One more thing which might help is the 1.1 version of the username token profile (http://www.oasis-open.org/committees/download.php/16782/wss-v1.1-spec-os-UsernameTokenProfile.pdf)
Section 4 describes the procedure to derive keys based on information in the token. The gist of it is that 2 additional elements are added to the token: Salt and iterations. These 2 are then used in the following algorithm (spec lines 386-399):

    The key is derived as follows. The password (which is UTF-8 encoded) and Salt are
    concatenated in that order. Only the actual octets of the password are used, it is not
    padded or zero terminated. This value is hashed using the SHA1 algorithm. The result of
    this operation is also hashed using SHA1. This process is repeated until the total number
    of hash operations equals the Iteration count.

    In other words:
    K1 = SHA1( password + Salt)
    K2 = SHA1( K1 )
    ...
    Kn = SHA1 ( Kn-1)
    Where + means concatenation and n is the iteration count.

    The resulting 160 bit value is used in a MAC function or truncated to the appropriate
    length for encryption

HTH,
A.

> -----Original Message-----
> From: Steve Shaw [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, September 02, 2008 1:20 PM
> To: [email protected]
> Subject: Re: WS-Security/UsernameToken signature with CXF
>
> On Fri, 2008-08-29 at 15:58 -0700, Glen Mazza wrote:
>
> > BTW, do you know of any web-available articles on signing with username
> > tokens? I'd like to read up more on this so I can understand it better.
>
> That's an excellent question. I wasn't able to scrape together a
> definitive resource, but here are some links that may be useful:
>
> Some stuff from MSDN:
> http://msdn.microsoft.com/en-us/library/aa529558.aspx
>
> Article discussing how to do it with .NET:
> http://www.codeproject.com/KB/XML/WSE30UsernameAssertion.aspx?display=Print
>
> Code sample that I used to generate my client code:
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg02035.html
>
> Beyond that, I looked through some of the CXF and WSS4J code to try to
> determine what's going on.
> org.apache.ws.security.action.UsernameTokenSignedAction is the WSS4J
> class that does a lot of the gruntwork.
>
> I'd be happy to hear if you find any more references to using this sort
> of digital signature.
>
> -Steve
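The section 4 derivation quoted above, carried through in Python as an added example (not code from the list post, from CXF or from WSS4J). The password, Salt and iteration count are constructed sample values, and HMAC-SHA1 is assumed as the "MAC function" the spec text leaves unnamed.

```python
import base64
import hashlib
import hmac


def derive_key(password: str, salt: bytes, iteration: int) -> bytes:
    """Username Token Profile 1.1, section 4:
    K1 = SHA1(password_utf8 + Salt), Ki = SHA1(K(i-1)), until the total
    number of SHA1 operations equals the Iteration count. Returns 160 bits."""
    if iteration < 1:
        raise ValueError("Iteration count must be at least 1")
    # Only the raw UTF-8 octets of the password: no padding, no NUL terminator.
    k = hashlib.sha1(password.encode("utf-8") + salt).digest()
    for _ in range(iteration - 1):  # first SHA1 already counted
        k = hashlib.sha1(k).digest()
    return k


def derive_key_from_token(password: str, salt_b64: str, iteration: int) -> bytes:
    """Same derivation with the Salt as it travels in the token (assumed base64)."""
    return derive_key(password, base64.b64decode(salt_b64), iteration)


def mac(key: bytes, data: bytes) -> bytes:
    """Use the full 160-bit derived value as an HMAC-SHA1 key."""
    return hmac.new(key, data, hashlib.sha1).digest()


def verify_mac(key: bytes, data: bytes, tag: bytes) -> bool:
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(mac(key, data), tag)


def encryption_key(key: bytes, length: int = 16) -> bytes:
    """Truncate the 20-byte value to the cipher's key length (16 = AES-128)."""
    if not 1 <= length <= len(key):
        raise ValueError("length must be between 1 and %d" % len(key))
    return key[:length]


if __name__ == "__main__":
    # Constructed sample token values, not taken from any real message.
    salt_b64 = base64.b64encode(b"0123456789abcdef").decode()
    key = derive_key_from_token("secret", salt_b64, 1000)
    signed_info = b"<ds:SignedInfo>constructed sample</ds:SignedInfo>"
    tag = mac(key, signed_info)
    print(key.hex(), verify_mac(key, signed_info, tag))
```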
