This refheap link <https://www.refheap.com/85304> is, so far, the Clojure
code that generates the XML in fig.3.


Tim Washington
Interruptsoftware.com <http://interruptsoftware.com>


On Fri, May 9, 2014 at 5:29 PM, Timothy Washington <twash...@gmail.com> wrote:

> Hi all,
>
> I've noticed there's no Clojure library for doing XML Digital signatures.
> So I'll probably put one out there, if I can completely solve this problem.
> Using Java's *XML Digital Signature API
> <http://docs.oracle.com/javase/7/docs/technotes/guides/security/xmldsig/XMLDigitalSignature.html>*,
> I'm trying to get the source XML (*fig.1*) to look like a certain output (
> *fig.2*). However, I'm getting stuck with another output (*fig.3*).
>
> Now, XML Signatures come in 3 forms i) detached, ii) enveloping and iii)
> enveloped. But the XML in *fig.2* has the signature in the Header path 
> [*soapenv:Envelope
> / soapenv:Header / wsse:Security*]. I imagine that's using XML
> Signature's XPath Reference Processing 
> Model<http://www.w3.org/TR/xmldsig-core/#sec-ReferenceProcessingModel>.
> So I mainly want to put the xml Signature in the Header. But there are a
> lot of other things that need to get ironed out, in order to arrive at the
> XML in fig.2.
>
>
>    - Using the Java API
>      <http://docs.oracle.com/javase/7/docs/technotes/guides/security/xmldsig/XMLDigitalSignature.html#wp511436>,
>      how would I put the <soapenv:Signature> into the Header [*soapenv:Header
>      / wsse:Security*]
>    - Using the same API, into [*soapenv:Header / wsse:Security*] how
>      would I add
>       - [wsse:Security / wsse:BinarySecurityToken] ;; Binary Security Token
>         Direct Reference
>       - [wsu:Timestamp / ws:Created]
>       - [wsu:Timestamp / ws:Expires]
>    - <ds:Signature> (and child tags) are namespaced. Using the same API,
>      how do I add the namespace and prefix (generated tags are not namespaced by
>      default).
>    - Is the <ds:Reference {URI}> attribute meaningful? (must it be
>      populated).
>    - Is it significant, the fact that <ds:SignedInfo> has 2
>      <ds:Reference> tags
>    - [*ds:KeyInfo / wsse:SecurityTokenReference*] and [*ds:KeyInfo /
>      wsse:SecurityTokenReference / wsse:Reference*] in fig.2 is different
>      from [*KeyInfo / KeyValue / DSAKeyValue*] tags in fig.3.
>
>
>
> *Materials*
>
>
> <?xml version="1.0" encoding="UTF-8"?>
>   <soapenv:Envelope xmlns:mod='http://www.hewitt.com/hro/benefits/fndt/hasbro/model'
>                     xmlns:soapenv='http://schemas.xmlsoap.org/soap/envelope/'>
>      <soapenv:Header></soapenv:Header>
>      <soapenv:Body wsu:Id='id-3'
>              xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
>         <mod:submitServiceRequest>
>            <mod:userId>3XATH</mod:userId>
>            <mod:serviceId>Genesys.addExceptionForAgent</mod:serviceId>
>            <mod:inputXml></mod:inputXml>
>         </mod:submitServiceRequest>
>      </soapenv:Body>
>   </soapenv:Envelope>
>
> fig.1 - source XML
>
> <?xml version="1.0"?>
> <soapenv:Envelope xmlns:mod="http://www.hewitt.com/hro/benefits/fndt/hasbro/model"
>                   xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
>   <soapenv:Header>
>     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>       <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>           EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>           ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>           wsu:Id="CertId-fubar">fubar</wsse:BinarySecurityToken>
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-6">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>           <ds:Reference URI="#id-70">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>fubar</ds:DigestValue>
>           </ds:Reference>
>           <ds:Reference URI="#fubar">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>fubar=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>fubar</ds:SignatureValue>
>         <ds:KeyInfo Id="fubar">
>           <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>               wsu:Id="fubar">
>             <wsse:Reference URI="#fubar"
>                 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>       <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>           wsu:Id="Timestamp-5">
>         <wsu:Created>fubar</wsu:Created>
>         <wsu:Expires>fubar</wsu:Expires>
>       </wsu:Timestamp>
>     </wsse:Security>
>   </soapenv:Header>
>   <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>       wsu:Id="id-70">
>     <mod:submitServiceRequest>
>       <mod:userId>fubar</mod:userId>
>       <mod:serviceId>fubar</mod:serviceId>
>       <mod:inputXml>
>         <![CDATA[<HA-TBA-INPUT>
>         <HA-SIGNON>
>             <CLNT-ID>fubar</CLNT-ID>
>             <EE-ID>fubar</EE-ID>
>             <MODEL-ID>fubar</MODEL-ID>
>             <DTD-LBL-CD>fubar</DTD-LBL-CD>
>         </HA-SIGNON>
>         <SERVICE-REQUEST>
>             <SERVICE-NAME>fubar</SERVICE-NAME>
>             <SERVICE-INPUT>
>                 <PRSN-CDH>
>                     <TRNS-LBL-CD>fubar</TRNS-LBL-CD>
>                     <CDD-FLD-INTN-ID>fubar</CDD-FLD-INTN-ID>
>                     <EFBEGDT>fubar</EFBEGDT>
>                     <EFENDDT>fubar</EFENDDT>
>                     <CDD-FLD-VL-TX>fubar</CDD-FLD-VL-TX>
>                     <CDD-TS>fubar</CDD-TS>
>                 </PRSN-CDH>
>             </SERVICE-INPUT>
>         </SERVICE-REQUEST>
>     </HA-TBA-INPUT>]]>
>       </mod:inputXml>
>     </mod:submitServiceRequest>
>   </soapenv:Body>
> </soapenv:Envelope>
>
> fig.2 - The target (signed) XML we want to reach
>
> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>                   xmlns:mod="http://www.hewitt.com/hro/benefits/fndt/hasbro/model">
>   *<soapenv:Header/>*
>   <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>       wsu:Id="id-3">
>     <mod:submitServiceRequest>
>       <mod:userId></mod:userId>
>       <mod:serviceId></mod:serviceId>
>       <mod:inputXml/>
>     </mod:submitServiceRequest>
>   </soapenv:Body>
>   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>     <SignedInfo>
>       <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
>       <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
>       <Reference URI="">
>         <Transforms>
>           <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>         </Transforms>
>         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>         <DigestValue>fubar</DigestValue>
>       </Reference>
>     </SignedInfo>
>     <SignatureValue>fubar</SignatureValue>
>     <KeyInfo>
>       <KeyValue>
>         <DSAKeyValue>
>           <P>fubar</P>
>           <Q>fubar</Q>
>           <G>fubar</G>
>           <Y>fubar</Y>
>         </DSAKeyValue>
>       </KeyValue>
>     </KeyInfo>
>   </Signature>
> </soapenv:Envelope>
>
> *fig.3 - Signed XML as it currently exists*
>
>
>
> Anyone have expertise with this? Or even if there's a library out there.
>
> Thanks
>
>
> Tim Washington
> Interruptsoftware.com <http://interruptsoftware.com/>
>
>
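The following is an added example, written for this thread and not taken from the refheap paste or the original post, showing how the javax.xml.crypto.dsig API (the Java API the question is about) can be driven to produce the fig.2 shape: the ds:Signature is placed under soapenv:Header/wsse:Security rather than at the end of the Envelope, the Reference URI points at the Body's wsu:Id, the ds prefix is emitted, and ds:KeyInfo carries a wsse:SecurityTokenReference instead of a DSAKeyValue. It assumes `doc` is fig.1 parsed by a namespace-aware DocumentBuilderFactory, `bodyId` is the Body's wsu:Id ("id-3" in fig.1), `tokenId` is the wsu:Id of a wsse:BinarySecurityToken the caller has already added, and `kp` is an RSA KeyPair; the timestamp and the token element itself are not created here.

```java
import java.security.KeyPair;
import java.util.Collections;
import javax.xml.XMLConstants;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class WsseSign {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";

    // Signs the soapenv:Body carrying wsu:Id=bodyId and places ds:Signature under Header/wsse:Security.
    // Hypothetical helper; assumes doc was parsed with setNamespaceAware(true), else the NS lookups find nothing.
    static Document sign(Document doc, KeyPair kp, String bodyId, String tokenId) throws Exception {
        Element body = (Element) doc.getElementsByTagNameNS(SOAP, "Body").item(0);
        Element header = (Element) doc.getElementsByTagNameNS(SOAP, "Header").item(0);
        Element security = doc.createElementNS(WSSE, "wsse:Security");
        security.setAttributeNS(XMLConstants.XMLNS_ATTRIBUTE_NS_URI, "xmlns:wsse", WSSE);
        header.appendChild(security);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // URI="#id-3" is what binds the signature to the Body; SHA-1/RSA-SHA1 only match fig.2, prefer SHA-256 today.
        Reference ref = fac.newReference("#" + bodyId, fac.newDigestMethod(DigestMethod.SHA1, null),
                Collections.singletonList(fac.newTransform(CanonicalizationMethod.EXCLUSIVE,
                        (TransformParameterSpec) null)), null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null), Collections.singletonList(ref));
        // KeyInfo accepts arbitrary XML via DOMStructure: a wsse:SecurityTokenReference pointing at the token.
        Element str = doc.createElementNS(WSSE, "wsse:SecurityTokenReference");
        Element tokenRef = doc.createElementNS(WSSE, "wsse:Reference");
        tokenRef.setAttribute("URI", "#" + tokenId);
        tokenRef.setAttribute("ValueType", X509V3);
        str.appendChild(tokenRef);
        KeyInfo ki = fac.getKeyInfoFactory().newKeyInfo(Collections.singletonList(new DOMStructure(str)));

        DOMSignContext ctx = new DOMSignContext(kp.getPrivate(), security); // parent = wsse:Security, not Envelope
        ctx.setIdAttributeNS(body, WSU, "Id"); // lets the dereferencer resolve "#id-3" to the Body element
        ctx.setDefaultNamespacePrefix("ds");   // emit <ds:Signature> instead of default-namespace <Signature>
        fac.newXMLSignature(si, ki).sign(ctx);
        return doc;
    }
}
```

Without the setIdAttributeNS call the signer throws on "#id-3" because wsu:Id is not a DTD-declared ID attribute; a verifier needs the same registration (or a custom URIDereferencer) before it can validate the reference.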

-- 
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your 
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en