robrichards/xmlseclibs

Derived Keys + 2. Signature Problem

Closed this issue · 3 comments

Hello!

I know that you maintain this wonderful xmlseclib library which I am currently using.

And I have a question about it; maybe you could help me with finding a proper solution.

Here is a problem:

This is the WS-POLICY for the service:

<wsp:Policy wsu:Id="CustomBinding_IServiceCustomer_policy">
<wsp:ExactlyOne>
  <wsp:All>
    <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <sp:ProtectionToken>
          <wsp:Policy>
            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
              <wsp:Policy>
                <sp:RequireDerivedKeys/>
                <sp:RequireThumbprintReference/>
                <sp:WssX509V3Token10/>
              </wsp:Policy>
            </sp:X509Token>
          </wsp:Policy>
        </sp:ProtectionToken>
        <sp:AlgorithmSuite>
          <wsp:Policy>
            <sp:Basic128Rsa15/>
          </wsp:Policy>
        </sp:AlgorithmSuite>
        <sp:Layout>
          <wsp:Policy>
            <sp:Strict/>
          </wsp:Policy>
        </sp:Layout>
        <sp:IncludeTimestamp/>
        <sp:OnlySignEntireHeadersAndBody/>
      </wsp:Policy>
    </sp:SymmetricBinding>
    <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
          <wsp:Policy>
            <sp:RequireThumbprintReference/>
            <sp:WssX509V3Token10/>
          </wsp:Policy>
        </sp:X509Token>
      </wsp:Policy>
    </sp:EndorsingSupportingTokens>
    <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <sp:MustSupportRefThumbprint/>
        <sp:MustSupportRefEncryptedKey/>
        <sp:RequireSignatureConfirmation/>
      </wsp:Policy>
    </sp:Wss11>
    <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <sp:MustSupportIssuedTokens/>
        <sp:RequireClientEntropy/>
        <sp:RequireServerEntropy/>
      </wsp:Policy>
    </sp:Trust10>
    <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <sp:TransportToken>
          <wsp:Policy>
            <sp:HttpsToken RequireClientCertificate="false"/>
          </wsp:Policy>
        </sp:TransportToken>
        <sp:AlgorithmSuite>
          <wsp:Policy>
            <sp:Basic256/>
          </wsp:Policy>
        </sp:AlgorithmSuite>
        <sp:Layout>
          <wsp:Policy>
            <sp:Strict/>
          </wsp:Policy>
        </sp:Layout>
        <sp:IncludeTimestamp/>
      </wsp:Policy>
    </sp:TransportBinding>
    <wsaw:UsingAddressing/>
  </wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>

The problem is the following:

  1. According to POLICY (RequireDerivedKeys), user needs 2 DerivedKeyTokens (one for signing, other for encrypting).
    And soap-wsse.php, unfortunately, lacks this functionality.
    Therefore I added my own functions to cover that.
    To create keys, I use following p-sha1 function: http://stackoverflow.com/questions/19590675/implementation-of-p-sha1-algorithm-in-php
  2. According to POLICY (EndorsingSupportingTokens), we need to sign already created signature.
    This implementation is also missing in soap-wsse.php.
    I created my own function for that, but I'm not sure if it works correctly.

As a result, I receive the following response after I send the generated XML:

CryptographicException: Unable to resolve the '#...' URI in the signature to compute the digest.

Can you please help me with those tokens? Do you find it reasonable to add such support for DerivedKeyToken into your class?

Thank you!
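The two pieces the issue says soap-wsse.php lacks are (1) the P_SHA1 key derivation behind wsc:DerivedKeyToken and (2) an endorsing signature whose ds:Reference points at the primary signature, which is exactly where the "Unable to resolve the '#...' URI" error comes from: the receiver cannot find an element whose Id matches the Reference URI. The following is an added example written for this page, in Python rather than the library's PHP; it is not code from xmlseclibs, wse-php or the linked gist. It implements P_SHA1 as defined in RFC 2246 and used by WS-SecureConversation (derived key = P_SHA1(secret, label || nonce) sliced at offset/length), and a small checker that parses an envelope and reports every ds:Reference URI with no matching Id or wsu:Id. Assumptions: the nonce is the raw bytes that appear base64-encoded in wsc:Nonce, the label is the WS-SecureConversation default, the 16-byte key length follows from the policy's Basic128 suite (128-bit keys), and the sample envelope is constructed here for illustration.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Default wsc:Label from WS-SecureConversation; the policy above does not override it.
DEFAULT_LABEL = b"WS-SecureConversation"


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 expansion (RFC 2246 section 5), as used by WS-SecureConversation.

    A(0) = seed, A(i) = HMAC_SHA1(secret, A(i-1))
    P_SHA1 = HMAC_SHA1(secret, A(1) || seed) || HMAC_SHA1(secret, A(2) || seed) || ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()          # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()  # next 20-byte chunk
    return out[:length]


def derive_key(secret: bytes, nonce: bytes, offset: int, length: int,
               label: bytes = DEFAULT_LABEL) -> bytes:
    """Key bytes for one wsc:DerivedKeyToken: P_SHA1(secret, label || nonce)[offset:offset+length].

    `nonce` is the raw value that is base64-encoded in wsc:Nonce (assumption: raw bytes,
    not the base64 text); `offset` and `length` are wsc:Offset / wsc:Length in bytes.
    """
    stream = p_sha1(secret, label + nonce, offset + length)
    return stream[offset:offset + length]


def derive_token_keys(secret: bytes, sig_nonce: bytes, enc_nonce: bytes,
                      key_len: int = 16) -> dict:
    """One key per DerivedKeyToken. A fresh nonce per token gives independent signing and
    encryption keys; key_len=16 is the 128-bit key size of the Basic128 suite (assumption)."""
    return {
        "signing": derive_key(secret, sig_nonce, 0, key_len),
        "encryption": derive_key(secret, enc_nonce, 0, key_len),
    }


def unresolved_reference_uris(envelope_xml: str) -> list:
    """Return every ds:Reference URI that does not point at an Id/wsu:Id in the envelope.

    Any attribute whose local name is "Id" counts, so both wsu:Id on Body/Timestamp and
    the plain Id attribute on ds:Signature are accepted. URIs that are not of the form
    "#id" are reported as well, since WS-Security references parts by Id.
    """
    root = ET.fromstring(envelope_xml)
    ids = set()
    for el in root.iter():
        for attr, value in el.attrib.items():
            if attr.rsplit("}", 1)[-1] == "Id":
                ids.add(value)
    missing = []
    for ref in root.iter(f"{{{DS_NS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#") or uri[1:] not in ids:
            missing.append(uri)
    return missing


def sample_envelope(endorsing_uri: str) -> str:
    """Constructed envelope: primary signature SIG-1 over Timestamp and Body, plus an
    endorsing signature SIG-2 whose single Reference URI is supplied by the caller."""
    return """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <s:Header>
    <wsse:Security>
      <wsu:Timestamp wsu:Id="TS-1"/>
      <ds:Signature Id="SIG-1">
        <ds:SignedInfo>
          <ds:Reference URI="#TS-1"/>
          <ds:Reference URI="#BODY-1"/>
        </ds:SignedInfo>
      </ds:Signature>
      <ds:Signature Id="SIG-2">
        <ds:SignedInfo>
          <ds:Reference URI="%s"/>
        </ds:SignedInfo>
      </ds:Signature>
    </wsse:Security>
  </s:Header>
  <s:Body wsu:Id="BODY-1"/>
</s:Envelope>""" % endorsing_uri


if __name__ == "__main__":
    secret = os.urandom(32)  # stands in for the negotiated/encrypted-key secret
    keys = derive_token_keys(secret, os.urandom(16), os.urandom(16))
    print({k: v.hex() for k, v in keys.items()})
    print("ok:", unresolved_reference_uris(sample_envelope("#SIG-1")))
    print("broken:", unresolved_reference_uris(sample_envelope("#SIG-missing")))
```

The checker only verifies that some element carries the referenced Id; a receiver may additionally insist that the primary ds:Signature carries its Id attribute before the endorsing signature is computed, so the Id must be added first and the endorsing Reference URI must be "#" followed by exactly that value.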

Can you send me the code you added as well as the full code from your example so I can see why you might be getting that error. I have been meaning to add support for derived keys but haven't had the time, so whatever code you might have would be helpful.

Can you please have a look at my code: https://gist.github.com/griga3k/14234656f1ff1c2d8dd8 .
I marked the sections that were modified by me as "ADDED BY ME",
and there is also the test code that I run.
Thank you!

Marking this as resolved here as I did add an option for specifying which signature to pull. Will handle the remaining over in the wse-php issues:
robrichards/wse-php#9