Hi All,
I'm trying to use the 'DoAll' handlers with a Security Token Service
(STS) and stumbled upon a few problems. :-(
The requesters of the STS will be sending messages, where parts will
be signed by their respective private keys and the signature element
and the soap:body element are encrypted by a random key. This random
key is an EncryptedKey which is encrypted by the public key of the
STS. I believe this can be achieved by deploying the WSDoAllSender at
the request path of the request message. The public key certificates
of the requester and the STS are sent in the message.
I have two problems from this point onwards:
1.) Can the DoAllReceiver be configured to decrypt the incoming
message and verify the signatures, provided that the only place where
the handler has access to the public key of the requester (for sig
verification) is the requester's cert that is sent in the message
security header itself, which can only be accessed after decryption
of the signature element? I think signaturePropFile will not be set in
this instance since the public key cert of the requester is not with
the service.
2.) When the STS responds to the RST message with a
RequestSecurityTokenResponse (RSTR) the DoAllSender in the response
path of the STS is expected to encrypt the message with the public key
of the requester that the message was intended for. For this purpose
how can I communicate the appropriate public key to the DoAllSender to
use? I don't see how this is possible using the encryptionPropFile,
since there are multiple requesters. :-(
Please let me know if I have made a mistake in my above statements or
if there are any workarounds for these problems. Sample RST and RSTR
messages are attached with this. (Extracted from the WS-RM-SC-T
interop scenarios)
Thank you very much,
Ruchith
<soap:Envelope
xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'
xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
xmlns:wst='http://schemas.xmlsoap.org/ws/2005/XX/trust'
xmlns:wsc='http://schemas.xmlsoap.org/ws/2005/XX/sc'
xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
xmlns:wsa='http://schemas.xmlsoap.org/ws/2004/08/addressing'
xmlns:wsrm='http://schemas.xmlsoap.org/ws/2005/XX/rm'
xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'
xmlns:ds='http://www.w3.org/2000/09/xmldsig#' >
<soap:Header>
<wsa:MessageID wsu:Id='msgid' >
http://Fabrikam.com/guid/0baaf88d-483b-4ecf-a6d8-a7c2eb546817
</wsa:MessageID>
<wsa:To wsu:Id='to' >http://fabrikam.com/serviceB/123</wsa:To>
<wsa:Action wsu:Id='action' >
http://schemas.xmlsoap.org/ws/2005/XX/security/trust/RST/SCT</wsa:Action>
<wsa:ReplyTo wsu:Id='replyto' >
<wsa:Address>
http://fabrikam.com/Client
</wsa:Address>
</wsa:ReplyTo>
<wsse:Security>
<wsu:Timestamp wsu:Id='timestamp' >
<wsu:Created>2004-06-17T18:41:14Z</wsu:Created>
<wsu:Expires>2004-06-17T18:46:14Z</wsu:Expires>
</wsu:Timestamp>
<!-- BEGIN: X509 certificate for CLIENT -->
<wsse:BinarySecurityToken wsu:Id='Me'
ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'
EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary' >
V7Xvvx ......WGfXhjeviiAsA==
</wsse:BinarySecurityToken>
<!-- END: X509 certificate for CLIENT -->
<!-- BEGIN: 128-bit key K encrypted using public key of SERVICE -->
<xenc:EncryptedKey Id='K' >
<xenc:EncryptionMethod
Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' />
<ds:KeyInfo>
<!-- BEGIN: Reference to X509 certificate for SERVICE -->
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier
ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier'
EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary' >
4rq1TGFRUPUjzrkJ09UQQQ==
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
<!-- END: Reference to X509 certificate for SERVICE -->
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>
WdibbBitnC4x0wROs3fkqQ==
</xenc:CipherValue>
</xenc:CipherData>
<!-- BEGIN: Reference list for items encrypted with K -->
<xenc:ReferenceList>
<xenc:DataReference URI='#BodyContent' />
<xenc:DataReference URI='#SignatureElement' />
</xenc:ReferenceList>
<!-- END: Reference list for items encrypted with K -->
</xenc:EncryptedKey>
<!-- END: 128-bit key K encrypted using public key of SERVICE -->
<!-- BEGIN: Signature element encrypted with K -->
<xenc:EncryptedData Id='SignatureElement'
xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'
Type='http://www.w3.org/2001/04/xmlenc#Element' >
<!-- Commented out is unencrypted form of the Signature element
over the message body,
wsa: headers and timestamp using private key of CLIENT
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
<ds:SignatureMethod
Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' />
<ds:Reference URI='#msgid' >
<ds:Transforms>
<ds:Transform
Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
</ds:Transforms>
<ds:DigestMethod
Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' />
<ds:DigestValue>qTPI5bC+HGcUG6j83wjDAQ==</ds:DigestValue>
</ds:Reference>
<ds:Reference URI='#to' >
<ds:Transforms>
<ds:Transform
Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
</ds:Transforms>
<ds:DigestMethod
Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' />
<ds:DigestValue>Y87Uxv6h5wNaQxQXImEySQ==</ds:DigestValue>
</ds:Reference>
<ds:Reference URI='#action' >
<ds:Transforms>
<ds:Transform
Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
</ds:Transforms>
<ds:DigestMethod
Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' />
<ds:DigestValue>Kd4ap+K3julehb5VR0FbWQ==</ds:DigestValue>
</ds:Reference>
<ds:Reference URI='#replyto' >
<ds:Transforms>
<ds:Transform
Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
</ds:Transforms>
<ds:DigestMethod
Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' />
<ds:DigestValue>Kd4ap+K3julehb5VR0FbWQ==</ds:DigestValue>
</ds:Reference>
<ds:Reference URI='#from' >
<ds:Transforms>
<ds:Transform
Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
</ds:Transforms>
<ds:DigestMethod
Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' />
<ds:DigestValue>BS87O3ZSGBzfkth6attmcQ==</ds:DigestValue>
</ds:Reference>
<ds:Reference URI='#timestamp' >
<ds:Transforms>
<ds:Transform
Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
</ds:Transforms>
<ds:DigestMethod
Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' />
<ds:DigestValue>p89RQXAzHNOIGZl5gjpnJQ==</ds:DigestValue>
</ds:Reference>
<ds:Reference URI='#Body' >
<ds:Transforms>
<ds:Transform
Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
</ds:Transforms>
<ds:DigestMethod
Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' />
<ds:DigestValue>hBKXo1+XDIIdLRt1++7CTQ==</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
21u8QnwVaagEoeA2Dh+VAg==
</ds:SignatureValue>
<ds:KeyInfo>
BEGIN: Reference to X509 certificate for CLIENT
<wsse:SecurityTokenReference>
<wsse:Reference URI='#Me'
ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3' />
</wsse:SecurityTokenReference>
END: Reference to X509 certificate for CLIENT
</ds:KeyInfo>
</ds:Signature>
END of unencrypted form of the Signature element with
Signature over the message body, wsa: headers and timestamp -->
<xenc:EncryptionMethod
Algorithm='http://www.w3.org/2001/04/xmlenc#aes128-cbc' />
<xenc:CipherData>
<xenc:CipherValue>
...
</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
<!-- END: Signature element encrypted with K -->
</wsse:Security>
</soap:Header>
<soap:Body wsu:Id='body' >
<!-- Message body is actually encrypted with K.
The unencrypted form of the following is:
<wst:RequestSecurityToken>
<wst:TokenType>
http://schemas.xmlsoap.org/ws/2005/XX/security/sc/sct
</wst:TokenType>
<wst:RequestType>
http://schemas.xmlsoap.org/ws/2005/XX/security/trust/Issue
</wst:RequestType>
<wsp:AppliesTo
xmlns:wsp='http://schemas.xmlsoap.org/ws/2002/12/policy' >
<wsa:EndpointReference>
<wsa:Address>http://fabrikam.com/serviceB/123</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wst:Entropy>
<wst:BinarySecret Type='http://schemas.xmlsoap.org/ws/2005/XX/security/trust/Nonce'>nQUYxn7fQaQJkzMZHJIzjA==</wst:BinarySecret>
</wst:Entropy>
<wst:KeySize>128</wst:KeySize>
</wst:RequestSecurityToken>
-->
<xenc:EncryptedData Id='BodyContent'
xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'
Type='http://www.w3.org/2001/04/xmlenc#Content' >
<xenc:EncryptionMethod
Algorithm='http://www.w3.org/2001/04/xmlenc#aes128-cbc' />
<xenc:CipherData>
<xenc:CipherValue>
K7ywZyhoZzG0uOg20aXztLqnM1xaHBx3e92OMSjioqv9ZIhF0o0CRAGdfaH9r9EcgTj
qLObP8A6gOOtK2jYJ0hY8OGwdreEtpe5avJ96ecsMcq/v+HXFLnR5pZmht2rLk6uKwX
dk/tRXvIf3dDNvJb8g
</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soap:Body>
</soap:Envelope>

<soap:Envelope
xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'
xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
xmlns:wsse11='http://docs.oasis-open.org/wss/2004/xx/oasis-2004xx-wss-wssecurity-secext-1.1.xsd'
xmlns:wst='http://schemas.xmlsoap.org/ws/2005/XX/trust'
xmlns:wsc='http://schemas.xmlsoap.org/ws/2005/XX/sc'
xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
xmlns:wsa='http://schemas.xmlsoap.org/ws/2004/08/addressing'
xmlns:wsrm='http://schemas.xmlsoap.org/ws/2005/XX/rm'
xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'
xmlns:ds='http://www.w3.org/2000/09/xmldsig#' >
<soap:Header>
<wsa:MessageID wsu:Id='msgid' >
http://fabrikam.com/guid/8f2072ac-7dee-4f26-ad51-966d0c6e7563
</wsa:MessageID>
<wsa:To wsu:Id='to' >
http://fabrikam.com/Client
</wsa:To>
<wsa:Action wsu:Id='action' >
http://schemas.xmlsoap.org/ws/2005/XX/security/trust/RSTR/SCT
</wsa:Action>
<wsa:RelatesTo wsu:Id='relatesto' >
http://Fabrikam.com/guid/0baaf88d-483b-4ecf-a6d8-a7c2eb546817
</wsa:RelatesTo>
<wsse:Security>
<wsu:Timestamp wsu:Id='timestamp' >
<wsu:Created>2004-06-17T18:42:14Z</wsu:Created>
<wsu:Expires>2004-06-17T18:47:14Z</wsu:Expires>
</wsu:Timestamp>
<!-- BEGIN: 128-bit key K2 encrypted using public key of CLIENT -->
<xenc:EncryptedKey Id='K' >
<xenc:EncryptionMethod
Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' />
<ds:KeyInfo>
<!-- BEGIN: Reference to X509 certificate for CLIENT -->
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier
ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier'
EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary' >
4rq1TGFRUPUjzrkJ09UQQQ==
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
<!-- END: Reference to X509 certificate for CLIENT -->
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>
WdibbBitnC4x0wROs3fkqQ==
</xenc:CipherValue>
</xenc:CipherData>
<!-- BEGIN: Reference list for items encrypted with K2 -->
<xenc:ReferenceList>
<xenc:DataReference URI='#BodyContent' />
<xenc:DataReference URI='#SignatureElement' />
<xenc:DataReference URI='#SignatureConfirmationElement' />
</xenc:ReferenceList>
<!-- END: Reference list for items encrypted with K2 -->
</xenc:EncryptedKey>
<!-- END: 128-bit key K2 encrypted using public key of CLIENT -->
<!-- BEGIN: Signature element encrypted with K2 -->
<xenc:EncryptedData Id='SignatureElement'
xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'
Type='http://www.w3.org/2001/04/xmlenc#Element' >
<!-- Commented out is unencrypted form of the Signature element
over the message body,
wsa: headers and timestamp using SX1
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
<ds:SignatureMethod
Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' />
<ds:Reference URI='#msgid' >
<ds:Transforms>
<ds:Transform
Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
</ds:Transforms>
<ds:DigestMethod
Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' />
<ds:DigestValue>qTPI5bC+HGcUG6j83wjDAQ==</ds:DigestValue>
</ds:Reference>
<ds:Reference URI='#to' >
<ds:Transforms>
<ds:Transform
Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
</ds:Transforms>
<ds:DigestMethod
Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' />
<ds:DigestValue>Y87Uxv6h5wNaQxQXImEySQ==</ds:DigestValue>
</ds:Reference>
<ds:Reference URI='#action' >
<ds:Transforms>
<ds:Transform
Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
</ds:Transforms>
<ds:DigestMethod
Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' />
<ds:DigestValue>Kd4ap+K3julehb5VR0FbWQ==</ds:DigestValue>
</ds:Reference>
<ds:Reference URI='#relatesto' >
<ds:Transforms>
<ds:Transform
Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
</ds:Transforms>
<ds:DigestMethod
Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' />
<ds:DigestValue>Kd4ap+K3julehb5VR0FbWQ==</ds:DigestValue>
</ds:Reference>
<ds:Reference URI='#timestamp' >
<ds:Transforms>
<ds:Transform
Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
</ds:Transforms>
<ds:DigestMethod
Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' />
<ds:DigestValue>p89RQXAzHNOIGZl5gjpnJQ==</ds:DigestValue>
</ds:Reference>
<ds:Reference URI='#SignatureConfirmation' >
<ds:Transforms>
<ds:Transform
Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
</ds:Transforms>
<ds:DigestMethod
Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' />
<ds:DigestValue>p89RQXAzHNOIGZl5gjpnJQ==</ds:DigestValue>
</ds:Reference>
<ds:Reference URI='#Body' >
<ds:Transforms>
<ds:Transform
Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
</ds:Transforms>
<ds:DigestMethod
Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' />
<ds:DigestValue>hBKXo1+XDIIdLRt1++7CTQ==</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
21u8QnwVaagEoeA2Dh+VAg==
</ds:SignatureValue>
<ds:KeyInfo>
BEGIN: Reference to X509 certificate for SERVICE
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier
ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'
EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary' >
4rq1TGFRUPUjzrkJ09UQQQ==
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
END: Reference to X509 certificate for SERVICE
</ds:KeyInfo>
</ds:Signature>
END of unencrypted form of the Signature element with
Signature over the message body, wsa: headers and timestamp -->
<xenc:EncryptionMethod
Algorithm='http://www.w3.org/2001/04/xmlenc#aes128-cbc' />
<xenc:CipherData>
<xenc:CipherValue>
...
</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
<!-- END: Signature element encrypted with K2 -->
<!-- BEGIN: Signature Confirmation Element encrypted with K2 -->
<xenc:EncryptedData Id='SignatureConfirmationElement'
xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'
Type='http://www.w3.org/2001/04/xmlenc#Element' >
<!-- Commented out is unencrypted form of the SignatureConfirmation element, containing the value of the signature from the request
<wsse11:SignatureConfirmation wsu:Id="SignatureConfirmation"
Value="21u8QnwVaagEoeA2Dh+VAg=="/>
-->
<xenc:EncryptionMethod
Algorithm='http://www.w3.org/2001/04/xmlenc#aes128-cbc' />
<xenc:CipherData>
<xenc:CipherValue>
...
</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
<!-- END: Signature Confirmation Element encrypted with K2 -->
</wsse:Security>
</soap:Header>
<soap:Body wsu:Id='Body' >
<!-- Message body is actually encrypted with K2.
The unencrypted form of the following is:
<wst:RequestSecurityTokenResponse>
<wst:RequestedSecurityToken>
<wsc:SecurityContextToken wsu:Id="This">
<wsc:Identifier>
uuid:b40816ed-0ff9-4293-9740-fe1253786069
</wsc:Identifier>
</wsc:SecurityContextToken>
</wst:RequestedSecurityToken>
<wst:TokenType>
http://schemas.xmlsoap.org/ws/2004/01/security/sc/sct
</wst:TokenType>
<wsp:AppliesTo
xmlns:wsp='http://schemas.xmlsoap.org/ws/2002/12/policy' >
<wsa:EndpointReference>
<wsa:Address>http://fabrikam.com/serviceB/123</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wst:Entropy>
<wst:BinarySecret Type='http://schemas.xmlsoap.org/ws/2005/XX/security/trust/Nonce'>kl2Dpg=</wst:BinarySecret>
</wst:Entropy>
<wst:RequestedProofToken>
<wst:ComputedKey>
http://schemas.xmlsoap.org/ws/2005/XX/security/trust/CK/PSHA1
</wst:ComputedKey>
</wst:RequestedProofToken>
<wst:Lifetime>
<wsu:Created>2004-06-18T17:41:07Z</wsu:Created>
<wsu:Expires>2004-06-19T05:41:07Z</wsu:Expires>
</wst:Lifetime>
<wst:KeySize>128</wst:KeySize>
</wst:RequestSecurityTokenResponse>
-->
<xenc:EncryptedData Id='BodyContent'
xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'
Type='http://www.w3.org/2001/04/xmlenc#Content' >
<xenc:EncryptionMethod
Algorithm='http://www.w3.org/2001/04/xmlenc#aes128-cbc' />
<xenc:CipherData>
<xenc:CipherValue>
K7ywZyhoZzG0uOg20aXztLqnM1xaHBx3e92OMSjioqv9ZIhF0o0CRAGdfaH9r9EcgTj
qLObP8A6gOOtK2jYJ0hY8OGwdreEtpe5avJ96ecsMcq/v+HXFLnR5pZmht2rLk6uKwX
dk/tRXvIf3dDNvJb8g
</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soap:Body>
</soap:Envelope>
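An added example, not code from the original post or from WSS4J, that walks the receiver side of the two questions above over a constructed, shortened copy of the sample RST: it derives the processing order (decrypt with the key addressed to our SubjectKeyIdentifier, then verify), records the requester's BinarySecurityToken id so the STS has something to encrypt the response for, and, on the decrypted signature, lists reference URIs that match nothing in the envelope (the sample's own `#from` and `#Body` references are kept so the check has something to find). The key identifier, token ids and namespaces come from the sample; the function names, the truncated cipher values and the `my_skis` set are assumptions.

```python
import xml.etree.ElementTree as ET
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
WSU_ID = "{%s}Id" % NS["wsu"]
# Constructed, shortened copy of the sample RST; token and cipher values are placeholders.
RST = """<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s"
 xmlns:xenc="%(xenc)s" xmlns:ds="%(ds)s"><soap:Header><wsse:Security>
 <wsu:Timestamp wsu:Id="timestamp"/>
 <wsse:BinarySecurityToken wsu:Id="Me">V7Xvvx...</wsse:BinarySecurityToken>
 <xenc:EncryptedKey Id="K"><ds:KeyInfo><wsse:SecurityTokenReference>
  <wsse:KeyIdentifier>4rq1TGFRUPUjzrkJ09UQQQ==</wsse:KeyIdentifier>
 </wsse:SecurityTokenReference></ds:KeyInfo><xenc:ReferenceList>
  <xenc:DataReference URI="#BodyContent"/><xenc:DataReference URI="#SignatureElement"/>
 </xenc:ReferenceList></xenc:EncryptedKey><xenc:EncryptedData Id="SignatureElement"/>
</wsse:Security></soap:Header>
<soap:Body wsu:Id="body"><xenc:EncryptedData Id="BodyContent"/></soap:Body></soap:Envelope>""" % NS
# Constructed cleartext of the Signature element as it reads once K has decrypted it.
SIG = """<ds:Signature xmlns:ds="%(ds)s" xmlns:wsse="%(wsse)s"><ds:SignedInfo>
 <ds:Reference URI="#timestamp"/><ds:Reference URI="#from"/><ds:Reference URI="#Body"/>
</ds:SignedInfo><ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#Me"/>
</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>""" % NS

def receiver_plan(envelope_xml, my_skis):
    """Receiver steps in header order, plus the requester token id the STS keeps for encrypting its reply."""
    sec = ET.fromstring(envelope_xml).find("soap:Header/wsse:Security", NS)
    plan, token = [], None
    for el in sec:  # the handler sees the header top-down; order decides what is possible when
        if el.tag.endswith("}BinarySecurityToken"):  # the only cleartext key material in the message
            token = el.get(WSU_ID)
        elif el.tag.endswith("}EncryptedKey"):
            ski = el.findtext(".//wsse:KeyIdentifier", namespaces=NS).strip()
            if ski not in my_skis:  # wrapped for somebody else's key: refuse before any decryption
                raise ValueError("EncryptedKey not addressed to us: " + ski)
            refs = tuple(r.get("URI").lstrip("#") for r in el.iterfind(".//xenc:DataReference", NS))
            plan.append(("decrypt", ski, refs))
    # A decrypt target inside the header means the signature itself is ciphertext: verify only afterwards.
    in_header = {e.get("Id") for e in sec.iterfind("xenc:EncryptedData", NS)}
    deferred = any(set(s[2]) & in_header for s in plan)
    plan.append(("verify_after_decrypt" if deferred else "verify", token))
    return plan, token

def unresolved_references(signature_xml, envelope_xml):
    """URIs in the decrypted signature that resolve to no wsu:Id/Id in the envelope (parts it cannot cover)."""
    known = {v for e in ET.fromstring(envelope_xml).iter()
             for k, v in e.attrib.items() if k in (WSU_ID, "Id")}
    uris = [r.get("URI") for p in (".//ds:Reference", ".//wsse:Reference")
            for r in ET.fromstring(signature_xml).iterfind(p, NS)]
    return sorted(u for u in uris if u.lstrip("#") not in known)
```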