Wednesday, July 7, 2010

Anatomy of a signed SOAP message

I will explain a WSS signed web service SOAP message,signed using a X509 certificate.

The sample signed message is:

The following illustrates the anatomy of the message
1. SignedInfo

The SignedInfo element describes the signed content of the message.

1.1. CanonicalizationMethod
The element CanonicalizationMethod is used to describe the canonicalization algorithm used on the xml for the generation of the digest.
1.2. SignatureMethod
The element SignatureMethod is used to describe the algorithm used for the generation of the SignatureValue from the output of the canonicalization algorithm.
1.3. Reference
The optional URI attribute for Reference element identifies the data object that was signed.

In the above case the body is being signed thus the URI attribute refers to the soap body.
Transform Algorithm indicates the transformation algorithm. I still need to understand why do we need a duplicate of the canonicalization algortithm?
DigestMethod Algorithm indicates the algorithm used to generate the digest value and DigestValue contains the computed digest value.
SignatureValue contain the signature value, which is actually the encrypted digest value. This value is the output of the Signature Method Algorithm indicated

The signed data contain a core bare name reference (as defined by the XPointer specification [XPointer]) to the element that contains the security token referenced, or a core reference to the external data source containing the security token.
In this example the BinarySecurityToken contains the Base64Encoded public key that can be used for verification.

The signed content was created using a Microsoft file (.pfx) containing x509 certificates. The public key can be regenerated using the BinarySecurityToken element.
Sample code to generate .cer from BinarySecurityToken

// from tag BinarySecurityToken

public static int decode(char c) {
if (c >= 'A' && c <= 'Z')
return c - 65;
else if (c >= 'a' && c <= 'z')
return c - 97 + 26;
else if (c >= '0' && c <= '9')
return c - 48 + 26 + 26;
switch (c) {
case '+':
return 62;
case '/':
return 63;
case '=':
return 0;
throw new RuntimeException(
new StringBuffer("unexpected code: ").append(c)

public static byte[] decode(String s) {

int i = 0;
ByteArrayOutputStream bos = new ByteArrayOutputStream();
int len = s.length();

while (true) {
while (i < len && s.charAt(i) <= ' ')

if (i == len)

int tri = (decode(s.charAt(i)) << 18)
+ (decode(s.charAt(i + 1)) << 12)
+ (decode(s.charAt(i + 2)) << 6)
+ (decode(s.charAt(i + 3)));

bos.write((tri >> 16) & 255);
if (s.charAt(i + 2) == '=')
bos.write((tri >> 8) & 255);
if (s.charAt(i + 3) == '=')
bos.write(tri & 255);

i += 4;
return bos.toByteArray();

public static void main(String[] args) throws Exception {
byte[] back = decode(b64Str);
OutputStream out = new FileOutputStream("aa.cer");
//perform your exception handling

4. KeyInfo

In order to ensure a consistent processing model across all the token types supported by WSS: SOAP Message
Security, the element specify all references to X.509 token types in signature or encryption elements that comply with this profile.
The element contains a element that specifies the token data by means of a X.509 SubjectKeyIdentifier reference.


Abiye said...

The informations are so lovely and so usefull so thank you very much. Be sure i will use all of them keeping in my mind.Have a goog luck.

Angelo said...

Hello, Look at this blog, we provide another example of how to do that.