Genivia Home Documentation
wsseapi.c File Reference

updated Mon May 13 2024 by Robert van Engelen
 
Classes | Macros | Functions | Variables
wsseapi.c File Reference
#include "wsseapi.h"
#include "threads.h"
Include dependency graph for wsseapi.c:

Classes

struct  soap_wsse_session
 Digest authentication session data. More...
 

Macros

#define SOAP_WSSE_MAX_REF   (100)
 
#define SOAP_WSSE_CLKSKEW   (300)
 
#define SOAP_WSSE_NONCELEN   (20)
 
#define SOAP_WSSE_NONCETIME   (SOAP_WSSE_CLKSKEW + 240)
 

Functions

static char * soap_wsse_ids (struct soap *soap, const char *tags, int sub)
 converts tag name(s) to id name(s). More...
 
static int soap_wsse_session_verify (struct soap *soap, const char hash[SOAP_SMD_SHA1_SIZE], const char *created, const char *nonce)
 Verifies and updates the digest, nonce, and creation time against the digest authentication session database to prevent replay attacks. More...
 
static void soap_wsse_session_cleanup (struct soap *soap)
 Removes expired authentication data from the digest authentication session database. More...
 
static void calc_digest (struct soap *soap, const char *created, const char *nonce, int noncelen, const char *password, char hash[SOAP_SMD_SHA1_SIZE])
 Calculates digest value SHA1(created, nonce, password). More...
 
static int soap_wsse_init (struct soap *soap, struct soap_wsse_data *data, const void *(*arg)(struct soap *, int *, const char *, const unsigned char *, int, int *))
 
static int soap_wsse_copy (struct soap *soap, struct soap_plugin *dst, struct soap_plugin *src)
 Copies plugin data to localize plugin data for threads. More...
 
static void soap_wsse_delete (struct soap *soap, struct soap_plugin *p)
 Deletes plugin data. More...
 
static int soap_wsse_preparesend (struct soap *soap, const char *buf, size_t len)
 Takes a piece of the XML message (tokenized) to compute digest. More...
 
static int soap_wsse_preparefinalsend (struct soap *soap)
 Collects the digests of all the wsu:Id elements and populates the SignedInfo. More...
 
static void soap_wsse_preparecleanup (struct soap *soap, struct soap_wsse_data *data)
 Restores engine state. More...
 
static int soap_wsse_preparefinalrecv (struct soap *soap)
 Verify signature and SignedInfo digests initiated with soap_wsse_verify_auto. More...
 
static int soap_wsse_element_begin_in (struct soap *soap, const char *tag)
 This callback is invoked as soon as a starting tag of an element is received by the XML parser. More...
 
static int soap_wsse_element_end_in (struct soap *soap, const char *tag1, const char *tag2)
 This callback is invoked as soon as an ending tag of an element is received by the XML parser. More...
 
static int soap_wsse_element_begin_out (struct soap *soap, const char *tag, int id, const char *type)
 This callback is invoked as soon as a starting tag of an element is to be sent by the XML generator. More...
 
static int soap_wsse_element_end_out (struct soap *soap, const char *tag)
 This callback is invoked as soon as an ending tag of an element is to be sent by the XML generator. More...
 
static size_t soap_wsse_verify_nested (struct soap *soap, struct soap_dom_element *dom, const char *URI, const char *tag)
 Counts signed matching elements from the dom node and down. More...
 
static int soap_p_hash (struct soap *soap, const char *hmac_key, size_t hmac_key_len, const char *secret, size_t secretlen, int alg, char HA[], size_t HA_len, char temp[], char *phash, size_t phashlen)
 Computes hash(hmac_key[0..hmac_key_len-1], secret[0..secretlen-1], HA[0..HA_len-1]) given algorithm alg. More...
 
SOAP_FMAC1 struct _wsse__Security *SOAP_FMAC2 soap_wsse_add_Security (struct soap *soap)
 Adds Security header element. More...
 
SOAP_FMAC1 struct _wsse__Security *SOAP_FMAC2 soap_wsse_add_Security_actor (struct soap *soap, const char *actor)
 Adds Security header element with actor or role attribute. More...
 
SOAP_FMAC1 void SOAP_FMAC2 soap_wsse_delete_Security (struct soap *soap)
 Deletes Security header element. More...
 
SOAP_FMAC1 struct _wsse__Security *SOAP_FMAC2 soap_wsse_Security (struct soap *soap)
 Returns Security header element if present. More...
 
SOAP_FMAC1 struct ds__SignatureType *SOAP_FMAC2 soap_wsse_add_Signature (struct soap *soap)
 Adds Signature header element. More...
 
SOAP_FMAC1 void SOAP_FMAC2 soap_wsse_delete_Signature (struct soap *soap)
 Deletes Signature header element. More...
 
SOAP_FMAC1 struct ds__SignatureType *SOAP_FMAC2 soap_wsse_Signature (struct soap *soap)
 Returns Signature header element if present. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_Timestamp (struct soap *soap, const char *id, time_t lifetime)
 Adds Timestamp element with optional expiration date+time (lifetime). More...
 
SOAP_FMAC1 struct _wsu__Timestamp *SOAP_FMAC2 soap_wsse_Timestamp (struct soap *soap)
 Returns Timestamp element if present. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_Timestamp (struct soap *soap)
 Verifies the Timestamp/Expires element against the current time. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_UsernameTokenText (struct soap *soap, const char *id, const char *username, const char *password)
 Adds UsernameToken element with optional clear-text password. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_UsernameTokenDigest (struct soap *soap, const char *id, const char *username, const char *password)
 Adds UsernameToken element for digest authentication. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_UsernameTokenDigest_at (struct soap *soap, const char *id, const char *username, const char *password, time_t when)
 Adds UsernameToken element for digest authentication. More...
 
SOAP_FMAC1 struct _wsse__UsernameToken *SOAP_FMAC2 soap_wsse_UsernameToken (struct soap *soap, const char *id)
 Returns UsernameToken element if present. More...
 
SOAP_FMAC1 const char *SOAP_FMAC2 soap_wsse_get_Username (struct soap *soap)
 Returns UsernameToken/username string or wsse:FailedAuthentication fault. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_Password (struct soap *soap, const char *password)
 Verifies the supplied password or sets wsse:FailedAuthentication fault. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_BinarySecurityToken (struct soap *soap, const char *id, const char *valueType, const unsigned char *data, int size)
 Adds BinarySecurityToken element. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_BinarySecurityTokenX509 (struct soap *soap, const char *id, X509 *cert)
 Adds BinarySecurityToken element with X509 certificate. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_BinarySecurityTokenPEM (struct soap *soap, const char *id, const char *filename)
 Adds BinarySecurityToken element from a PEM file. More...
 
SOAP_FMAC1 struct _wsse__BinarySecurityToken *SOAP_FMAC2 soap_wsse_BinarySecurityToken (struct soap *soap, const char *id)
 Returns BinarySecurityToken element if present. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_get_BinarySecurityToken (struct soap *soap, const char *id, char **valueType, unsigned char **data, int *size)
 Get wsse:BinarySecurityToken element token data in binary form. More...
 
SOAP_FMAC1 X509 *SOAP_FMAC2 soap_wsse_get_BinarySecurityTokenX509 (struct soap *soap, const char *id)
 Get X509 wsse:BinarySecurityToken certificate and verify its content. This call must be followed by an X509_free to deallocate the X509 certificate data. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_X509 (struct soap *soap, X509 *cert)
 Verifies X509 certificate against soap->cafile, soap->capath, and soap->crlfile. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_SecurityContextToken (struct soap *soap, const char *id, const char *identifier)
 Adds wsc:SecurityContextToken/Identifier and SecurityTokenReference to it. More...
 
SOAP_FMAC1 const char *SOAP_FMAC2 soap_wsse_get_SecurityContextToken (struct soap *soap)
 Returns wsc:SecurityContextToken/Identifier string value or NULL. More...
 
SOAP_FMAC1 struct ds__SignedInfoType *SOAP_FMAC2 soap_wsse_add_SignedInfo (struct soap *soap)
 Adds SignedInfo element. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_SignedInfo_Reference (struct soap *soap, const char *URI, unsigned int level, const char *transform, const char *prefixlist, int alg, const char *HA)
 Adds SignedInfo element with Reference URI, transform algorithm used, and digest value. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_SignedInfo_SignatureMethod (struct soap *soap, const char *method, int canonical)
 Adds SignedInfo element with SignatureMethod. More...
 
SOAP_FMAC1 struct ds__SignedInfoType *SOAP_FMAC2 soap_wsse_SignedInfo (struct soap *soap)
 Returns SignedInfo element if present. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_get_SignedInfo_SignatureMethod (struct soap *soap, int *alg, int *bits)
 Get SignatureMethod algorithm. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_SignatureValue (struct soap *soap, int alg, const void *key, int keylen)
 Adds SignedInfo/SignatureMethod element, signs the SignedInfo element, and adds the resulting SignatureValue element. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_Signature (struct soap *soap)
 Verifies the Signature and the signed elements. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_SignatureValue (struct soap *soap, int alg, const void *key, int keylen)
 Verifies the SignatureValue of a SignedInfo element. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_SignedInfo (struct soap *soap)
 Verifies the digest values of the XML elements referenced by the SignedInfo References. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_digest (struct soap *soap, int alg, int canonical, const char *id, unsigned char hash[SOAP_SMD_MAX_SIZE])
 Verifies the digest value of an XML element referenced by id against the hash. More...
 
