[xsd-users] xmldsig# signatures

Gerard O'Donnell gerard_odonnell at yahoo.co.uk
Mon Mar 3 17:33:59 EST 2014


Not as straightforward as it sounds, Boris.

Santuario will generate an XMLDSig signature easily enough, but not with the wse:SecurityToken in it.
At least I can't see a way to make it do that. 
The KeyInfo code in Santuario requires X509Data to be an immediate child of KeyInfo.

<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo Id="issuerSerial">
        <wse:SecurityTokenReference>
                <ds:X509Data>
                        <ds:X509IssuerSerial>
                                <ds:X509IssuerName>CN="..."</ds:X509IssuerName>
                                <ds:X509SerialNumber>...</ds:X509SerialNumber>
                        </ds:X509IssuerSerial>
                </ds:X509Data>
        </wse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
 
I've tried and failed to convince CryptXml (Windows SDK) and Santuario to work with WS-Security.
Aleksey's XMLSec library sounds like it might work but requires libXML2, so my solution would need that as well as Xerces (for CodeSynthesis).

Apache Rampart/C seems to be dead, even the download links don't work.
CryptXML appears dead as well - information-free documentation and not a single blog post since it was released.
I guess the XML Security standards are so convoluted that .NET and Java are the only players standing :)


Thanks for your help,
Ger O'Donnell



________________________________
 From: Gerard O'Donnell <gerard_odonnell at yahoo.co.uk>
To: "xsd-users at codesynthesis.com" <xsd-users at codesynthesis.com> 
Sent: Friday, 21 February 2014, 19:45:24
Subject: Re: [xsd-users] xmldsig# signatures
 


Thanks for the rapid response Boris, I'll try that out.


________________________________
 From: Boris Kolpackov <boris at codesynthesis.com>
To: Gerard O'Donnell <gerard_odonnell at yahoo.co.uk> 
Cc: "xsd-users at codesynthesis.com" <xsd-users at codesynthesis.com> 
Sent: Friday, 21 February 2014, 6:05:14
Subject: Re: [xsd-users] xmldsig# signatures
 

Hi Gerard,

Gerard O'Donnell <gerard_odonnell at yahoo.co.uk> writes:

> These schemas use ##any elements - would I be right in saying that
> I need to modify the XSD files locally, and replace ##any with
> references to the elements that the web service will actually use?

No, I would suggest that you do not modify the schema and instead
"assemble" your complete document from individually serialized
fragments, as shown in the 'messaging' example.


> From there though I'm stuck - does CodeSynthesis offer any help with
> calculating the SignatureValue and DigestValues for xmldsig?

No, XSD does not provide this functionality out of the box. The
recommended way is to serialize the document into DOM and then use
something like Apache XML Security to add the signature:

http://santuario.apache.org/


Boris
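The DigestValue calculation asked about in the quoted question, written out as an added example (not code from this thread, from CodeSynthesis XSD or from Santuario): for each ds:Reference a signing library dereferences the URI, canonicalizes that node, hashes it and base64-encodes the hash, and a verifier repeats the same steps. The SOAP sample messages, the plain Id attribute, and the use of Canonical XML 2.0 (the algorithm Python's ET.canonicalize implements, hence the C14N 2.0 Transform URI) are assumptions of this example.

```python
# Added example, not code from this thread, CodeSynthesis XSD or Santuario.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
C14N2 = "http://www.w3.org/2010/xml-c14n2"          # what ET.canonicalize implements
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"  # DigestMethod algorithm URI
ET.register_namespace("soap", "http://www.w3.org/2003/05/soap-envelope")

# Constructed samples: same infoset, different bytes (attribute order, quote
# style, empty-element syntax), so a correct DigestValue must be identical.
DOC_A = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Body Id="body">
    <Order qty="1" sku="A-1"><Item>widget</Item><Note/></Order>
  </soap:Body>
</soap:Envelope>"""
DOC_B = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Body Id='body'>
    <Order sku='A-1' qty="1"><Item>widget</Item><Note></Note></Order>
  </soap:Body>
</soap:Envelope>"""


def reference_digest(xml_text: str, element_id: str) -> str:
    """Dereference URI="#element_id", canonicalize, SHA-256, base64-encode."""
    root = ET.fromstring(xml_text)
    target = next((e for e in root.iter() if e.get("Id") == element_id), None)
    if target is None:
        raise ValueError(f"no element with Id={element_id!r}")
    target.tail = None  # hash only the subtree, not whitespace after it
    canonical = ET.canonicalize(ET.tostring(target, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(canonical.encode()).digest()).decode()


def build_reference(xml_text: str, element_id: str) -> ET.Element:
    """Produce the <ds:Reference> element that belongs inside <ds:SignedInfo>."""
    ref = ET.Element(f"{{{DS_NS}}}Reference", URI=f"#{element_id}")
    transforms = ET.SubElement(ref, f"{{{DS_NS}}}Transforms")
    ET.SubElement(transforms, f"{{{DS_NS}}}Transform", Algorithm=C14N2)
    ET.SubElement(ref, f"{{{DS_NS}}}DigestMethod", Algorithm=SHA256)
    ET.SubElement(ref, f"{{{DS_NS}}}DigestValue").text = reference_digest(xml_text, element_id)
    return ref


def verify_reference(xml_text: str, ref: ET.Element) -> bool:
    """Verifier side: recompute the digest; a missing Id or a mismatch fails."""
    expected = (ref.findtext(f"{{{DS_NS}}}DigestValue") or "").strip()
    try:
        actual = reference_digest(xml_text, ref.get("URI", "").lstrip("#"))
    except ValueError:
        return False
    return hmac.compare_digest(expected, actual)
```

A library such as Santuario performs exactly these steps per Reference and then signs the canonicalized ds:SignedInfo to produce SignatureValue; the constant-time comparison and the refusal to accept a Reference whose Id is absent are the checks a verifier needs.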

