Chapter 8 describes the SOAP protocol framework. The W3C Note [SOAP-Sec] specifies a method for including XML digital signatures in SOAP messages. As you might expect from the generality of the SOAP syntax, the method is also fairly general. Limitations would likely be found in further profiling for specific applications based on SOAP.

The [SOAP-Sec] document accomplishes this goal by providing a SOAP Signature element so that an application can freely include it as a SOAP Header Block. This element has as its content a single XML digital signature and may have the additional attributes of SOAP blocks as well. Also, SOAP defines a global "id" attribute that applications can use in elements to be signed; as a consequence, they can be conveniently cited in XMLDSIG Reference elements. See the following schema definition:

 Schema definition: <schema   xmlns="http://www.w3.org/1999/XMLSchema"   xmlns:SOAP-SEC=     "http://schemas.xmlsoap.org/soap/security/2000-12"   targetNamespace=     "http://schemas.xmlsoap.org/soap/security/2000-12"   xmlns:ds="http://www.w3.org/2000/09/xmldsig#"   xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">   <import namespace="http://www.w3.org/2000/09/xmldsig#"/>   <import    namespace="http://schemas.xmlsoap.org/soap/envelope/"/>   <element name="Signature" final="restriction">     <complexType>       <sequence>         <element ref="ds:Signature" minOccurs="1"                                     maxOccurs="1"/>       </sequence>       <attribute name="id" type="ID" use="optional"/>       <attribute ref="env:actor" use="optional"/>       <attribute ref="env:mustUnderstand" use="optional"/>     </complexType>   </element>   <attribute name="id" type="ID"/> </schema> 

11.2.1 Processing Rules

The SOAP application signature profile provides the following rules and recommendations:

  1. Multiple SOAP signature blocks are permissible in a SOAP header and may sign separate or overlapping elements.

  2. All XMLDSIG Reference elements must point to material within the enclosing SOAP Envelope element or within the enclosing SOAP message package.

  3. A SOAP application receiving a SOAP message with SOAP signature blocks addressed to it either explicitly or because it is the final destination must examine the SOAP signature. If the "mustUnderstand" attribute is set or the application chooses to do so, it attempts to validate the signature. Depending on the particular application, SOAP may report a signature failure to the sender.

  4. Canonicalization is performed in context. That is, if inclusive canonicalization is carried out, SignedInfo will have at least the SOAP envelope and security namespace declarations.

  5. Because SOAP intermediaries can add to, delete from, or reorder blocks in a SOAP message, you must take care in using XPath or the like to avoid brittle signatures that will break due to insignificant changes of this sort.

11.2.2 SOAP Signature Example

Example 11-3 shows a SOAP Envelope with a signature in it.

Example 11-3 SOAP signature
 <env:Envelope   xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">   <env:Header>     <SOAP-SEC:Signature       xmlns:SOAP-SEC=         "http://schemas.xmlsoap.org/soap/security/2000-12"       env:actor="http://foo.example/bar"       env:mustUnderstand="1">       <ds:Signature         xmlns:ds="http://www.w3.org/2000/09/xmldsig#">         <ds:SignedInfo>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2000/CR-xml-c14n-20001026"/>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>           <ds:Reference URI="#Body">             <ds:Transforms>               <ds:Transform Algorithm="http://www.w3.org/TR/2000/CR-xml-c14n-20001026"/>             </ds:Transforms>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>             <ds:DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=             </ds:DigestValue>           </ds:Reference>         </ds:SignedInfo>         <ds:SignatureValue>           rMzv774yMoCLi8kHB23q6rva2hs5Ore           amqFwcFDg4AaXl0qhoYQGBg==         </ds:SignatureValue>       </ds:Signature>     </SOAP-SEC:Signature>   </env:Header>   <env:Body    SOAP-SEC:    xmlns:SOAP-SEC=    "http://schemas.xmlsoap.org/soap/security/2000-12">     <m:GetLastTradePrice       xmlns:m="http://example.com/trade">       <m:symbol>EXAMPLE</m:symbol>     </m:GetLastTradePrice>   </env:Body> </env:Envelope> 

Secure XML(c) The New Syntax for Signatures and Encryption
Secure XML: The New Syntax for Signatures and Encryption
ISBN: 0201756056
EAN: 2147483647
Year: 2005
Pages: 186

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net