X509PKIPathv1 support in xws-security for Spring-WS

I am trying to send a request to an existing web service. This web service is not managed by me. The security policy of this web service requires me to send my complete certificate chain with my SOAP request. My certificate chain contains 3 certificates. There is no problem with setting up the certificate chain, as I can verify its authenticity (and have done so).

The security configuration for this setup (= sending the entire certificate chain in the request):

  <xwss:Sign id="signature">
      <xwss:X509Token certificateAlias="alias"
                      keyReferenceType="Direct"
                      valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" />
  </xwss:Sign>

I am trying to achieve this through Spring-WS. Spring-WS uses spring-ws-security for security. spring-ws-security delegates to xws-security.

  <dependency>
      <groupId>org.springframework.ws</groupId>
      <artifactId>spring-ws-security</artifactId>
      <version>2.1.0.RELEASE</version>
      <exclusions>
          <exclusion>
              <groupId>org.apache.ws.security</groupId>
              <artifactId>wss4j</artifactId>
          </exclusion>
          <exclusion>
              <groupId>com.sun.xml.wsit</groupId>
              <artifactId>xws-security</artifactId>
          </exclusion>
      </exclusions>
  </dependency>

Xws-security comes in two flavors:

  <dependency>
      <groupId>com.sun.xml.wsit</groupId>
      <artifactId>xws-security</artifactId>
      <version>1.3.1</version>
  </dependency>

and

  <dependency>
      <groupId>com.sun.xml.wss</groupId>
      <artifactId>xws-security</artifactId>
      <version>3.0</version>
  </dependency>

The first is used by Spring WS Security. The second is legacy.

Applying my XWSS configuration in xws-security is done in the BinarySecurityToken class. BinarySecurityToken has a field called valueType.

The JavaDoc for valueType says it supports X509PKIPathv1 (among others). However, this is contradicted by its setter:

  protected void setValueType(String valueType) {
      // Only the plain X509v3 / X509v1 token value types pass this check;
      // the #X509PKIPathv1 URI from the configuration is rejected here.
      if (!(MessageConstants.X509v3_NS.equals(valueType) || MessageConstants.X509v1_NS.equals(valueType))) {
          log.log(Level.SEVERE, "WSS0342.valtype.invalid");
          throw new RuntimeException("Unsupported value type: " + valueType);
      }
      this.valueType = valueType;
  }

The MessageConstants class does not even have a constant for X509PKIPathv1. When I run my code, I get the expected result:

  Unsupported value type: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1

I was able to look at the source code of the old com.sun.xml.wss:xws-security:3.0. Despite my efforts, I did not find the source code for com.sun.xml.wsit:xws-security:1.3.1. However, I think the code is the same. I tried both libraries and both give me the same exception. I tried this using the standard spring-ws-security dependency and using explicit dependency declarations for both libraries (one at a time).

My questions:

  • Has anyone been able to use xws-security to generate an X509 signature with value type X509PKIPathv1 and keyReferenceType Direct?
  • Are there other xws-security implementations that offer this? Or should I look at a completely different approach like Wss4j?

I considered rewriting BinarySecurityToken, but this probably also involves rewriting the X509 signature handling of SignatureProcessor in DSIG.

+47
java spring spring-ws x509
Sep 26 '12 at 7:19
2 answers

An interesting problem you got there.

As far as I can tell from my Google-fu, some projects support #X509PKIPathv1 (for example, Oracle XMLSec or OpenSAML); however, it is not widespread, and even applications like SoapUI do not support it for SOAP-WS.

Not only this, but other languages/frameworks have the same support, for example Delphi and .NET, IBM JRE.

What you can do, based on this SO post and especially this SO post, is implement your own WebServiceTemplate / WebServiceMessageSender.

+2
Jan 05 '17 at 7:50

The value type can be #X509v3 or #X509PKIPathv1.

This can be found here: XWS-SecurityIntro4. Have you tried these values specifically instead of the URLs?

0
Jun 02 '15 at 5:55