SOAP_FMAC1 struct ds__KeyInfoType *SOAP_FMAC2 soap_wsse_add_KeyInfo (struct soap *soap)
 Adds KeyInfo element. More...
 
SOAP_FMAC1 struct ds__KeyInfoType *SOAP_FMAC2 soap_wsse_KeyInfo (struct soap *soap)
 Returns KeyInfo element if present. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_KeyInfo_KeyName (struct soap *soap, const char *name)
 Adds KeyName element. More...
 
SOAP_FMAC1 const char *SOAP_FMAC2 soap_wsse_get_KeyInfo_KeyName (struct soap *soap)
 Returns KeyName element if present. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_KeyInfo_SecurityTokenReferenceURI (struct soap *soap, const char *URI, const char *valueType)
 Adds KeyInfo element with SecurityTokenReference URI. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_KeyInfo_SecurityTokenReferenceX509 (struct soap *soap, const char *URI)
 Adds KeyInfo element with SecurityTokenReference URI to an X509 cert. More...
 
SOAP_FMAC1 const char *SOAP_FMAC2 soap_wsse_get_KeyInfo_SecurityTokenReferenceURI (struct soap *soap)
 Returns a SecurityTokenReference URI if present. More...
 
SOAP_FMAC1 const char *SOAP_FMAC2 soap_wsse_get_KeyInfo_SecurityTokenReferenceValueType (struct soap *soap)
 Returns a SecurityTokenReference ValueType if present. More...
 
SOAP_FMAC1 X509 *SOAP_FMAC2 soap_wsse_get_KeyInfo_SecurityTokenReferenceX509 (struct soap *soap)
 Returns a X509 certificate when referenced and present as a BinarySecurity token or when embedded in the signature KeyIdentifier or KeyInfo element. This call must be followed by an X509_free to deallocate the X509 certificate data. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_KeyInfo_X509Certificate (struct soap *soap, X509 *cert)
 Adds KeyInfo/X509Data/X509Certificate. More...
 
SOAP_FMAC1 struct ds__X509IssuerSerialType *SOAP_FMAC2 soap_wsse_get_KeyInfo_SecurityTokenReferenceX509Data (struct soap *soap)
 Returns ds__X509IssuerSerialType with non-NULL X509IssuerName and non-NULL X509SerialNumber of a X509Data element when present and set. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_KeyInfo_SecurityTokenReferenceKeyIdentifier (struct soap *soap, const char *id, const char *valueType, unsigned char *data, int size)
 Adds KeyInfo element with SecurityTokenReference/KeyIdentifier binary data. More...
 
SOAP_FMAC1 const char *SOAP_FMAC2 soap_wsse_get_KeyInfo_SecurityTokenReferenceKeyIdentifierValueType (struct soap *soap, ds__KeyInfoType *keyInfo)
 Returns KeyInfo/SecurityTokenReference/KeyIdentifier/ValueType if present. More...
 
SOAP_FMAC1 const unsigned char *SOAP_FMAC2 soap_wsse_get_KeyInfo_SecurityTokenReferenceKeyIdentifier (struct soap *soap, ds__KeyInfoType *keyInfo, int *size)
 Returns KeyInfo/SecurityTokenReference/KeyIdentifier binary data. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_KeyInfo_SecurityTokenReferenceEmbedded (struct soap *soap, const char *id, const char *valueType)
 Adds KeyInfo element with Embedded SecurityTokenReference. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_EncryptedKey (struct soap *soap, int alg, const char *URI, X509 *cert, const char *subjectkeyid, const char *issuer, const char *serial)
 Adds EncryptedKey header element and initiates the encryption of the SOAP Body. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_EncryptedKey_encrypt_only (struct soap *soap, int alg, const char *URI, X509 *cert, const char *subjectkeyid, const char *issuer, const char *serial, const char *tags)
 Adds EncryptedKey header element and initiates encryption of the given XML elements specified in the tags string. Should be used in combination with soap_wsse_set_wsu_id to set wsu:Id for given XML element tags. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_EncryptedKey (struct soap *soap)
 Verifies the EncryptedKey header information (certificate validity requires soap->cafile to be set). Retrieves the decryption key from the token handler callback to decrypt the decryption key. More...
 
SOAP_FMAC1 void SOAP_FMAC2 soap_wsse_delete_EncryptedKey (struct soap *soap)
 Deletes EncryptedKey header element. More...
 
SOAP_FMAC1 struct xenc__EncryptedKeyType *SOAP_FMAC2 soap_wsse_EncryptedKey (struct soap *soap)
 Returns EncryptedKey header element if present. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_EncryptedKey_DataReferenceURI (struct soap *soap, const char *URI)
 Adds a DataReference URI to the EncryptedKey header element. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_DataReferenceURI (struct soap *soap, const char *URI)
 Adds a DataReference URI to the Security header element. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_EncryptedData_KeyInfo_KeyName (struct soap *soap, const char *keyname)
 Adds EncryptedData/ds:KeyInfo/Keyname elements. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_sender_fault_subcode (struct soap *soap, const char *faultsubcode, const char *faultstring, const char *faultdetail)
 Sets sender SOAP Fault (sub)code for server fault response. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_receiver_fault_subcode (struct soap *soap, const char *faultsubcode, const char *faultstring, const char *faultdetail)
 Sets receiver SOAP Fault (sub)code for server fault response. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_sender_fault (struct soap *soap, const char *faultstring, const char *faultdetail)
 Sets sender SOAP Fault for server fault response. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_receiver_fault (struct soap *soap, const char *faultstring, const char *faultdetail)
 Sets receiver SOAP Fault for server fault response. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_fault (struct soap *soap, wsse__FaultcodeEnum fault, const char *detail)
 Sets SOAP Fault (sub)code for server response. More...
 
SOAP_FMAC1 void SOAP_FMAC2 soap_wsse_rand_nonce (char *nonce, size_t noncelen)
 Calculates randomized nonce. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_pmd5 (struct soap *soap, const char *hmac_key, size_t hmac_key_len, const char *secret, size_t secretlen, char *pmd5, size_t pmd5len)
 Computes PMD5(hmac_key[0..hmac_key_len-1], secret[0..secretlen-1], pmd5[0..pmd5len-1]). More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_psha1 (struct soap *soap, const char *hmac_key, size_t hmac_key_len, const char *secret, size_t secretlen, char *psha1, size_t psha1len)
 Computes PSHA1(hmac_key[0..hmac_key_len-1], secret[0..secretlen-1], psha1[0..psha1len-1]). More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_psha256 (struct soap *soap, const char *hmac_key, size_t hmac_key_len, const char *secret, size_t secretlen, char *psha256, size_t psha256len)
 Computes PSHA256(hmac_key[0..hmac_key_len-1], secret[0..secretlen-1], psha256[0..psha256len-1]). More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse (struct soap *soap, struct soap_plugin *p, void *arg)
 Plugin registry function, used with soap_register_plugin. More...
 
static int soap_wsse_init (struct soap *soap, struct soap_wsse_data *data, const void *(*arg)(struct soap *, int *alg, const char *keyname, const unsigned char *keyid, int keyidlen, int *keylen))
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_set_security_token_handler (struct soap *soap, const void *(*callback)(struct soap *, int *alg, const char *keyname, const unsigned char *keyid, int keyidlen, int *keylen))
 Sets the security token handler callback that is optionaly used to retrieve keys for signature verification and decryption. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_set_wsu_id (struct soap *soap, const char *tags)
 Sets the elements that are to be extended with wsu:Id attributes. The wsu:Id attribute values are set to the string value of the tag's QName by replacing colons with hyphens to produce an xsd:ID value. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_set_InclusiveNamespaces (struct soap *soap, const char *prefixlist)
 Sets the C14N InclusiveNamespaces Prefix List property. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_sign_only (struct soap *soap, const char *tags)
 Filters only the specified wsu:Id names for signing. Can be used with soap_wsse_set_wsu_id() and if so should use the element tag names. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_sign (struct soap *soap, int alg, const void *key, int keylen)
 Uses the wsse plugin to sign all wsu:Id attributed elements. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_sign_body (struct soap *soap, int alg, const void *key, int keylen)
 Uses the wsse plugin to sign all wsu:Id attributed elements, including the SOAP Body (by adding a wsu:Id="Body" attribute). More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_init (struct soap *soap)
 Uses the wsse plugin to initiate the verification of the signature and SignedInfo Reference digests. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_auto (struct soap *soap, int alg, const void *key, size_t keylen)
 Uses the wsse plugin to initiate the automatic verification of the signature and SignedInfo Reference digests. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_done (struct soap *soap)
 Terminates the automatic verification of signatures. More...
 
