Hello @dchiesa1,
Please can you help me? I am currently working on a service that requires sending the WS-Security signature, so I used your contribution, the Java Callout for WS-Security Digital Signature. I could see that the structure is formed, but I have a doubt: since the legacy system is very strict with the signature, it requires sending the prefixes (ds:), additionally adding the InclusiveNamespaces tag in CanonicalizationMethod, and sending a single Reference with URI="#id-". How can I configure these?
Thank you very much for your help.
Expected request:
<soapenv:Envelope xmlns:inf="http://infocomercial.cifin.asobancaria.com" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Timestamp wsu:Id="TS-2DB8826BD201DD76E6162687525300611">
<wsu:Created>2021-07-21T13:47:33.006Z</wsu:Created>
<wsu:Expires>2021-07-21T16:34:13.006Z</wsu:Expires>
</wsu:Timestamp>
<ds:Signature Id="SIG-2DB8826BD201DD76E6162687525281110" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="inf soapenv xsd xsi" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-2DB8826BD201DD76E616268752527979">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="inf xsd xsi" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>y5/U7+kQMDKKOPaa5jZNywlbzg8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>MRdB63h8QAa0N8tV+/j78UBMmTAPc4O7RpxNeujPdbDHamn/7DDxRDwv6+/ML6h8IZKlXG7Mdm1Q
O92LwakBruldIEKmysWRvoAX2x2HQ6oyvYVZjaiF8geBaIofc+iFIA8/05jZ+dfkazSlzusCJbNh
AfYDGU6U2bcs+v7TMa+btOG8sf/qLrRTz5l2KJjWeKK/ysY70w5bkiQDJ6XvmH759u1Sz00YMggS
QoAN4gcLv0ZhN+HPxlR4PtTDKclF5Vt68DAvx7I+CFlHirFmALmAQP3I+zuIwkB+X1uazOFOolGP
8sFzfu9Lac18/uGMGTnm1IYM8yqL4TG3jBMn/Q==</ds:SignatureValue>
<ds:KeyInfo Id="KI-2DB8826BD201DD76E616268752527737">
<wsse:SecurityTokenReference wsu:Id="STR-2DB8826BD201DD76E616268752527828">
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=cifinInfoComerTest2020</ds:X509IssuerName>
<ds:X509SerialNumber>1524942345</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
</soapenv:Envelope>
I am using the policy with the following parameters:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<JavaCallout async="false" continueOnError="false" enabled="true" name="JCRequestSegurity">
<DisplayName>JCRequestSegurity</DisplayName>
<Properties>
<Property name="source">message.content</Property>
<Property name="expiry">60s</Property>
<Property name="private-key">{private.vCertificateKey}</Property>
<Property name="certificate">{property.vCertitficate}</Property>
<Property name="key-identifier-type">issuer_serial</Property>
</Properties>
<ClassName>com.google.apigee.edgecallouts.wssecdsig.Sign</ClassName>
<ResourceURL>java://edge-wssecdsig-20200219.jar</ResourceURL>
</JavaCallout>
Request built in Apigee:
<soapenv:Envelope xmlns:inf="http://infocomercial.cifin.asobancaria.com" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wssec="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<wssec:Security soapenv:mustUnderstand="1">
<wsu:Timestamp wsu:Id="Timestamp-7f2c86a3-a0d5-4756-852c-a19b2b53a824">
<wsu:Created>2021-07-21T15:03:16Z</wsu:Created>
<wsu:Expires>2021-07-21T23:23:16Z</wsu:Expires>
</wsu:Timestamp>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#Body-a8986fa8-9938-4712-825f-b57e885dfb3d">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>BOO9alfKssLv41eyIjFLpp30I9Y=</DigestValue>
</Reference>
<Reference URI="#Timestamp-7f2c86a3-a0d5-4756-852c-a19b2b53a824">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>zLEzFm/mXAAs0728kxavYn6zOQA=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>LaanOIcNwqreKsxfsEeDMF8MDnlCRnso8mKqUUc3nALphOJjxKs9yekNDU3ZFegvD/WnIJGOr/LRsVqB3a+BWYt257+yrzTU/RskghS73UO4zdq4OQlZoBXiw7fW5WY224+9kZHfDf/i1ePb8Kyox5x4Mgq3iSNEXYRDULFiK0j9CU6HkTnDlTH8NtRBbELcHSh7YBzYjJE4lodvzX7UGdkksQJzIlV7t6XXOMOYQo1imY7swlfknLSTOBj7svrzE8lConln1Gf1grOivpsfhYsaKWuVnsAAAsPResFl/Okuv1YlFUdcFIPeyA10JT8sL3elmTujVgjj7RC56Rl4dw==</SignatureValue>
<KeyInfo>
<wssec:SecurityTokenReference>
<X509Data>
<X509IssuerSerial>
<X509IssuerName>CN=cifinInfoComerTest2020</X509IssuerName>
<X509SerialNumber>1524942345</X509SerialNumber>
</X509IssuerSerial>
</X509Data>
</wssec:SecurityTokenReference>
</KeyInfo>
</Signature>
</wssec:Security>
</soapenv:Header>
</soapenv:Envelope>
Hi desarrollo
I think:
EDIT
I have updated the Apigee-Java-WsSec-Signature-2 callout, to add support in the Sign class for:
The result is, you can configure the callout to generate something like this:
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ns1="http://ws.example.com/"
xmlns:wssec="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soapenv:Header>
<wssec:Security soapenv:mustUnderstand="1">
<wsu:Timestamp wsu:Id="TS-3af5186baa374e4eb6ed777275574baa">
<wsu:Created>2021-07-21T18:29:50Z</wsu:Created>
<wsu:Expires>2021-07-21T18:39:50Z</wsu:Expires>
</wsu:Timestamp>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ns1"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#Body-4cef38aef32d4acbb9c519a797d62556">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ns1"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>Aywnn7bh5QWYTzd+4J/MfraCdlo=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>PplZDKoGHlIg2tPjjihaKUJIAjIrPBbYVPsisiK2+IyBfiOC1D/O1TkcNo9Be1ltS0QBSmWTWOOr
pUT0gq0x2MgNPn+N5QjP3TuIF8AMJjyaO5dFvWJxOBoPftjPK95n32Tz1DWuat2Z/FhkzXr8Txgc
Yk6wyf32w3vXMs9ws90UkAO1pQX5bLQ7RVbgDGvOrL3l4HKNUU4s0f5etQbdsn7jW/s3vbl/bkGi
2NKopdqwBFvuHcv+MveLEdIxXL3orjzjKVw7c/jrDNSJA0ApTq63Mos/ucwy8+gn1yySXpTYT8F2
C3T2aV3tw4SOiQ1resWIBxzd5U3uZbldx52N3g==</ds:SignatureValue>
<ds:KeyInfo>
<wssec:SecurityTokenReference wsu:Id="STR-a7964a69b98c4f479d39ff85c90b6671">
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=apigee.google.com</ds:X509IssuerName>
<ds:X509SerialNumber>17032128222562009281</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wssec:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wssec:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="Body-4cef38aef32d4acbb9c519a797d62556">
<ns1:sumResponse>
<ns1:return>9</ns1:return>
</ns1:sumResponse>
</soapenv:Body>
</soapenv:Envelope>
Get the latest callout (20210721) to get these updates. Check the readme for the usage of the new properties.
Let me know if this sparks joy.
Hi Dino, thank you very much for your prompt reply.
I understand what you are telling me. I am testing the version (20210721); it adds the prefixes perfectly, but I have added the properties (c14-inclusive-elements and transform-inclusive-elements) and it does not show me the InclusiveElements tag. Please can you guide me with an example of the use of these properties?
Thank you very much.
I think you need something like this:
<JavaCallout async="false" continueOnError="false" enabled="true" name="JCRequestSegurity">
<DisplayName>JCRequestSegurity</DisplayName>
<Properties>
<Property name="source">message.content</Property>
<Property name="c14n-inclusive-namespaces">http://infocomercial.cifin.asobancaria.com, http://schemas.xmlsoap.org/soap/envelope/, http://www.w3.org/2001/XMLSchema, http://www.w3.org/2001/XMLSchema-instance</Property>
<Property name="transform-inclusive-namespaces">http://infocomercial.cifin.asobancaria.com, http://www.w3.org/2001/XMLSchema, http://www.w3.org/2001/XMLSchema-instance</Property>
<Property name="elements-to-sign">body</Property>
<Property name="ds-prefix">ds</Property>
<Property name="key-identifier-type">issuer_serial</Property>
<Property name="expiry">10m</Property>
<Property name="private-key">{private.vCertificateKey}</Property>
<Property name="certificate">{property.vCertitficate}</Property>
</Properties>
<ClassName>com.google.apigee.edgecallouts.wssecdsig.Sign</ClassName>
<ResourceURL>java://edge-wssecdsig-20210721.jar</ResourceURL>
</JavaCallout>
...and also please be sure to remove the older JAR as a resource from your API proxy. And if you have loaded it as an organization or environment resource, then the same: remove the older jar from those places. (Delete the resource)
I replaced the resource and configured it as instructed, but the JavaCallout is generating an exception.
JavaCallout:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<JavaCallout async="false" continueOnError="false" enabled="true" name="JCRequestSegurity">
<DisplayName>JCRequestSegurity</DisplayName>
<Properties>
<Property name="source">message.content</Property>
<Property name="expiry">30000s</Property>
<Property name="c14n-inclusive-namespaces">http://infocomercial.cifin.asobancaria.com, http://schemas.xmlsoap.org/soap/envelope/, http://www.w3.org/2001/XMLSchema, http://www.w3.org/2001/XMLSchema-instance</Property>
<Property name="transform-inclusive-namespaces">http://infocomercial.cifin.asobancaria.com, http://www.w3.org/2001/XMLSchema, http://www.w3.org/2001/XMLSchema-instance</Property>
<Property name="elements-to-sign">body</Property>
<Property name="ds-prefix">ds</Property>
<Property name="key-identifier-type">issuer_serial</Property>
<Property name="private-key-password">{private.vCertificatePassword}</Property>
<Property name="private-key">{private.vCertificateKey}</Property>
<Property name="certificate">{property.vCertitficate}</Property>
</Properties>
<ClassName>com.google.apigee.callouts.wssecdsig.Sign</ClassName>
<ResourceURL>java://apigee-wssecdsig-20210721.jar</ResourceURL>
</JavaCallout>
Exception:
Thank you very much
Thanks for that report; I was able to reproduce that problem, and then correct it.
Can you pull the latest and retry? The needed jar is
apigee-wssecdsig-20210721-2.jar
Good morning Dino,
Thank you very much for all your help. I managed to build the structure, but I have only one doubt regarding the URI attribute of the Reference tag: please guide me on how I can generate it with "#id-".
Thank you very much.
I like the discussion.
I have used wss4j in the past, and it looks like you are referring to the body reference.
The <Reference> elements in the <SignatureInfo> element: one points at the message body of the SOAP message and the other points at the timestamp.
In Dino's code you may want to adjust the below, if it is possible, to the new prefix:
==
// 1. get or set the Id of the Body element
Element body = (Element) nodes.item(0);
String bodyId =
(body.hasAttributeNS(Namespaces.WSU, "Id"))
? body.getAttributeNS(Namespaces.WSU, "Id")
: wsuId.apply(body, "Body");
==
// 4. embed a Timestamp element under the wssecHeader element
Element timestamp = doc.createElementNS(Namespaces.WSU, wsuPrefix + ":Timestamp");
String timestampId = wsuId.apply(timestamp, "TS");
wssecHeader.appendChild(timestamp);
Some good reads, as you are dealing with signatures, and it is good to be aware of some of the internals 🙂
https://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-SOAPMessageSecurity.htm#_Toc118717124
regarding the Reference tag in the URI attribute, please guide me how can I do to generate it with "#id-".
Yes, as @API-Evangelist mentioned, you could change the code to allow a different tag identifier for the body.
And, I think it should be unnecessary. The shape of those references is not prescribed by the standard. There is no correctly-behaving system that requires the prefix for the reference to be #id versus #body or anything else.
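As an added check (example code, not part of the callout or of this thread), the following Python inspects a signed envelope the way a strict receiver would: which prefix is bound to the XMLDSig namespace, what each InclusiveNamespaces PrefixList resolves to through the envelope's xmlns declarations (the namespace URIs the c14n-inclusive-namespaces and transform-inclusive-namespaces properties take), and whether each Reference URI points at an existing wsu:Id, whatever its "#id-" or "#Body-" prefix. The envelope is a constructed, abbreviated sample; its second Reference is deliberately dangling and the PrefixList names an unbound prefix, to show how both failures surface.

```python
# Added example (not the callout's code): structural checks a strict WS-Security
# receiver applies before it even verifies the signature bytes.
import io
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
EC = "http://www.w3.org/2001/10/xml-exc-c14n#"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample envelope: ds prefix, InclusiveNamespaces on both C14N
# and Transform, one Reference that resolves and one that deliberately does not.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:inf="http://infocomercial.cifin.asobancaria.com"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <soapenv:Header><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
   <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="inf xsd"/>
  </ds:CanonicalizationMethod>
  <ds:Reference URI="#id-1"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
   <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="inf"/>
  </ds:Transform></ds:Transforms></ds:Reference>
  <ds:Reference URI="#TS-missing"/>
 </ds:SignedInfo></ds:Signature></soapenv:Header>
 <soapenv:Body wsu:Id="id-1"><inf:ping/></soapenv:Body>
</soapenv:Envelope>"""

def inspect_envelope(xml_text):
    """Report the XMLDSig prefix, the resolved PrefixLists and each Reference target."""
    ns, root = {}, None  # prefix -> URI from every xmlns declaration; document root
    for event, obj in ET.iterparse(io.BytesIO(xml_text.encode()), ("start-ns", "start")):
        if event == "start-ns":
            ns[obj[0]] = obj[1]
        elif root is None:
            root = obj
    def resolve(prefix_list):
        # None marks a prefix named in a PrefixList that no xmlns declaration binds
        return {p: ns.get(p) for p in prefix_list.split()}
    ids = {el.get(a) for el in root.iter() for a in (f"{{{WSU}}}Id", "Id") if el.get(a)}
    c14n = root.find(f".//{{{DS}}}CanonicalizationMethod/{{{EC}}}InclusiveNamespaces")
    refs = []
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        incl = ref.find(f".//{{{DS}}}Transform/{{{EC}}}InclusiveNamespaces")
        refs.append({"uri": uri,
                     "resolves": uri.startswith("#") and uri[1:] in ids,
                     "transform_inclusive": resolve(incl.get("PrefixList")) if incl is not None else None})
    return {"signature_prefix": next((p for p, u in ns.items() if u == DS), None),
            "c14n_inclusive": resolve(c14n.get("PrefixList")) if c14n is not None else None,
            "references": refs}
```

Running `inspect_envelope` over the envelope Apigee actually emits (rather than the sample) shows at a glance whether the prefix, the PrefixList bindings and the Reference targets match what the legacy receiver expects.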