jbendsen wrote:
Hi,
I'm using CXF and WSS4J to develop consumers and providers that exchange
signed soap messages.
Signing the body and timestamp elements works just fine. However, I also
need to sign the x509 certificate that is included in the security header
(using the direct reference strategy).
Below I've outlined the structure of the soap message that I would like to
produce.
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope ...>
<soapenv:Header>
<wsse:Security xmlns:wsse="..." soapenv:mustUnderstand="1">
<wsse:BinarySecurityToken ... wsu:Id="CertId-24950043">
MIIE...<!--an x509v3 certificate-->
</wsse:BinarySecurityToken>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
</ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
</ds:SignatureMethod>
<ds:Reference URI="#id-10168913">
<!--reference to body. Works OK!-->
...
</ds:Reference>
<ds:Reference URI="#Timestamp-30487154">
<!--reference to timestamp.
Works OK!-->
...
</ds:Reference>
<ds:Reference URI="#CertId-24950043">
<!-- Reference to certificate.
This is the reference I want to generate-->
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
MkA...
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-19714461">
<wsse:SecurityTokenReference...>
<wsse:Reference URI="#CertId-24950043"
...></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp...>
<wsu:Created>2007-09-11T12:49:35.499Z</wsu:Created>
<wsu:Expires>2007-09-11T12:54:35.499Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soapenv:Header>
<soapenv:Body ... wsu:Id="id-10168913">
...
</soapenv:Body>
</soapenv:Envelope>
I've tried to get it to work by setting the
org.apache.ws.security.handler.WSHandlerConstants.SIGNATURE_PARTS property
to this value:
"{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken",
but it doesn't work.
Has anyone tried to sign the BinarySecurityToken? Any help will be
appreciated!
Hi Jakob,
I also tried, but it gave the following error; I guess it is the same:
General security error (WSEncryptBody/WSSignEnvelope: Element to
encrypt/sign not found:
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd,
BinarySecurityToken)
Surprisingly, a SecurityTokenReference can refer to the
BinarySecurityToken using wsu:Id, so why can't a ds:Reference refer to
the token?
With Regards,
Mayank
best regards,
Jakob Bendsen
BEC, Denmark
www.bec.dk
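The following is an added example, not code posted by Jakob or Mayank and not part of the thread. It shows one way to get the third ds:Reference that Jakob's message outlines (Body, Timestamp and the BinarySecurityToken all covered by the signature) when driving WSS4J directly instead of through the handler's SIGNATURE_PARTS property. A ds:Reference with a fragment URI does resolve against a wsu:Id just as the SecurityTokenReference does; the difference is that the token only exists in the document once the signature builder has created it, which is why the example takes the token's Id from the builder after prepare() rather than naming the element up front. It assumes the WSS4J 1.5.x message API (WSSecSignature.prepare, getBSTTokenId, addReferencesToSign, prependToHeader, prependBSTElementToHeader, computeSignature), a Merlin keystore described by a crypto.properties file, and a keystore alias and password supplied by the caller; the class name, the method name and the properties file name are this example's own choices. Covering the token with the signature is what binds the certificate in the header to the signature, so a receiver can detect a swapped token rather than only a modified Body or Timestamp.

```java
// Added example, not code from the thread. Assumes the WSS4J 1.5.x WSSecSignature API
// and a Merlin crypto.properties keystore; "crypto.properties", the class name and the
// method name are placeholders chosen for this example.
import java.util.Vector;

import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;
import org.apache.ws.security.message.WSSecTimestamp;
import org.w3c.dom.Document;

public class SignWithProtectedToken {

    /**
     * Signs the SOAP Body, the wsu:Timestamp and the BinarySecurityToken that carries
     * the signing certificate, using a direct reference from KeyInfo to the token.
     */
    public static Document sign(Document doc, String alias, String password) throws Exception {
        // Keystore configuration comes from a WSS4J crypto properties file (placeholder name).
        Crypto crypto = CryptoFactory.getInstance("crypto.properties");

        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(doc);

        // Build the Timestamp first so that it exists when the references are created;
        // it ends up after the Signature, as in the layout sketched in the thread.
        WSSecTimestamp timestamp = new WSSecTimestamp();
        timestamp.setTimeToLive(300); // five minutes, matching Created/Expires above
        timestamp.build(doc, secHeader);

        WSSecSignature sig = new WSSecSignature();
        sig.setUserInfo(alias, password);
        sig.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);

        // prepare() creates the BinarySecurityToken element and assigns it a wsu:Id.
        // Only from this point can the token be addressed like any other signed part.
        sig.prepare(doc, crypto, secHeader);

        Vector parts = new Vector();
        parts.add(new WSEncryptionPart(WSConstants.ELEM_BODY, WSConstants.URI_SOAP11_ENV, ""));
        parts.add(new WSEncryptionPart("Timestamp", WSConstants.WSU_NS, ""));
        // The third reference: the token itself, addressed by the Id prepare() generated.
        parts.add(new WSEncryptionPart(sig.getBSTTokenId()));

        sig.addReferencesToSign(parts, secHeader);
        // Signature goes in first, then the token is prepended in front of it, which yields
        // BinarySecurityToken, Signature, Timestamp in document order.
        sig.prependToHeader(secHeader);
        sig.prependBSTElementToHeader(secHeader);
        sig.computeSignature();
        return doc;
    }
}
```

On the receiving side the token reference is verified like any other ds:Reference, so a verifier that checks all references (the WSS4J signature processor does) will reject a message whose BinarySecurityToken has been replaced after signing, which is the property the extra reference buys.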