This Rampart example might help. Assume it is called with the following parameters:

    requestService(
        // first param: the OMElement to send to the service, i.e. the saml:Assertion found under
        // wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken in the STS response
        resp.getFirstChildWithName(new QName(RahasConstants.WST_NS_05_12,
                                             RahasConstants.LocalNames.REQUEST_SECURITY_TOKEN_RESPONSE))
            .getFirstChildWithName(new QName(RahasConstants.WST_NS_05_12,
                                             RahasConstants.IssuanceBindingLocalNames.REQUESTED_SECURITY_TOKEN))
            .getFirstChildWithName(new QName(RahasConstants.SAML_NS, "Assertion")),
        WSSecurityUtil.generateNonce(16),   // byte[] requestEntropy: a fresh 16-byte client nonce
        Base64.decode(respEntrB64)          // byte[] responseEntropy: the issuer's wst:Entropy, base64-decoded
    );
 
    // Imports needed by requestService (WSS4J 1.5.x, Axiom 1.2.x DOOM, Axis2 1.x, Rahas).
    // Constants.TESTING_PATH and addPayload() belong to the enclosing Rampart test class.
    import java.util.Vector;
    import javax.xml.namespace.QName;
    import javax.xml.parsers.DocumentBuilderFactory;

    import org.apache.axiom.om.OMElement;
    import org.apache.axiom.om.impl.builder.StAXOMBuilder;
    import org.apache.axiom.om.impl.dom.DocumentImpl;
    import org.apache.axiom.om.impl.dom.factory.OMDOMFactory;
    import org.apache.axiom.om.impl.dom.jaxp.DocumentBuilderFactoryImpl;
    import org.apache.axiom.soap.SOAPEnvelope;
    import org.apache.axiom.soap.SOAPFactory;
    import org.apache.axiom.soap.impl.dom.soap11.SOAP11Factory;
    import org.apache.axis2.addressing.AddressingConstants;
    import org.apache.axis2.addressing.EndpointReference;
    import org.apache.axis2.client.OperationClient;
    import org.apache.axis2.client.ServiceClient;
    import org.apache.axis2.context.ConfigurationContextFactory;
    import org.apache.axis2.context.MessageContext;
    import org.apache.axis2.description.AxisOperation;
    import org.apache.axis2.description.AxisService;
    import org.apache.axis2.description.OutInAxisOperation;
    import org.apache.axis2.wsdl.WSDLConstants;
    import org.apache.rahas.RahasConstants;
    import org.apache.ws.security.WSConstants;
    import org.apache.ws.security.WSEncryptionPart;
    import org.apache.ws.security.conversation.dkalgo.P_SHA1;
    import org.apache.ws.security.message.WSSecDKSign;
    import org.apache.ws.security.message.WSSecHeader;
    import org.apache.ws.security.message.WSSecTimestamp;
    import org.apache.ws.security.message.token.SecurityTokenReference;
    import org.apache.ws.security.util.Base64;
    import org.apache.ws.security.util.WSSecurityUtil;
    import org.apache.xml.security.signature.XMLSignature;
    import org.w3c.dom.Document;
    import org.w3c.dom.Element;

    private void requestService(OMElement assertion, byte[] reqEnt, byte[] respEnt) throws Exception {
        // Re-read the Axiom assertion through a DOOM builder so we get a DOM Element that
        // WSS4J (a DOM-based API) can work with.
        StAXOMBuilder builder = new StAXOMBuilder(new OMDOMFactory(), assertion.getXMLStreamReader());
        Element domAssertionElem = (Element) builder.getDocumentElement();

        // Make DocumentBuilderFactory.newInstance() hand out DOOM (DOM over Axiom) documents,
        // which are org.w3c.dom.Document and Axiom nodes at the same time.
        DocumentBuilderFactoryImpl.setDOOMRequired(true);
        Document dom_doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();

        // Build a SOAP 1.1 envelope inside that document (cast to DOOM's DocumentImpl, not Xerces')
        // and let the test class add the Ping payload to the Body (addPayload() is not shown here).
        SOAPFactory soap11_fac = new SOAP11Factory((DocumentImpl) dom_doc);
        SOAPEnvelope soap11_envelope = soap11_fac.getDefaultEnvelope();
        this.addPayload(soap11_envelope);

        // wsse:Security header
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(dom_doc);

        // wsu:Timestamp, prepended to the Security header so it can be signed below
        WSSecTimestamp ts = new WSSecTimestamp();
        ts.prepare(dom_doc);
        ts.prependToHeader(secHeader);

        // Signature with a WS-SecureConversation derived key: an HMAC-SHA1 symmetric signature,
        // so neither side needs a keystore; the secret comes from the two entropies instead.
        WSSecDKSign secure_dk_sig = new WSSecDKSign();
        secure_dk_sig.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);

        // P_SHA1 is the WS-Trust ComputedKey function: PSHA1(requestEntropy, responseEntropy)
        P_SHA1 p_sha1 = new P_SHA1();

        // SecurityTokenReference that points at the SAML assertion by its AssertionID
        // (a SAML 1.x attribute in no namespace); the DerivedKeyToken will reference this STR.
        SecurityTokenReference security_token_ref = new SecurityTokenReference(dom_doc);
        security_token_ref.setSAMLKeyIdentifier(assertion.getAttributeValue(new QName("AssertionID")));

        // Debug output only: the entropies and the key below are the signing secret.
        System.out.println("\nRequest Entropy: " + Base64.encode(reqEnt));
        System.out.println("Response Entropy: " + Base64.encode(respEnt));

        // P_SHA1(secret = request entropy, seed = response entropy), offset 0, 32 bytes = 256-bit key
        byte[] sha1_ephmeralKey = p_sha1.createKey(reqEnt, respEnt, 0, 32);
        System.out.println(sha1_ephmeralKey.length * 8 + " bit Key: " + Base64.encode(sha1_ephmeralKey));

        // Hand the computed key and the STR to the derived-key signature builder
        secure_dk_sig.setExternalKey(sha1_ephmeralKey, security_token_ref.getElement());

        // Parts to sign: a WSEncryptionPart names an element by local name and namespace;
        // "Element" signs the whole element. Only the wsu:Timestamp is covered here; add a
        // WSEncryptionPart for the soap:Body if the payload must be covered as well.
        WSEncryptionPart timestamp_encrypted_part =
                new WSEncryptionPart(WSConstants.TIMESTAMP_TOKEN_LN, WSConstants.WSU_NS, "Element");
        Vector<WSEncryptionPart> partsVector = new Vector<WSEncryptionPart>();
        partsVector.add(timestamp_encrypted_part);
        secure_dk_sig.setParts(partsVector);

        // Build the DerivedKeyToken and the ds:Signature skeleton, digest the parts, then sign
        secure_dk_sig.prepare(dom_doc, secHeader);
        secure_dk_sig.addReferencesToSign(partsVector, secHeader);
        secure_dk_sig.computeSignature();

        // Import the SAML assertion into this document and append it to the Security header
        Element importedAssertionElement = (Element) dom_doc.importNode(domAssertionElem, true);
        WSSecurityUtil.appendChildElement(dom_doc, secHeader.getSecurityHeader(), importedAssertionElement);

        // Then the DerivedKeyToken and, last, the Signature that refers to it
        secure_dk_sig.appendDKElementToHeader(secHeader);
        secure_dk_sig.appendSigToHeader(secHeader);

        // Display the SOAP 1.1 envelope
        System.out.println(soap11_envelope);

        // Create a service client and send the request to the 'ping' service (ping.aar)
        AxisService service = new AxisService("ping");
        AxisOperation op = new OutInAxisOperation(new QName("Ping"));
        service.addChild(op);
        ServiceClient client = new ServiceClient(
                ConfigurationContextFactory.createConfigurationContextFromFileSystem(
                        Constants.TESTING_PATH + "rahas_client_repo", null),
                service);

        // The OperationClient is where endpoint, action and addressing version are set
        OperationClient opClient = client.createClient(new QName("Ping"));
        MessageContext mc = new MessageContext();
        mc.setEnvelope(soap11_envelope);   // the envelope built and signed above

        // Engage the addressing and rampart modules
        client.engageModule(new QName("addressing"));
        client.engageModule(new QName("rampart"));
        opClient.addMessageContext(mc);

        // OASIS interop endpoint as an alternative; setTo() is last-wins, so only one stays active:
        // opClient.getOptions().setTo(new EndpointReference("https://131.107.72.15/PingService/OasisScenario1"));
        // Regular secure site
        opClient.getOptions().setTo(new EndpointReference("https://207.200.37.116/Ping/Scenario1"));
        opClient.getOptions().setAction("http://example.org/Ping");
        opClient.getOptions().setProperty(AddressingConstants.WS_ADDRESSING_VERSION,
                                          AddressingConstants.Submission.WSA_NAMESPACE);

        // Blocking call: returns once the response message has arrived
        opClient.execute(true);

        MessageContext response = opClient.getMessageContext(WSDLConstants.MESSAGE_LABEL_IN_VALUE);
        System.out.println("------------------------------RESPONSE------------------------------\n"
                + response.getEnvelope());
    }

Martin Gainty 
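The computed key that `p_sha1.createKey(reqEnt, respEnt, 0, 32)` produces in the example above is WS-Trust's PSHA1 ComputedKey: the P_SHA1 function of the TLS PRF (RFC 2246 section 5) with the requestor entropy as the HMAC secret and the issuer entropy as the seed. The following is an added Python illustration of that derivation, not WSS4J's P_SHA1 class or code from the thread; it assumes the same (secret, seed, offset, length) argument order as createKey and uses constructed entropies.

```python
"""WS-Trust ComputedKey/PSHA1, i.e. what p_sha1.createKey(reqEnt, respEnt, 0, 32) computes.

Added illustration, not org.apache.ws.security.conversation.dkalgo.P_SHA1.
RFC 2246 section 5:
    A(0) = seed,  A(i) = HMAC_SHA1(secret, A(i-1))
    P_SHA1(secret, seed) = HMAC_SHA1(secret, A(1) + seed) + HMAC_SHA1(secret, A(2) + seed) + ...
WS-Trust uses the requestor entropy as secret and the issuer entropy as seed.
"""
import hashlib
import hmac
import os


def p_sha1(secret, seed, offset, length):
    """Return bytes [offset, offset + length) of the P_SHA1 key stream.

    Argument order (secret, seed, offset, length) is assumed to mirror WSS4J's createKey.
    """
    out = b""
    a = seed                                                  # A(0)
    while len(out) < offset + length:
        a = hmac.new(secret, a, hashlib.sha1).digest()        # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[offset:offset + length]


def computed_key(request_entropy, response_entropy, key_bits=256):
    """ComputedKey/PSHA1 of the requested size: 256 bits for the '0, 32' call in the example."""
    return p_sha1(request_entropy, response_entropy, 0, key_bits // 8)


if __name__ == "__main__":
    # Constructed entropies: a 16-byte client nonce and a 16-byte issuer value (both would be
    # base64 wst:Entropy/wst:BinarySecret elements on the wire).
    req_ent = os.urandom(16)
    resp_ent = os.urandom(16)
    key = computed_key(req_ent, resp_ent)
    print(len(key) * 8, "bit key derived")
```

Two practical points follow from this. Each side contributes 16 bytes of entropy but the HMAC-SHA1 stream is only as unpredictable as the requestor's nonce, so `WSSecurityUtil.generateNonce` must be backed by a secure random source. And because the derived 256-bit key is the signing secret for every message in the conversation, the `System.out.println` lines that print the entropies and the key are acceptable in a test harness only; in production that output is a key leak.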
 
Date: Wed, 15 May 2013 16:28:19 +0100
Subject: Re: Soap Envelope part signature verification
From: [email protected]
To: [email protected]

It doesn't make any sense to sign the entire SOAP Envelope. You typically sign 
the SOAP Body and a number of SOAP Headers such as WS-Addressing (if using), 
along with some specific security headers (Timestamp, UsernameToken, etc.).


Colm.
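The mechanism behind Colm's advice and the failure Oleg describes is the standard XML-DSIG one: the ds:Signature is appended to wsse:Security, which sits inside the Envelope, so a ds:Reference to the Envelope digests the Signature element itself, and the digest taken before the Signature existed cannot match on verification (excluding it would need the enveloped-signature transform, which WSS4J does not add for WS-Security signatures). The following is an added example, not code from the thread or from WSS4J: a toy signer and verifier in Python that takes WSEncryptionPart-style (namespace, local name) parts, uses SHA-256 and the standard library's C14N 2.0 in place of exc-c14n and SHA-1 (the point does not depend on either), an HMAC in place of a keyed XML signature, and a constructed sample message with wsu:Id attributes standing in for the ones WSS4J adds to signed parts.

```python
"""Why signing soap:Body + wsu:Timestamp verifies but signing soap:Envelope cannot.

Toy WS-Security-style signer/verifier (constructed example, not WSS4J): each part,
named like a WSEncryptionPart by (namespace, local name), is digested after
canonicalization, the digests go into ds:SignedInfo, and the ds:Signature is
appended to wsse:Security *inside* the Envelope. A Reference to the Envelope
therefore covers the Signature itself, so its digest never matches afterwards.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from xml.etree.ElementTree import canonicalize

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU), ("ds", DS)):
    ET.register_namespace(prefix, uri)

# Constructed sample request; the wsu:Id attributes stand in for those WSS4J adds to signed parts.
ENVELOPE_XML = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:wsu="{WSU}" wsu:Id="Env-1">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}">
      <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2013-05-15T15:28:19Z</wsu:Created></wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="Body-1"><Ping xmlns="http://example.org/Ping">hello</Ping></soapenv:Body>
</soapenv:Envelope>"""
KEY = b"\x00" * 32  # fixed demo HMAC key (assumed); in Martin's code this is the P_SHA1 computed key


def tag(ns, local):
    return "{%s}%s" % (ns, local)


def canon(elem):
    """Canonical form of one element (C14N 2.0 here; WS-Security uses exclusive C14N)."""
    return canonicalize(ET.tostring(elem, encoding="unicode"), rewrite_prefixes=True)


def digest(elem):
    """Base64 SHA-256 digest of the canonical element, the DigestValue of a Reference."""
    return base64.b64encode(hashlib.sha256(canon(elem).encode()).digest()).decode()


def find(root, ns, local):
    """First element with that (namespace, local name), root included."""
    return next(root.iter(tag(ns, local)))


def by_id(root, ref_id):
    """Resolve a '#id' Reference the way WSS4J does: by wsu:Id."""
    return next(e for e in root.iter() if e.get(tag(WSU, "Id")) == ref_id)


def sign(envelope_xml, parts, key=KEY):
    """Digest each part, HMAC the SignedInfo, append ds:Signature to wsse:Security."""
    env = ET.fromstring(envelope_xml)
    signed_info = ET.Element(tag(DS, "SignedInfo"))
    for ns, local in parts:                       # digests are taken BEFORE the Signature exists
        part = find(env, ns, local)
        ref = ET.SubElement(signed_info, tag(DS, "Reference"), URI="#" + part.get(tag(WSU, "Id")))
        ET.SubElement(ref, tag(DS, "DigestValue")).text = digest(part)
    sig = ET.SubElement(find(env, WSSE, "Security"), tag(DS, "Signature"))
    sig.append(signed_info)
    mac = hmac.new(key, canon(signed_info).encode(), hashlib.sha256).digest()
    ET.SubElement(sig, tag(DS, "SignatureValue")).text = base64.b64encode(mac).decode()
    return env


def verify(env, key=KEY):
    """Recompute every Reference digest and the HMAC; returns {URI or 'SignatureValue': ok}."""
    sig = find(env, DS, "Signature")
    signed_info = find(sig, DS, "SignedInfo")
    result = {}
    for ref in signed_info.iter(tag(DS, "Reference")):
        uri = ref.get("URI")
        result[uri] = digest(by_id(env, uri[1:])) == find(ref, DS, "DigestValue").text
    mac = hmac.new(key, canon(signed_info).encode(), hashlib.sha256).digest()
    result["SignatureValue"] = hmac.compare_digest(
        base64.b64encode(mac).decode(), find(sig, DS, "SignatureValue").text)
    return result


def demo():
    """Returns (Body+Timestamp signature fully verifies, Envelope reference verifies)."""
    good = verify(sign(ENVELOPE_XML, [(SOAP, "Body"), (WSU, "Timestamp")]))
    bad = verify(sign(ENVELOPE_XML, [(SOAP, "Envelope")]))
    return all(good.values()), bad["#Env-1"]


if __name__ == "__main__":
    print(demo())
```

In the second run the SignatureValue itself still checks out, because SignedInfo did not change; only the Envelope reference fails, which is exactly a "digest verification failed" outcome rather than a bad key. The same applies to any part that is an ancestor of wsse:Security, so the parts list should name soap:Body, wsu:Timestamp and the individual headers that matter (WS-Addressing, UsernameToken), never Envelope or Header.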

On Wed, May 15, 2013 at 4:03 PM, Oleg Korneychuk <[email protected]> wrote:

Hello,
I have created two tests. One of them signs the SOAP Body part and verifies it successfully. The other signs the SOAP Envelope part and fails during verification.

The tests are identical except for the creation of the WSEncryptionPart instances.

Please advise me what I am doing wrong. Sources are attached.

Thank you.
Oleg Korneychuk, Java Developer.





-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com