Hi,
 
I have a SOAP message signed at the client side using the client's private key. The client's public key is passed over the wire to the server.
This certificate is available in the BinarySecurityToken element and is referenced from the SecurityTokenReference of the KeyInfo element (please see the attached file).
 
What is the purpose of providing a crypto file to the WSSecurityEngine.getCertificatesTokenReference(element, crypto) method? What certificates does the crypto file have? Does this mean we should upload the client's keystore (containing the public key) on the server side? If yes, what is the purpose of the public key that comes over the wire? Interop1-draft-06 states that the signature should be verified using the public key passed on the wire.

Regards,
Sathish Kumar T.K.
      <wsse:Security
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            soapenv:mustUnderstand="1">
         <wsse:BinarySecurityToken
               xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
               EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
               ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
               wsu:Id="CertId-9310158">
            cert goes here...
         </wsse:BinarySecurityToken>

         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                          PrefixList="soapenv xsd xsi"></ec:InclusiveNamespaces>
               </ds:CanonicalizationMethod>
               <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
               <ds:Reference URI="#id-30308427">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                PrefixList="xsd xsi"></ec:InclusiveNamespaces>
                     </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                  <ds:DigestValue>UQLNiUqLVV5qA5ljMCFncAbBM+8=</ds:DigestValue>
               </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>signature goes here....</ds:SignatureValue>
            <ds:KeyInfo Id="KeyId-24392121">
               <wsse:SecurityTokenReference
                     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                     wsu:Id="STRId-23894119">
                  <wsse:Reference URI="#CertId-9310158"></wsse:Reference>
               </wsse:SecurityTokenReference>
            </ds:KeyInfo>
         </ds:Signature>

      </wsse:Security>
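An added illustration of the server-side step this question is about, written for this thread and not taken from WSS4J or the original mail: the certificate in the BinarySecurityToken supplies the public key that the ds:Signature is verified with, but the receiver first has to decide whether that certificate is trusted at all, and that is what a server-side keystore of trusted CA certificates is for. The class and method names, the file paths taken from the command line, and the assumption that the trust store holds the issuing CA as a trusted certificate entry are all mine.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.*;
import java.util.Base64;
import java.util.Collections;

/** Hypothetical helper: trust check for an X509v3 token carried in a wsse:BinarySecurityToken. */
public class BstTrustCheck {

    /** Decode the Base64Binary token text (line breaks allowed) into an X.509 certificate. */
    static X509Certificate certFromBst(String base64Der) throws CertificateException {
        byte[] der = Base64.getMimeDecoder().decode(base64Der.trim());
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    /**
     * Validate the sender's certificate against the trusted certificate entries in the
     * server's own keystore (the role the "crypto" keystore plays on the receiving side).
     * Only if the PKIX validation passes is the certificate's public key handed back for
     * verifying the ds:Signature; otherwise CertPathValidatorException is thrown.
     */
    static PublicKey trustedPublicKey(X509Certificate senderCert, String trustStorePath, char[] password)
            throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        // Every trusted certificate entry in the store becomes a PKIX trust anchor.
        PKIXParameters params = new PKIXParameters(trustStore);
        // Assumption: no CRL/OCSP reachable in this offline example; enable this in production.
        params.setRevocationEnabled(false);
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Collections.singletonList(senderCert));
        CertPathValidator.getInstance("PKIX").validate(path, params);
        return senderCert.getPublicKey();
    }

    /** Usage: java BstTrustCheck <file with BST base64 text> <truststore path> <truststore password> */
    public static void main(String[] args) throws Exception {
        String bstText = new String(Files.readAllBytes(Paths.get(args[0])), "US-ASCII");
        X509Certificate cert = certFromBst(bstText);
        PublicKey key = trustedPublicKey(cert, args[1], args[2].toCharArray());
        System.out.println("Trusted sender: " + cert.getSubjectX500Principal() + ", key alg " + key.getAlgorithm());
    }
}
```

A certificate that decodes fine and whose signature verifies the message is still rejected here unless it chains to an entry in the server's trust store, which is why the on-wire certificate and the server-side keystore serve different purposes.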
