Re: signing the Binary Security Token (BST)

Tue, 09 Oct 2007 05:54:01 -0700 

jbendsen wrote:
Hi, 
I'm using CXF and WSS4J to develop consumers and providers that exchange
signed soap messages. Signing the body and timestamp elements works just fine. However, I also 
need to sign the x509 certificate that is included in the security header
(using the direct reference strategy). 
Below I've outlined the structure of the soap message that I would like to
produce. 
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope ...>
        <soapenv:Header>
                <wsse:Security xmlns:wsse="..." soapenv:mustUnderstand="1">
                        <wsse:BinarySecurityToken ... wsu:Id="CertId-24950043">
                                MIIE...<!--an x509v3 certificate-->
                        </wsse:BinarySecurityToken>
                
                        <ds:Signature>
                                <ds:SignedInfo>
                                        <ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-excc14n#";>
                                        </ds:CanonicalizationMethod>
                                        <ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsasha1";>
                                        </ds:SignatureMethod>
                                        <ds:Reference URI="#id-10168913"> 
<!--reference to body. Works OK!-->
                                        ...
                                        </ds:Reference>
                                        <ds:Reference URI="#Timestamp-30487154"> 
<!--reference to timestamp.
Works OK!-->
                                        ...     
                                        </ds:Reference>
                                        <ds:Reference URI="#CertId-24950043"> 
<!-- Reference to certificate.
This is the reference I want to generate-->
                                        </ds:Reference>
                                </ds:SignedInfo>
                                <ds:SignatureValue>
                                        MkA...
                                </ds:SignatureValue>
                                <ds:KeyInfo Id="KeyId-19714461">
                                        <wsse:SecurityTokenReference...>
                                                <wsse:Reference URI="#CertId-24950043" 
...></wsse:Reference>
                                        </wsse:SecurityTokenReference>
                                </ds:KeyInfo>
                        </ds:Signature>
                        <wsu:Timestamp...>
                                
<wsu:Created>2007-09-11T12:49:35.499Z</wsu:Created>
                                
<wsu:Expires>2007-09-11T12:54:35.499Z</wsu:Expires>
                        </wsu:Timestamp>
                </wsse:Security>
        </soapenv:Header>
        <soapenv:Body ... wsu:Id="id-10168913">
        ...
        </soapenv:Body>
</soapenv:Envelope>

I've tried to get it to work by configuring setting the
org.apache.ws.security.handler.WSHandlerConstants.SIGNATURE_PARTS property
to this value:
"{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken";,
but it doesn't work.

Has anyone tried to sign the BinarySecurityToken? Any help will be
appreciated!


Hi Jakob,

I also tried, but it gave following error, I guess the same,
General security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd, BinarySecurityToken)
Surprisingly, SecurityTokenReference can refer to the BinarySecurityToken using wsu:id, then why ds:Reference can't refer to the token. 

With Regards,
Mayank


best regards,
Jakob Bendsen

BEC, Denmark
www.bec.dk

Reply via email to