements in the Security Header when signing

Posted by Colm O hEigeartaigh <co...@apache.org>.
You could look at this test (testSignedTimestamp)

https://github.com/apache/wss4j/blob/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/SignatureTest.java#L628

It signs a Timestamp, and the Timestamp is placed above the Signature in the message.

Colm.




-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
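Added example (not code from the thread, the linked test or WSS4J itself): a sign-and-verify round trip that builds the Timestamp, BinarySecurityToken, Signature order asked about above and then shows what to inspect in the WSHandlerResult, since processSecurityHeader throws if the signature does not verify and the SIGN action results list the parts it actually covered. It assumes the WSS4J 2.2 (trunk) API used by the linked test and the follow-up post; the keystore alias and password are placeholders, and the Crypto instance comes from the caller (for instance CryptoFactory with a properties file).

```java
import java.util.Collections;
import java.util.List;
import javax.xml.crypto.dsig.Reference;
import org.w3c.dom.Document;
import org.apache.wss4j.common.WSEncryptionPart;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.engine.WSSecurityEngine;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.message.WSSecHeader;
import org.apache.wss4j.dom.message.WSSecSignature;
import org.apache.wss4j.dom.message.WSSecTimestamp;

public class SignedTimestampOrder {
    // Produces wsu:Timestamp, wsse:BinarySecurityToken, ds:Signature, in that order.
    public static Document sign(Document doc, Crypto crypto) throws WSSecurityException {
        WSSecHeader secHeader = new WSSecHeader(doc);
        secHeader.insertSecurityHeader();
        // 1. Timestamp goes in while the header is empty, so it is the first child.
        WSSecTimestamp timestamp = new WSSecTimestamp(secHeader);
        timestamp.setTimeToLive(300);
        timestamp.build();
        // 2. prepare() creates the BST but leaves inserting it to the caller.
        WSSecSignature builder = new WSSecSignature(secHeader);
        builder.setUserInfo("alias", "password");  // placeholder keystore credentials
        builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
        builder.prepare(crypto);
        // 3. Append the BST after the Timestamp; prepend=false gives DOMSignContext no
        //    sibling, so the Signature is appended last instead of being prepended.
        builder.appendBSTElementToHeader();
        WSEncryptionPart tsPart = new WSEncryptionPart("Timestamp", WSConstants.WSU_NS, "");
        List<Reference> refs = builder.addReferencesToSign(Collections.singletonList(tsPart));
        builder.computeSignature(refs, false, null);
        return doc;
    }

    // What to look for in the WSHandlerResult: true only if a verified signature covered the
    // Timestamp. processSecurityHeader itself throws on a bad signature, cert or stale timestamp.
    public static boolean verifySignedTimestamp(Document signedDoc, Crypto crypto) throws WSSecurityException {
        WSHandlerResult result = new WSSecurityEngine().processSecurityHeader(signedDoc, null, null, crypto);
        for (WSSecurityEngineResult r : result.getActionResults().getOrDefault(WSConstants.SIGN, Collections.emptyList())) {
            List<WSDataRef> refs = (List<WSDataRef>) r.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
            if (refs != null && refs.stream().anyMatch(d -> WSConstants.WSU_NS.equals(d.getName().getNamespaceURI())
                    && "Timestamp".equals(d.getName().getLocalPart()))) return true;
        }
        return false;
    }
}
```

Running verifySignedTimestamp on the output of sign is also the check for any post-signing DOM edit such as the namespace declaration in the follow-up post: if the edit changed what the signature covers, processSecurityHeader throws rather than returning a result.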