[xmlsec] WS-Security SOAP signing using xmlsec1
Davor Perkovac
davor.perkovac at gmail.com
Tue Jun 11 17:45:01 PDT 2019
Thanks Aleksey, that was helpful!
Alright, so now I'm trying to sign such and XML file...
When I prepare template with prefilled <wsse:BinarySecurityToken>
containing key info, having KeyInfo element in there as well (and
basically pre-fill all the elements except DigestValue and
SignatureValue) and provide xmlsec with the signing key and the correct
--id-attr parmaters, I can sign it!
And I can verify it provided I give it either .p12 file or
--pubkey-cert-der file.der (base64 decoded from BinarySecurityToken)
Now the only remaining problem I have is how to generate correct
<wsse:BinarySecurityToken> based on existing .p12 file.
:-)
BTW - for the example I provided, the correct --id-attr syntax is:
--id-attr:Id http://schemas.xmlsoap.org/soap/envelope/:Body
Davor.
On 11.06.2019 21:52, Aleksey Sanin wrote:
> You can extract the certificate manually and pass it to xmlsec
> for verification. Or you can add a custom KeyInfo element support.
> Both are possible but not through xmlsec1 command line utility.
>
> Aleksey
>
> On 6/11/19 11:08 AM, Davor Perkovac wrote:
>> I see.
>> Are you aware of other options available to sign/verify SOAP XML file
>> like this one?
>> Would xmlsec need to be extended somehow, or could it still be used if
>> an appropriate template file is prepared for it?
>>
>> Thanks!
>>
>> Davor.
>>
>> On 11.06.2019 19:56, Aleksey Sanin wrote:
>>> Well, another thing that you have is wsse:SecurityTokenReference
>>> extension for the certificate. It is not supported by xmlsec
>>> directly.
>>>
>>> Aleksey
>>>
>>> On 6/11/19 4:51 AM, Davor Perkovac wrote:
>>>> I tried many different combinations similar to the one you suggested,
>>>> but neither worked.
>>>> Could it be because Id attribute in <soapenv:Body> has a namespace
>>>> prefix?
>>>>
>>>> wsu:Id="..."
>>>>
>>>> Is this causing problems?
>>>>
>>>> Davor.
>>>>
>>>> On 10.06.2019 22:51, Davor Perkovac wrote:
>>>>> This requires more parameters to xmlsec1
>>>>>
>>>>> I'm using version 1.2.20 for win32:
>>>>>
>>>>> xmlsec1.exe --version
>>>>> xmlsec1 1.2.20 (openssl)
>>>>>
>>>>> and it results in:
>>>>> xmlsec1.exe --verify
>>>>> --id-attr:Id:http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
>>>>>
>>>>>
>>>>> Example_SOAP_PKI_Echo_1_sent.xml
>>>>> Error: <file> parameter is required for this command
>>>>> Usage: xmlsec <command> [<options>] [<files>]
>>>>>
>>>>> I've pasted again this full/unchanged xml file, so it should be
>>>>> possible
>>>>> for you to try to verify it as well:
>>>>> https://pastebin.com/u7SqZTLB
>>>>>
>>>>> Davor.
>>>>>
>>>>> On 10.06.2019 19:22, Aleksey Sanin wrote:
>>>>>> Try something like this:
>>>>>>
>>>>>> --id-attr:Id:http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Aleksey
>>>>>>
>>>>>> On 6/10/19 9:13 AM, Davor Perkovac wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I assume it should be possible possible to verify and sign SOAP
>>>>>>> message
>>>>>>> using WS-Security standard with xmlsec1 command line tool.
>>>>>>> I see there was already discussion about this or something
>>>>>>> similar -
>>>>>>> referring to Section 3.2 from the FAQ and I was reading it but
>>>>>>> somehow
>>>>>>> failed to apply it to my actual example.
>>>>>>>
>>>>>>> From what I can see the problem is with setting the correct
>>>>>>> --id-attr
>>>>>>> parameter.
>>>>>>>
>>>>>>> Can someone please advise on how to verify (and then later also
>>>>>>> sign)
>>>>>>> wss SOAP XML which looks like the example here:
>>>>>>> https://pastebin.com/5Q3mUtNJ
>>>>>>>
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>> Davor.
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> xmlsec mailing list
>>>>>>> xmlsec at aleksey.com
>>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>>>
>>>>
>>
More information about the xmlsec
mailing list