evilSteve
11 years ago · New Contributor
Encrypt the sign and the body
Hi,
I have a problem with the encryption of both the signature and the body of a SOAP message.
What I want to do is:
- include a timestamp
- sign all headers along with the timestamp
- encrypt the signature
- encrypt the body
But I'm stuck with an error.
The other examples (Username Token only, Timestamp+Signature, Timestamp+Signature+Encrypt) work fine.
I use SoapUI 5.0, and I've configured it with this Outgoing WS-Security Config:
- Timestamp (Time To Live = 60)
- Signature (Keystore = client.keystore, Alias = client)
- Encryption (Keystore = client.keystore, Alias = server)
  Part: Name = Signature, Namespace = http://www.w3.org/2000/09/xmldsig, Encode = element
- Encryption (Keystore = client.keystore, Alias = server)
  Part: Name = Body, Namespace = http://www.w3.org/2003/05/soap-envelope/, Encode = content
There are 2 keystores, client.keystore and server.keystore.
To create the keystores I followed this script:
#!/bin/sh
# Creates two JKS keystores, each holding a self-signed RSA key pair, then
# cross-imports each side's certificate so client and server trust each other.
# *_KeyPass_* is a placeholder for the real key/store password.
set -e
KEYTOOL=$JAVA_HOME/bin/keytool
echo Generating the Server KeyStore in file server.keystore
# The value of CN should be the IP address or host name on which the web application will be deployed. Avoid specifying 'localhost'
$KEYTOOL -genkey -alias tomcat-sv -dname "CN=tomcat-sv, OU=X, O=Y, L=Z, S=XY, C=YZ" -keyalg RSA -keypass *_KeyPass_* -storepass *_KeyPass_* -keystore server.keystore
echo Exporting the certificate from keystore to an external file server.cer
$KEYTOOL -export -alias tomcat-sv -storepass *_KeyPass_* -file server.cer -keystore server.keystore
echo Generating the Client KeyStore in file client.keystore
$KEYTOOL -genkey -alias tomcat-cl -dname "CN=tomcat-cl, OU=X, O=Y, L=Z, S=XY, C=YZ" -keyalg RSA -keypass *_KeyPass_* -storepass *_KeyPass_* -keystore client.keystore
echo Exporting the certificate from keystore to external file client.cer
$KEYTOOL -export -alias tomcat-cl -storepass *_KeyPass_* -file client.cer -keystore client.keystore
# Import the server's public certificate into the client keystore (alias tomcat-sv)
echo metto la chiave pubblica del server nel keystore del client
$KEYTOOL -import -alias tomcat-sv -file server.cer -keystore client.keystore -keypass *_KeyPass_* -storepass *_KeyPass_*
# Import the client's public certificate into the server keystore (alias tomcat-cl)
echo metto la chiave pubblica del client nel keystore del server
$KEYTOOL -import -alias tomcat-cl -file client.cer -keystore server.keystore -keypass *_KeyPass_* -storepass *_KeyPass_*
This is the reply from the web service:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <soapenv:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <faultcode>wsse:InvalidSecurity</faultcode>
      <faultstring>Expected encrypted part missing</faultstring>
      <detail/>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>
If I change the namespace of the Body part to "http://schemas.xmlsoap.org/soap/envelope/" then I get:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <soapenv:Fault xmlns:axis2ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <faultcode>axis2ns2:FailedCheck</faultcode>
      <faultstring>The signature or decryption was invalid</faultstring>
      <detail/>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>
This is my request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wam="http://wam.evil.it">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <ds:Signature Id="SIG-CEF851598E4FD165791401812036719135" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="soapenv wam" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-CEF851598E4FD165791401811316502106">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="wam" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>jmmralKJDd9Ijc8J3FtmfZUzMOU=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>MHPlIcmkOb3HbE/uOnTBl3RtoNF0QvYU9vA1diUMTpjwTW+AxzROfwcte9qHb1yyTLtoOj1Wft+t
aEmtfBG7igW1U/sF5RAOJY8w+Kkl1adueR5WFqoPAZafJEUFQ5qrYTPLqbSvpf/kGQOqdxHZ4J18
Pxu0px4qieAo+ZEa1ZBwuS82zURCtYZ7ZzGfB4u1KgX8VRRO48bTF76LZdmWD3nMSzPjE/W/dux+
XsM16GRLXw67zt8G3s4TjGV7UFL44Cvo+RBXoXwjknzSjIBuhrGnJUK2H6EsnTYL9d/ZeKqnsarQ
9zc6+tQOAQC3R0bzZLGc5hwp51pznzNUHuhInA==</ds:SignatureValue>
        <ds:KeyInfo Id="KI-CEF851598E4FD165791401812036718133">
          <wsse:SecurityTokenReference wsu:Id="STR-CEF851598E4FD165791401812036718134">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=tomcat-cl,OU=X,O=Y,L=Z,ST=XY,C=YZ</ds:X509IssuerName>
                <ds:X509SerialNumber>798547597</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsu:Timestamp wsu:Id="TS-CEF851598E4FD165791401812036717131">
        <wsu:Created>2014-06-03T16:13:56.716Z</wsu:Created>
        <wsu:Expires>2014-06-03T17:53:56.716Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="id-CEF851598E4FD165791401811316502106" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <xenc:EncryptedData Id="ED-CEF851598E4FD165791401812036741138" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
          <wsse:Reference URI="#EK-CEF851598E4FD165791401812036740137"/>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>GRdNc2+Y94efqhBZz3BMNb9Cx792t5UdliCtTzKR4Q+aT4RCbwdrxa6bbQQ0MtM74FifCsk7IC5a2IKFTRiYn48VbnLqQ/RdRIjcy6gAEoRv0UtIU7eEHE/AXARXcRTC3ILydEe2KsEqggNNH8cpswCvxaFy2wFbL3mZryu6csWcHFnwhZTnvWd5mErRgKtUOCwrhpqFxrNPBWcmxMi6m9GQ2zyWOT7gKDOnbzKPqLo5NCfu10m+Nyjr5Kmc52puRohZzBe58Zks/5l2EtGrnKqKtWy+j9luRMQNw734aX950WTfW3++9dciLnS7XxojybTfkr9eoqlGaD1sQmlw9UNvzKgDf9rQdM/BAPhlhthI+O/DX+sJHKMFSAib3uuu4g3+eUE/EYk75qcJdxuEk0E6hk8z5WFFAnOci8y4cvdTRX0Ew3cAQ2SG4H7kCaGd</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>
If you need additional logs or screenshots, let me know and I'll upload them immediately.
Kind Regards,
Stefano.
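When a WS-Security stack rejects a message with "Expected encrypted part missing" or "The signature or decryption was invalid", the first thing to establish is what the request actually contains versus what the sender's configuration intended. The script below is an added editor's example, not code from Stefano's post or from SoapUI; it parses an envelope and reports the SOAP version, which elements each ds:Reference resolves to, which wsu:Id-bearing elements are left unsigned, every EncryptedData with its parent element and whether its key reference resolves to an EncryptedKey in the header, and whether each Name/Namespace pair from an encryption "Part" entry matches any element at all. It assumes that a part is selected by exact namespace and local name (as WSS4J's part matching does), and its sample envelope is constructed to mirror the posted request: a SOAP 1.1 envelope, a signed Body, an unsigned Timestamp, Body content encrypted, and no EncryptedKey element for the referenced key id. The base64 values are placeholders.

```python
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample modelled on the posted request (digest, signature and
# cipher values are placeholders, not real cryptographic output).
SAMPLE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP11}">
 <soapenv:Header>
  <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
   <ds:Signature xmlns:ds="{DS}">
    <ds:SignedInfo>
     <ds:Reference URI="#id-1"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>BBBB</ds:SignatureValue>
   </ds:Signature>
   <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2014-06-03T16:13:56Z</wsu:Created></wsu:Timestamp>
  </wsse:Security>
 </soapenv:Header>
 <soapenv:Body wsu:Id="id-1" xmlns:wsu="{WSU}">
  <xenc:EncryptedData xmlns:xenc="{XENC}" Type="{XENC}Content">
   <ds:KeyInfo xmlns:ds="{DS}">
    <wsse:SecurityTokenReference xmlns:wsse="{WSSE}"><wsse:Reference URI="#EK-1"/></wsse:SecurityTokenReference>
   </ds:KeyInfo>
   <xenc:CipherData><xenc:CipherValue>CCCC</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
 </soapenv:Body>
</soapenv:Envelope>"""


def local_name(tag):
    return tag.rsplit("}", 1)[-1]


def soap_version(root):
    ns = root.tag.split("}")[0].lstrip("{")
    return {SOAP11: "1.1", SOAP12: "1.2"}.get(ns, "unknown")


def element_exists(root, namespace, name):
    """Assumed part-matching rule: does an element {namespace}name occur anywhere?"""
    wanted = "{%s}%s" % (namespace, name)
    return any(el.tag == wanted for el in root.iter())


def wsu_ids(root):
    key = "{%s}Id" % WSU
    return {el.get(key): el for el in root.iter() if el.get(key)}


def signed_elements(root):
    """Map each ds:Reference URI to the local name it resolves to (None if dangling)."""
    table = wsu_ids(root)
    out = {}
    for ref in root.iter("{%s}Reference" % DS):
        uri = ref.get("URI", "")
        target = table.get(uri[1:]) if uri.startswith("#") else None
        out[uri] = local_name(target.tag) if target is not None else None
    return out


def unsigned_ids(root):
    """wsu:Id-bearing elements (e.g. the Timestamp) that no ds:Reference covers."""
    covered = {uri[1:] for uri in signed_elements(root)}
    return sorted(i for i in wsu_ids(root) if i not in covered)


def encrypted_parts(root):
    """(parent local name, Type suffix, key reference resolves to an EncryptedKey?)"""
    parents = {child: parent for parent in root.iter() for child in parent}
    keys = {ek.get("Id") for ek in root.iter("{%s}EncryptedKey" % XENC)}
    out = []
    for ed in root.iter("{%s}EncryptedData" % XENC):
        ref = ed.find(".//{%s}Reference" % WSSE)  # wsse:Reference inside KeyInfo/STR
        uri = ref.get("URI", "") if ref is not None else ""
        out.append((local_name(parents[ed].tag),
                    ed.get("Type", "").rsplit("#", 1)[-1],
                    uri[1:] in keys))
    return out


def audit(xml_text):
    root = ET.fromstring(xml_text)
    return {
        "soap": soap_version(root),
        "signed": signed_elements(root),
        "unsigned_ids": unsigned_ids(root),
        "encrypted": encrypted_parts(root),
        # the two Part entries from the posted config, plus the corrected namespaces
        "parts": {
            "Signature@xmldsig (no #)": element_exists(root, "http://www.w3.org/2000/09/xmldsig", "Signature"),
            "Signature@xmldsig#": element_exists(root, DS, "Signature"),
            "Body@soap12/": element_exists(root, "http://www.w3.org/2003/05/soap-envelope/", "Body"),
            "Body@soap11": element_exists(root, SOAP11, "Body"),
        },
    }


if __name__ == "__main__":
    for k, v in audit(SAMPLE).items():
        print(k, v)
```

Run against the sample, the audit shows a SOAP 1.1 envelope, so a Body part declared under the SOAP 1.2 namespace can never match, and the Signature part declared without the trailing "#" of the xmldsig namespace cannot match either; the only EncryptedData sits under Body, the Signature is still in cleartext, the Timestamp carries a wsu:Id but is not referenced by the signature, and the EncryptedData's key reference points at an id with no EncryptedKey behind it. Each of those is something to compare against the intended "sign headers + timestamp, then encrypt signature and body" policy before looking at keys or certificates.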