SOAP_FMAC1 size_t SOAP_FMAC2 soap_wsse_verify_element (struct soap *soap, const char *URI, const char *tag)
 Post-checks the presence of signed element(s), returns the number of matching elements signed or zero when none found or if one or more matching elements are not signed. Does not verify the signature of these elements, which is done with soap_wsse_verify_auto. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_body (struct soap *soap)
 Post-checks the presence of signed SOAP Body. Does not verify the signature of the Body, which is done with soap_wsse_verify_auto. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_with_signature (struct soap *soap, _ds__Signature *signature)
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_encrypt_body (struct soap *soap, int alg, const void *key, int keylen)
 Initiates the encryption of the SOAP Body. The algorithm should be SOAP_MEC_ENC_DES_CBC etc. for symmetric encryption. Use soap_wsse_add_EncryptedKey for public key encryption. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_encrypt_only (struct soap *soap, int alg, const void *key, int keylen, const char *tags)
 Initiates the encryption of XML elements specified in the tags string. Should be used in combination with soap_wsse_set_wsu_id to set wsu:Id for given XML element tags. The algorithm should be SOAP_MEC_ENC_DES_CBC etc. for symmetric encryption. Use soap_wsse_add_EncryptedKey_encrypt_only for public key encryption. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_encrypt (struct soap *soap, int alg, const void *key, int keylen)
 Start encryption. This function is supposed to be used internally only. The algorithm should be SOAP_MEC_ENC_DES_CBC etc. for symmetric encryption. Use soap_wsse_add_EncryptedKey for public key. encryption. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_decrypt_auto (struct soap *soap, int alg, const void *key, int keylen)
 Start automatic decryption when needed using the specified key. This function should be used just once. The algorithm should be SOAP_MEC_ENV_DEC_DES_CBC etc. for public key encryption/decryption and SOAP_MEC_DEC_DES_CBC etc. for symmetric shared secret keys. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_encrypt_begin (struct soap *soap, const char *id, int alg, const char *URI, const char *keyname, const unsigned char *key, const char *type)
 Emit XML encryption tags and start encryption of the XML element content. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_encrypt_end (struct soap *soap)
 Emit XML encryption end tags and stop encryption of the XML element content. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_decrypt_begin (struct soap *soap)
 Check for XML encryption tags and start decryption of the XML element content. If the KeyInfo element is present, the security_token_handler callback will be used to obtain a decryption key based on the key name. More...
 
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_decrypt_end (struct soap *soap)
 Check for XML encryption ending tags and stop decryption of the XML element content. More...
 

Variables

const char soap_wsse_id [14] = SOAP_WSSE_ID
 
const char * wsse_PasswordTextURI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
 
const char * wsse_PasswordDigestURI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
 
const char * wsse_Base64BinaryURI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
 
const char * wsse_HexBinaryURI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary"
 
const char * wsse_X509v3URI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
 
const char * wsse_X509v3SubjectKeyIdentifierURI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
 
const char * ds_envsigURI = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
 
const char * ds_sha1URI = "http://www.w3.org/2000/09/xmldsig#sha1"
 
const char * ds_sha224URI = "http://www.w3.org/2001/04/xmldsig-more#sha224"
 
const char * ds_sha256URI = "http://www.w3.org/2001/04/xmlenc#sha256"
 
const char * ds_sha384URI = "http://www.w3.org/2001/04/xmldsig-more#sha384"
 
const char * ds_sha512URI = "http://www.w3.org/2001/04/xmlenc#sha512"
 
const char * ds_hmac_sha1URI = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
 
const char * ds_hmac_sha224URI = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha224"
 
const char * ds_hmac_sha256URI = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
 
const char * ds_hmac_sha384URI = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha384"
 
const char * ds_hmac_sha512URI = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha512"
 
const char * ds_dsa_sha1URI = "http://www.w3.org/2000/09/xmldsig#dsa-sha1"
 
const char * ds_dsa_sha256URI = "http://www.w3.org/2009/xmldsig11#dsa-sha256"
 
const char * ds_rsa_sha1URI = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
 
const char * ds_rsa_sha224URI = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha224"
 
const char * ds_rsa_sha256URI = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
 
const char * ds_rsa_sha384URI = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
 
const char * ds_rsa_sha512URI = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
 
const char * ds_ecdsa_sha1URI = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"
 
const char * ds_ecdsa_sha224URI = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"
 
const char * ds_ecdsa_sha256URI = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"
 
const char * ds_ecdsa_sha384URI = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"
 
const char * ds_ecdsa_sha512URI = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"
 
const char * xenc_3desURI = "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"
 
const char * xenc_aes128cbcURI = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
 
const char * xenc_aes192cbcURI = "http://www.w3.org/2001/04/xmlenc#aes192-cbc"
 
const char * xenc_aes256cbcURI = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
 
const char * xenc_aes512cbcURI = "http://www.w3.org/2001/04/xmlenc#aes512-cbc"
 
const char * xenc_aes128gcmURI = "http://www.w3.org/2009/xmlenc11#aes128-gcm"
 
const char * xenc_aes192gcmURI = "http://www.w3.org/2009/xmlenc11#aes192-gcm"
 
const char * xenc_aes256gcmURI = "http://www.w3.org/2009/xmlenc11#aes256-gcm"
 
const char * xenc_aes512gcmURI = "http://www.w3.org/2009/xmlenc11#aes512-gcm"
 
const char * xenc_elementURI = "http://www.w3.org/2001/04/xmlenc#Element"
 
const char * xenc_contentURI = "http://www.w3.org/2001/04/xmlenc#Content"
 
const char * xenc_rsa15URI = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
 
const char * xenc_rsaesURI = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
 
const char * wsse_URI = SOAP_NAMESPACE_OF_wsse
 
const char * wsu_URI = SOAP_NAMESPACE_OF_wsu
 
const char * saml1_URI = SOAP_NAMESPACE_OF_saml1
 
const char * saml2_URI = SOAP_NAMESPACE_OF_saml2
 
const char * xenc_URI = "http://www.w3.org/2001/04/xmlenc#"
 
const char * ds_URI = "http://www.w3.org/2000/09/xmldsig#"
 
const char * c14n_URI = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
 
const char * c14n_wc_URI = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
 
const char * exc_c14n_URI = "http://www.w3.org/2001/10/xml-exc-c14n#"
 
const char * exc_c14n_wc_URI = "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
 
static struct soap_wsse_sessionsoap_wsse_session = NULL
 
static MUTEX_TYPE soap_wsse_session_lock = MUTEX_INITIALIZER
 

Macro Definition Documentation

#define SOAP_WSSE_CLKSKEW   (300)

Clock skew between machines (in sec) to fit message expiration in window

#define SOAP_WSSE_MAX_REF   (100)

Maximum number of SignedInfo References

#define SOAP_WSSE_NONCELEN   (20)

Size of the random nonce

#define SOAP_WSSE_NONCETIME   (SOAP_WSSE_CLKSKEW + 240)

Digest authentication accepts messages that are not older than creation time + SOAP_WSSE_NONCETIME

Function Documentation

static void calc_digest ( struct soap *  soap,
const char *  created,
const char *  nonce,
int  noncelen,
const char *  password,
char  hash[SOAP_SMD_SHA1_SIZE] 
)
static

Calculates digest value SHA1(created, nonce, password).

Parameters
soapcontext
[in]createdstring (XSD dateTime format)
[in]noncevalue
[in]noncelenlength of nonce value
[in]passwordstring
[out]hashSHA1 digest
static int soap_p_hash ( struct soap *  soap,
const char *  hmac_key,
size_t  hmac_key_len,
const char *  secret,
size_t  secretlen,
int  alg,
char  HA[],
size_t  HA_len,
char  temp[],
char *  phash,
size_t  phashlen 
)
static

Computes hash(hmac_key[0..hmac_key_len-1], secret[0..secretlen-1], HA[0..HA_len-1]) given algorithm alg.

Parameters
soapcontext
[in]hmac_keyHMAC key (client secret) raw bytes
[in]hmac_key_lenHMAC key length
[in]secretseed (server secret) raw bytes
[in]secretlennumber of bytes
[in]alghash algorithm
HAbuffer to contain hash (internally used)
HA_lenbuffer length to contain hash (internally used)
tempbuffer to contain hash (internally used)
[out]phashpoints to phash raw bytes to fill with result
[in]phashlennumber of bytes to fill phash
Returns
SOAP_OK or SOAP_EOM
SOAP_FMAC1 int SOAP_FMAC2 soap_pmd5 ( struct soap *  soap,
const char *  hmac_key,
size_t  hmac_key_len,
const char *  secret,
size_t  secretlen,
char *  pmd5,
size_t  pmd5len 
)

Computes PMD5(hmac_key[0..hmac_key_len-1], secret[0..secretlen-1], pmd5[0..pmd5len-1]).

Parameters
soapcontext
[in]hmac_keyHMAC key (client secret) in raw bytes
[in]hmac_key_lenHMAC key length
[in]secretseed (server secret) raw bytes
[in]secretlennumber of bytes
[out]pmd5points to pmd5 raw bytes to fill with result
[in]pmd5lennumber of bytes to fill pmd5
Returns
SOAP_OK or SOAP_EOM

To compute PMD5 with base64 input and output a base64 encoded pmd5[0..pmd5len-1]:

1 int pmd5len = 32; // or greater
2 int n, m;
3 const char *client_secret = soap_base642s(soap, client_secret_base64, NULL, 0, &n);
4 const char *server_secret = soap_base642s(soap, server_secret_base64, NULL, 0, &m);
5 char pmd5[pmd5len];
6 char *pmd5_base64;
7 if (soap_pmd5(soap, client_secret, n, server_secret, m, pmd5, pmd5len))
8  .. error // insufficient memory
9 pmd5_base64 = soap_s2base64(soap, (unsigned char*)pmd5, NULL, pmd5len);
SOAP_FMAC1 int SOAP_FMAC2 soap_psha1 ( struct soap *  soap,
const char *  hmac_key,
size_t  hmac_key_len,
const char *  secret,
size_t  secretlen,
char *  psha1,
size_t  psha1len 
)

Computes PSHA1(hmac_key[0..hmac_key_len-1], secret[0..secretlen-1], psha1[0..psha1len-1]).

