signing the Binary Security Token (BST)

Tue, 09 Oct 2007 05:04:51 -0700 

Hi, 

I'm using CXF and WSS4J to develop consumers and providers that exchange
signed soap messages. 
Signing the body and timestamp elements works just fine. However, I also
need to sign the x509 certificate that is included in the security
header (using the direct reference strategy). 

Below I've outlined the structure of the soap message that I would like
to produce. 

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope ...>
        <soapenv:Header>
                <wsse:Security xmlns:wsse="..."
soapenv:mustUnderstand="1">
                        <wsse:BinarySecurityToken ...
wsu:Id="CertId-24950043">
                                MIIE...<!--an x509v3 certificate-->
                        </wsse:BinarySecurityToken>
                
                        <ds:Signature>
                                <ds:SignedInfo>
                                        <ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-excc14n#";>
                                        </ds:CanonicalizationMethod>
                                        <ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsasha1";>
                                        </ds:SignatureMethod>
                                        <ds:Reference
URI="#id-10168913"> <!--reference to body. Works OK!-->
                                        ...
                                        </ds:Reference>
                                        <ds:Reference
URI="#Timestamp-30487154"> <!--reference to timestamp. Works OK!-->
                                        ...     
                                        </ds:Reference>
                                        <ds:Reference
URI="#CertId-24950043"> <!-- Reference to certificate. This is the
reference I want to generate-->
                                        </ds:Reference>
                                </ds:SignedInfo>
                                <ds:SignatureValue>
                                        MkA...
                                </ds:SignatureValue>
                                <ds:KeyInfo Id="KeyId-19714461">
                                        <wsse:SecurityTokenReference...>
                                                <wsse:Reference
URI="#CertId-24950043" ...></wsse:Reference>
                                        </wsse:SecurityTokenReference>
                                </ds:KeyInfo>
                        </ds:Signature>
                        <wsu:Timestamp...>
        
<wsu:Created>2007-09-11T12:49:35.499Z</wsu:Created>
        
<wsu:Expires>2007-09-11T12:54:35.499Z</wsu:Expires>
                        </wsu:Timestamp>
                </wsse:Security>
        </soapenv:Header>
        <soapenv:Body ... wsu:Id="id-10168913">
        ...
        </soapenv:Body>
</soapenv:Envelope>

I've tried to get it to work by configuring setting the
org.apache.ws.security.handler.WSHandlerConstants.SIGNATURE_PARTS
property to this value:
"{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-s
ecext-1.0.xsd}BinarySecurityToken",
but it doesn't work.

Has anyone tried to sign the BinarySecurityToken? Any help will be
appreciated!

best regards,
Jakob Bendsen

BEC, Denmark
www.bec.dk

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to