
WSDL field level digital signature

2011-02-16T21:25:43Z

Given RAD v8, WAS v7 and a simple enterprise application project with a single WebService.

How can this WebService be protected with a field level digital signature (list of XPATHs) according to a given certificate/keystore?
Updated on 2012-11-06T17:45:52Z by Barbara_Jensen
  • Barbara_Jensen

    Re: WSDL field level digital signature

    These two information center articles will help you configure digital signature to sign a specific element in a SOAP message:

    The first describes how to configure digital signature in general, and the second will help you build your XPATH expression. Where to use the XPATH expression that you build is in step 2e-iii of the first article.

    Just for reference: For the 'thing' that you are signing, only the digest value is calculated for that element and doing that calculation is relatively inexpensive. The expensive part of dsig is calculating the signature value across the SignedInfo element and you are going to incur that expense no matter how many things and of what size you sign.

    1) If you intend to drill down to something in the body to sign it, I suggest that you just sign the entire body.
    2) Don't sign the BinarySecurityToken that is used to evaluate the signature. That's a waste since if it were changed in transit, the signature validation would fail anyway. This is usually only done when you want to test your dsig config and actually WANT to replace all parts of the message around the compartmentalized SignedInfo and BinarySecurityToken set in the SOAP Security header.

    Encryption, however, is another matter. Encrypt as little of the message as you can and still be secure.
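To make the cost argument in the reply concrete, here is an added stand-alone model of WS-Security field-level signing (not code from the thread or from WebSphere): each XPath-selected element gets its own cheap digest inside a Reference, and one signature is computed over SignedInfo regardless of how many References it holds. Assumptions: the envelope, the wsu:Id values and the XPaths are constructed, and an HMAC stands in for the RSA signature the keystore's private key would produce.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"soap": SOAP_NS, "wsu": WSU_NS}
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("wsu", WSU_NS)

# Constructed sample envelope; the wsu:Id is what a Reference URI points at.
SAMPLE_ENVELOPE = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsu="{WSU_NS}"><soap:Header/>'
    '<soap:Body wsu:Id="body-1"><getBalance xmlns="urn:example:bank">'
    '<acct>42</acct></getBalance></soap:Body></soap:Envelope>'
)
SIGNING_KEY = b"constructed-demo-key"  # stands in for the keystore's private key

def reference_for(envelope_xml, xpath):
    """Cheap per-element step: canonicalize the XPath-selected element and hash it.
    Returns (URI, base64 DigestValue) as one <Reference> would carry them."""
    elem = ET.fromstring(envelope_xml).find(xpath, NS)
    if elem is None:
        raise ValueError(f"no element matches {xpath}")
    c14n = ET.canonicalize(ET.tostring(elem, encoding="unicode"))
    digest = hashlib.sha256(c14n.encode()).digest()
    return "#" + elem.get(f"{{{WSU_NS}}}Id", ""), base64.b64encode(digest).decode()

def build_signed_info(envelope_xml, xpaths):
    refs = [reference_for(envelope_xml, xp) for xp in xpaths]
    body = "".join(f'<Reference URI="{u}"><DigestValue>{d}</DigestValue></Reference>'
                   for u, d in refs)
    return f"<SignedInfo>{body}</SignedInfo>"

def sign(envelope_xml, xpaths, key=SIGNING_KEY):
    """Expensive step, paid once: a single signature over SignedInfo, however many References."""
    signed_info = build_signed_info(envelope_xml, xpaths)
    sig = hmac.new(key, signed_info.encode(), hashlib.sha256).digest()  # HMAC stands in for RSA
    return signed_info, base64.b64encode(sig).decode()

def verify(envelope_xml, xpaths, signed_info, signature_value, key=SIGNING_KEY):
    """Receiver side: every digest must match the live message and SignedInfo must verify."""
    if build_signed_info(envelope_xml, xpaths) != signed_info:
        return "digest mismatch: a signed element changed in transit"
    expected = hmac.new(key, signed_info.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(signature_value)):
        return "bad SignatureValue: SignedInfo altered or wrong key"
    return "ok"

if __name__ == "__main__":
    si, sv = sign(SAMPLE_ENVELOPE, [".//soap:Body"])
    print(verify(SAMPLE_ENVELOPE, [".//soap:Body"], si, sv))
    print(verify(SAMPLE_ENVELOPE.replace("42", "43"), [".//soap:Body"], si, sv))
```

Adding a second XPath only adds one more Reference digest; the HMAC over SignedInfo is still computed once, which is the cost the reply describes.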