You're trying to sign an element (BST containing the certificate) that hasn't been created yet.

This is a bit of an odd use-case -- typically, you'd sign the body of the message with the private key associated with the public key in the certificate you are sending, and then do some kind of cert validation on the receiving side (e.g., to verify that the cert sent in the message is signed by a trustworthy authority). But now you want to add a signature on top of that. What key are you planning to use to do that? The same one?

I think the only way you're going to get this to work will be to chain 2 WSS4JOutInterceptors. Make the first one sign the body, and the second the BST.

-Fred

On Oct 9, 2007, at 8:57 AM, Mayank Mishra wrote:

jbendsen wrote:
Hi,
I'm using CXF and WSS4J to develop consumers and providers that exchange signed SOAP messages. Signing the body and timestamp elements works just fine. However, I also need to sign the x509 certificate that is included in the security header (using the direct reference strategy).
Below I've outlined the structure of the SOAP message that I would like to produce.
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope ...>
    <soapenv:Header>
        <wsse:Security xmlns:wsse="..." soapenv:mustUnderstand="1">
            <wsse:BinarySecurityToken ... wsu:Id="CertId-24950043">
                MIIE...<!-- an x509v3 certificate -->
            </wsse:BinarySecurityToken>
            <ds:Signature>
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    </ds:CanonicalizationMethod>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
                    </ds:SignatureMethod>
                    <ds:Reference URI="#id-10168913"> <!-- reference to body. Works OK! -->
                        ...
                    </ds:Reference>
                    <ds:Reference URI="#Timestamp-30487154"> <!-- reference to timestamp. Works OK! -->
                        ...
                    </ds:Reference>
                    <ds:Reference URI="#CertId-24950043"> <!-- reference to certificate. This is the reference I want to generate -->
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>
                    MkA...
                </ds:SignatureValue>
                <ds:KeyInfo Id="KeyId-19714461">
                    <wsse:SecurityTokenReference ...>
                        <wsse:Reference URI="#CertId-24950043" ...></wsse:Reference>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
            <wsu:Timestamp ...>
                <wsu:Created>2007-09-11T12:49:35.499Z</wsu:Created>
                <wsu:Expires>2007-09-11T12:54:35.499Z</wsu:Expires>
            </wsu:Timestamp>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body ... wsu:Id="id-10168913">
    ...
    </soapenv:Body>
</soapenv:Envelope>

I've tried to get it to work by setting the org.apache.ws.security.handler.WSHandlerConstants.SIGNATURE_PARTS property to this value:
"{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken",
but it doesn't work.

Has anyone tried to sign the BinarySecurityToken? Any help will be appreciated!


Hi Jakob,

I also tried, but it gave the following error, I guess the same:

General security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd, BinarySecurityToken)

Surprisingly, SecurityTokenReference can refer to the BinarySecurityToken using wsu:Id, so why can't ds:Reference refer to the token?

With Regards,
Mayank

best regards,
Jakob Bendsen

BEC, Denmark
www.bec.dk
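Whether or not the sender manages to add a ds:Reference to the BinarySecurityToken, the receiving side should not assume the token is covered by the signature just because the SecurityTokenReference points at it. The following is an added example, not code from this thread or from CXF/WSS4J: it parses a WS-Security envelope and reports which of Body, Timestamp and BinarySecurityToken are actually referenced from ds:SignedInfo, plus any references that point at no element. The sample envelope is constructed here with the standard WS-Security, WSU, XML-DSig and SOAP 1.1 namespace URIs (the thread abbreviates them as "..."), and the check inspects reference coverage only; it does not verify the signature value cryptographically.

```python
"""Report which parts of a WS-Security message are referenced by ds:SignedInfo.

Added example (not from the thread or from WSS4J): a receiver can run this
before trusting the BinarySecurityToken, to see whether the token itself is
among the signed parts. It does not check the signature cryptographically.
"""
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]


def signed_reference_ids(root):
    """Fragment ids ("#foo" -> "foo") referenced from ds:Signature/ds:SignedInfo."""
    ids = set()
    for ref in root.iterfind(".//ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            ids.add(uri[1:])
    return ids


def id_elements(root):
    """Map each wsu:Id (or plain Id) value to the local name of the element carrying it."""
    found = {}
    for el in root.iter():
        ident = el.get(WSU_ID) or el.get("Id")
        if ident:
            found[ident] = el.tag.split("}")[-1]
    return found


def coverage(envelope_xml, required=("Body", "Timestamp", "BinarySecurityToken")):
    """Return ({local name: covered?}, [dangling reference ids]) for the envelope."""
    root = ET.fromstring(envelope_xml)
    refs = signed_reference_ids(root)
    elements = id_elements(root)
    covered = {name: False for name in required}
    for ident, local in elements.items():
        if local in covered and ident in refs:
            covered[local] = True
    # References that resolve to no element in the message are suspicious.
    dangling = sorted(refs - set(elements))
    return covered, dangling


# Constructed sample mirroring the thread's skeleton: Body and Timestamp are
# referenced from SignedInfo, the BinarySecurityToken is only named in KeyInfo.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1">
      <wsse:BinarySecurityToken wsu:Id="CertId-24950043">MIIE...</wsse:BinarySecurityToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#id-10168913"/>
          <ds:Reference URI="#Timestamp-30487154"/>
        </ds:SignedInfo>
        <ds:SignatureValue>MkA...</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-19714461">
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#CertId-24950043"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsu:Timestamp wsu:Id="Timestamp-30487154">
        <wsu:Created>2007-09-11T12:49:35.499Z</wsu:Created>
        <wsu:Expires>2007-09-11T12:54:35.499Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="id-10168913">...</soapenv:Body>
</soapenv:Envelope>"""

# Same message with the reference Jakob wants to generate added to SignedInfo.
SAMPLE_WITH_BST = SAMPLE.replace(
    '<ds:Reference URI="#Timestamp-30487154"/>',
    '<ds:Reference URI="#Timestamp-30487154"/>\n          <ds:Reference URI="#CertId-24950043"/>',
)

if __name__ == "__main__":
    for label, msg in (("without BST reference", SAMPLE), ("with BST reference", SAMPLE_WITH_BST)):
        covered, dangling = coverage(msg)
        print(label, covered, "dangling:", dangling)
```

On the first sample the report shows the token uncovered even though KeyInfo points at it; on the second it is covered. A receiver that requires the token to be signed can reject the message when `covered["BinarySecurityToken"]` is false or when `dangling` is non-empty.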