Posted: Sun Jan 03, 2021 9:18 pm Post subject: Digital Signature with multiple signed parts
Novice
Joined: 18 Feb 2013 Posts: 11
Hi,
I am using IIB 10.0.0.15 on z/OS and need to digitally sign the message body and WS-Addressing fields in a SOAP message.
I have frequently used policy sets to digitally sign the body of a message in IIB, so I know how to do that. I read the manual and believe I worked out how to sign the various parts; however, the final SOAP message doesn't come out how I would expect, and I am wondering if there is a specific way I need to set the policy set and policy set binding in order to change that.
Normally when I sign a message (using something other than IIB) where more than one part needs to be signed, I add that part as a reference. Each reference has a calculated digest and a single digital signature is created, like this:
Code:
<Security>
  <BinarySecurityToken>[Raw client certificate]</BinarySecurityToken>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod/>
      <ds:SignatureMethod/>
      <ds:Reference URI="#1">
        various stuff....
      </ds:Reference>
      <ds:Reference URI="#2">
        various stuff....
      </ds:Reference>
      <ds:Reference URI="#3">
        various stuff....
      </ds:Reference>
      <ds:Reference URI="#4">
        various stuff....
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>[Generated hash]</ds:SignatureValue>
    <ds:KeyInfo Id="whatever">
      various stuff...
    </ds:KeyInfo>
  </ds:Signature>
</Security>
However, what I am actually getting is very different. I get a binary security token entry for each part I am signing (they all use the same token, so it is just the same one repeated), then I get a full signature element for each part that contains just one reference.
The way I did it was to define an alias in the SOAPRequest node for each part in the WS-Extensions tab, then refer to them in the MessagePart/Aliases section of the policy set. Then in the policy set binding I added them into the Message Part Policy/Message Part Signature policies.
Since it asks for a sequence, I tried setting them to unique values and also setting them all the same in case this would put them into the same signature, but it did not.
Can anyone who has done this successfully point me in the right direction?
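As an added example (not from the original post and not IIB's own code), the following Python script parses the wsse:Security header of a SOAP envelope and reports whether the parts are covered by one Signature with several References, the expected shape above, or by a separate Signature and BinarySecurityToken per part, the observed shape. The sample envelopes, their wsu:Id values and the placeholder digest and signature values are constructed for the example; the script inspects structure only and performs no cryptographic verification. The distinction matters beyond tidiness: with one SignatureValue over all References, the body and the addressing headers are bound to each other, whereas four independent signatures each verify on their own and nothing ties a signed body to a particular signed header.

```python
"""Report how the Signatures in a wsse:Security header cover the signed parts.

Added example for this thread; not IIB code and not from the original post.
All SOAP messages it checks are constructed here with placeholder digest and
signature values, so the check is structural only."""
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed part ids: the Body plus three WS-Addressing headers.
PARTS = ["addr-to", "addr-action", "addr-msgid", "body"]
REQUIRED_TAGS = frozenset({
    "{%s}Body" % NS["soapenv"],
    "{%s}To" % NS["wsa"],
    "{%s}Action" % NS["wsa"],
    "{%s}MessageID" % NS["wsa"],
})


def _reference(part_id):
    # One ds:Reference per signed part (digest value is a placeholder).
    return (f'<ds:Reference URI="#{part_id}">'
            '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
            '<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>')


def _signature(index, part_ids):
    # One BinarySecurityToken plus one ds:Signature that points at it via KeyInfo.
    refs = "".join(_reference(p) for p in part_ids)
    return (f'<wsse:BinarySecurityToken wsu:Id="cert-{index}">PLACEHOLDER-CERT'
            '</wsse:BinarySecurityToken><ds:Signature><ds:SignedInfo>'
            '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
            '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
            f'{refs}</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>'
            f'<ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#cert-{index}"/>'
            '</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>')


def build_message(signature_groups):
    """Build a constructed SOAP envelope. Each inner list becomes one
    ds:Signature with one ds:Reference per part id, and every Signature gets
    its own BinarySecurityToken (the shape the post describes seeing)."""
    security = "".join(_signature(i, g) for i, g in enumerate(signature_groups))
    return (
        f'<soapenv:Envelope xmlns:soapenv="{NS["soapenv"]}" xmlns:wsse="{NS["wsse"]}" '
        f'xmlns:wsu="{NS["wsu"]}" xmlns:ds="{NS["ds"]}" xmlns:wsa="{NS["wsa"]}">'
        '<soapenv:Header>'
        '<wsa:To wsu:Id="addr-to">https://service.example/endpoint</wsa:To>'
        '<wsa:Action wsu:Id="addr-action">urn:example:ping</wsa:Action>'
        '<wsa:MessageID wsu:Id="addr-msgid">urn:uuid:constructed-0001</wsa:MessageID>'
        f'<wsse:Security>{security}</wsse:Security>'
        '</soapenv:Header>'
        '<soapenv:Body wsu:Id="body"><Ping/></soapenv:Body>'
        '</soapenv:Envelope>'
    )


def check_signed_parts(soap_xml, required_tags=REQUIRED_TAGS):
    """Summarise how the message's Signatures cover the required parts."""
    root = ET.fromstring(soap_xml)
    ids = {}
    for el in root.iter():
        if el.get(WSU_ID) is not None:
            ids.setdefault(el.get(WSU_ID), []).append(el.tag)
    security = root.find("soapenv:Header/wsse:Security", NS)
    signatures = [] if security is None else [
        [ref.get("URI", "") for ref in sig.findall("ds:SignedInfo/ds:Reference", NS)]
        for sig in security.findall("ds:Signature", NS)]
    tokens = [] if security is None else security.findall("wsse:BinarySecurityToken", NS)
    referenced = {u[1:] for uris in signatures for u in uris if u.startswith("#")}
    required = [el for el in root.iter() if el.tag in required_tags]
    return {
        "signature_count": len(signatures),
        "references_per_signature": [len(s) for s in signatures],
        "token_count": len(tokens),
        # Duplicate wsu:Id values make "#id" references ambiguous.
        "duplicate_ids": sorted(i for i, tags in ids.items() if len(tags) > 1),
        # References whose target Id does not exist anywhere in the message.
        "dangling_references": sorted(r for r in referenced if r not in ids),
        # Required parts that no Signature covers (missing Id counts as unsigned).
        "unsigned_required_parts": sorted(
            el.tag for el in required if el.get(WSU_ID) not in referenced),
        # True only when a single SignatureValue binds every required part.
        "single_signature_covers_all": len(signatures) == 1 and all(
            el.get(WSU_ID) in referenced for el in required),
    }


if __name__ == "__main__":
    print("one signature, four references:", check_signed_parts(build_message([PARTS])))
    print("one signature per part:", check_signed_parts(build_message([[p] for p in PARTS])))
```

Run it as-is to see both shapes side by side; to check a real message, pass the envelope text from a trace or a captured request into check_signed_parts() and look at signature_count, references_per_signature and single_signature_covers_all.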