Hi, 

I'm using CXF and WSS4J to develop consumers and providers that exchange
signed soap messages. 
Signing the body and timestamp elements works just fine. However, I also
need to sign the x509 certificate that is included in the security header
(using the direct reference strategy). 

Below I've outlined the structure of the soap message that I would like to
produce. 

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope ...>
  <soapenv:Header>
    <wsse:Security xmlns:wsse="..." soapenv:mustUnderstand="1">
      <wsse:BinarySecurityToken ... wsu:Id="CertId-24950043">
        MIIE...<!--an x509v3 certificate-->
      </wsse:BinarySecurityToken>

      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
          </ds:SignatureMethod>
          <ds:Reference URI="#id-10168913"> <!--reference to body. Works OK!-->
          ...
          </ds:Reference>
          <ds:Reference URI="#Timestamp-30487154"> <!--reference to timestamp. Works OK!-->
          ...
          </ds:Reference>
          <ds:Reference URI="#CertId-24950043"> <!-- Reference to certificate. This is the reference I want to generate-->
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
          MkA...
        </ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-19714461">
          <wsse:SecurityTokenReference...>
            <wsse:Reference URI="#CertId-24950043" ...></wsse:Reference>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsu:Timestamp...>
        <wsu:Created>2007-09-11T12:49:35.499Z</wsu:Created>
        <wsu:Expires>2007-09-11T12:54:35.499Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body ... wsu:Id="id-10168913">
  ...
  </soapenv:Body>
</soapenv:Envelope>

I've tried to get it to work by setting the
org.apache.ws.security.handler.WSHandlerConstants.SIGNATURE_PARTS property
to this value:
"{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken",
but it doesn't work.

Has anyone tried to sign the BinarySecurityToken? Any help will be
appreciated!

best regards,
Jakob Bendsen

BEC, Denmark
www.bec.dk
-- 
View this message in context: 
http://www.nabble.com/signing-the-Binary-Security-Token-%28BST%29-tf4593716.html#a13114086
Sent from the cxf-user mailing list archive at Nabble.com.
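
An added example, not part of the original post and not CXF or WSS4J code: a Python check for the receiving or testing side that reports whether the ds:Reference entries in SignedInfo cover the Body, the Timestamp and the BinarySecurityToken that KeyInfo points to. It inspects references only and does not verify the signature; the function names and the sample envelope (built with the Ids from the post and placeholder token and signature values) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

def signature_coverage(envelope_xml):
    """Report which of Body, Timestamp and the key's BST SignedInfo references."""
    root = ET.fromstring(envelope_xml)
    by_id = {}
    for el in root.iter():
        wsu_id = el.get(WSU_ID)
        if wsu_id is not None:
            if wsu_id in by_id:  # ambiguous reference target: refuse to judge
                raise ValueError("duplicate wsu:Id: " + wsu_id)
            by_id[wsu_id] = el
    sec = root.find("soapenv:Header/wsse:Security", NS)
    sig = sec.find("ds:Signature", NS)
    uris = [r.get("URI", "") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
    signed_ids = {u[1:] for u in uris if u.startswith("#") and u[1:] in by_id}
    # The token that KeyInfo points at through the direct reference strategy.
    key_ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    token = by_id.get(key_ref.get("URI", "")[1:]) if key_ref is not None else None

    def covered(el):
        return el is not None and el.get(WSU_ID) in signed_ids

    return {"Body": covered(root.find("soapenv:Body", NS)),
            "Timestamp": covered(sec.find("wsu:Timestamp", NS)),
            "BinarySecurityToken": covered(token)}

def sample_envelope(sign_token):
    """Constructed message; sign_token adds the third ds:Reference from the post."""
    token_ref = '<ds:Reference URI="#CertId-24950043"/>' if sign_token else ""
    return (
        '<soapenv:Envelope xmlns:soapenv="%(soapenv)s" xmlns:wsse="%(wsse)s"'
        ' xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s"><soapenv:Header><wsse:Security>'
        '<wsse:BinarySecurityToken wsu:Id="CertId-24950043">PLACEHOLDER'
        '</wsse:BinarySecurityToken><ds:Signature><ds:SignedInfo>'
        '<ds:Reference URI="#id-10168913"/><ds:Reference URI="#Timestamp-30487154"/>'
        '%(tok)s</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>'
        '<ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#CertId-24950043"/>'
        '</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>'
        '<wsu:Timestamp wsu:Id="Timestamp-30487154"/></wsse:Security></soapenv:Header>'
        '<soapenv:Body wsu:Id="id-10168913"/></soapenv:Envelope>'
    ) % dict(NS, tok=token_ref)
```

Calling signature_coverage(sample_envelope(False)) shows the situation described in the post, with the Body and Timestamp referenced and the token not.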
