signing the Binary Security Token (BST)

signing the Binary Security Token (BST)

jbendsen
Hi,

I'm using CXF and WSS4J to develop consumers and providers that exchange signed soap messages.
Signing the body and timestamp elements works just fine. However, I also need to sign the x509 certificate that is included in the security header (using the direct reference strategy).

Below I've outlined the structure of the soap message that I would like to produce.

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope ...>
        <soapenv:Header>
                <wsse:Security xmlns:wsse="..." soapenv:mustUnderstand="1">
                        <wsse:BinarySecurityToken ... wsu:Id="CertId-24950043">
                                MIIE...<!--an x509v3 certificate-->
                        </wsse:BinarySecurityToken>

                        <ds:Signature>
                                <ds:SignedInfo>
                                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                        </ds:CanonicalizationMethod>
                                        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
                                        </ds:SignatureMethod>
                                        <ds:Reference URI="#id-10168913"> <!--reference to body. Works OK!-->
                                        ...
                                        </ds:Reference>
                                        <ds:Reference URI="#Timestamp-30487154"> <!--reference to timestamp. Works OK!-->
                                        ...
                                        </ds:Reference>
                                        <ds:Reference URI="#CertId-24950043"> <!--reference to certificate. This is the reference I want to generate-->
                                        </ds:Reference>
                                </ds:SignedInfo>
                                <ds:SignatureValue>
                                        MkA...
                                </ds:SignatureValue>
                                <ds:KeyInfo Id="KeyId-19714461">
                                        <wsse:SecurityTokenReference...>
                                                <wsse:Reference URI="#CertId-24950043" ...></wsse:Reference>
                                        </wsse:SecurityTokenReference>
                                </ds:KeyInfo>
                        </ds:Signature>
                        <wsu:Timestamp...>
                                <wsu:Created>2007-09-11T12:49:35.499Z</wsu:Created>
                                <wsu:Expires>2007-09-11T12:54:35.499Z</wsu:Expires>
                        </wsu:Timestamp>
                </wsse:Security>
        </soapenv:Header>
        <soapenv:Body ... wsu:Id="id-10168913">
        ...
        </soapenv:Body>
</soapenv:Envelope>

I've tried to get it to work by setting the org.apache.ws.security.handler.WSHandlerConstants.SIGNATURE_PARTS property to this value:
"{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken",
but it doesn't work.

Has anyone tried to sign the BinarySecurityToken? Any help will be appreciated!

best regards,
Jakob Bendsen

BEC, Denmark
www.bec.dk
Re: signing the Binary Security Token (BST)

Mayank Mishra-2
jbendsen wrote:

> Hi,
>
> I'm using CXF and WSS4J to develop consumers and providers that exchange
> signed soap messages.
> Signing the body and timestamp elements works just fine. However, I also
> need to sign the x509 certificate that is included in the security header
> (using the direct reference strategy).
>
> Below I've outlined the structure of the soap message that I would like to
> produce.
>
> <?xml version="1.0" encoding="UTF-8"?>
> <soapenv:Envelope ...>
> <soapenv:Header>
> <wsse:Security xmlns:wsse="..." soapenv:mustUnderstand="1">
> <wsse:BinarySecurityToken ... wsu:Id="CertId-24950043">
> MIIE...<!--an x509v3 certificate-->
> </wsse:BinarySecurityToken>
>
> <ds:Signature>
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> </ds:CanonicalizationMethod>
> <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
> </ds:SignatureMethod>
> <ds:Reference URI="#id-10168913"> <!--reference to body. Works OK!-->
> ...
> </ds:Reference>
> <ds:Reference URI="#Timestamp-30487154"> <!--reference to timestamp.
> Works OK!-->
> ...
> </ds:Reference>
> <ds:Reference URI="#CertId-24950043"> <!-- Reference to certificate.
> This is the reference I want to generate-->
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>
> MkA...
> </ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-19714461">
> <wsse:SecurityTokenReference...>
> <wsse:Reference URI="#CertId-24950043" ...></wsse:Reference>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> <wsu:Timestamp...>
> <wsu:Created>2007-09-11T12:49:35.499Z</wsu:Created>
> <wsu:Expires>2007-09-11T12:54:35.499Z</wsu:Expires>
> </wsu:Timestamp>
> </wsse:Security>
> </soapenv:Header>
> <soapenv:Body ... wsu:Id="id-10168913">
> ...
> </soapenv:Body>
> </soapenv:Envelope>
>
> I've tried to get it to work by setting the
> org.apache.ws.security.handler.WSHandlerConstants.SIGNATURE_PARTS property
> to this value:
> "{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken",
> but it doesn't work.
>
> Has anyone tried to sign the BinarySecurityToken? Any help will be
> appreciated!
>  

Hi Jakob,

I also tried, but it gave the following error; I guess it is the same:

General security error (WSEncryptBody/WSSignEnvelope: Element to
encrypt/sign  not found:
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd,
BinarySecurityToken)

Surprisingly, SecurityTokenReference can refer to the
BinarySecurityToken using wsu:Id, so why can't ds:Reference refer to
the token?

With Regards,
Mayank

> best regards,
> Jakob Bendsen
>
> BEC, Denmark
> www.bec.dk
>  

Re: signing the Binary Security Token (BST)

Fred Dushin-3
You're trying to sign an element (the BST containing the certificate)
that hasn't been created yet.

This is a bit of an odd use-case -- typically, you'd sign the body of
the message with the private key associated with the public key in
the certificate you are sending, and then do some kind of cert
validation on the receiving side (e.g., to verify that the cert sent
in the message is signed by a trustworthy authority). But now you
want to add a signature on top of that. What key are you planning to
use to do that? The same one?

I think the only way you're going to get this to work will be to
chain 2 WSS4JOutInterceptors. Make the first one sign the body, and
the second the BST.

-Fred

On Oct 9, 2007, at 8:57 AM, Mayank Mishra wrote:

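What the thread is after is the third ds:Reference in Jakob's sketch: a digest over the BinarySecurityToken, placed in SignedInfo next to the body and timestamp digests, so that the one SignatureValue (made with the same key Fred asks about) also covers the certificate it is verified with. The script below is an added example, not code from the thread, from CXF or from WSS4J. It builds a constructed envelope in the layout of the message above (sample wsu:Id values, placeholder certificate and SignatureValue text), fills the DigestValue of each reference as the sender would, and then runs the two receiver-side checks a practitioner would want here: that every reference resolves to exactly one element whose digest still matches, and that the token named by the SecurityTokenReference is itself among the signed references. It assumes SHA-256 digests and uses the Python standard library's C14N 2.0 canonicalizer as a stand-in for the Exclusive C14N 1.0 named in the message, so the digest bytes are not what WSS4J would produce; the signature over SignedInfo itself is not computed.

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample in the layout of the thread's message: ids are sample values,
# certificate and SignatureValue are placeholders, DigestValues are filled below.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="{soapenv}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1">
      <wsse:BinarySecurityToken wsu:Id="CertId-24950043">MIIE...placeholder-cert...</wsse:BinarySecurityToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-10168913"><ds:DigestMethod Algorithm="{sha256}"/><ds:DigestValue/></ds:Reference>
          <ds:Reference URI="#Timestamp-30487154"><ds:DigestMethod Algorithm="{sha256}"/><ds:DigestValue/></ds:Reference>
          <ds:Reference URI="#CertId-24950043"><ds:DigestMethod Algorithm="{sha256}"/><ds:DigestValue/></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>MkA...placeholder...</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-19714461">
          <wsse:SecurityTokenReference><wsse:Reference URI="#CertId-24950043"/></wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsu:Timestamp wsu:Id="Timestamp-30487154"><wsu:Created>2007-09-11T12:49:35.499Z</wsu:Created><wsu:Expires>2007-09-11T12:54:35.499Z</wsu:Expires></wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="id-10168913"><ping xmlns="urn:example"/></soapenv:Body>
</soapenv:Envelope>""".format(sha256=SHA256, **NS)

def parse(xml_text):
    return ET.fromstring(xml_text)

def resolve(root, uri):
    """Resolve '#id' to exactly one element. An Id carried by two elements is rejected:
    resolving it to 'the first match' is what lets a signed element be shadowed by a copy."""
    matches = [e for e in root.iter() if uri[1:] in (e.get(WSU_ID), e.get("Id"))]
    if not uri.startswith("#") or len(matches) != 1:
        raise ValueError("cannot resolve %r unambiguously (%d matches)" % (uri, len(matches)))
    return matches[0]

def digest(elem):
    """base64(SHA-256(C14N(elem))). Stdlib C14N 2.0 stands in for the Exclusive C14N 1.0
    named in the message; the shape of the reference check is the same."""
    part = copy.deepcopy(elem)
    part.tail = None  # tostring() would otherwise emit the element's trailing whitespace
    c14n = ET.canonicalize(ET.tostring(part, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(c14n.encode("utf-8")).digest()).decode("ascii")

def fill_digests(root):
    """Sender side: one DigestValue per ds:Reference, the BinarySecurityToken included."""
    for ref in root.findall(".//ds:SignedInfo/ds:Reference", NS):
        ref.find("ds:DigestValue", NS).text = digest(resolve(root, ref.get("URI")))

def verify_digests(root):
    """Receiver side: every ds:Reference resolves unambiguously and its digest matches."""
    try:
        return all(ref.find("ds:DigestValue", NS).text == digest(resolve(root, ref.get("URI")))
                   for ref in root.findall(".//ds:SignedInfo/ds:Reference", NS))
    except ValueError:
        return False

def signing_token_is_signed(root):
    """Is the token the SecurityTokenReference points at itself under a ds:Reference? If not,
    another certificate for the same key pair (other subject/issuer) can replace the BST
    and SignatureValue still verifies."""
    str_ref = root.find(".//ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    signed = {r.get("URI") for r in root.findall(".//ds:SignedInfo/ds:Reference", NS)}
    return str_ref is not None and str_ref.get("URI") in signed

def demo():
    """Run the checks over the sample and over two tampered variants of it."""
    results = {}
    root = parse(SAMPLE)
    fill_digests(root)
    results["digests_ok"] = verify_digests(root)
    results["token_signed"] = signing_token_is_signed(root)
    # Swap the certificate after signing: the third Reference no longer matches.
    root.find(".//wsse:BinarySecurityToken", NS).text = "MIIE...another-cert..."
    results["swapped_cert_detected"] = not verify_digests(root)
    # A second element carrying the Body's Id is rejected, not silently resolved.
    root = parse(SAMPLE)
    fill_digests(root)
    ET.SubElement(root.find("soapenv:Header", NS), "Shadow", {WSU_ID: "id-10168913"})
    results["duplicate_id_rejected"] = not verify_digests(root)
    return results
```

demo() returns True for all four checks on the constructed sample. The error Mayank quotes ("Element to encrypt/sign not found") is the sender-side half of this picture: the handler resolves SIGNATURE_PARTS before it has written the BST into the header, which is what Fred's two-interceptor chain works around. The receiver-side check here is a complement to, not a replacement for, the certificate validation Fred describes; signing the BST binds the signature to that particular token, while chain validation decides whether the token is trusted at all.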