EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Token Type #X509PKIPathv1

#31867
Posted: 01/12/2015 06:57:37
by Ralf Leidenberger (Standard support level)
Joined: 01/12/2015
Posts: 8

Hello,
I'm developing with Delphi XE5 and I need help!
The header of my request must contain:
Code
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="X509-...">MIIC1.........=</wsse:BinarySecurityToken>

Is there a Signature component that supports this token type #X509PKIPathv1?
Can you give me an example in Delphi?
Many thanks in advance!
Ralf
#31868
Posted: 01/12/2015 07:56:34
by Dmytro Bogatskyy (EldoS Corp.)

Thank you for contacting us.

First, please check the Samples\VCL\XMLBlackbox\Desktop\SecureSOAP sample. It allows you to create a WS-Security digital signature and place the signer certificate in a BinarySecurityToken (use "WSS Signature Handler" in the signature options and "In Binary Security Token" for the embed-certificate option).
Unfortunately, the #X509PKIPathv1 token type is not supported at the moment; the sample above uses the #X509v3 token type. However, it is possible to change the binary security token to match your requirements. To do this you need to handle the OnBeforeSign event and modify the BinarySecurityToken properties, for example:
Code
// Hook the WSS signature handler; the event fires before the signature is generated
TElXMLWSSSignatureHandler(Handler).OnBeforeSign := DoBeforeSign;
...
procedure TfrmMain.DoBeforeSign(Sender: TObject; Signer : TElXMLSigner);
var
  Header : TElXMLWSSESecurity;
  BinToken : TElXMLWSSEBinarySecurityToken;
  i : Integer;
begin
  Header := TElXMLWSSSignatureHandler(Sender).SecurityHeader;
  // Find the BinarySecurityToken the handler created and replace its
  // type and value with the X509PKIPathv1 token you need
  for i := 0 to Header.TokenCount - 1 do
    if Header.Tokens[i] is TElXMLWSSEBinarySecurityToken then
    begin
      BinToken := TElXMLWSSEBinarySecurityToken(Header.Tokens[i]);
      BinToken.ValueType := '#X509PKIPathv1';
      BinToken.Data := 'MIIC1...'; // the token value from your request (elided here)
    end;
end;
#31869
Posted: 01/12/2015 08:30:14
by Ralf Leidenberger (Standard support level)
Joined: 01/12/2015
Posts: 8

Dear Dmytro Bogatskyy
Thanks, I'll try it.
Have a nice day
Ralf
#31870
Posted: 01/12/2015 12:06:25
by Ralf Leidenberger (Standard support level)
Joined: 01/12/2015
Posts: 8

...
OK, that works!
The BinarySecurityToken now looks right:
Code
<wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="id-..." xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIIC1.........=</wsse:BinarySecurityToken>

But the Signature KeyInfo is still wrong: the ValueType is #X509v3, and thus the X509Certificate is also wrong:
Code
<ds:KeyInfo>.........<wsse:SecurityTokenReference .........><wsse:Reference URI="#id-..." ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference><ds:X509Data><ds:X509Certificate>MIIC0.........==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>

Is there a similar procedure?
Please give me another example in Delphi!
Greetings
Ralf
#31871
Posted: 01/12/2015 12:51:19
by Dmytro Bogatskyy (EldoS Corp.)

Hello,
Quote
But the Signature KeyInfo is still wrong: the ValueType is #X509v3, and thus the X509Certificate is also wrong:
Is there a similar procedure?

Yes, please add the following code to the OnBeforeSign event handler:
Code
  // Make the SecurityTokenReference in ds:KeyInfo use the same ValueType
  // as the BinarySecurityToken it points to (i is the loop variable declared above)
  for i := 0 to Signer.Signature.KeyInfo.Count - 1 do
    if Signer.Signature.KeyInfo[i] is TElXMLWSSESecurityTokenReference then
    begin
      TElXMLWSSESecurityTokenReference(Signer.Signature.KeyInfo[i]).Reference.ValueType := '#X509PKIPathv1';
    end;
#31875
Posted: 01/13/2015 03:59:52
by Ralf Leidenberger (Standard support level)
Joined: 01/12/2015
Posts: 8

Wonderful, thank you!
Now I am testing the AdvancedSigner sample and I have a similar problem.
Here there is a Signer and no handler:
Code
var
  Signer : TElXMLSigner;

And here is the function:
Code
Signer.GenerateSignature;

How can I set the token type #X509PKIPathv1 and the X509Certificate here?
This is incorrect:
Code
<ds:X509Data>.........<ds:X509Certificate>MIIC0.........==</ds:X509Certificate></ds:X509Data>

It must be:
Code
<ds:X509Data>.........<ds:X509Certificate>MIIC1.........=</ds:X509Certificate></ds:X509Data>

Please give me another example in Delphi!
So many thanks
Ralf
#31877
Posted: 01/13/2015 04:58:33
by Dmytro Bogatskyy (EldoS Corp.)

Hello,

Quote
How can I set the token type #X509PKIPathv1 and the X509Certificate here?

This token type cannot be used in an XML-DSig signature. From the XML-DSig specification:
Quote

The X509Certificate element, which contains a base64-encoded [X509v3] certificate

Do you have some other standard that uses #X509PKIPathv1 for the X509Certificate element?

P.S. You can change the binary data for the certificate in the OnFormatText event handler, but it is not recommended (please see the AdvancedSigner sample for an OnFormatText event handler implementation; it is mainly used to format text).
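As an added example (Python, standard library only; not code from this thread or from SecureBlackbox), here is what the two token types carry on the wire, together with the consistency check the exchange in posts #31868 and #31871 turned on (the wsse:Reference ValueType in ds:KeyInfo must match the BinarySecurityToken it points to) and the point made in the post above that ds:X509Certificate takes exactly one X509v3 certificate. An X509PKIPathv1 token is the base64 of a DER SEQUENCE OF Certificate, which is why its base64 text starts differently from that of a single certificate. The two "certificate" blobs in the code are constructed placeholders, not real certificates, and the full ValueType URIs are spelled out rather than the '#X509PKIPathv1' shorthand the library expands.

```python
"""WS-Security X.509 tokens: X509v3 (one cert) vs X509PKIPathv1 (SEQUENCE OF Certificate).
Added example for this thread, not code from the thread or from SecureBlackbox.
END_ENTITY and ISSUER are CONSTRUCTED DER SEQUENCE blobs standing in for real certificates."""
import base64
import re

X509_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
X509V3 = X509_PROFILE + "#X509v3"
X509PKIPATHV1 = X509_PROFILE + "#X509PKIPathv1"
BASE64BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                "oasis-200401-wss-soap-message-security-1.0#Base64Binary")


def der_length(n):
    """DER length octets: short form below 128, long form (0x80|N, then N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_sequence(content):
    return b"\x30" + der_length(len(content)) + content


def der_read_tlv(buf, pos):
    """Return (tag, value_start, end) for the TLV at pos; rejects truncated input."""
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        if not 1 <= nbytes <= 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos], pos + hdr, end


def build_pki_path(certs):
    """X509PKIPathv1 payload: the DER certificates concatenated inside one outer SEQUENCE."""
    return der_sequence(b"".join(certs))


def split_pki_path(pki_path):
    """Inverse of build_pki_path; every element must itself be a certificate SEQUENCE."""
    tag, pos, end = der_read_tlv(pki_path, 0)
    if tag != 0x30 or end != len(pki_path):
        raise ValueError("PKIPath is not exactly one DER SEQUENCE")
    certs = []
    while pos < end:
        tag, _, nxt = der_read_tlv(pki_path, pos)
        if tag != 0x30:
            raise ValueError("PKIPath element is not a Certificate SEQUENCE")
        certs.append(pki_path[pos:nxt])
        pos = nxt
    return certs


def binary_security_token(payload, value_type, token_id):
    """wsse:BinarySecurityToken carrying base64(payload) with the given ValueType URI."""
    return ('<wsse:BinarySecurityToken EncodingType="%s" ValueType="%s" wsu:Id="%s">%s'
            '</wsse:BinarySecurityToken>'
            % (BASE64BINARY, value_type, token_id, base64.b64encode(payload).decode()))


def security_token_reference(token_id, value_type):
    """ds:KeyInfo content: wsse:Reference to the token; its ValueType must match the token."""
    return ('<wsse:SecurityTokenReference><wsse:Reference URI="#%s" ValueType="%s"/>'
            '</wsse:SecurityTokenReference>' % (token_id, value_type))


def x509_certificate_element(cert):
    """ds:X509Certificate holds exactly one X509v3 certificate (XML-DSig), never a path."""
    return ("<ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>"
            % base64.b64encode(cert).decode())


def check_header(bst_xml, str_xml):
    """Problems a receiver would reject the header for (empty list = consistent)."""
    def attr(name, xml):
        return re.search(r'%s="([^"]+)"' % name, xml).group(1)
    problems = []
    bst_vt, ref_vt = attr("ValueType", bst_xml), attr("ValueType", str_xml)
    bst_id, ref_uri = attr("wsu:Id", bst_xml), attr("URI", str_xml)
    payload = base64.b64decode(re.search(r">([^<]*)</wsse:BinarySecurityToken", bst_xml).group(1))
    if ref_vt != bst_vt:
        problems.append("Reference ValueType %s does not match token ValueType %s" % (ref_vt, bst_vt))
    if ref_uri != "#" + bst_id:
        problems.append("Reference URI %s does not point at token wsu:Id %s" % (ref_uri, bst_id))
    if bst_vt == X509PKIPATHV1:
        try:
            split_pki_path(payload)
        except ValueError as err:
            problems.append("PKIPath payload: %s" % err)
    return problems


# Constructed stand-ins for DER certificates (a real certificate is also an outer SEQUENCE).
END_ENTITY = der_sequence(b"end-entity certificate placeholder" * 5)  # exercises long-form length
ISSUER = der_sequence(b"issuer certificate placeholder")              # short-form length

if __name__ == "__main__":
    path = build_pki_path([END_ENTITY, ISSUER])
    bst = binary_security_token(path, X509PKIPATHV1, "X509-1")
    print(bst)
    print("consistent:", check_header(bst, security_token_reference("X509-1", X509PKIPATHV1)))
    print("mismatch  :", check_header(bst, security_token_reference("X509-1", X509V3)))
```

The second check_header call reproduces the state the thread was in after post #31868: the token already says X509PKIPathv1 while the wsse:Reference still says X509v3. The example deliberately does not reorder certificates inside the path; put them in the order the receiving side expects.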
#31884
Posted: 01/13/2015 06:45:06
by Ralf Leidenberger (Standard support level)
Joined: 01/12/2015
Posts: 8

I think I need to change the binary data before I call GenerateSignature, but OnFormatText is called after GenerateSignature.
Do you have an idea?
So many thanks!
Ralf
#31886
Posted: 01/13/2015 07:12:16
by Dmytro Bogatskyy (EldoS Corp.)

Hello,
Quote
I think I need to change the binary data before I call GenerateSignature, but OnFormatText is called after GenerateSignature.
Do you have an idea?

The GenerateSignature() method generates the signature structure (DOM-like), but it doesn't save it to the XML tree or perform the signing. So the modification in the OnFormatText event handler will not corrupt the signature.
#31890
Posted: 01/13/2015 08:46:40
by Ralf Leidenberger (Standard support level)
Joined: 01/12/2015
Posts: 8

Dear Dmytro Bogatskyy,
My concrete problem:
I have a Java keystore and an XML request generated from a WSDL file.
In SoapUI everything works perfectly.
If I pass exactly this SoapUI request to an HttpRio component, everything still works.
But as soon as I want to construct the header without SoapUI, I get a wrong BinarySecurityToken and a wrong SignatureValue.
But I think the problem is the token type.
What do you think?
Excuse my bad English, but my German is almost perfect ;-)
Thanks!
Ralf
As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.