
Derived Keys + 2. Signature Problem #44

Closed
griga3k opened this issue Jun 3, 2015 · 3 comments

Comments


griga3k commented Jun 3, 2015

Hello!

I know that you maintain this wonderful xmlseclib library which I am currently using.

And I have a question about it, maybe you could help me with finding a proper solution.

Here is a problem:

This is the WS-POLICY for the service:

<wsp:Policy wsu:Id="CustomBinding_IServiceCustomer_policy">
<wsp:ExactlyOne>
  <wsp:All>
    <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <sp:ProtectionToken>
          <wsp:Policy>
            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
              <wsp:Policy>
                <sp:RequireDerivedKeys/>
                <sp:RequireThumbprintReference/>
                <sp:WssX509V3Token10/>
              </wsp:Policy>
            </sp:X509Token>
          </wsp:Policy>
        </sp:ProtectionToken>
        <sp:AlgorithmSuite>
          <wsp:Policy>
            <sp:Basic128Rsa15/>
          </wsp:Policy>
        </sp:AlgorithmSuite>
        <sp:Layout>
          <wsp:Policy>
            <sp:Strict/>
          </wsp:Policy>
        </sp:Layout>
        <sp:IncludeTimestamp/>
        <sp:OnlySignEntireHeadersAndBody/>
      </wsp:Policy>
    </sp:SymmetricBinding>
    <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
          <wsp:Policy>
            <sp:RequireThumbprintReference/>
            <sp:WssX509V3Token10/>
          </wsp:Policy>
        </sp:X509Token>
      </wsp:Policy>
    </sp:EndorsingSupportingTokens>
    <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <sp:MustSupportRefThumbprint/>
        <sp:MustSupportRefEncryptedKey/>
        <sp:RequireSignatureConfirmation/>
      </wsp:Policy>
    </sp:Wss11>
    <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <sp:MustSupportIssuedTokens/>
        <sp:RequireClientEntropy/>
        <sp:RequireServerEntropy/>
      </wsp:Policy>
    </sp:Trust10>
    <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <sp:TransportToken>
          <wsp:Policy>
            <sp:HttpsToken RequireClientCertificate="false"/>
          </wsp:Policy>
        </sp:TransportToken>
        <sp:AlgorithmSuite>
          <wsp:Policy>
            <sp:Basic256/>
          </wsp:Policy>
        </sp:AlgorithmSuite>
        <sp:Layout>
          <wsp:Policy>
            <sp:Strict/>
          </wsp:Policy>
        </sp:Layout>
        <sp:IncludeTimestamp/>
      </wsp:Policy>
    </sp:TransportBinding>
    <wsaw:UsingAddressing/>
  </wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>

The problem is the following:

  1. According to the POLICY (RequireDerivedKeys), the user needs 2 DerivedKeyTokens (one for signing, the other for encrypting).
     And soap-wsse.php, unfortunately, lacks this functionality.
     Therefore I added my own functions to cover that.
     To create keys, I use the following p-sha1 function: http://stackoverflow.com/questions/19590675/implementation-of-p-sha1-algorithm-in-php
  2. According to the POLICY (EndorsingSupportingTokens), we need to sign the already created signature.
     This implementation is also missing in soap-wsse.php.
     I created my own function for that, but I'm not sure if it works correctly.

As a result, I receive the following response after I send the generated XML:

CryptographicException: Unable to resolve the '#...' URI in the signature to compute the digest.

Can you please help me with those tokens? Do you find it reasonable to add such support for DerivedKeyToken into your class?

Thank you!
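The P_SHA1 derivation referred to in point 1, as an added example (not the issue author's gist and not xmlseclibs code): the TLS 1.0 P_SHA1 expansion plus the Label + Nonce / Offset / Length slicing that a WS-SecureConversation DerivedKeyToken describes. The default Label value and the sample secret and nonces are assumptions.

```python
import hmac
import hashlib


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_SHA1 expansion (RFC 2246 section 5), reused by WS-SecureConversation.

    A(0) = seed, A(i) = HMAC-SHA1(secret, A(i-1))
    P_SHA1 = HMAC-SHA1(secret, A(1) + seed) + HMAC-SHA1(secret, A(2) + seed) + ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(secret: bytes, nonce: bytes, length: int = 32, offset: int = 0,
               label: bytes = b"WS-SecureConversation") -> bytes:
    """Key material for one <wsc:DerivedKeyToken>: seed = Label + Nonce,
    key = P_SHA1(secret, seed)[offset : offset + length].

    <wsc:Generation>g</wsc:Generation> is equivalent to offset = g * length.
    The default Label depends on the WS-SecureConversation version in use
    (assumption: the peer expects "WS-SecureConversation"); nonce is the
    base64-decoded <wsc:Nonce> value.
    """
    stream = p_sha1(secret, label + nonce, offset + length)
    return stream[offset:offset + length]


if __name__ == "__main__":
    # Constructed sample values: the secret is what the EncryptedKey carries,
    # and each token gets its own random Nonce. Basic128 => 128-bit (16-byte) keys.
    secret = bytes(range(16))
    sig_key = derive_key(secret, b"nonce-for-signing", length=16)
    enc_key = derive_key(secret, b"nonce-for-encryption", length=16)
    print(sig_key.hex(), enc_key.hex())
```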

@robrichards (Owner)

Can you send me the code you added as well as the full code from your example so I can see why you might be getting that error. I have been meaning to add support for derived keys but haven't had the time, so whatever you might have for code would be helpful.
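The CryptographicException quoted in the issue is raised when a ds:Reference URI matches no Id / wsu:Id attribute in the message, which is exactly what an endorsing signature (point 2) gets wrong when it does not use the primary ds:Signature's own Id. An added check, not part of this issue or of xmlseclibs, over a constructed minimal envelope with a primary and an endorsing signature:

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")


def unresolved_references(xml_text: str) -> list:
    """Return the ds:Reference URIs ('#id') that match no Id / wsu:Id attribute.

    A same-document Reference is resolved purely by attribute value, so any
    URI listed here is what makes the verifier fail to compute the digest.
    """
    root = ET.fromstring(xml_text)
    ids = set()
    for el in root.iter():
        for attr in ("Id", "{%s}Id" % WSU):
            if attr in el.attrib:
                ids.add(el.attrib[attr])
    return [ref.get("URI", "") for ref in root.iter("{%s}Reference" % DS)
            if ref.get("URI", "").startswith("#") and ref.get("URI")[1:] not in ids]


# Constructed header: primary signature over Timestamp and Body, then an
# endorsing signature whose only Reference is the primary ds:Signature.
ENVELOPE = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
  xmlns:ds="{ds}" xmlns:wsu="{wsu}" xmlns:o="{wsse}">
 <s:Header><o:Security>
  <wsu:Timestamp wsu:Id="_ts"/>
  <ds:Signature Id="_sig1"><ds:SignedInfo>
   <ds:Reference URI="#_ts"/><ds:Reference URI="#_body"/>
  </ds:SignedInfo></ds:Signature>
  <ds:Signature Id="_sig2"><ds:SignedInfo>
   <ds:Reference URI="#{endorsed}"/>
  </ds:SignedInfo></ds:Signature>
 </o:Security></s:Header>
 <s:Body wsu:Id="_body"/>
</s:Envelope>"""


def build(endorsed: str) -> str:
    """Envelope whose endorsing signature references the given id."""
    return ENVELOPE.format(ds=DS, wsu=WSU, wsse=WSSE, endorsed=endorsed)


if __name__ == "__main__":
    print(unresolved_references(build("_sig1")))  # []
    print(unresolved_references(build("_sig")))   # ['#_sig']
```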

@griga3k (Author)

griga3k commented Jun 12, 2015

Can you please have a look at my code: https://gist.github.com/griga3k/14234656f1ff1c2d8dd8 .
I marked the sections that were modified by me as “ADDED BY ME”,
and there is a test code that I run.
Thank you!

@robrichards (Owner)

Marking this as resolved here as I did add an option for specifying which signature to pull. Will handle the remaining over in the wse-php issues:
robrichards/wse-php#9
