Using Java's XML Digital Signature API -> Clojure


Timothy Washington

May 9, 2014, 5:29:18 PM
to clo...@googlegroups.com
Hi all, 

I've noticed there's no Clojure library for doing XML Digital signatures. So I'll probably put one out there, if I can completely solve this problem. Using Java's XML Digital Signature API, I'm trying to get the source XML (fig.1) to look like a certain output (fig.2). However, I'm getting stuck with another output (fig.3). 

Now, XML Signatures come in 3 forms i) detached, ii) enveloping and iii) enveloped. But the XML in fig.2 has the signature in the Header path [soapenv:Envelope / soapenv:Header / wsse:Security]. I imagine that's using XML Signature's XPath Reference Processing Model. So I mainly want to put the xml Signature in the Header. But there are a lot of other things that need to get ironed out, in order to arrive at the XML in fig.2.

  • Using the Java API, how would I put the <ds:Signature> into the Header [soapenv:Header / wsse:Security]?
  • Using the same API, how would I add the following into [soapenv:Header / wsse:Security]?
    • [wsse:Security / wsse:BinarySecurityToken] ;; Binary Security Token Direct Reference
    • [wsu:Timestamp / wsu:Created]
    • [wsu:Timestamp / wsu:Expires]
  • <ds:Signature> (and child tags) are namespaced. Using the same API, how do I add the namespace and prefix (generated tags are not namespaced by default)?
  • Is the <ds:Reference {URI}> attribute meaningful (must it be populated)?
  • Is it significant that <ds:SignedInfo> has 2 <ds:Reference> tags?
  • [ds:KeyInfo / wsse:SecurityTokenReference] and [ds:KeyInfo / wsse:SecurityTokenReference / wsse:Reference] in fig.2 are different from the [KeyInfo / KeyValue / DSAKeyValue] tags in fig.3.


Materials 


<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:mod='http://www.hewitt.com/hro/benefits/fndt/hasbro/model'
                  xmlns:soapenv='http://schemas.xmlsoap.org/soap/envelope/'>
   <soapenv:Header></soapenv:Header>
   <soapenv:Body wsu:Id='id-3'
                 xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
      <mod:submitServiceRequest>
         <mod:userId>3XATH</mod:userId>
         <mod:serviceId>Genesys.addExceptionForAgent</mod:serviceId>
         <mod:inputXml></mod:inputXml>
      </mod:submitServiceRequest>
   </soapenv:Body>
</soapenv:Envelope>

fig.1 - source XML 

<?xml version="1.0"?>
<soapenv:Envelope xmlns:mod="http://www.hewitt.com/hro/benefits/fndt/hasbro/model" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-fubar">fubar</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-6">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-70">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>fubar</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#fubar">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>fubar=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>fubar</ds:SignatureValue>
        <ds:KeyInfo Id="fubar">
          <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="fubar">
            <wsse:Reference URI="#fubar" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-5">
        <wsu:Created>fubar</wsu:Created>
        <wsu:Expires>fubar</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-70">
    <mod:submitServiceRequest>
      <mod:userId>fubar</mod:userId>
      <mod:serviceId>fubar</mod:serviceId>
      <mod:inputXml><![CDATA[<HA-TBA-INPUT>
  <HA-SIGNON><CLNT-ID>fubar</CLNT-ID><EE-ID>fubar</EE-ID><MODEL-ID>fubar</MODEL-ID><DTD-LBL-CD>fubar</DTD-LBL-CD></HA-SIGNON>
  <SERVICE-REQUEST><SERVICE-NAME>fubar</SERVICE-NAME>
    <SERVICE-INPUT><PRSN-CDH><TRNS-LBL-CD>fubar</TRNS-LBL-CD><CDD-FLD-INTN-ID>fubar</CDD-FLD-INTN-ID>
      <EFBEGDT>fubar</EFBEGDT><EFENDDT>fubar</EFENDDT><CDD-FLD-VL-TX>fubar</CDD-FLD-VL-TX><CDD-TS>fubar</CDD-TS>
    </PRSN-CDH></SERVICE-INPUT></SERVICE-REQUEST></HA-TBA-INPUT>]]></mod:inputXml>
    </mod:submitServiceRequest>
  </soapenv:Body>
</soapenv:Envelope>

fig.2 - The target (signed) XML we want to reach

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:mod="http://www.hewitt.com/hro/benefits/fndt/hasbro/model">
<soapenv:Header/>
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-3">
<mod:submitServiceRequest>
    <mod:userId></mod:userId>
    <mod:serviceId></mod:serviceId>
    <mod:inputXml/>
</mod:submitServiceRequest>
</soapenv:Body>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI="">
        <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>fubar</DigestValue>
    </Reference>
</SignedInfo>
<SignatureValue>fubar</SignatureValue>
<KeyInfo>
    <KeyValue>
        <DSAKeyValue>
            <P>fubar</P>
            <Q>fubar</Q>
            <G>fubar</G>
            <Y>fubar</Y>
        </DSAKeyValue>
    </KeyValue>
</KeyInfo>
</Signature>
</soapenv:Envelope>

fig.3 - Signed XML as it currently exists


Anyone have expertise with this? Or even if there's a library out there. 

Thanks


Tim Washington 
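As an added example (my code, not the poster's refheap code and not from any library), here is the Java XML Digital Signature API driven from Clojure to turn fig.1 into the fig.2 shape: the signature inside wsse:Security in the Header, a ds prefix on every generated element, one Reference each for the Body and the Timestamp located by wsu:Id, and a wsse:SecurityTokenReference as the KeyInfo. It assumes Java 8+, a Body that already carries a wsu:Id as in fig.1, an RSA KeyPair whose certificate is passed Base64-DER-encoded as cert-b64 (a placeholder in this example), and constructed ids CertId-1 and Timestamp-1 with a 5-minute expiry; it returns the signed org.w3c.dom.Document.

```clojure
(ns wsse-sign.example
  (:import [javax.xml.crypto.dsig XMLSignatureFactory DigestMethod SignatureMethod CanonicalizationMethod]
           [javax.xml.crypto.dsig.dom DOMSignContext] [javax.xml.crypto.dom DOMStructure]
           [javax.xml.crypto.dsig.spec C14NMethodParameterSpec TransformParameterSpec]
           [javax.xml.parsers DocumentBuilderFactory] [java.io ByteArrayInputStream]
           [java.security KeyPair] [org.w3c.dom Document Element]))

(def soapenv "http://schemas.xmlsoap.org/soap/envelope/")
(def wsse "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd")
(def wsu  "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd")
(def x509 "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3")
(def xmlns "http://www.w3.org/2000/xmlns/")

(defn- el [^Document doc ns ^String qname]
  ;; Declare the prefix on the element itself: canonicalization keys off xmlns attributes, not DOM namespaceURI.
  (doto (.createElementNS doc ns qname)
    (.setAttributeNS xmlns (str "xmlns:" (subs qname 0 (.indexOf qname ":"))) ns)))
(defn- wsu-id! [^Element e id]
  ;; wsu:Id must be registered as an ID attribute, otherwise Reference URI="#id" will not resolve.
  (.setAttributeNS e xmlns "xmlns:wsu" wsu)
  (.setAttributeNS e wsu "wsu:Id" id)
  (.setIdAttributeNS e wsu "Id" true))

(defn sign-envelope [^String xml ^KeyPair kp ^String cert-b64]
  (let [^Document doc (.parse (.newDocumentBuilder (doto (DocumentBuilderFactory/newInstance) (.setNamespaceAware true)))
                              (ByteArrayInputStream. (.getBytes xml "UTF-8")))
        ^Element body (.item (.getElementsByTagNameNS doc soapenv "Body") 0)
        body-id (do (.setIdAttributeNS body wsu "Id" true) (.getAttributeNS body wsu "Id"))  ; reuse fig.1's wsu:Id
        now  (java.time.Instant/now)
        sec  (el doc wsse "wsse:Security")
        bst  (doto (el doc wsse "wsse:BinarySecurityToken") (wsu-id! "CertId-1") (.setTextContent cert-b64)
               (.setAttribute "ValueType" x509) (.setAttribute "EncodingType" "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"))
        ts   (doto (el doc wsu "wsu:Timestamp") (wsu-id! "Timestamp-1")
               (.appendChild (doto (el doc wsu "wsu:Created") (.setTextContent (str now))))
               (.appendChild (doto (el doc wsu "wsu:Expires") (.setTextContent (str (.plusSeconds now 300))))))
        fac  (XMLSignatureFactory/getInstance "DOM")
        ^C14NMethodParameterSpec c14n-p nil, ^TransformParameterSpec tr-p nil  ; typed nils select the right overloads
        sha1 (.newDigestMethod fac DigestMethod/SHA1 nil)
        ref  (fn [id] (.newReference fac (str "#" id) sha1 [(.newTransform fac CanonicalizationMethod/EXCLUSIVE tr-p)] nil nil))
        si   (.newSignedInfo fac (.newCanonicalizationMethod fac CanonicalizationMethod/EXCLUSIVE c14n-p)
               (.newSignatureMethod fac SignatureMethod/RSA_SHA1 nil)
               [(ref body-id) (ref "Timestamp-1")])  ; one Reference per signed part, each located by its wsu:Id
        stref (doto (el doc wsse "wsse:SecurityTokenReference")  ; arbitrary KeyInfo content goes in via DOMStructure
                (.appendChild (doto (el doc wsse "wsse:Reference") (.setAttribute "URI" "#CertId-1") (.setAttribute "ValueType" x509))))
        ki   (.newKeyInfo (.getKeyInfoFactory fac) [(DOMStructure. stref)])
        ;; parent = wsse:Security, next sibling = the Timestamp: ds:Signature lands between token and timestamp, prefixed "ds"
        ctx  (doto (DOMSignContext. (.getPrivate kp) sec ts) (.setDefaultNamespacePrefix "ds"))]
    (doto sec (.appendChild bst) (.appendChild ts))
    (.appendChild (.item (.getElementsByTagNameNS doc soapenv "Header") 0) sec)
    (.sign (.newXMLSignature fac si ki) ctx)
    doc))
```

The two References are what let a receiver bind the Body to a time window, so a verifier must confirm that both the Body and the Timestamp Reference validated, that the Timestamp lies within its clock-skew window, and that the certificate in the BinarySecurityToken chains to a trusted issuer. A Reference with an unconstrained URI, or a KeyInfo taken on trust from the sender, proves nothing on its own.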

Timothy Washington

May 9, 2014, 7:55:48 PM
to clo...@googlegroups.com
This refheap link is, so far, the Clojure code that generates the XML in fig.3. 


Tim Washington 
