JimL
Contributor
16 years ago

Why does Signature have SecurityTokenReference (vs. X509Data)?

Hi,

This is somewhat related to my other post/thread:

http://www.eviware.com/component/option ... pic,1327.0

but it's a little off-topic from that.

I noticed that when, for example, I configure SOAPUI to generate a Signature, in the , there's this for the :


MIIDMDCCApmgAwIB....

i.e.:

      MIIDMDCCApmgAwIB....


But, in the messages that I'm working with (generated by WebLogic webservice client), there is this:

      MIIDMDCCApmgA....

We utilize an XML appliance in some of our systems, and I also noted that if I use that to try to validate the signature generated by SOAPUI, the validation fails, because it cannot find the key that it needs to validate the signature.

Now, I don't really understand a lot of this stuff, and I'm not quite sure what the significance of vs. in the , so I can't say whether one or the other is "right" or "wrong", but, at least with two of the things (WebLogic, and the XML appliance) that we use, they cannot validate the signatures created by SOAPUI.

Does anyone have any insight into this?

Thanks,
Jim

3 Replies

  • JimL
    Contributor
    Hi,

    FYI, the way that I got SOAPUI to generate the Signature with the:


          MIIDMDCCApmgAwIB....

    is that in the WS-Security configuration, I had selected "X509 Certificate" in the dropdown.

    However, I've been doing more research and testing, and, while I'm myself still learning about this stuff, I believe that what SOAPUI is generating, when the "X509 Certificate" is selected in the dropdown, is not correct.

    Rather, I think that what it should be generating in this case is something like what is shown on slide #25 at:

    https://prof.hti.bfh.ch/fileadmin/home/ ... curity.pdf

    i.e., it should be something like:


          MIIDMDCCApmgAwIB....


    Earlier, when I ran the output from SOAPUI into one of our appliances, I was getting an error that it couldn't find a key.

    I just did a test, where I manually modified the SOAP message that was generated by SOAPUI to follow the above format (instead of using the ), and while I was still not able to get a successful core validation, I now no longer get the "no key" message, but instead get an error indicating that the signature verification failed (i.e., so the appliance is at least able to find the key/certificate now in the ).

    Jim
  • SmartBear_Suppo
    SmartBear Alumni (Retired)
    Hi Jim,

    just to check; did you try the "Binary Security Token" option in the Key Identifier Type drop-down? Perhaps in combination with the "Use Single Certificate" option?

    regards!

    /Ole
    eviware.com
  • JimL
    Contributor
    Ole,

    Yes, I did try using "Binary Security Token" (rather than "X509 Certificate"), and when I did that, the appliance was able to verify the signature.

    I had already kind of guessed that that would have worked before my test, but the reason I was trying the "X509 Certificate" in the dropdown was that I was trying to get a signature where the cert was embedded in the in the signature. That was originally when I found what I mentioned in the first message in this thread, i.e., I had actually been expecting something like:


          MIIDMDCCApmgA....

    As I also said earlier in the thread, I'm still learning about all of this, so I don't know what the reasons (pros or cons) would be for:


          MIIDMDCCApmgA....

    vs. something like:

          MIIDMDCCApmgAwIB....


    both of which work with the appliance, i.e., I don't know why one would be used vs. the other, but I was just trying to point out what did, and didn't, work.

    Jim
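The two KeyInfo shapes discussed in this thread differ in how a verifier locates the certificate: with ds:X509Data the certificate sits inside the Signature itself, while with a wsse:SecurityTokenReference the Signature only points (by wsu:Id) at a wsse:BinarySecurityToken elsewhere in the Security header, and a verifier that does not follow that pointer reports "no key". The script below is an added example, not SoapUI, WebLogic or appliance code; it walks a SOAP envelope, detects which form the KeyInfo uses, resolves the token reference, and raises the same kind of "no key" error when the reference dangles. The three envelopes are constructed sample input with a placeholder base64 certificate.

```python
"""Locate the signing certificate referenced from a WS-Security ds:KeyInfo.

Added example; not SoapUI, WebLogic or appliance code. The envelopes below are
constructed sample input and PLACEHOLDER_CERT is not a real certificate.
"""
import xml.etree.ElementTree as ET

# Standard namespaces used by XML-DSig and WS-Security 1.0.
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

PLACEHOLDER_CERT = "MIIDMDCCApmgAwIBPLACEHOLDER"  # constructed, not a real certificate


def _envelope(key_info: str, header_extra: str = "") -> str:
    """Build a minimal signed envelope around the given KeyInfo content (sample only)."""
    return f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
      {header_extra}
      <ds:Signature xmlns:ds="{NS['ds']}">
        <ds:SignedInfo/>
        <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
        <ds:KeyInfo>{key_info}</ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""


# Form 1: certificate embedded directly in the Signature (the "X509 Certificate" option).
ENVELOPE_X509DATA = _envelope(
    f"<ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data>"
)

# Form 2: Signature points at a BinarySecurityToken carried earlier in the Security header
# (the "Binary Security Token" option, and what the WebLogic client produces).
_STR = (f'<wsse:SecurityTokenReference>'
        f'<wsse:Reference URI="#CertId-1" ValueType="{X509V3}"/>'
        f'</wsse:SecurityTokenReference>')
_BST = (f'<wsse:BinarySecurityToken wsu:Id="CertId-1" EncodingType="{BASE64}" '
        f'ValueType="{X509V3}">{PLACEHOLDER_CERT}</wsse:BinarySecurityToken>')
ENVELOPE_STR = _envelope(_STR, _BST)

# Failure mode: the reference exists but no token with that wsu:Id is present.
ENVELOPE_DANGLING = _envelope(_STR)


def resolve_signing_certificate(envelope_xml: str) -> dict:
    """Return which KeyInfo form is used and the base64 certificate it resolves to.

    Raises KeyError when a SecurityTokenReference cannot be resolved, which is the
    condition a verifier reports as "cannot find the key".
    """
    root = ET.fromstring(envelope_xml)
    key_info = root.find(".//ds:Signature/ds:KeyInfo", NS)
    if key_info is None:
        raise ValueError("Signature carries no ds:KeyInfo")

    cert = key_info.find("ds:X509Data/ds:X509Certificate", NS)
    if cert is not None:
        return {"mode": "X509Data", "cert_b64": cert.text.strip()}

    ref = key_info.find("wsse:SecurityTokenReference/wsse:Reference", NS)
    if ref is not None:
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise ValueError(f"only same-document references are handled: {uri!r}")
        token_id = uri[1:]
        wsu_id_attr = f"{{{NS['wsu']}}}Id"
        for bst in root.iter(f"{{{NS['wsse']}}}BinarySecurityToken"):
            if bst.get(wsu_id_attr) == token_id:
                return {"mode": "SecurityTokenReference", "token_id": token_id,
                        "cert_b64": bst.text.strip()}
        raise KeyError(f"Reference #{token_id} matches no wsse:BinarySecurityToken wsu:Id")

    raise ValueError("KeyInfo has neither ds:X509Data nor a wsse:SecurityTokenReference")


if __name__ == "__main__":
    for name, env in [("X509Data", ENVELOPE_X509DATA), ("STR", ENVELOPE_STR),
                      ("dangling", ENVELOPE_DANGLING)]:
        try:
            print(name, "->", resolve_signing_certificate(env))
        except KeyError as exc:
            print(name, "-> no key:", exc)
```

Resolving the certificate is only the first step a verifier performs; after this, the appliance still has to check the certificate against its trust store and verify the SignatureValue over the canonicalized SignedInfo, which is where the later "signature verification failed" error in the thread comes from.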