Parameters
soapcontext
[in]hmac_keyHMAC key (client secret) in raw bytes
[in]hmac_key_lenHMAC key length
[in]secretseed (server secret)
[in]secretlennumber of bytes
[out]psha1points to psha1 raw bytes to fill with result
[in]psha1lennumber of bytes to fill psha1
Returns
SOAP_OK or SOAP_EOM

To compute PSHA1 with base64 input and output a base64 encoded psha1[0..psha1len-1]:

1 int psha1len = 32; // or greater
2 int n, m;
3 const char *client_secret = soap_base642s(soap, client_secret_base64, NULL, 0, &n);
4 const char *server_secret = soap_base642s(soap, server_secret_base64, NULL, 0, &m);
5 char psha1[psha1len];
6 char *psha1_base64;
7 if (soap_psha1(soap, client_secret, n, server_secret, m, psha1, psha1len))
8  .. error // insufficient memory
9 psha1_base64 = soap_s2base64(soap, (unsigned char*)psha1, NULL, psha1len);
SOAP_FMAC1 int SOAP_FMAC2 soap_psha256 ( struct soap *  soap,
const char *  hmac_key,
size_t  hmac_key_len,
const char *  secret,
size_t  secretlen,
char *  psha256,
size_t  psha256len 
)

Computes PSHA256(hmac_key[0..hmac_key_len-1], secret[0..secretlen-1], psha256[0..psha256len-1]).

Parameters
soapcontext
[in]hmac_keyHMAC key (client secret) in raw bytes
[in]hmac_key_lenHMAC key length
[in]secretseed (server secret) raw bytes
[in]secretlennumber of bytes
[out]psha256points to psha256 raw bytes to fill with result
[in]psha256lennumber of bytes to fill psha256
Returns
SOAP_OK or SOAP_EOM

To compute PSHA256 with base64 input and output a base64 encoded psha256[0..psha256len-1]:

1 int psha256len = 32; // or greater
2 int n, m;
3 const char *client_secret = soap_base642s(soap, client_secret_base64, NULL, 0, &n);
4 const char *server_secret = soap_base642s(soap, server_secret_base64, NULL, 0, &m);
5 char psha256[psha256len];
6 char *psha256_base64;
7 if (soap_psha256(soap, client_secret, n, server_secret, m, psha256, psha256len))
8  .. error // insufficient memory
9 psha256_base64 = soap_s2base64(soap, (unsigned char*)psha256, NULL, psha256len);
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse ( struct soap *  soap,
struct soap_plugin *  p,
void *  arg 
)

Plugin registry function, used with soap_register_plugin.

Parameters
soapcontext
[in,out]pplugin created in registry
[in]argpassed from soap_register_plugin_arg is an optional security token handler callback
Returns
SOAP_OK
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_BinarySecurityToken ( struct soap *  soap,
const char *  id,
const char *  valueType,
const unsigned char *  data,
int  size 
)

Adds BinarySecurityToken element.

Parameters
soapcontext
[in]idstring for signature referencing or NULL
[in]valueTypestring
[in]datapoints to binary token data
[in]sizeis length of binary token
Returns
SOAP_OK
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_BinarySecurityTokenPEM ( struct soap *  soap,
const char *  id,
const char *  filename 
)

Adds BinarySecurityToken element from a PEM file.

Parameters
soapcontext
[in]idstring for signature reference
[in]filename
Returns
SOAP_OK or SOAP_FAULT with wsse__InvalidSecurity fault when file cannot be read or does not contain a valid certificate

This function uses PEM_read_X509 from the the OpenSSL library to read a certificate from a PEM formatted file.

SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_BinarySecurityTokenX509 ( struct soap *  soap,
const char *  id,
X509 *  cert 
)

Adds BinarySecurityToken element with X509 certificate.

Parameters
soapcontext
[in]idstring for signature reference
[in]certpoints to the X509 certificate
Returns
SOAP_OK or SOAP_EOM

This function uses i2d_X509 from the the OpenSSL library to convert an X509 object to binary DER format.

SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_DataReferenceURI ( struct soap *  soap,
const char *  URI 
)

Adds a DataReference URI to the Security header element.

Parameters
soapcontext
[in]URIvalue of the URI ID
Returns
SOAP_OK or error code
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_EncryptedData_KeyInfo_KeyName ( struct soap *  soap,
const char *  keyname 
)

Adds EncryptedData/ds:KeyInfo/Keyname elements.

Parameters
soapcontext
[in]keynamename of the key
Returns
SOAP_OK or error code

This function adds the name of the key to each EncryptedData element to identify the shared secret key used for encryption.

SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_EncryptedKey ( struct soap *  soap,
int  alg,
const char *  URI,
X509 *  cert,
const char *  subjectkeyid,
const char *  issuer,
const char *  serial 
)

Adds EncryptedKey header element and initiates the encryption of the SOAP Body.

Parameters
soapcontext
[in]algalgorithm to use, SOAP_MEC_ENV_ENC_DES_CBC etc.
[in]URIa unique identifier for the key, required for interoperability
[in]certthe X509 certificate with public key or NULL
[in]subjectkeyidstring identification of the subject which when set to non-NULL is used instead of embedding the public key in the message
[in]issuerstring to include SecurityTokenReference/X509Data
[in]serialstring to include SecurityTokenReference/X509Data
Returns
SOAP_OK or error code

This function adds the encrypted key or subject key ID to the WS-Security header and initiates encryption of the SOAP Body. An X509 certificate may be provided, or the subjectkeyid, or the issuer and serial number. The certificate is embedded in the WS-Security EncryptedKey header. If the subjectkeyid string is non-NULL the subject key ID is used in the EncryptedKey header instead of the X509 certificate content.

SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_EncryptedKey_DataReferenceURI ( struct soap *  soap,
const char *  URI 
)

Adds a DataReference URI to the EncryptedKey header element.

Parameters
soapcontext
[in]URIvalue of the URI ID
Returns
SOAP_OK or error code
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_EncryptedKey_encrypt_only ( struct soap *  soap,
int  alg,
const char *  URI,
X509 *  cert,
const char *  subjectkeyid,
const char *  issuer,
const char *  serial,
const char *  tags 
)

Adds EncryptedKey header element and initiates encryption of the given XML elements specified in the tags string. Should be used in combination with soap_wsse_set_wsu_id to set wsu:Id for given XML element tags.

Parameters
soapcontext
[in]algalgorithm to use, SOAP_MEC_ENV_ENC_DES_CBC etc.
[in]URIa unique identifier for the key, required for interoperability
[in]certthe X509 certificate with public key or NULL
[in]subjectkeyidstring identification of the subject which when set to non-NULL is used instead of embedding the public key in the message
[in]issuerstring to include SecurityTokenReference/X509Data
[in]serialstring to include SecurityTokenReference/X509Data
[in]tagsspace-separated string of element tag names to encrypt
Returns
xenc__EncryptedKeyType object

This function adds the encrypted key or subject key ID to the WS-Security header and initiates encryption of the SOAP Body. An X509 certificate may be provided, or the subjectkeyid, or the issuer and serial number. The certificate is embedded in the WS-Security EncryptedKey header. If the subjectkeyid string is non-NULL the subject key ID is used in the EncryptedKey header instead of the X509 certificate content. Only the XML elements given in the 'tags' string as wsu:Id attributed elements are encrypted.

Warning
Use soap_wsse_add_EncryptedKey_encrypt_only only in combination with soap_wsse_set_wsu_id with the tag names of the elements to be encrypted. OTHERWISE THE GIVEN XML ELEMENTS ARE NOT ENCRYPTED AND WILL BE SENT IN THE CLEAR.
The elements identified with soap_wsse_set_wsu_id to encrypt MUST occur EXACTLY ONCE in the SOAP Body.
Encryption/decryption of elements with simple content (CDATA content) IS NOT SUPPORTED. This means that elements you want to encrypt with this function must have complex content. That is, only encrypt elements with sub elements or encrypt the entire SOAP Body.
SOAP_FMAC1 struct ds__KeyInfoType* SOAP_FMAC2 soap_wsse_add_KeyInfo ( struct soap *  soap)

Adds KeyInfo element.

Parameters
soapcontext
Returns
ds__KeyInfo object
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_KeyInfo_KeyName ( struct soap *  soap,
const char *  name 
)

Adds KeyName element.

Parameters
soapcontext
[in]namestring of the KeyName
Returns
SOAP_OK
Note
The recommended method to add Key information is to utilize KeyIdentifier instead of KeyName. A KeyName is useful mainly for internal use.
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_KeyInfo_SecurityTokenReferenceEmbedded ( struct soap *  soap,
const char *  id,
const char *  valueType 
)

Adds KeyInfo element with Embedded SecurityTokenReference.

Parameters
soapcontext
[in]idstring for signature reference
[in]valueTypestring
Returns
SOAP_OK
Note
This function does not add embedded tokens automatically. See code for comments.
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_KeyInfo_SecurityTokenReferenceKeyIdentifier ( struct soap *  soap,
const char *  id,
const char *  valueType,
unsigned char *  data,
int  size 
)

Adds KeyInfo element with SecurityTokenReference/KeyIdentifier binary data.

Parameters
soapcontext
[in]idstring for signature reference
[in]valueTypestring
[in]databinary data
[in]sizeof binary data
Returns
SOAP_OK
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_KeyInfo_SecurityTokenReferenceURI ( struct soap *  soap,
const char *  URI,
const char *  valueType 
)

Adds KeyInfo element with SecurityTokenReference URI.

Parameters
soapcontext
[in]URIstring referencing a security token
[in]valueTypestring or NULL
Returns
SOAP_OK
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_KeyInfo_SecurityTokenReferenceX509 ( struct soap *  soap,
const char *  URI 
)

Adds KeyInfo element with SecurityTokenReference URI to an X509 cert.

