robrichards / wse-php

Libraries for adding WS-* support to ext/soap in PHP

Derived Key support #9

Open robrichards opened 9 years ago

robrichards commented 9 years ago

Hello!

I know that you maintain the wonderful xmlseclibs library, which I am currently using.

I have a question about it; maybe you could help me find a proper solution.

Here is the problem:

This is the WS-POLICY for the service:

<wsp:Policy wsu:Id="CustomBinding_IServiceCustomer_policy">
<wsp:ExactlyOne>
  <wsp:All>
    <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <sp:ProtectionToken>
          <wsp:Policy>
            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
              <wsp:Policy>
                <sp:RequireDerivedKeys/>
                <sp:RequireThumbprintReference/>
                <sp:WssX509V3Token10/>
              </wsp:Policy>
            </sp:X509Token>
          </wsp:Policy>
        </sp:ProtectionToken>
        <sp:AlgorithmSuite>
          <wsp:Policy>
            <sp:Basic128Rsa15/>
          </wsp:Policy>
        </sp:AlgorithmSuite>
        <sp:Layout>
          <wsp:Policy>
            <sp:Strict/>
          </wsp:Policy>
        </sp:Layout>
        <sp:IncludeTimestamp/>
        <sp:OnlySignEntireHeadersAndBody/>
      </wsp:Policy>
    </sp:SymmetricBinding>
    <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
          <wsp:Policy>
            <sp:RequireThumbprintReference/>
            <sp:WssX509V3Token10/>
          </wsp:Policy>
        </sp:X509Token>
      </wsp:Policy>
    </sp:EndorsingSupportingTokens>
    <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <sp:MustSupportRefThumbprint/>
        <sp:MustSupportRefEncryptedKey/>
        <sp:RequireSignatureConfirmation/>
      </wsp:Policy>
    </sp:Wss11>
    <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <sp:MustSupportIssuedTokens/>
        <sp:RequireClientEntropy/>
        <sp:RequireServerEntropy/>
      </wsp:Policy>
    </sp:Trust10>
    <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <sp:TransportToken>
          <wsp:Policy>
            <sp:HttpsToken RequireClientCertificate="false"/>
          </wsp:Policy>
        </sp:TransportToken>
        <sp:AlgorithmSuite>
          <wsp:Policy>
            <sp:Basic256/>
          </wsp:Policy>
        </sp:AlgorithmSuite>
        <sp:Layout>
          <wsp:Policy>
            <sp:Strict/>
          </wsp:Policy>
        </sp:Layout>
        <sp:IncludeTimestamp/>
      </wsp:Policy>
    </sp:TransportBinding>
    <wsaw:UsingAddressing/>
  </wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>

The problem is the following:

According to the POLICY (RequireDerivedKeys), the user needs two DerivedKeyTokens (one for signing, the other for encrypting). Unfortunately, soap-wsse.php lacks this functionality, so I added my own functions to cover it. To create the keys, I use the following P_SHA1 function: http://stackoverflow.com/questions/19590675/implementation-of-p-sha1-algorithm-in-php

According to the POLICY (EndorsingSupportingTokens), we need to sign the already created signature. This is also missing in soap-wsse.php. I created my own function for that, but I'm not sure it works correctly.

As a result, I receive the following response after I send the generated XML:

CryptographicException: Unable to resolve the '#...' URI in the signature to compute the digest.

Can you please help me with those tokens? Would you find it reasonable to add support for DerivedKeyToken to your class?

Thank you!
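For reference, this is how the P_SHA1 derivation that a <wsc:DerivedKeyToken> refers to works, as an added example in PHP. It is not code from wse-php or from the issue author; it implements the derivation described in WS-SecureConversation 1.3 §7 (P_SHA1 over label + nonce, then the <wsc:Offset>/<wsc:Length> window). The secret, nonces, the default label and the 16-byte length (what a Basic128 algorithm suite derives for both its signature and encryption keys) are assumptions made here for illustration; the label and length must match what the service expects. Requires PHP 7+ for random_bytes().

```php
<?php
// Added example (not part of wse-php or the issue author's code): the
// P_SHA1 key derivation WS-SecureConversation uses for <wsc:DerivedKeyToken>.
// Assumes the shared secret is the raw symmetric key that was wrapped in the
// <xenc:EncryptedKey>, and that label and nonce are the raw (base64-decoded)
// values carried in the token.

/**
 * TLS 1.0-style P_SHA1 pseudo-random function (RFC 2246 §5), as referenced
 * by WS-SecureConversation 1.3 §7:
 *   A(0) = seed, A(i) = HMAC_SHA1(secret, A(i-1))
 *   P_SHA1 = HMAC_SHA1(secret, A(1) . seed) . HMAC_SHA1(secret, A(2) . seed) ...
 */
function p_sha1(string $secret, string $seed, int $length): string
{
    $a = $seed;
    $out = '';
    while (strlen($out) < $length) {
        $a = hash_hmac('sha1', $a, $secret, true);
        $out .= hash_hmac('sha1', $a . $seed, $secret, true);
    }
    return substr($out, 0, $length);
}

/**
 * Derive the key a <wsc:DerivedKeyToken> refers to.
 *
 * $secret      raw bytes of the EncryptedKey's symmetric key
 * $nonce       raw bytes of <wsc:Nonce> (the element carries them base64-encoded)
 * $length      <wsc:Length> in bytes (spec default 32; Basic128 suites use 16)
 * $offset      <wsc:Offset> in bytes (spec default 0)
 * $generation  <wsc:Generation>; when present, offset = generation * length
 * $label       <wsc:Label>; each party's default label is "WS-SecureConversation",
 *              so the concatenation below is the usual default when no label is
 *              sent (assumption: verify against the service you talk to)
 */
function derive_key(
    string $secret,
    string $nonce,
    int $length = 32,
    int $offset = 0,
    ?int $generation = null,
    string $label = 'WS-SecureConversationWS-SecureConversation'
): string {
    if ($generation !== null) {
        $offset = $generation * $length;
    }
    // Generate offset + length bytes of keystream and take the last $length bytes.
    $stream = p_sha1($secret, $label . $nonce, $offset + $length);
    return substr($stream, $offset, $length);
}

// Constructed sample values (not from any real exchange): a 16-byte secret and
// one fresh nonce per DerivedKeyToken. Distinct nonces give independent signing
// and encryption keys even when both tokens use offset 0.
$secret   = random_bytes(16);
$sigNonce = random_bytes(16);
$encNonce = random_bytes(16);

$sigKey = derive_key($secret, $sigNonce, 16); // HMAC-SHA1 key for the signature
$encKey = derive_key($secret, $encNonce, 16); // AES-128 key for the body

printf("sig key: %s\nenc key: %s\n", bin2hex($sigKey), bin2hex($encKey));

// Sanity checks: the two keys differ, and a peer recomputing from the same
// secret, label and nonce obtains identical bytes.
assert($sigKey !== $encKey);
assert(derive_key($secret, $sigNonce, 16) === $sigKey);
```

When building the tokens, the <wsc:Nonce> element gets base64_encode($sigNonce) and base64_encode($encNonce) respectively, while the derivation above consumes the raw bytes; mixing the two encodings is a common reason a recipient computes a different key.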

robrichards commented 9 years ago

@griga3k Can you try the code from the derived_key branch? In your function, can you add the following directly after the call to $objWSSE->finalChangesDKT();

file_put_contents("derivkey.xml", $objWSSE->saveXML());

Tar that up and send it to me. I need to see what your document looks like before transmission to work on the URI issue. If you happen to have the raw XML, which you can get by doing the same at the beginning of the function, that would also be helpful.

griga3k commented 9 years ago

@robrichards I did as requested. Here is the XML I generated and a working sample XML that I received from their support team: https://gist.github.com/anonymous/3075eb734ef408240a39

Thank you!

griga3k commented 9 years ago

Maybe you need more information?

robrichards commented 9 years ago

@griga3k hoping to get some time this week to look more into it

griga3k commented 9 years ago

@robrichards Can I help you somehow to speed up the process?

robrichards commented 9 years ago

@griga3k I just need to find some time. 3 more weeks until I free up a little

griga3k commented 9 years ago

@robrichards Hey! How is it going? :) Any progress on this or news? Thanks!

griga3k commented 8 years ago

@robrichards Hello! Sorry to bother you again, but do you know if my problem can be solved? Maybe you can give me some hints on how to accomplish this with your library.

griga3k commented 7 years ago

@robrichards Hi! Is there any chance that we will achieve results? Thanks!

christiandavilakoobin commented 5 years ago

@robrichards Hi! Are there any plans to implement DerivedKeyToken support? Thanks!

robrichards commented 5 years ago

I need to find a working system that uses derived keys to be able to move forward on this.