[xmlsec] WS-Security SOAP signing using xmlsec1

Aleksey Sanin aleksey at aleksey.com
Tue Jun 11 12:52:31 PDT 2019


You can extract the certificate manually and pass it to xmlsec
for verification. Or you can add support for a custom KeyInfo element.
Both are possible, but not through the xmlsec1 command line utility.

Aleksey

On 6/11/19 11:08 AM, Davor Perkovac wrote:
> I see.
> Are you aware of other options available to sign/verify SOAP XML file
> like this one?
> Would xmlsec need to be extended somehow, or could it still be used if
> an appropriate template file is prepared for it?
> 
> Thanks!
> 
> Davor.
> 
> On 11.06.2019 19:56, Aleksey Sanin wrote:
>> Well, another thing that you have is wsse:SecurityTokenReference
>> extension for the certificate. It is not supported by xmlsec
>> directly.
>>
>> Aleksey
>>
>> On 6/11/19 4:51 AM, Davor Perkovac wrote:
>>> I tried many different combinations similar to the one you suggested,
>>> but none worked.
>>> Could it be because Id attribute in <soapenv:Body> has a namespace
>>> prefix?
>>>
>>> wsu:Id="..."
>>>
>>> Is this causing problems?
>>>
>>> Davor.
>>>
>>> On 10.06.2019 22:51, Davor Perkovac wrote:
>>>> This requires more parameters to xmlsec1
>>>>
>>>> I'm using version 1.2.20 for win32:
>>>>
>>>> xmlsec1.exe --version
>>>> xmlsec1 1.2.20 (openssl)
>>>>
>>>> and it results in:
>>>> xmlsec1.exe --verify
>>>> --id-attr:Id:http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
>>>>
>>>> Example_SOAP_PKI_Echo_1_sent.xml
>>>> Error: <file> parameter is required for this command
>>>> Usage: xmlsec <command> [<options>] [<files>]
>>>>
>>>> I've pasted again this full/unchanged xml file, so it should be possible
>>>> for you to try to verify it as well:
>>>> https://pastebin.com/u7SqZTLB
>>>>
>>>> Davor.
>>>>
>>>> On 10.06.2019 19:22, Aleksey Sanin wrote:
>>>>> Try something like this:
>>>>>
>>>>> --id-attr:Id:http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
>>>>>
>>>>>
>>>>>
>>>>> Aleksey
>>>>>
>>>>> On 6/10/19 9:13 AM, Davor Perkovac wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I assume it should be possible to verify and sign SOAP message
>>>>>> using WS-Security standard with xmlsec1 command line tool.
>>>>>> I see there was already discussion about this or something similar -
>>>>>> referring to Section 3.2 from the FAQ and I was reading it but somehow
>>>>>> failed to apply it to my actual example.
>>>>>>
>>>>>> From what I can see the problem is with setting the correct --id-attr
>>>>>> parameter.
>>>>>>
>>>>>> Can someone please advise on how to verify (and then later also sign)
>>>>>> wss SOAP XML which looks like the example here:
>>>>>> https://pastebin.com/5Q3mUtNJ
>>>>>>
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> Davor.
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> xmlsec mailing list
>>>>>> xmlsec at aleksey.com
>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>>
>>>
> 
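
The manual extraction step mentioned in the reply at the top of this thread, as an added example that is not part of the original thread or of xmlsec. It assumes the message carries the signer's certificate in a wsse:BinarySecurityToken that ds:KeyInfo points to through wsse:SecurityTokenReference/wsse:Reference (the pastebin content is not shown here); the function name and the sample message are constructed.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

def extract_signer_cert_pem(soap_xml: str) -> str:
    """Return the certificate referenced by the signature's KeyInfo, as PEM (hypothetical helper)."""
    if "<!DOCTYPE" in soap_xml:          # SOAP messages must not carry a DTD
        raise ValueError("DTD not allowed in SOAP message")
    root = ET.fromstring(soap_xml)
    ref = root.find(".//ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    if ref is None or not ref.get("URI", "").startswith("#"):
        raise ValueError("no same-document wsse:Reference in KeyInfo")
    token_id = ref.get("URI")[1:]
    # The token is located by its namespace-qualified wsu:Id, not a bare Id.
    tokens = [t for t in root.iter("{%s}BinarySecurityToken" % NS["wsse"])
              if t.get("{%s}Id" % WSU) == token_id]
    if len(tokens) != 1:                 # duplicate ids make the reference ambiguous
        raise ValueError("expected exactly one token with wsu:Id=%r" % token_id)
    token = tokens[0]
    if token.get("ValueType") != X509V3:
        raise ValueError("token is not an X509v3 certificate")
    der = base64.b64decode("".join((token.text or "").split()), validate=True)
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

# Constructed sample: placeholder bytes, not a real certificate or a real message.
SAMPLE_DER = bytes(range(90))
SAMPLE_SOAP = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s"><soapenv:Header><wsse:Security>
<wsse:BinarySecurityToken wsu:Id="X509-1" ValueType="%s">%s</wsse:BinarySecurityToken>
<ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference>
<wsse:Reference URI="#X509-1"/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
</wsse:Security></soapenv:Header><soapenv:Body wsu:Id="id-1"/></soapenv:Envelope>""" % (
    NS["wsse"], WSU, NS["ds"], X509V3, base64.b64encode(SAMPLE_DER).decode())

if __name__ == "__main__":
    print(extract_signer_cert_pem(SAMPLE_SOAP))
```

A certificate taken from the message is only a claim by the sender: validate it against your own trust anchors before accepting a signature made with it.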