Parameters
soapcontext
[in]URIstring referencing an X509 certificate
Returns
SOAP_OK
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_KeyInfo_X509Certificate ( struct soap *  soap,
X509 *  cert 
)

Adds KeyInfo/X509Data/X509Certificate.

Parameters
soapcontext
[in]certX509 certificate
Returns
SOAP_OK or error code
SOAP_FMAC1 struct _wsse__Security* SOAP_FMAC2 soap_wsse_add_Security ( struct soap *  soap)

Adds Security header element.

Parameters
soapcontext
Returns
_wsse__Security object
SOAP_FMAC1 struct _wsse__Security* SOAP_FMAC2 soap_wsse_add_Security_actor ( struct soap *  soap,
const char *  actor 
)

Adds Security header element with actor or role attribute.

Parameters
soapcontext
actorstring
Returns
_wsse__Security object
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_SecurityContextToken ( struct soap *  soap,
const char *  id,
const char *  identifier 
)

Adds wsc:SecurityContextToken/Identifier and SecurityTokenReference to it.

Parameters
soapcontext
[in]idstring for signature reference (required)
[in]identifierwsc:Identifier value (required)
Returns
SOAP_OK or error code
SOAP_FMAC1 struct ds__SignatureType* SOAP_FMAC2 soap_wsse_add_Signature ( struct soap *  soap)

Adds Signature header element.

Parameters
soapcontext
Returns
ds__SignatureType object
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_SignatureValue ( struct soap *  soap,
int  alg,
const void *  key,
int  keylen 
)

Adds SignedInfo/SignatureMethod element, signs the SignedInfo element, and adds the resulting SignatureValue element.

Parameters
soapcontext
[in]algis SOAP_SMD_HMAC_SHA1/224/256/384/512, SOAP_SMD_SIGN_DSA_SHA1/256, SOAP_SMD_SIGN_RSA_SHA1/224/256/384/512, or SOAP_SMD_SIGN_ECDSA_SHA1/224/256/384/512
[in]keyto use to sign (HMAC or DSA/RSA/ECDSA EVP_PKEY)
[in]keylenlength of HMAC key
Returns
SOAP_OK, SOAP_EOM, or fault

To sign the SignedInfo element with this function, populate SignedInfo with Reference elements first using soap_wsse_add_SignedInfo_Reference. The SignedInfo element must not be modified after signing.

The SOAP_XML_INDENT and SOAP_XML_CANONICAL flags are used to serialize the SignedInfo to compute the signature.

SOAP_FMAC1 struct ds__SignedInfoType* SOAP_FMAC2 soap_wsse_add_SignedInfo ( struct soap *  soap)

Adds SignedInfo element.

Parameters
soapcontext
Returns
ds__SignedInfoType object
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_SignedInfo_Reference ( struct soap *  soap,
const char *  URI,
unsigned int  level,
const char *  transform,
const char *  prefixlist,
int  alg,
const char *  HA 
)

Adds SignedInfo element with Reference URI, transform algorithm used, and digest value.

Parameters
soapcontext
[in]URIreference
[in]levelXML depth of element signed
[in]transformstring should be exc_c14n_URI for exc-c14n, or c14n_URI or NULL for default (no canonicalization)
[in]prefixlistused by the exc-c14n transform or NULL
[in]algis the digest algorithm used
[in]HAis the digest in binary form
Returns
SOAP_OK or SOAP_EOM when references exceed SOAP_WSSE_MAX_REF

This function can be called to add more references to the wsse:SignedInfo element. A maximum number of SOAP_WSSE_MAX_REF references can be added. The digest method is always SHA1.

Note
XPath transforms cannot be specified in this release.
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_SignedInfo_SignatureMethod ( struct soap *  soap,
const char *  method,
int  canonical 
)

Adds SignedInfo element with SignatureMethod.

Parameters
soapcontext
[in]methodis the URI of the signature algorithm (e.g. ds_rsa_sha1)
[in]canonicalflag indicating that SignedInfo is signed in exc-c14n form or in c14n when soap->c14ninclude == "*" (i.e. all prefixes are inclusive)
Returns
SOAP_OK
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_Timestamp ( struct soap *  soap,
const char *  id,
time_t  lifetime 
)

Adds Timestamp element with optional expiration date+time (lifetime).

Parameters
[in]soapcontext
[in]idfor signature referencing or NULL
[in]lifetimeexpressed in time_t units, or 0 for no expiration
Returns
SOAP_OK
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_UsernameTokenDigest ( struct soap *  soap,
const char *  id,
const char *  username,
const char *  password 
)

Adds UsernameToken element for digest authentication.

Parameters
soapcontext
[in]idstring for signature referencing or NULL
[in]usernamestring
[in]passwordstring
Returns
SOAP_OK

Computes SHA1 digest of the time stamp, a nonce, and the password. The digest provides the authentication credentials. Passwords are NOT sent in the clear.

Note
This release supports the use of at most one UsernameToken in the header.
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_UsernameTokenDigest_at ( struct soap *  soap,
const char *  id,
const char *  username,
const char *  password,
time_t  when 
)

Adds UsernameToken element for digest authentication.

Parameters
soapcontext
[in]idstring for signature referencing or NULL
[in]usernamestring
[in]passwordstring
[in]whenthe time stamp to use for the digest hash
Returns
SOAP_OK

Computes SHA1 digest of the time stamp, a nonce, and the password. The digest provides the authentication credentials. Passwords are NOT sent in the clear.

Note
This release supports the use of at most one UsernameToken in the header.
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_add_UsernameTokenText ( struct soap *  soap,
const char *  id,
const char *  username,
const char *  password 
)

Adds UsernameToken element with optional clear-text password.

Parameters
soapcontext
[in]idstring for signature referencing or NULL
[in]usernamestring
[in]passwordstring or NULL to omit the password
Returns
SOAP_OK

Passwords are sent in the clear, so transport-level encryption is required.

Note
This release supports the use of at most one UsernameToken in the header.
SOAP_FMAC1 struct _wsse__BinarySecurityToken* SOAP_FMAC2 soap_wsse_BinarySecurityToken ( struct soap *  soap,
const char *  id 
)

Returns BinarySecurityToken element if present.

Parameters
soapcontext
[in]idstring of token to get or NULL to get the first
Returns
_wsse__BinarySecurityToken object or NULL
static int soap_wsse_copy ( struct soap *  soap,
struct soap_plugin *  dst,
struct soap_plugin *  src 
)
static

Copies plugin data to localize plugin data for threads.

Parameters
soapcontext
[out]dsttarget plugin
[in]srcsource plugin
Returns
SOAP_OK
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_decrypt_auto ( struct soap *  soap,
int  alg,
const void *  key,
int  keylen 
)

Start automatic decryption when needed using the specified key. This function should be used just once. The algorithm should be SOAP_MEC_ENV_DEC_DES_CBC etc. for public key encryption/decryption and SOAP_MEC_DEC_DES_CBC etc. for symmetric shared secret keys.

Parameters
soapcontext
[in]algthe decryption algorithm,
[in]keya persistent decryption key for the algorithm, a private RSA key or a shared symmetric secret key
[in]keylenuse 0 for public-key encryption/decryption or the shared secret decryption key length, 20 bytes for a DES CBC 160-bit key
Returns
SOAP_OK or error code

This function can be called once before multiple messages are received with WS-Security encrypted content, where only one key is used for encryption (public key or shared secret key). The default decryption key is set. If multiple decryption keys should be used, do NOT use this function but set the security_token_handler callback of the wsse plugin. See Decrypting Message Parts. Use a NULL key to remove the default decryption key.

SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_decrypt_begin ( struct soap *  soap)

Check for XML encryption tags and start decryption of the XML element content. If the KeyInfo element is present, the security_token_handler callback will be used to obtain a decryption key based on the key name.

Parameters
soapcontext
Returns
SOAP_OK or error code
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_decrypt_end ( struct soap *  soap)

Check for XML encryption ending tags and stop decryption of the XML element content.

Parameters
soapcontext
Returns
SOAP_OK or error code
static void soap_wsse_delete ( struct soap *  soap,
struct soap_plugin *  p 
)
static

Deletes plugin data.

Parameters
soapcontext
[in,out]pplugin
Returns
SOAP_OK
SOAP_FMAC1 void SOAP_FMAC2 soap_wsse_delete_EncryptedKey ( struct soap *  soap)

Deletes EncryptedKey header element.

Parameters
soapcontext
SOAP_FMAC1 void SOAP_FMAC2 soap_wsse_delete_Security ( struct soap *  soap)

Deletes Security header element.

Parameters
soapcontext
SOAP_FMAC1 void SOAP_FMAC2 soap_wsse_delete_Signature ( struct soap *  soap)

Deletes Signature header element.

Parameters
soapcontext
static int soap_wsse_element_begin_in ( struct soap *  soap,
const char *  tag 
)
static

This callback is invoked as soon as a starting tag of an element is received by the XML parser.

Parameters
soapcontext
[in]tagname of the element parsed
Returns
SOAP_OK or error code
static int soap_wsse_element_begin_out ( struct soap *  soap,
const char *  tag,
int  id,
const char *  type 
)
static

This callback is invoked as soon as a starting tag of an element is to be sent by the XML generator.

Parameters
soapcontext
[in]tagname of the element
[in]idof the element or 0
[in]typexsi:type of the element or NULL
Returns
SOAP_OK or error code
static int soap_wsse_element_end_in ( struct soap *  soap,
const char *  tag1,
const char *  tag2 
)
static

This callback is invoked as soon as an ending tag of an element is received by the XML parser.

