Validating ds:Signature with X.509 Certificate

This section provides a tutorial example on how the SOAP message receiver should validate the digital signatures included in the ds:Signature elements. Digital signatures should be decrypted using public keys included in X.509 certificates passed in the wsse:BinarySecurityToken element.

Now let's take a closer look at the SOAP request message generated by SoapUI in the previous tutorial. The full request message listed below was copied from the "Raw" tab on the request screen. Note that extra line breaks have been added for formatting purposes.

<soapenv:Envelope 
 xmlns:ser="http://www.herongyang.com/Service/" 
 xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01
    /oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01
    /oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
 >
<soapenv:Header>
 <wsse:Security>
  <wsse:BinarySecurityToken 
   EncodingType="http://docs.oasis-open.org/wss/2004/01
      /oasis-200401-wss-soap-message-security-1.0#Base64Binary"
   ValueType="http://docs.oasis-open.org/wss/2004/01
      /oasis-200401-wss-x509-token-profile-1.0#X509v3" 
   wsu:Id="X509-2F79CD0E07E6607321140352609015051"><!-- Base64 certificate omitted --></wsse:BinarySecurityToken>
  <ds:Signature Id="SIG-2F79CD0E07E6607321140352609015155">
   <ds:SignedInfo>
    <ds:CanonicalizationMethod
     Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
     <ec:InclusiveNamespaces PrefixList="ser soapenv"/>
    </ds:CanonicalizationMethod>
    <ds:SignatureMethod 
     Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <ds:Reference URI="#id-2F79CD0E07E6607321140352609015154">
     <ds:Transforms>
      <ds:Transform 
       Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
       <ec:InclusiveNamespaces PrefixList="ser"/>
      </ds:Transform>
     </ds:Transforms>
     <ds:DigestMethod 
      Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
     <ds:DigestValue>+dmiLg4FAyul6dyl3bjbnHp8Ltc=</ds:DigestValue>
    </ds:Reference>
   </ds:SignedInfo>
   <ds:SignatureValue>
      UJAULZZZP74msDP377qxbT0tH8YoCUj9wgR9hEh4IsPz0Fk0QkmE9g==
   </ds:SignatureValue>
   <ds:KeyInfo Id="KI-2F79CD0E07E6607321140352609015052">
    <wsse:SecurityTokenReference
     wsu:Id="STR-2F79CD0E07E6607321140352609015053">
     <wsse:Reference URI="#X509-2F79CD0E07E6607321140352609015051"
      ValueType="http://docs.oasis-open.org/wss/2004/01
         /oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wsse:SecurityTokenReference>
   </ds:KeyInfo>
  </ds:Signature>
 </wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="id-2F79CD0E07E6607321140352609015154">
 <ser:HelloRequest>Hello</ser:HelloRequest>
</soapenv:Body>
</soapenv:Envelope>

The receiver of this request should validate the X.509 certificate first:

The receiver of this request should then validate the DSA-SHA1 signature. The first step is to retrieve the original digest encrypted in the signature:

The second step is for the receiver to recalculate the digest and check whether it matches originalDigestBytes:
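
The three steps above, as an added example that is not the tutorial's own code: one Java program using the JDK's built-in javax.xml.crypto.dsig API. It assumes the raw request from SoapUI's "Raw" tab has been saved to a file whose path is passed as the first argument, and that the certificate in wsse:BinarySecurityToken is the self-signed one generated with "keytool" in the earlier tutorial; the class name ValidateWsseSignature is my own.

```java
import java.nio.file.*;
import java.security.cert.*;
import java.util.Base64;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class ValidateWsseSignature {
  static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
  static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
  static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
  public static void main(String[] args) throws Exception {
    // Parse the raw request saved from SoapUI (args[0]); namespace awareness is needed for ds:/wsse:/wsu: lookups.
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    Document doc = dbf.newDocumentBuilder().parse(Files.newInputStream(Paths.get(args[0])));
    // Step 1: decode the certificate carried in wsse:BinarySecurityToken and validate it.
    Element bst = (Element) doc.getElementsByTagNameNS(WSSE, "BinarySecurityToken").item(0);
    byte[] der = Base64.getMimeDecoder().decode(bst.getTextContent()); // MIME decoder tolerates line breaks
    X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
        .generateCertificate(new java.io.ByteArrayInputStream(der));
    cert.checkValidity();              // throws if outside the notBefore/notAfter window
    cert.verify(cert.getPublicKey());  // self-signed keytool cert: its signature checks against its own key;
                                       // a CA-issued cert would be chained to a trust anchor with CertPathValidator
    // wsu:Id is not a schema-declared ID type, so name it explicitly or URI="#id-..." cannot be dereferenced.
    Element body = (Element) doc.getElementsByTagNameNS(SOAP, "Body").item(0);
    Element sigEl = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
    DOMValidateContext ctx = new DOMValidateContext(cert.getPublicKey(), sigEl);
    ctx.setIdAttributeNS(body, WSU, "Id");
    // Newer JDKs (17+) reject SHA-1 signature methods under secure validation, so this legacy
    // dsa-sha1 message only verifies with that policy relaxed; a SHA-256 signature would not need this.
    ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.FALSE);
    XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
    // Step 2: verify the DSA-SHA1 signature over the exclusive-c14n form of ds:SignedInfo.
    boolean signatureOk = sig.getSignatureValue().validate(ctx);
    // Step 3: recompute the SHA-1 digest of the transformed soapenv:Body and compare with ds:DigestValue.
    boolean digestsOk = true;
    for (Reference ref : sig.getSignedInfo().getReferences()) {
      boolean ok = ref.validate(ctx);
      System.out.println("Reference " + ref.getURI() + ": digest in message "
          + Base64.getEncoder().encodeToString(ref.getDigestValue()) + ", recalculated "
          + Base64.getEncoder().encodeToString(ref.getCalculatedDigestValue()) + (ok ? " (match)" : " (MISMATCH)"));
      digestsOk &= ok;
    }
    System.out.println("SignatureValue " + (signatureOk ? "verified" : "INVALID")
        + "; references " + (digestsOk ? "all match" : "MISMATCH"));
  }
}
```

Compile and run it with "javac ValidateWsseSignature.java" followed by "java ValidateWsseSignature request.xml"; a tampered Body shows up as a digest mismatch in step 3, while a tampered ds:SignedInfo or a wrong certificate fails in step 2.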

Last update: 2014.
