Thanks Aleksey, that was helpful! Alright, so now I'm trying to sign such an XML file...

When I prepare a template with a prefilled <wsse:BinarySecurityToken> containing key info, having the KeyInfo element in there as well (and basically pre-fill all the elements except DigestValue and SignatureValue) and provide xmlsec with the signing key and the correct --id-attr parameters, I can sign it! And I can verify it provided I give it either the .p12 file or --pubkey-cert-der file.der (base64 decoded from BinarySecurityToken).

Now the only remaining problem I have is how to generate a correct <wsse:BinarySecurityToken> based on an existing .p12 file. :-)

BTW - for the example I provided, the correct --id-attr syntax is:

--id-attr:Id http://schemas.xmlsoap.org/soap/envelope/:Body

Davor.

On 11.06.2019 21:52, Aleksey Sanin wrote:
> You can extract the certificate manually and pass it to xmlsec
> for verification. Or you can add a custom KeyInfo element support.
> Both are possible but not through xmlsec1 command line utility.
>
> Aleksey
>
> On 6/11/19 11:08 AM, Davor Perkovac wrote:
>> I see.
>> Are you aware of other options available to sign/verify SOAP XML file
>> like this one?
>> Would xmlsec need to be extended somehow, or could it still be used if
>> an appropriate template file is prepared for it?
>>
>> Thanks!
>>
>> Davor.
>>
>> On 11.06.2019 19:56, Aleksey Sanin wrote:
>>> Well, another thing that you have is wsse:SecurityTokenReference
>>> extension for the certificate. It is not supported by xmlsec
>>> directly.
>>>
>>> Aleksey
>>>
>>> On 6/11/19 4:51 AM, Davor Perkovac wrote:
>>>> I tried many different combinations similar to the one you suggested,
>>>> but neither worked.
>>>> Could it be because the Id attribute in <soapenv:Body> has a namespace
>>>> prefix?
>>>>
>>>> wsu:Id="..."
>>>>
>>>> Is this causing problems?
>>>>
>>>> Davor.
>>>>
>>>> On 10.06.2019 22:51, Davor Perkovac wrote:
>>>>> This requires more parameters to xmlsec1
>>>>>
>>>>> I'm using version 1.2.20 for win32:
>>>>>
>>>>> xmlsec1.exe --version
>>>>> xmlsec1 1.2.20 (openssl)
>>>>>
>>>>> and it results in:
>>>>> xmlsec1.exe --verify --id-attr:Id:http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd Example_SOAP_PKI_Echo_1_sent.xml
>>>>> Error: <file> parameter is required for this command
>>>>> Usage: xmlsec <command> [<options>] [<files>]
>>>>>
>>>>> I've pasted again this full/unchanged xml file, so it should be possible
>>>>> for you to try to verify it as well:
>>>>> https://pastebin.com/u7SqZTLB
>>>>>
>>>>> Davor.
>>>>>
>>>>> On 10.06.2019 19:22, Aleksey Sanin wrote:
>>>>>> Try something like this:
>>>>>>
>>>>>> --id-attr:Id:http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
>>>>>>
>>>>>> Aleksey
>>>>>>
>>>>>> On 6/10/19 9:13 AM, Davor Perkovac wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I assume it should be possible to verify and sign SOAP message
>>>>>>> using WS-Security standard with xmlsec1 command line tool.
>>>>>>> I see there was already discussion about this or something similar -
>>>>>>> referring to Section 3.2 from the FAQ and I was reading it but somehow
>>>>>>> failed to apply it to my actual example.
>>>>>>>
>>>>>>> From what I can see the problem is with setting the correct --id-attr
>>>>>>> parameter.
>>>>>>>
>>>>>>> Can someone please advise on how to verify (and then later also sign)
>>>>>>> wss SOAP XML which looks like the example here:
>>>>>>> https://pastebin.com/5Q3mUtNJ
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>> Davor.
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> xmlsec mailing list
>>>>>>> [email protected]
>>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
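The remaining piece the top post asks for, as an added example that is not part of this thread and not xmlsec1's own code: building a <wsse:BinarySecurityToken> from the end-entity certificate in a .p12 with the openssl CLI (DER, base64 on one line, the X509v3 ValueType and Base64Binary EncodingType, and a wsu:Id that a SecurityTokenReference can point at), plus the reverse step that yields the file.der for --pubkey-cert-der. It assumes a POSIX shell with openssl on PATH; the function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical helpers (not part of xmlsec1) for the WS-Security X.509 token profile.
WSSE_NS="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
X509V3_TYPE="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
B64_ENC="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

# cert_b64_from_p12 <file.p12> <password>
# Take only the client certificate (no private key, no CA chain) out of the
# PKCS#12, convert PEM -> DER, and base64-encode it as a single line (-A).
cert_b64_from_p12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
      | openssl x509 -outform DER \
      | openssl base64 -A
}

# bst_from_p12 <file.p12> <password> <wsu:Id>
# Print the token element ready to paste into <wsse:Security> of a template.
bst_from_p12() {
    b64=$(cert_b64_from_p12 "$1" "$2") || return 1
    [ -n "$b64" ] || return 1
    printf '<wsse:BinarySecurityToken xmlns:wsse="%s" xmlns:wsu="%s" wsu:Id="%s" ValueType="%s" EncodingType="%s">%s</wsse:BinarySecurityToken>\n' \
        "$WSSE_NS" "$WSU_NS" "$3" "$X509V3_TYPE" "$B64_ENC" "$b64"
}

# der_from_bst  (reads the element on stdin, writes DER on stdout)
# Recover the DER certificate from a received token so it can be handed to
# `xmlsec1 --verify --pubkey-cert-der file.der ...`.
der_from_bst() {
    sed -n 's/.*<wsse:BinarySecurityToken[^>]*>\([^<]*\)<\/wsse:BinarySecurityToken>.*/\1/p' \
      | openssl base64 -d -A
}
```

The element carries its own namespace declarations so it stays well-formed on its own; drop them when the enclosing envelope already declares wsse and wsu.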