Parameters
soapcontext
[in]tag1name of the element parsed
[in]tag2name of the element that was expected by the parser's state, or NULL
Returns
SOAP_OK or error code
static int soap_wsse_element_end_out ( struct soap *  soap,
const char *  tag 
)
static

This callback is invoked as soon as an ending tag of an element is to be sent by the XML generator.

Parameters
soapcontext
[in]tagname of the element
Returns
SOAP_OK or error code
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_encrypt ( struct soap *  soap,
int  alg,
const void *  key,
int  keylen 
)

Start encryption. This function is supposed to be used internally only. The algorithm should be SOAP_MEC_ENC_DES_CBC etc. for symmetric encryption. Use soap_wsse_add_EncryptedKey for public key. encryption.

Parameters
soapcontext
[in]algthe encryption algorithm, should be SOAP_MEC_ENC_DES_CBC etc.
[in]keya certificate with public key for encryption, a DES CBC 160-bit key or AES key
[in]keylenthe symmetric encryption key length, 20 bytes for a DES CBC 160-bit key
Returns
SOAP_OK or error code
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_encrypt_begin ( struct soap *  soap,
const char *  id,
int  alg,
const char *  URI,
const char *  keyname,
const unsigned char *  key,
const char *  type 
)

Emit XML encryption tags and start encryption of the XML element content.

Parameters
soapcontext
[in]idstring for the EncryptedData element Id attribute
[in]algalgorithm used, or SOAP_MEC_NONE to ignore
[in]URIstring for the encrypted element wsu:Id attribute
[in]keynameoptional subject key name
[in]keyoptional DES/AES key for encryption (to override the current key)
[in]typeof encryption, either xenc_elementURI ("http://www.w3.org/2001/04/xmlenc#Element") or xenc_contentURI ("http://www.w3.org/2001/04/xmlenc#Content")
Returns
SOAP_OK or error code
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_encrypt_body ( struct soap *  soap,
int  alg,
const void *  key,
int  keylen 
)

Initiates the encryption of the SOAP Body. The algorithm should be SOAP_MEC_ENC_DES_CBC etc. for symmetric encryption. Use soap_wsse_add_EncryptedKey for public key encryption.

Parameters
soapcontext
[in]algthe encryption algorithm, should be SOAP_MEC_ENC_DES_CBC etc.
[in]keya certificate with public key for encryption, a DES CBC 160-bit key or AES key
[in]keylenthe symmetric encryption key length, 20 bytes for a DES CBC 160-bit key or larger for AES key
Returns
SOAP_OK or error code

This function initiates the encryption of the SOAP Body using an RSA public key or a symmetric shared secret key. No WS-Security EncryptedKey header will be set. Use soap_wsse_add_EncryptedKey instead for public key encryption.

SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_encrypt_end ( struct soap *  soap)

Emit XML encryption end tags and stop encryption of the XML element content.

Parameters
soapcontext
Returns
SOAP_OK or error code
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_encrypt_only ( struct soap *  soap,
int  alg,
const void *  key,
int  keylen,
const char *  tags 
)

Initiates the encryption of XML elements specified in the tags string. Should be used in combination with soap_wsse_set_wsu_id to set wsu:Id for given XML element tags. The algorithm should be SOAP_MEC_ENC_DES_CBC etc. for symmetric encryption. Use soap_wsse_add_EncryptedKey_encrypt_only for public key encryption.

Parameters
soapcontext
[in]algthe encryption algorithm, should be SOAP_MEC_ENC_DES_CBC etc.
[in]keya certificate with public key for encryption, a DES CBC 160-bit key or AES key
[in]keylenthe symmetric encryption key length, 20 bytes for a DES CBC 160-bit key
[in]tagsstring of space-separated qualified and unqualified tag names
Returns
SOAP_OK or error code

This function initiates the encryption using an RSA public key or a symmetric shared secret key. No WS-Security EncryptedKey header will be set. Use soap_wsse_add_EncryptedKey instead for public key encryption.

Warning
Use soap_wsse_add_EncryptedKey_encrypt_only only in combination with soap_wsse_set_wsu_id with the tag names of the elements to be encrypted. OTHERWISE THE GIVEN XML ELEMENTS ARE NOT ENCRYPTED AND WILL BE SENT IN THE CLEAR.
The elements identified with soap_wsse_set_wsu_id to encrypt MUST occur EXACTLY ONCE in the SOAP Body.
Encryption/decryption of elements with simple content (CDATA content) IS NOT SUPPORTED. This means that elements you want to encrypt with this function must have complex content. That is, only encrypt elements with sub elements or encrypt the entire SOAP Body.
SOAP_FMAC1 struct xenc__EncryptedKeyType* SOAP_FMAC2 soap_wsse_EncryptedKey ( struct soap *  soap)

Returns EncryptedKey header element if present.

Parameters
soapcontext
Returns
xenc__EncryptedKeyType object or NULL
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_fault ( struct soap *  soap,
wsse__FaultcodeEnum  fault,
const char *  detail 
)

Sets SOAP Fault (sub)code for server response.

Parameters
soapcontext
[in]faultis one of wsse:FaultcodeEnum
[in]detailstring with optional text message
Returns
SOAP_FAULT
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_get_BinarySecurityToken ( struct soap *  soap,
const char *  id,
char **  valueType,
unsigned char **  data,
int *  size 
)

Get wsse:BinarySecurityToken element token data in binary form.

Parameters
soapcontext
[in]idstring of token to get or NULL to get the first
[out]valueTypestring
[out]datapoints to binary token data
[out]sizeis length of binary token
Returns
SOAP_OK or SOAP_FAULT with wsse:SecurityTokenUnavailable fault
SOAP_FMAC1 X509* SOAP_FMAC2 soap_wsse_get_BinarySecurityTokenX509 ( struct soap *  soap,
const char *  id 
)

Get X509 wsse:BinarySecurityToken certificate and verify its content. This call must be followed by an X509_free to deallocate the X509 certificate data.

Parameters
soapcontext
[in]idstring of token to get or NULL to get the first
Returns
X509 certificate (dynamically allocated) or NULL with wsse:SecurityTokenUnavailable fault
SOAP_FMAC1 const char* SOAP_FMAC2 soap_wsse_get_KeyInfo_KeyName ( struct soap *  soap)

Returns KeyName element if present.

Parameters
soapcontext
Returns
string or NULL
SOAP_FMAC1 const unsigned char* SOAP_FMAC2 soap_wsse_get_KeyInfo_SecurityTokenReferenceKeyIdentifier ( struct soap *  soap,
ds__KeyInfoType keyInfo,
int *  size 
)

Returns KeyInfo/SecurityTokenReference/KeyIdentifier binary data.

Parameters
soapcontext
keyInfopoints to ds__KeyInfoType, e.g. using soap_wsse_KeyInfo(soap)
[out]sizeis set to the size of the decoded data
Returns
data or NULL
SOAP_FMAC1 const char* SOAP_FMAC2 soap_wsse_get_KeyInfo_SecurityTokenReferenceKeyIdentifierValueType ( struct soap *  soap,
ds__KeyInfoType keyInfo 
)

Returns KeyInfo/SecurityTokenReference/KeyIdentifier/ValueType if present.

Parameters
soapcontext
keyInfopoints to ds__KeyInfoType, e.g. using soap_wsse_KeyInfo(soap)
Returns
string or NULL
SOAP_FMAC1 const char* SOAP_FMAC2 soap_wsse_get_KeyInfo_SecurityTokenReferenceURI ( struct soap *  soap)

Returns a SecurityTokenReference URI if present.

Parameters
soapcontext
Returns
string or NULL
SOAP_FMAC1 const char* SOAP_FMAC2 soap_wsse_get_KeyInfo_SecurityTokenReferenceValueType ( struct soap *  soap)

Returns a SecurityTokenReference ValueType if present.

Parameters
soapcontext
Returns
string or NULL
SOAP_FMAC1 X509* SOAP_FMAC2 soap_wsse_get_KeyInfo_SecurityTokenReferenceX509 ( struct soap *  soap)

Returns a X509 certificate when referenced and present as a BinarySecurity token or when embedded in the signature KeyIdentifier or KeyInfo element. This call must be followed by an X509_free to deallocate the X509 certificate data.

Parameters
soapcontext
Returns
X509 object or NULL with wsse:SecurityTokenUnavailable fault
SOAP_FMAC1 struct ds__X509IssuerSerialType* SOAP_FMAC2 soap_wsse_get_KeyInfo_SecurityTokenReferenceX509Data ( struct soap *  soap)

Returns ds__X509IssuerSerialType with non-NULL X509IssuerName and non-NULL X509SerialNumber of a X509Data element when present and set.

Parameters
soapcontext
Returns
pointer to ds__X509IssuerSerialType struct or NULL
SOAP_FMAC1 const char* SOAP_FMAC2 soap_wsse_get_SecurityContextToken ( struct soap *  soap)

Returns wsc:SecurityContextToken/Identifier string value or NULL.

Parameters
soapcontext
Returns
wsc:SecurityContextToken/Identifier string value value or NULL
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_get_SignedInfo_SignatureMethod ( struct soap *  soap,
int *  alg,
int *  bits 
)

Get SignatureMethod algorithm.

