SOAP Web Service Tutorials - Herong's Tutorial Examples - Version 5.02, by Dr. Herong Yang
Validating ds:Signature with X.509 Certificate
This section provides a tutorial example on how the SOAP message receiver should validate the digital signatures included in the ds:Signature elements. Each signature is verified with the public key from the X.509 certificate carried in the wsse:BinarySecurityToken element.
Now let's take a closer look at the SOAP request message generated by SoapUI in the previous tutorial. The full request message listed below was copied from the "Raw" tab on the request screen. Note that extra line breaks have been added for formatting purposes.
<soapenv:Envelope
    xmlns:ser="http://www.herongyang.com/Service/"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#">
  <soapenv:Header>
    <wsse:Security>
      <wsse:BinarySecurityToken
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
          wsu:Id="X509-2F79CD0E07E6607321140352609015051">
MIIDIjCCAt6gAwIBAgIEZjRlNTALBgcqhkjOOAQDBQAwYjELMAkGA1UEBhMCVU4x
EDAOBgNVBAgTB015U3RhdGUxDzANBgNVBAcTBk15Q2l0eTEOMAwGA1UEChMFTXlP
cmcxDzANBgNVBAsTBk15VW5pdDEPMA0GA1UEAxMGSGVyb25nMB4XDTE0MDYyMzAx
NTc0OVoXDTE0MDkyMTAxNTc0OVowYjELMAkGA1UEBhMCVU4xEDAOBgNVBAgTB015
U3RhdGUxDzANBgNVBAcTBk15Q2l0eTEOMAwGA1UEChMFTXlPcmcxDzANBgNVBAsT
Bk15VW5pdDEPMA0GA1UEAxMGSGVyb25nMIIBtzCCASwGByqGSM44BAEwggEfAoGB
AP1/U4EddRIpUt9KnC7s5Of2EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6
MPbLm1Vs14E7gB00b/JmYLdrmVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E
+4P208UewwI1VBNaFpEy9nXzrith1yrv8iIDGZ3RSAHHAhUAl2BQjxUjC8yykrmC
ouuEC/BYHPUCgYEA9+GghdabPd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeO
utRZT+ZxBxCBgLRJFnEj6EwoFhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/
C/ohNWLx+2J6ASQ7zKTxvqhRkImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoDgYQA
AoGAKoaW7/qUTPzq8sV+2k7QTEWatwi383gecu2lDI/XPBsj+Yw29cE3NKOt4eU7
Wv9iLyIJJtnXvj6LqtR7z/oQ3l8w5POIjBeYgZsqI6HyfsmEKSOYoZZd96r3RHAj
HZ5/l1SLH9+E9HCSRSCJMQRC31GVobzEV2Pp4TA6Ufdq0EWjITAfMB0GA1UdDgQW
BBTWM7uRsyGOxz2DFxa9KzA5kX81DjALBgcqhkjOOAQDBQADMQAwLgIVAIf/Hk49
C4wxFfMc6tuHul2L9dHHAhUAhIEbBrqBKn9A99IXZtHFvE/uPbw=
      </wsse:BinarySecurityToken>
      <ds:Signature Id="SIG-2F79CD0E07E6607321140352609015155">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="ser soapenv"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
          <ds:Reference URI="#id-2F79CD0E07E6607321140352609015154">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="ser"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>+dmiLg4FAyul6dyl3bjbnHp8Ltc=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
UJAULZZZP74msDP377qxbT0tH8YoCUj9wgR9hEh4IsPz0Fk0QkmE9g==
        </ds:SignatureValue>
        <ds:KeyInfo Id="KI-2F79CD0E07E6607321140352609015052">
          <wsse:SecurityTokenReference wsu:Id="STR-2F79CD0E07E6607321140352609015053">
            <wsse:Reference URI="#X509-2F79CD0E07E6607321140352609015051"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="id-2F79CD0E07E6607321140352609015154">
    <ser:HelloRequest>Hello</ser:HelloRequest>
  </soapenv:Body>
</soapenv:Envelope>
The receiver of this request should validate the X.509 certificate first:
The receiver of this request should then validate the DSA-SHA1 signature. The first step is to retrieve the original digest encrypted in the signature:
The second step is for the receiver to recalculate the digest and see whether it matches originalDigestBytes:
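The steps above (validate the certificate, then check that the signature's digest matches a freshly computed one) carried out with the JDK's own XML Signature API, as an added example that is not the tutorial's code. It reads the raw request from a file, pins the sender's self-signed certificate against a copy held in a JKS truststore, lets javax.xml.crypto perform the exclusive canonicalization, digest recomputation and DSA check, and finally confirms that the element the signature covers is the soapenv:Body the service will act on. The input file name, truststore path, password and alias are command-line arguments and are assumptions here. Feed it the message exactly as SoapUI sent it: the copy listed above has line breaks added for display, so its digest no longer matches.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added example, not part of the tutorial. Usage (all four arguments are assumptions):
//   java ValidateWsseSignature request.xml truststore.jks <storepass> <alias>
// The truststore holds the pinned copy of the sender's self-signed certificate.
public class ValidateWsseSignature {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    public static void main(String[] args) throws Exception {
        Document doc = parseWithoutDtd(new FileInputStream(args[0]));

        // 1. Pull the sender certificate out of wsse:BinarySecurityToken.
        Element bst = (Element) doc.getElementsByTagNameNS(WSSE, "BinarySecurityToken").item(0);
        if (bst == null) throw new SecurityException("no wsse:BinarySecurityToken in header");
        byte[] der = Base64.getMimeDecoder().decode(bst.getTextContent());
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(der));

        // 2. Validate the certificate: validity period, then trust. The tutorial's
        //    certificate is self-signed, so "trusted" means identical to the copy
        //    pinned in our truststore, not "chains to some CA".
        cert.checkValidity();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[1])) { ks.load(in, args[2].toCharArray()); }
        X509Certificate pinned = (X509Certificate) ks.getCertificate(args[3]);
        if (pinned == null || !pinned.equals(cert))
            throw new SecurityException("certificate is not the pinned sender certificate");

        // 3. ds:KeyInfo must point at this very token, so the key we validate with
        //    is the one the message claims it was signed with.
        Element sig = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        if (sig == null) throw new SecurityException("no ds:Signature in header");
        Element strRef = (Element) sig.getElementsByTagNameNS(WSSE, "Reference").item(0);
        String bstId = bst.getAttributeNS(WSU, "Id");
        if (strRef == null || !("#" + bstId).equals(strRef.getAttribute("URI")))
            throw new SecurityException("KeyInfo does not reference the BinarySecurityToken");

        // 4. Register wsu:Id as an ID attribute so "#id-..." references resolve, then
        //    run core validation: the JDK canonicalizes SignedInfo, checks the DSA
        //    signature over it, and recomputes each Reference digest.
        markWsuIds(doc);
        DOMValidateContext ctx = new DOMValidateContext(cert.getPublicKey(), sig);
        XMLSignature signature = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        boolean coreValid = signature.validate(ctx);
        System.out.println("SignatureValue valid: " + signature.getSignatureValue().validate(ctx));
        for (Object o : signature.getSignedInfo().getReferences()) {
            Reference ref = (Reference) o;
            System.out.println("Reference " + ref.getURI() + " digest valid: " + ref.validate(ctx));
        }
        if (!coreValid) throw new SecurityException("signature validation failed");

        // 5. Make sure what was signed is the Body the application will act on: a
        //    valid signature over some other element proves nothing about the Body.
        Element body = (Element) doc.getElementsByTagNameNS(SOAP, "Body").item(0);
        boolean bodySigned = false;
        for (Object o : signature.getSignedInfo().getReferences()) {
            String uri = ((Reference) o).getURI();
            if (uri.startsWith("#") && doc.getElementById(uri.substring(1)) == body) bodySigned = true;
        }
        if (!bodySigned) throw new SecurityException("soapenv:Body is not covered by the signature");
        System.out.println("Request accepted; signed by " + cert.getSubjectX500Principal());
    }

    // Namespace-aware parser with DTDs disabled, so the receiver never resolves
    // external entities from an untrusted message.
    static Document parseWithoutDtd(InputStream in) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(in);
    }

    // Without a schema, DOM does not know that wsu:Id is an ID attribute; declare
    // it so getElementById() and the signature dereferencer can resolve URI="#id-...".
    static void markWsuIds(Document doc) {
        NodeList all = doc.getElementsByTagNameNS("*", "*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (e.hasAttributeNS(WSU, "Id")) e.setIdAttributeNS(WSU, "Id", true);
        }
    }
}
```

The per-reference output is what tells you which half of the author's two steps failed: a bad SignatureValue means the key or the canonicalized SignedInfo is wrong, while a bad Reference digest means the Body was altered (or, as with the pretty-printed copy above, re-formatted) after signing. One caveat for anyone replaying this 2014 message today: it uses the sha1 digest and dsa-sha1 signature algorithms, which JDK 17 and later reject under the default secure-validation policy (jdk.xml.dsig.secureValidationPolicy), so validate() throws instead of returning false. The fix belongs on the signing side, by selecting SHA-256 algorithms in SoapUI, not in relaxing the receiver's policy.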
Last update: 2014.