Help with mutual authentication


Juan Carlos Alvarez

Sep 13, 2022, 2:36:46 PM
to wse-php
Hi Rob, I need to add two binary security tokens in the headers: the first one signed with my certificate, and the second one encrypted with another service's certificate (public key cert), like this:

<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-940C69BCA72B981B6D166300998040260">MIIDLjCCA...uAI=</wsse:BinarySecurityToken>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-940C69BCA72B981B6D166300998040364">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsa com inic soap"/>
      </ds:CanonicalizationMethod>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#id-940C69BCA72B981B6D166300998040363">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="com inic"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>rhfYoiNUVCz5yYtOmI3ox43ySH0=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Fl...Lig==</ds:SignatureValue>
    <ds:KeyInfo Id="KI-940C69BCA72B981B6D166300998040361">
      <wsse:SecurityTokenReference wsu:Id="STR-940C69BCA72B981B6D166300998040362">
        <wsse:Reference URI="#X509-940C69BCA72B981B6D166300998040260" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
  <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="940C69BCA72B981B6D166300998040158">MIIDhTCC...RaE=</wsse:BinarySecurityToken>
  <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-940C69BCA72B981B6D166300998040157">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <wsse:SecurityTokenReference>
        <wsse:Reference URI="#940C69BCA72B981B6D166300998040158" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    <xenc:CipherData>
      <xenc:CipherValue>gabV51...KsKlA==</xenc:CipherValue>
    </xenc:CipherData>
    <xenc:ReferenceList>
      <xenc:DataReference URI="#ED-940C69BCA72B981B6D166300998040259"/>
    </xenc:ReferenceList>
  </xenc:EncryptedKey>
</wsse:Security>

The first binary security token should be signed with my cert and key, and its contents are my cert.

So it would be ...
<wsse:BinarySecurityToken>MIIDLjCCA...uAI= (my cert)</wsse:BinarySecurityToken>
<ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsa com inic soap"/>
      </ds:CanonicalizationMethod>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#id-940C69BCA72B981B6D166300998040363">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="com inic"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>rhfYoiNUVCz5yYtOmI3ox43ySH0=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Flweb...==</ds:SignatureValue>
    <ds:KeyInfo Id="KI-940C69BCA72B981B6D166300998040361">
      <wsse:SecurityTokenReference wsu:Id="STR-940C69BCA72B981B6D166300998040362">
        <wsse:Reference URI="#X509-940C69BCA72B981B6D166300998040260" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>

and then the second security token, from the service cert, should appear.
Here I have a public key cert (not mine, from another service).

So it would be similar to this:

<wsse:BinarySecurityToken>MIIDhTCC...E= (service cert)</wsse:BinarySecurityToken>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-940C69BCA72B981B6D166300998040157">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference>
      <wsse:Reference URI="#940C69BCA72B981B6D166300998040158" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wsse:SecurityTokenReference>
  </ds:KeyInfo>
  <xenc:CipherData>
    <xenc:CipherValue>gab...lA==</xenc:CipherValue>
  </xenc:CipherData>
  <xenc:ReferenceList>
    <xenc:DataReference URI="#ED-940C69BCA72B981B6D166300998040259"/>
  </xenc:ReferenceList>
</xenc:EncryptedKey>
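As an added check (this is not part of the post above and not code from wse-php), here is a Python script that parses a header with this two-token layout and verifies the things a receiver cares about in mutual authentication: that the Signature's SecurityTokenReference resolves to an X509v3 BinarySecurityToken in the header, that the EncryptedKey's reference resolves to a different one, that every Id is unique, and that the signed parts and encrypted parts are referenced by local URIs. It also flags the SHA-1 based signature and digest algorithms the posted header uses. The sample header, its shortened Ids and the placeholder DER blobs standing in for certificates are constructed for the example; it does not verify the SignatureValue or decrypt anything.

```python
"""Structural checks for a WS-Security header carrying two X.509 tokens: one
referenced by ds:Signature (sender's cert) and one referenced by
xenc:EncryptedKey (recipient service's cert). Added example, not wse-php code."""
import base64
import xml.etree.ElementTree as ET

NS = {"wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
WSU_ID = "{%s}Id" % NS["wsu"]
# SHA-1 based identifiers seen in the posted header; a current profile should reject them.
WEAK_ALGORITHMS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2000/09/xmldsig#sha1"}

def _local_ref(uri):
    # WS-Security token references are same-document fragments ("#id").
    if not uri or not uri.startswith("#"):
        raise ValueError("non-local reference: %r" % uri)
    return uri[1:]

def _index_ids(security):
    # Map every wsu:Id / Id to its element; a duplicate Id is a signature-wrapping smell.
    ids = {}
    for el in security.iter():
        for val in filter(None, (el.get(WSU_ID), el.get("Id"))):
            if val in ids:
                raise ValueError("duplicate Id %r" % val)
            ids[val] = el
    return ids

def _token_der(ids, parent):
    # Resolve parent/KeyInfo/SecurityTokenReference/Reference to an X509v3 BST and
    # return its decoded bytes (only the outer DER SEQUENCE tag is checked here).
    ref = parent.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    if ref is None:
        raise ValueError("missing SecurityTokenReference/Reference")
    tok = ids.get(_local_ref(ref.get("URI")))
    if tok is None or tok.tag != "{%s}BinarySecurityToken" % NS["wsse"]:
        raise ValueError("reference %r does not resolve to a BinarySecurityToken" % ref.get("URI"))
    if tok.get("ValueType") != X509V3:
        raise ValueError("token is not an X509v3 token")
    der = base64.b64decode((tok.text or "").strip(), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("token payload is not a DER SEQUENCE")
    return der

def check_header(xml_text):
    """Return a summary dict for a well-formed header; raise ValueError otherwise."""
    root = ET.fromstring(xml_text)
    security = root if root.tag == "{%s}Security" % NS["wsse"] else root.find(".//wsse:Security", NS)
    if security is None:
        raise ValueError("no wsse:Security header")
    ids = _index_ids(security)
    sig = security.find("ds:Signature", NS)
    enc_key = security.find("xenc:EncryptedKey", NS)
    if sig is None or enc_key is None:
        raise ValueError("header needs both a Signature and an EncryptedKey")
    signer_der = _token_der(ids, sig)          # who signed: the sender's cert
    recipient_der = _token_der(ids, enc_key)   # who can decrypt: the service's cert
    if signer_der == recipient_der:
        raise ValueError("signing and encryption tokens carry the same certificate")
    # Signed and encrypted parts live in the Body, so only local URIs are required here.
    signed = [_local_ref(r.get("URI")) for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
    data_refs = [_local_ref(r.get("URI")) for r in enc_key.findall("xenc:ReferenceList/xenc:DataReference", NS)]
    algorithms = {
        "signature": sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm"),
        "digests": [d.get("Algorithm") for d in sig.findall("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)],
        "key_transport": enc_key.find("xenc:EncryptionMethod", NS).get("Algorithm"),
    }
    weak = sorted(WEAK_ALGORITHMS & ({algorithms["signature"]} | set(algorithms["digests"])))
    return {"signed_refs": signed, "data_refs": data_refs, "algorithms": algorithms, "weak_algorithms": weak}

def header_problem(xml_text):
    """None if the header passes, otherwise the failure message."""
    try:
        check_header(xml_text)
        return None
    except ValueError as exc:
        return str(exc)

def _fake_cert(n):
    # Constructed placeholder DER (SEQUENCE { INTEGER n }), not a real certificate.
    return base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, n])).decode()

# Constructed sample with the layout of the header in the post (Ids shortened).
SAMPLE_HEADER = """<wsse:Security xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s" xmlns:xenc="%(xenc)s">
 <wsse:BinarySecurityToken ValueType="%(x509)s" wsu:Id="X509-sender">%(sender)s</wsse:BinarySecurityToken>
 <ds:Signature Id="SIG-1"><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#id-body"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
   <ds:DigestValue>rhfYoiNUVCz5yYtOmI3ox43ySH0=</ds:DigestValue></ds:Reference>
 </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue>
 <ds:KeyInfo Id="KI-1"><wsse:SecurityTokenReference wsu:Id="STR-1">
  <wsse:Reference URI="#X509-sender" ValueType="%(x509)s"/></wsse:SecurityTokenReference></ds:KeyInfo>
 </ds:Signature>
 <wsse:BinarySecurityToken ValueType="%(x509)s" wsu:Id="X509-service">%(service)s</wsse:BinarySecurityToken>
 <xenc:EncryptedKey Id="EK-1">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
  <ds:KeyInfo><wsse:SecurityTokenReference>
   <wsse:Reference URI="#X509-service" ValueType="%(x509)s"/></wsse:SecurityTokenReference></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  <xenc:ReferenceList><xenc:DataReference URI="#ED-body"/></xenc:ReferenceList>
 </xenc:EncryptedKey>
</wsse:Security>""" % dict(NS, x509=X509V3, sender=_fake_cert(1), service=_fake_cert(2))

# Same header with the EncryptedKey pointed back at the sender's own token: must be rejected.
BROKEN_HEADER = SAMPLE_HEADER.replace('URI="#X509-service"', 'URI="#X509-sender"')
```

Running `check_header(SAMPLE_HEADER)` returns the resolved references and lists both SHA-1 algorithm URIs under `weak_algorithms`; `header_problem(BROKEN_HEADER)` returns the "same certificate" message, because a header whose EncryptedKey targets the signer's own certificate would encrypt the session key to the sender rather than to the service, which is not mutual authentication. A real receiver would add signature verification with the resolved certificate and certificate chain validation on top of these structural checks.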

Juan Carlos Alvarez

Oct 20, 2022, 10:15:36 AM
to wse-php
I have resolved this with the commit that vewee proposed in: https://github.com/robrichards/wse-php/pull/67

Thanks