Parameters
soapcontext
[out]algis a signature algorithm, such as SOAP_SMD_HMAC_SHA1/224/256/384/512, SOAP_SMD_VRFY_DSA_SHA1/256, SOAP_SMD_VRFY_RSA_SHA1/224/256/384/512 or SOAP_SMD_ECDSA_SHA1/224/256/384/512
[out]bitsis set to HMACOutputLength if present and valid, 0 otherwise
Returns
SOAP_OK or SOAP_FAULT with wsse:UnsupportedAlgorithm, wsse:FailedCheck, or wsse__InvalidSecurity fault
SOAP_FMAC1 const char* SOAP_FMAC2 soap_wsse_get_Username ( struct soap *  soap)

Returns UsernameToken/username string or wsse:FailedAuthentication fault.

Parameters
soapcontext
Returns
UsernameToken/username string or NULL with wsse:FailedAuthentication fault error set
See also
soap_wsse_verify_Password

The returned username should be used to lookup the user's password in a dictionary or database for server-side authentication with soap_wsse_verify_Password.

static char * soap_wsse_ids ( struct soap *  soap,
const char *  tags,
int  sub 
)
static

converts tag name(s) to id name(s).

Parameters
soapcontext
[in]tagsstring of space-separated (un)qualified tag names
[in]subreplacement character for ':'
Returns
string of ids
static int soap_wsse_init ( struct soap *  soap,
struct soap_wsse_data data,
const void *(*)(struct soap *, int *, const char *, const unsigned char *, int, int *)  arg 
)
static
static int soap_wsse_init ( struct soap *  soap,
struct soap_wsse_data data,
const void *(*)(struct soap *, int *alg, const char *keyname, const unsigned char *keyid, int keyidlen, int *keylen)  arg 
)
static
SOAP_FMAC1 struct ds__KeyInfoType* SOAP_FMAC2 soap_wsse_KeyInfo ( struct soap *  soap)

Returns KeyInfo element if present.

Parameters
soapcontext
Returns
ds__KeyInfo object or NULL
static void soap_wsse_preparecleanup ( struct soap *  soap,
struct soap_wsse_data data 
)
static

Restores engine state.

Parameters
soapcontext
[in,out]dataplugin data
static int soap_wsse_preparefinalrecv ( struct soap *  soap)
static

Verify signature and SignedInfo digests initiated with soap_wsse_verify_auto.

Parameters
soapcontext
Returns
SOAP_OK or fault
See also
soap_wsse_verify_auto

This callback is invoked immediately after a message was received.

static int soap_wsse_preparefinalsend ( struct soap *  soap)
static

Collects the digests of all the wsu:Id elements and populates the SignedInfo.

Parameters
soapcontext
Returns
SOAP_OK or fault

This callback is invoked just before the message is sent.

static int soap_wsse_preparesend ( struct soap *  soap,
const char *  buf,
size_t  len 
)
static

Takes a piece of the XML message (tokenized) to compute digest.

Parameters
soapcontext
[in]bufstring (XML "tokenized") to be sent
[in]lenbuf length
Returns
SOAP_OK or fault

This callback is invoked to analyze a message (usually during the HTTP content length phase).

Note
Nested elements with wsu:Id attributes cannot be individually signed.
SOAP_FMAC1 void SOAP_FMAC2 soap_wsse_rand_nonce ( char *  nonce,
size_t  noncelen 
)

Calculates randomized nonce.

Parameters
[out]noncevalue [0..noncelen-1]
[in]noncelenlength of nonce must be multiple of 4
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_receiver_fault ( struct soap *  soap,
const char *  faultstring,
const char *  faultdetail 
)

Sets receiver SOAP Fault for server fault response.

Parameters
soapcontext
[in]faultstringfault string
[in]faultdetaildetail string
Returns
SOAP_FAULT
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_receiver_fault_subcode ( struct soap *  soap,
const char *  faultsubcode,
const char *  faultstring,
const char *  faultdetail 
)

Sets receiver SOAP Fault (sub)code for server fault response.

Parameters
soapcontext
[in]faultsubcodesub code string
[in]faultstringfault string
[in]faultdetaildetail string
Returns
SOAP_FAULT
SOAP_FMAC1 struct _wsse__Security* SOAP_FMAC2 soap_wsse_Security ( struct soap *  soap)

Returns Security header element if present.

Parameters
soapcontext
Returns
_wsse__Security object or NULL
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_sender_fault ( struct soap *  soap,
const char *  faultstring,
const char *  faultdetail 
)

Sets sender SOAP Fault for server fault response.

Parameters
soapcontext
[in]faultstringfault string
[in]faultdetaildetail string
Returns
SOAP_FAULT
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_sender_fault_subcode ( struct soap *  soap,
const char *  faultsubcode,
const char *  faultstring,
const char *  faultdetail 
)

Sets sender SOAP Fault (sub)code for server fault response.

Parameters
soapcontext
[in]faultsubcodesub code string
[in]faultstringfault string
[in]faultdetaildetail string
Returns
SOAP_FAULT
static void soap_wsse_session_cleanup ( struct soap *  soap)
static

Removes expired authentication data from the digest authentication session database.

Parameters
soapcontext
static int soap_wsse_session_verify ( struct soap *  soap,
const char  hash[SOAP_SMD_SHA1_SIZE],
const char *  created,
const char *  nonce 
)
static

Verifies and updates the digest, nonce, and creation time against the digest authentication session database to prevent replay attacks.

Parameters
soapcontext
[in]hashbinary digest value of PasswordDigest
[in]createdstring
[in]noncestring (base64)
Returns
SOAP_OK or SOAP_FAULT
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_set_InclusiveNamespaces ( struct soap *  soap,
const char *  prefixlist 
)

Sets the C14N InclusiveNamespaces Prefix List property.

Parameters
soapcontext
[in]prefixliststring of space-separated namespace prefixes, or NULL to remove
Returns
SOAP_OK
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_set_security_token_handler ( struct soap *  soap,
const void *(*)(struct soap *, int *alg, const char *keyname, const unsigned char *keyid, int keyidlen, int *keylen)  callback 
)

Sets the security token handler callback that is optionaly used to retrieve keys for signature verification and decryption.

Parameters
soapcontext
[in]callbackfunction pointer
Returns
SOAP_OK
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_set_wsu_id ( struct soap *  soap,
const char *  tags 
)

Sets the elements that are to be extended with wsu:Id attributes. The wsu:Id attribute values are set to the string value of the tag's QName by replacing colons with hyphens to produce an xsd:ID value.

Parameters
soapcontext
[in]tagsstring of space-separated qualified and unqualified element tag names
Returns
SOAP_OK
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_sign ( struct soap *  soap,
int  alg,
const void *  key,
int  keylen 
)

Uses the wsse plugin to sign all wsu:Id attributed elements.

Parameters
soapcontext
[in]algis the signature algorithm, such as SOAP_SMD_HMAC_SHA1/224/256/384/512, SOAP_SMD_SIGN_DSA_SHA1/256, SOAP_SMD_SIGN_RSA_SHA1/224/256/384/512, or SOAP_SMD_SIGN_ECDSA_SHA1/224/256/384/512
[in]keyis the HMAC secret key or DSA/RSA/ECDSA private EVP_PKEY
[in]keylenis the HMAC key length
Returns
SOAP_OK or fault

This function does not actually sign the message, but initiates the plugin's signature algorithm to sign the message upon message transfer.

SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_sign_body ( struct soap *  soap,
int  alg,
const void *  key,
int  keylen 
)

Uses the wsse plugin to sign all wsu:Id attributed elements, including the SOAP Body (by adding a wsu:Id="Body" attribute).

Parameters
soapcontext
[in]algis the signature algorithm, such as SOAP_SMD_HMAC_SHA1/224/256/384/512, SOAP_SMD_SIGN_DSA_SHA1/256, SOAP_SMD_SIGN_RSA_SHA1/224/256/384/512, or SOAP_SMD_SIGN_ECDSA_SHA1/224/256/384/512
[in]keyis the HMAC secret key or DSA/RSA/ECDSA private EVP_PKEY
[in]keylenis the HMAC key length
Returns
SOAP_OK or fault

This function does not actually sign the message, but initiates the plugin's signature algorithm to sign the message upon message transfer.

SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_sign_only ( struct soap *  soap,
const char *  tags 
)

Filters only the specified wsu:Id names for signing. Can be used with soap_wsse_set_wsu_id() and if so should use the element tag names.

Parameters
soapcontext
[in]tagsstring of space-separated qualified and unqualified tag names
Returns
SOAP_OK
SOAP_FMAC1 struct ds__SignatureType* SOAP_FMAC2 soap_wsse_Signature ( struct soap *  soap)

Returns Signature header element if present.

Parameters
soapcontext
Returns
ds__SignatureType object or NULL
SOAP_FMAC1 struct ds__SignedInfoType* SOAP_FMAC2 soap_wsse_SignedInfo ( struct soap *  soap)

Returns SignedInfo element if present.

Parameters
soapcontext
Returns
ds__SignedInfoType object or NULL
SOAP_FMAC1 struct _wsu__Timestamp* SOAP_FMAC2 soap_wsse_Timestamp ( struct soap *  soap)

Returns Timestamp element if present.

Parameters
soapcontext
Returns
_wsu__Timestamp object or NULL
SOAP_FMAC1 struct _wsse__UsernameToken* SOAP_FMAC2 soap_wsse_UsernameToken ( struct soap *  soap,
const char *  id 
)

Returns UsernameToken element if present.

Parameters
soapcontext
[in]idstring of UsernameToken or NULL
Returns
_wsse__UsernameToken object or NULL
Note
This release supports the use of at most one UsernameToken in the header.
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_auto ( struct soap *  soap,
int  alg,
const void *  key,
size_t  keylen 
)

Uses the wsse plugin to initiate the automatic verification of the signature and SignedInfo Reference digests.

