Signing Soap Message

#27301
Posted: 11/22/2013 09:27:42
by marco hagen (Standard support level)
Joined: 11/09/2013
Posts: 33

Hi,

We are evaluating BB XML and managed to create a signature on a SOAP message, but we have 3 questions:

1. We are unable to add the mandatory SecurityTokenReference element in KeyInfo:
Code
</ds:SignatureValue>
   <ds:KeyInfo Id="KI-C02BACE87EBEC29CFA1385031617047155">
      <wsse:SecurityTokenReference wsu:Id="STRC02BAC47156">
         <wsse:Reference URI="#X509-C02BACE87EBEC29CFA1385031617047154" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
      </wsse:SecurityTokenReference>
   </ds:KeyInfo>
</ds:Signature>

In the forum another topic described KeyInfo.Add, but unfortunately this does not work for us. Signer.save(SigNode) complains about CloneNode when we use this:

Code
Dim SecurityTokenReference As New TElXMLDOMDocument
SecurityTokenReference.CreateElementNS("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "SecurityTokenReference")
Dim KeyInfoNode As New TElXMLKeyInfoNode(True)

KeyInfoNode.Value = SecurityTokenReference
Signer.Signature.KeyInfo.Add(KeyInfoNode)


2. We see that <ec:InclusiveNamespaces .... has an ec namespace prefix in front of it; can we get rid of that? We need it to be like this:
Code
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
  <InclusiveNamespaces PrefixList="cor mod" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>


3. Further, we do see there are TElXMLSOAPSignatureHandler classes and TElXMLWSSEBinarySecurityToken, but there's no info or examples in the help file or forum, so we are curious whether this would help us. The BASICSoapSignatureHandler produces a signature, but it is also not exactly as we need it.

Many thanks,
Marco
#27302
Posted: 11/22/2013 12:47:27
by Dmytro Bogatskyy (EldoS Corp.)

Thank you for contacting us.

Quote
1. We are unable to add the mandatory SecurityTokenReference element in KeyInfo:

The latest versions have a TElXMLWSSESecurityTokenReference class in the SBXMLWSSCore namespace/unit that you can use to add a SecurityTokenReference element to the KeyInfo element.
For example:
Code
Signer.GenerateSignature();
//...
TElXMLWSSESecurityTokenReference tokenRef = new TElXMLWSSESecurityTokenReference();
tokenRef.ReferenceType = SBXMLWSSCore.Unit.wsrtReference;
tokenRef.Reference.URI = "#X509...";
tokenRef.Reference.ValueType = SBXMLDefs.Unit.xmlWSSBinaryTokenX509v3;
Signer.Signature.KeyInfo.Add(tokenRef);

But I suggest using the SOAP components directly.
Quote
2. We see <ec:InclusiveNamespaces .... have a ec namespace in from of it, can we get rid of that?

There is no property for this at the moment. It could be changed using an OnFormatElement event handler, but it might be complicated.
I think we can add an additional property for this in the next build.
Quote

3. Further we do see there are TElXMLSOAPSignatureHandler classes and TElXMLWSSEBinarySecurityToken but there's no info or examples in the helpfile or forum so we are curious if this would help us. The BASICSoapSignatureHandler produces a signature but it is also not exactly as we need it.

Please check Samples\C#\XMLBlackbox\SecureSOAP sample.
#27303
Posted: 11/22/2013 13:36:10
by marco hagen (Standard support level)
Joined: 11/09/2013
Posts: 33

First of all thanks for the quick reply !!

Quote

Please check Samples\C#\XMLBlackbox\SecureSOAP sample.


Excellent (I've never looked outside the vb.net examples).....

Now I only need to add a Signature ID and a KeyInfo ID, then convert/import all of it into my vb.net project, but I've got a whole weekend to do so ;-)

Quote

I think, we can add additional property for this for the next build.


That would be awesome, but of course we are in a hurry... The OnFormatElement event would require a whole new xmldoc with cloning, since changing node names is not possible, right? Hmm, it looks like our last obstacle; I wonder how often you deliver builds ;-)

Thanks again,
Marco
#27304
Posted: 11/22/2013 15:13:46
by Dmytro Bogatskyy (EldoS Corp.)

Quote
Now I only need to add a Signature ID and a KeyInfo ID.

If you are using the TElXMLSigner class, then call the following code after the GenerateSignature() method. If you decide to use the SOAP components, then place this code in the OnBeforeSign event handler of the signature handler.
Code
Signer.Signature.ID =
Signer.Signature.KeyInfo.ID =


Quote
The onformat element would require a whole new xmldoc with cloning since changing nodenames is not possible right?

Yes, you can't change NodeName. You would need to rebuild this (InclusiveNamespaces) element and replace the existing one. The OnFormatElement event is fired for each element in the signature, so you should filter on it to modify only the specific element.
Quote
Hmm, it looks like our last obstacle; I wonder how often you deliver builds ;-)

Usually a new build is released within a month. But we can't add this feature in the upcoming build (scheduled for this Saturday).
#27305
Posted: 11/22/2013 15:49:14
by marco hagen (Standard support level)
Joined: 11/09/2013
Posts: 33

Thank you, within a month would be perfect ....

One last question about Signature.ID and KeyInfo.ID: I'm using TElXMLWSSSignatureHandler since it nicely adds the BinarySecurityToken; however, I don't seem to be able to find the OnBeforeSign event. Perhaps it's me getting used to the C# code ;-)

Can you please give an example? I assume it goes before the below:

Code
  ((TElXMLWSSSignatureHandler)handler).Sign(Cert, SignatureHandlerFinalOptionsForm.Instance.EmbedCertificate);


FYI: I'm glad we found this product, because in the meantime we have created a nice XML dual-sign enveloping signature application with SBXML which works like a charm :-)

Thanks again,
Marco
#27323
Posted: 11/24/2013 06:41:32
by marco hagen (Standard support level)
Joined: 11/09/2013
Posts: 33

Alright it was me struggling with C#, found it:

Code
    handler.OnBeforeSign += new TSBXMLSOAPSignEvent(handler_OnBeforeSign);


Code
void handler_OnBeforeSign(object Sender, SBXMLSig.TElXMLSigner Signer)
{
    Signer.Signature.ID = "YYYYYYYYY";
    Signer.Signature.KeyInfo.ID = "XXXXXXXXXXXXXXX";
}


So it's just the InclusiveNamespaces left:
Code
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      <InclusiveNamespaces PrefixList="cor mod" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>


Any hints on how to get this tackled?

Cheers,
Marco
#27361
Posted: 11/25/2013 05:24:23
by Dmytro Bogatskyy (EldoS Corp.)

Hello Marco,

Quote
So it's just the InclusiveNamespaces left:
...
Any hints on how to get this tackled?

In OnBeforeSign event handler you need to add:
Code
Signer.OnFormatElement += new TSBXMLFormatElementEvent(FormatElement);

and then implement the OnFormatElement event handler in a similar way:
Code
private void FormatElement(object Sender, TElXMLDOMElement Element, int Level, string Path, ref string StartTagWhitespace, ref string EndTagWhitespace)
{
    // Only the InclusiveNamespaces element should be touched; the event fires for every element in the signature.
    if (Element.LocalName == "InclusiveNamespaces")
    {
        Element.RemoveAttribute("xmlns:ec");
        Element.SetAttributeNS("", "xmlns", Element.NamespaceURI);
    }
}
#27376
Posted: 11/25/2013 12:06:28
by marco hagen (Standard support level)
Joined: 11/09/2013
Posts: 33

Great, that works beautifully but sorry I got one last question.

How can I change the Transform when using the TElXMLWSSSignatureHandler? When I add a new one in OnBeforeSign, I get the Transforms element twice.


Many thanks for your help....
Marco

Code
TElXMLC14NTransform C14N = new TElXMLC14NTransform();
C14N.CanonicalizationMethod = SBXMLDefs.Unit.xcmExclCanon;
C14N.InclusiveNamespacesPrefixList = "cor mod";
#27377
Posted: 11/25/2013 15:10:59
by Dmytro Bogatskyy (EldoS Corp.)

Quote
How can I change the Transform when using the TElXMLWSSSignatureHandler?

By default the AddReference method of the TElXMLWSSSignatureHandler class creates a reference with an exclusive canonicalization transform. To modify the existing transform you would need:
Code
TElXMLC14NTransform C14N = handler.get_References(index).TransformChain.get_Transforms(0) as TElXMLC14NTransform;
C14N.InclusiveNamespacesPrefixList = "cor mod";
#27379
Posted: 11/25/2013 17:12:52
by marco hagen (Standard support level)
Joined: 11/09/2013
Posts: 33

Thanks....

Very nice, some minor adjustments made since C14N is protected.

Code
TElXMLC14NTransform TRANS = handler.References.get_Reference(0).TransformChain.get_Transforms(0) as TElXMLC14NTransform;
TRANS.CanonicalizationMethod = SBXMLDefs.Unit.xcmExclCanon;
TRANS.InclusiveNamespacesPrefixList = "cor mod";


Looks like there's also a connection between KeyInfo Id and wsse:Reference URI id but will look at that tomorrow.

Many thanks again,
Marco
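An added structural check for the envelope this thread builds (example code, not from the thread or from SecureBlackbox); it verifies the KeyInfo -> wsse:SecurityTokenReference -> wsse:BinarySecurityToken linkage that the last post and the first question concern, where per the WS-Security X.509 token profile the wsse:Reference URI must resolve to the token's wsu:Id, and reads the exc-c14n InclusiveNamespaces PrefixList namespace-aware, so the "ec:"-prefixed form and the default-xmlns form from the OnFormatElement discussion are treated as the same element. The sample envelope is constructed with placeholder token and ID values.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

# Constructed skeleton of a signed SOAP header (placeholder token/ID values, no real signature bytes).
SAMPLE = f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="{WSU}">
<soap:Header><wsse:Security xmlns:wsse="{WSSE}">
<wsse:BinarySecurityToken wsu:Id="X509-1" ValueType="{X509V3}">MIIB...</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="{DS}" Id="SIG-1"><ds:SignedInfo><ds:Reference URI="#body"><ds:Transforms>
<ds:Transform Algorithm="{EXC_C14N}"><InclusiveNamespaces PrefixList="cor mod" xmlns="{EXC_C14N}"/></ds:Transform>
</ds:Transforms></ds:Reference></ds:SignedInfo>
<ds:KeyInfo Id="KI-1"><wsse:SecurityTokenReference>
<wsse:Reference URI="#X509-1" ValueType="{X509V3}"/></wsse:SecurityTokenReference></ds:KeyInfo>
</ds:Signature></wsse:Security></soap:Header><soap:Body wsu:Id="body"/></soap:Envelope>"""


def check_str_linkage(envelope_xml):
    """Return problems found in the KeyInfo -> SecurityTokenReference -> BinarySecurityToken chain."""
    root = ET.fromstring(envelope_xml)
    tokens = {t.get(f"{{{WSU}}}Id"): t for t in root.iter(f"{{{WSSE}}}BinarySecurityToken")}
    problems = []
    for ki in root.iter(f"{{{DS}}}KeyInfo"):
        ref = ki.find(f"{{{WSSE}}}SecurityTokenReference/{{{WSSE}}}Reference")
        if ref is None:
            problems.append("KeyInfo has no wsse:SecurityTokenReference/wsse:Reference")
            continue
        uri = ref.get("URI", "")
        if not uri.startswith("#") or uri[1:] not in tokens:
            problems.append(f"STR Reference URI {uri!r} does not resolve to a BinarySecurityToken wsu:Id")
        elif ref.get("ValueType") != tokens[uri[1:]].get("ValueType"):
            problems.append("STR Reference ValueType differs from the referenced token's ValueType")
    return problems


def inclusive_prefix_lists(envelope_xml):
    """PrefixList of each exc-c14n Transform; the element is matched by namespace, so the
    'ec:'-prefixed and default-xmlns spellings compare equal."""
    root = ET.fromstring(envelope_xml)
    result = []
    for tr in root.iter(f"{{{DS}}}Transform"):
        if tr.get("Algorithm") == EXC_C14N:
            inc = tr.find(f"{{{EXC_C14N}}}InclusiveNamespaces")
            result.append(inc.get("PrefixList", "").split() if inc is not None else [])
    return result
```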