Web Services Security - Yash-777/Axis1x_Soap GitHub Wiki
X509 certificate: oracle.security.xmlsec.wss.x509.X509BinarySecurityToken (WSS)

Variations | Keys |
---|---|
Single v3 certificate | Public key inside certificate |
Chain of certificates in PKIPath format | Private key associated with certificate |
Chain of certificates in PKCS7 format | |
The wsse:SecurityTokenReference element contains a wsse:KeyIdentifier element that specifies the token data by means of an X.509 SubjectKeyIdentifier reference. A subject key identifier may only be used to reference an X.509v3 certificate.
Since the ds:KeyInfo element contains only a mutable reference to the certificate rather than the certificate itself, a transformation is specified which replaces the reference with the certificate it points to. The ds:KeyInfo element specifies the signing key by means of a wsse:SecurityTokenReference element, which contains a wsse:KeyIdentifier element carrying the X.509 subject key identifier of the signing certificate.
```xml
<ds:KeyInfo Id="keyinfo">
  <wsse:SecurityTokenReference>
    <wsse:KeyIdentifier EncodingType="...#Base64Binary" ValueType="...#X509SubjectKeyIdentifier">MIGfMa0GCSq…</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>
```
3.2.2 Reference to a Security Token [public certificates must be included as BinarySecurityToken inside your message]
The wsse:SecurityTokenReference element contains a wsse:Reference element that references a local wsse:BinarySecurityToken element or a remote data source that contains the token data itself.
The wsse:Reference element is used to reference an X.509 security token value by means of a URI reference. The URI reference MAY be internal in which case the URI reference SHOULD be a bare name XPointer reference to a wsse:BinarySecurityToken element contained in a preceding message header that contains the binary X.509 security token data.
The certificate is included in the wsse:Security header as a wsse:BinarySecurityToken element with identifier X509BinaryToken. The scope of the signature, defined by a ds:Reference element within the ds:SignedInfo element, includes the signing certificate, which is referenced by means of the URI bare name pointer #X509BinaryToken.
```xml
<wsse:BinarySecurityToken wsu:Id="X509BinaryToken" ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary"> ... public certificate ... </wsse:BinarySecurityToken>
<ds:KeyInfo>
  <wsse:SecurityTokenReference>
    <wsse:Reference URI="#X509BinaryToken" />
  </wsse:SecurityTokenReference>
</ds:KeyInfo>
```
The wsse:SecurityTokenReference element contains a ds:X509Data element that contains a ds:X509IssuerSerial element that uniquely identifies an end entity certificate by its X.509 Issuer and Serial Number.
The ds:X509IssuerSerial element is used to specify a reference to an X.509 security token by means of the certificate issuer name and serial number. The ds:X509IssuerSerial element is a direct child of the ds:X509Data element that is in turn a direct child of the wsse:SecurityTokenReference element in which the reference is made.
The ds:KeyInfo element contains a wsse:SecurityTokenReference element which specifies the issuer and serial number of the specified certificate by means of the ds:X509IssuerSerial element.
```xml
<ds:KeyInfo Id="keyinfo">
  <wsse:SecurityTokenReference>
    <ds:X509Data>
      <ds:X509IssuerSerial>
        <ds:X509IssuerName>DC=ACMECorp, DC=com</ds:X509IssuerName>
        <ds:X509SerialNumber>12345678</ds:X509SerialNumber>
      </ds:X509IssuerSerial>
    </ds:X509Data>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>
```
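The three reference forms above (SubjectKeyIdentifier, bare-name Reference to a BinarySecurityToken, and X509IssuerSerial) all have to be resolved by the receiver to one certificate it already trusts before the signature is checked. The script below, an added example that is not part of this wiki or the Axis1x_Soap project, resolves each form against a constructed trust store; the certificate attributes, DER bytes and header content are made-up sample values, and a real receiver would take the SKI, issuer and serial from the parsed X.509 certificate instead of a dictionary.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed trust store (hypothetical values): attributes the receiver already extracted
# from each certificate it is willing to accept as a signing certificate.
KNOWN_CERTS = [
    {"name": "acme-signer", "ski": b"\x01\x02\x03", "issuer": "DC=ACMECorp, DC=com", "serial": 12345678, "der": b"DER-ACME"},
    {"name": "other-cert", "ski": b"\xaa\xbb", "issuer": "DC=Other, DC=com", "serial": 12345678, "der": b"DER-OTHER"},
]

def resolve_str(header, str_elem):
    """Map one wsse:SecurityTokenReference to a KNOWN_CERTS entry, or None if it names no known cert."""
    kid = str_elem.find("wsse:KeyIdentifier", NS)
    if kid is not None and kid.get("ValueType", "").endswith("#X509SubjectKeyIdentifier"):
        ski = base64.b64decode(kid.text.strip())            # X.509 SubjectKeyIdentifier bytes
        return next((c for c in KNOWN_CERTS if c["ski"] == ski), None)
    ref = str_elem.find("wsse:Reference", NS)
    if ref is not None and ref.get("URI", "").startswith("#"):
        wanted = ref.get("URI")[1:]                           # bare-name XPointer -> wsu:Id in this header
        for bst in header.iterfind(".//wsse:BinarySecurityToken", NS):
            if bst.get("{%s}Id" % NS["wsu"]) == wanted:
                der = base64.b64decode(bst.text.strip())    # sender-supplied: must match a known cert
                return next((c for c in KNOWN_CERTS if c["der"] == der), None)
        return None
    iss = str_elem.find("ds:X509Data/ds:X509IssuerSerial", NS)
    if iss is not None:                                     # issuer AND serial must match together
        name = iss.findtext("ds:X509IssuerName", namespaces=NS).strip()
        serial = int(iss.findtext("ds:X509SerialNumber", namespaces=NS))
        return next((c for c in KNOWN_CERTS if (c["issuer"], c["serial"]) == (name, serial)), None)
    return None

def resolve_all(header_xml):
    """Trust-store name (or None) for every ds:KeyInfo reference in a wsse:Security header."""
    header = ET.fromstring(header_xml)
    return [(resolve_str(header, s) or {}).get("name") for s in header.iterfind(".//ds:KeyInfo/wsse:SecurityTokenReference", NS)]

def b64(raw):
    return base64.b64encode(raw).decode()
# Constructed sample header exercising all three reference forms, plus one issuer/serial mismatch.
SAMPLE_HEADER = f"""<wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
<wsse:BinarySecurityToken wsu:Id="X509BinaryToken" ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary">{b64(b'DER-ACME')}</wsse:BinarySecurityToken>
<ds:KeyInfo><wsse:SecurityTokenReference><wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">{b64(KNOWN_CERTS[0]['ski'])}</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo>
<ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509BinaryToken"/></wsse:SecurityTokenReference></ds:KeyInfo>
<ds:KeyInfo><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>DC=ACMECorp, DC=com</ds:X509IssuerName><ds:X509SerialNumber>12345678</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo>
<ds:KeyInfo><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>DC=Unknown, DC=com</ds:X509IssuerName><ds:X509SerialNumber>12345678</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo>
</wsse:Security>"""
```

`resolve_all(SAMPLE_HEADER)` yields the same trusted certificate for the first three references and None for the last one, whose serial number matches a known certificate but whose issuer does not; a BinarySecurityToken carrying a certificate absent from the trust store resolves to None as well.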