Support for X509PKIPathv1 in xws-security for Spring-WS
I'm trying to send a request to an existing webservice. This webservice is not governed by me. The security policy of this webservice requires me to send my complete certificate chain in my SOAP request. My certificate chain contains 3 certificates. There are no issues with the setup of the certificate chain, as I'm able to test its validity (and have done so).

The security configuration for this setup (= sending the complete certificate chain in the request), is:

    <xwss:Sign id="signature">
        <xwss:X509Token
            certificateAlias="alias"
            keyReferenceType="Direct"
            valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" />
    </xwss:Sign>

I'm trying to achieve this through Spring-WS. Spring-WS uses spring-ws-security for security. Spring-ws-security delegates to xws-security.

    <dependency>
        <groupId>org.springframework.ws</groupId>
        <artifactId>spring-ws-security</artifactId>
        <version>2.1.0.RELEASE</version>
        <exclusions>
            <exclusion>
                <groupId>org.apache.ws.security</groupId>
                <artifactId>wss4j</artifactId>
            </exclusion>
            <exclusion>
                <groupId>com.sun.xml.wsit</groupId>
                <artifactId>xws-security</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

Xws-security comes in 2 flavors:

    <dependency>
        <groupId>com.sun.xml.wsit</groupId>
        <artifactId>xws-security</artifactId>
        <version>1.3.1</version>
    </dependency>

and

    <dependency>
        <groupId>com.sun.xml.wss</groupId>
        <artifactId>xws-security</artifactId>
        <version>3.0</version>
    </dependency>

The first one is used by Spring WS Security. The second is legacy.

Applying my XWSS configuration in xws-security is done in a class called BinarySecurityToken. BinarySecurityToken has a field called valueType.

The JavaDoc of valueType says it has support for X509PKIPathv1 (among others). However, it does not, as stated by this setter:

    protected void setValueType(String valueType) {
        if (!(MessageConstants.X509v3_NS.equals(valueType) || MessageConstants.X509v1_NS.equals(valueType))) {
            log.log(Level.SEVERE, "WSS0342.valtype.invalid");
            throw new RuntimeException("Unsupported value type: " + valueType);
        }
        this.valueType = valueType;
    }

The class MessageConstants does not (even) have a static for X509PKIPathv1. When I run my code, I get the expected result:

Unsupported value type: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1

I was able to look at the source code of the legacy com.sun.xml.wss.xws-security:3.0. Despite my efforts, I have not found the source code of com.sun.xml.wsit.xws-security-1.3.1. However I believe the code is the same. I tried both libraries and both give me the same exception. I tried it, using the default spring-ws-security and using explicit dependency declarations to both libraries (one at a time).

My questions:

  1. Has anyone been able to use xws-security for generating an X509 signature with a valueType of X509PKIPathv1 and a keyReferenceType that is Direct?
  2. Do other xws-security implementations exist that offer this? Or should I look at a completely different approach like Wss4j?

I have considered re-writing BinarySecurityToken, but that would probably also imply rewriting the X509 signing of SignatureProcessor in DSIG.

Schauer answered 26/9, 2012 at 7:19 Comment(1)
Ameba: not clear and required self learning and finding
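Since xws-security's setter rejects the X509PKIPathv1 value type, anyone going the custom-sender route needs to know what the receiving service expects on the wire: a wsse:BinarySecurityToken whose content is the base64 of a DER PkiPath (the ASN.1 SEQUENCE OF Certificate from X.509 / RFC 5280), referenced directly from ds:KeyInfo by its wsu:Id. The following is an added example, not code from the question, from xws-security or from Spring-WS. It uses only the JDK: CertificateFactory.generateCertPath(List) plus CertPath.getEncoded("PkiPath") produce the token bytes, and the JDK emits the sequence trust-anchor side first, which is the order the X.509 Token Profile calls for. The keystore path, password and alias taken from the command line, the wsu:Id value, and the use of KeyStore.getDefaultType() are assumptions; the namespace, ValueType and EncodingType URIs are the WSS 1.0 ones.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;

/** Added example: build and decode a WSS 1.0 BinarySecurityToken of type X509PKIPathv1. */
public class PkiPathToken {

    static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String X509_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0";
    static final String PKIPATH_VALUE_TYPE = X509_PROFILE + "#X509PKIPathv1";
    static final String BASE64_ENCODING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";

    /** Encodes the chain (end-entity first, as KeyStore.getCertificateChain returns it) as a DER PkiPath. */
    static byte[] encodePkiPath(List<? extends Certificate> chainEndEntityFirst) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chainEndEntityFirst);
        // "PkiPath" is the SEQUENCE OF Certificate from X.509; the JDK writes it with the
        // certificate closest to the trust anchor first and the end-entity certificate last.
        return path.getEncoded("PkiPath");
    }

    /** The token element as the X.509 Token Profile 1.0 defines it for a PkiPath. */
    static String binarySecurityToken(String wsuId, byte[] pkiPath) {
        return "<wsse:BinarySecurityToken xmlns:wsse=\"" + WSSE_NS + "\" xmlns:wsu=\"" + WSU_NS + "\""
             + " wsu:Id=\"" + wsuId + "\""
             + " ValueType=\"" + PKIPATH_VALUE_TYPE + "\""
             + " EncodingType=\"" + BASE64_ENCODING + "\">"
             + Base64.getEncoder().encodeToString(pkiPath)
             + "</wsse:BinarySecurityToken>";
    }

    /** Direct reference from ds:KeyInfo to the token above (what XWSS calls keyReferenceType="Direct"). */
    static String directReference(String wsuId) {
        return "<wsse:SecurityTokenReference xmlns:wsse=\"" + WSSE_NS + "\">"
             + "<wsse:Reference URI=\"#" + wsuId + "\" ValueType=\"" + PKIPATH_VALUE_TYPE + "\"/>"
             + "</wsse:SecurityTokenReference>";
    }

    /** Receiver side: turn the token content back into a chain (end-entity first, as CertPath orders it). */
    static List<? extends Certificate> decodePkiPath(String base64Content) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        byte[] der = Base64.getDecoder().decode(base64Content);
        return cf.generateCertPath(new ByteArrayInputStream(der), "PkiPath").getCertificates();
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: keystore path, keystore password and the alias that holds the 3-certificate chain.
        String storePath = args[0], storePass = args[1], alias = args[2];
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(storePath)) {
            ks.load(in, storePass.toCharArray());
        }
        List<Certificate> chain = Arrays.asList(ks.getCertificateChain(alias));

        byte[] pkiPath = encodePkiPath(chain);
        String tokenId = "X509Token-1"; // assumed wsu:Id; must match the Reference URI below
        System.out.println(binarySecurityToken(tokenId, pkiPath));
        System.out.println(directReference(tokenId));

        // Round trip: decoding must give back the same certificates in the same order.
        List<? extends Certificate> decoded = decodePkiPath(Base64.getEncoder().encodeToString(pkiPath));
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate sent = (X509Certificate) chain.get(i);
            X509Certificate got = (X509Certificate) decoded.get(i);
            System.out.println((sent.equals(got) ? "ok       " : "MISMATCH ") + sent.getSubjectX500Principal());
        }
    }
}
```

The ds:Signature itself still has to be produced by whatever XML-DSig implementation you end up using; the point here is the token and reference, which are the two pieces xws-security refuses to emit for this value type. A receiver that accepts X509PKIPathv1 should validate the decoded CertPath against its trust anchors (PKIX) rather than trusting the order or content of the sequence as sent.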
Interesting problem you got there.

As far as I could tell with my Google-fu, there exists support for #X509PKIPathv1 in some projects (e.g., Oracle's XMLSec or OpenSAML), however it is not widespread, and even applications like SoapUI don't support it for SOAP-WS.

Not only that, but other languages/frameworks have the same lack of support, like Delphi, .NET and the IBM JRE.

What you could do, based on this SO and especially this SO, is to implement your own WebServiceTemplate / WebServiceMessageSender.

Bobstay answered 5/1, 2017 at 7:50 Comment(1)
Mimosaceous: That's right, I've spent a long time looking for a way to make .NET generate the X509PKIPathV1, and on this page they are very clear about the non-compatibility. msdn.microsoft.com/es-es/library/bb885188(v=vs.110).aspx "WSS X509 Token Profile 1.0 and 1.1 define also #X509PKIPathv1 and #PKCS7 as value types. WCF does not support these types."
The valueType can be #X509v3 or #X509PKIPathv1.

That is found here: XWS-SecurityIntro4. Have you tried those values specifically instead of a URL?

Guaiacol answered 2/6, 2015 at 5:55 Comment(1)
Schauer: The documentation (and JavaDoc) states that ... The setter obviously doesn't.
This pull request will enable the ability to use X509PKIPathv1.

Virgo answered 18/2, 2020 at 8:2 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.