Parameters
soapcontext
[in]algto verify signature if signature has no secret or public key, use SOAP_SMD_NONE to omit
[in]keyis HMAC key or a DSA/RSA/ECDSA EVP_PKEY or NULL
[in]keylenis HMAC key length or 0
Returns
SOAP_OK

This function does not actually verify the message, but initiates the plugin's algorithm to store the message in a DOM to automatically verify the signature and digests. If the message does not contain a key to verify the signature, the alg, key, and keylen parameters are used. It is important that the X509 certificate used to verify the signature, which requires soap->cafile and/or soap->capath to be set.

SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_body ( struct soap *  soap)

Post-checks the presence of signed SOAP Body. Does not verify the signature of the Body, which is done with soap_wsse_verify_auto.

Parameters
soapcontext
Returns
SOAP_OK (signed) or SOAP_FAULT

This function does not actually verify the signature of the Body. It checks whether the Body is signed and thus its integrity is preserved. Clients should call this function after invocation. Services should call this function inside a service operation. This function traverses the entire DOM, so performance is determined by the size of a message.

SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_digest ( struct soap *  soap,
int  alg,
int  canonical,
const char *  id,
unsigned char  hash[SOAP_SMD_MAX_SIZE] 
)

Verifies the digest value of an XML element referenced by id against the hash.

Parameters
soapcontext
[in]algdigest algorithm
[in]canonicalflag indicating that element is signed in c14n (inclusive or exclusive)
[in]idstring of the XML element to verify
[in]hashdigest value to verify against
Returns
SOAP_OK or fault
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_done ( struct soap *  soap)

Terminates the automatic verification of signatures.

Parameters
soapcontext
Returns
SOAP_OK
SOAP_FMAC1 size_t SOAP_FMAC2 soap_wsse_verify_element ( struct soap *  soap,
const char *  URI,
const char *  tag 
)

Post-checks the presence of signed element(s), returns the number of matching elements signed or zero when none found or if one or more matching elements are not signed. Does not verify the signature of these elements, which is done with soap_wsse_verify_auto.

Parameters
soapcontext
URInamespace of element(s)
tagname of element(s)
Returns
number of matching elements that are signed or 0 if no matching elements found or if one or more non-signed matching elements were found (0 is returned to prevent signature wrapping attacks).

This function does not actually verify the signature of each element, but checks whether the elements are signed and thus their integrity is preserved. Signed element nesting rules are obeyed, so if the matching element is a descendent of a signed element, it is signed as well. Thus, the verification process follows nesting rules.

Client should call this function after invocation. Services should call this function inside a service operation. This function traverses the entire DOM, so performance is determined by the size of a message.

To check the SOAP Body (either using SOAP 1.1 or 1.2), soap_wsse_verify_element(soap, namespaces[0].ns, "Body"). To check whether the Timestamp was signed (assuming it is present and message expiration checked with soap_wsse_verify_Timestamp), use soap_wsse_verify_element(soap, "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd", "Timestamp").

Note
For future releases, XPath queries (or forms of these) will be considered.
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_EncryptedKey ( struct soap *  soap)

Verifies the EncryptedKey header information (certificate validity requires soap->cafile to be set). Retrieves the decryption key from the token handler callback to decrypt the decryption key.

Parameters
soapcontext
Returns
SOAP_OK or error code
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_init ( struct soap *  soap)

Uses the wsse plugin to initiate the verification of the signature and SignedInfo Reference digests.

Parameters
soapcontext
Returns
SOAP_OK

This function does not actually verify the message, but initiates the plugin's data to store the message in a DOM to verify the signature. The signature and digests in the DOM must be verified manually.

static size_t soap_wsse_verify_nested ( struct soap *  soap,
struct soap_dom_element *  dom,
const char *  URI,
const char *  tag 
)
static

Counts signed matching elements from the dom node and down.

Parameters
soapcontext
domnode to check and down
URInamespace of element(s)
tagname of element(s)
Returns
number of matching elements.
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_Password ( struct soap *  soap,
const char *  password 
)

Verifies the supplied password or sets wsse:FailedAuthentication fault.

Parameters
soapcontext
[in]passwordstring to verify against
Returns
SOAP_OK (authorized) or SOAP_FAULT with wsse:FailedAuthentication fault

The verification supports both clear-text password verification and digest password authentication. For digest authentication a history mechanism with a digest authentication session database ensures protection against replay attacks.

Note
This release supports the use of at most one UsernameToken in the header.
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_Signature ( struct soap *  soap)

Verifies the Signature and the signed elements.

Parameters
soapcontext
Returns
SOAP_OK, SOAP_EOM, or fault
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_SignatureValue ( struct soap *  soap,
int  alg,
const void *  key,
int  keylen 
)

Verifies the SignatureValue of a SignedInfo element.

Parameters
soapcontext
[in]algis a signature algorith, such as SOAP_SMD_HMAC_SHA1/224/256/384/512, SOAP_SMD_VRFY_DSA_SHA1/256, SOAP_SMD_VRFY_RSA_SHA1/224/256/384/512 or SOAP_SMD_VRFY_ECDSA_SHA1/224/256/384/512 determined by the SignedInfo/SignatureMethod
[in]keyto use to verify (HMAC or DSA/RSA/ECDSA EVP_PKEY)
[in]keylenlength of HMAC key
Returns
SOAP_OK, SOAP_EOM, or fault

This function searches for the SignedInfo element in the soap->dom DOM tree to verify the signature in the SignatureValue element. Using the DOM ensures we will verify the signature of a SignedInfo as it was exactly received by the parser, by using the -DWITH_DOM compile flag and SOAP_XML_DOM runtime flag. If there is no DOM, it verifies the signature of the deserialized SignedInfo element in the SOAP Header. However, serializing deserialized data may change the octet stream that was signed, unless we're using gSOAP as producers and consumers (with the SOAP_XML_INDENT flag reset).

SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_SignedInfo ( struct soap *  soap)

Verifies the digest values of the XML elements referenced by the SignedInfo References.

Parameters
soapcontext
Returns
SOAP_OK or fault

This function searches for the SignedInfo element in the soap->dom DOM tree to verify the digests contained therein. Using the DOM ensures we will verify the digests of the locally signed elements as they were exactly received by the parser, by using the -DWITH_DOM compile flag and SOAP_XML_DOM runtime flag. If there is no DOM, the function fails.

SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_Timestamp ( struct soap *  soap)

Verifies the Timestamp/Expires element against the current time.

Parameters
soapcontext
Returns
SOAP_OK or SOAP_FAULT with wsu:MessageExpired fault

Sets wsu:MessageExpired fault if wsu:Timestamp is expired. The SOAP_WSSE_CLKSKEW value is used as a margin to mitigate clock skew. Keeps silent when no timestamp is supplied or no expiration date is included in the wsu:Timestamp element.

SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_with_signature ( struct soap *  soap,
_ds__Signature signature 
)
SOAP_FMAC1 int SOAP_FMAC2 soap_wsse_verify_X509 ( struct soap *  soap,
X509 *  cert 
)

Verifies X509 certificate against soap->cafile, soap->capath, and soap->crlfile.

Parameters
soapcontext
[in]certX509 certificate
Returns
SOAP_OK or fault

This is an expensive operation. Whenever a new soap context is created, the cafile and objects are loaded into that context each time we need to verify a certificate.

Variable Documentation

const char* c14n_URI = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
const char* c14n_wc_URI = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
const char* ds_dsa_sha1URI = "http://www.w3.org/2000/09/xmldsig#dsa-sha1"
const char* ds_dsa_sha256URI = "http://www.w3.org/2009/xmldsig11#dsa-sha256"
const char* ds_ecdsa_sha1URI = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"
const char* ds_ecdsa_sha224URI = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"
const char* ds_ecdsa_sha256URI = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"
const char* ds_ecdsa_sha384URI = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"
const char* ds_ecdsa_sha512URI = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"
const char* ds_envsigURI = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
const char* ds_hmac_sha1URI = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
const char* ds_hmac_sha224URI = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha224"
const char* ds_hmac_sha256URI = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
const char* ds_hmac_sha384URI = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha384"
const char* ds_hmac_sha512URI = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha512"
const char* ds_rsa_sha1URI = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
const char* ds_rsa_sha224URI = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha224"
const char* ds_rsa_sha256URI = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
const char* ds_rsa_sha384URI = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
const char* ds_rsa_sha512URI = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
const char* ds_sha1URI = "http://www.w3.org/2000/09/xmldsig#sha1"
const char* ds_sha224URI = "http://www.w3.org/2001/04/xmldsig-more#sha224"
const char* ds_sha256URI = "http://www.w3.org/2001/04/xmlenc#sha256"
const char* ds_sha384URI = "http://www.w3.org/2001/04/xmldsig-more#sha384"
const char* ds_sha512URI = "http://www.w3.org/2001/04/xmlenc#sha512"
const char* ds_URI = "http://www.w3.org/2000/09/xmldsig#"
const char* exc_c14n_URI = "http://www.w3.org/2001/10/xml-exc-c14n#"
const char* exc_c14n_wc_URI = "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
const char* saml1_URI = SOAP_NAMESPACE_OF_saml1
const char* saml2_URI = SOAP_NAMESPACE_OF_saml2
const char soap_wsse_id[14] = SOAP_WSSE_ID

Plugin identification for plugin registry

struct soap_wsse_session* soap_wsse_session = NULL
static

The digest authentication session database

MUTEX_TYPE soap_wsse_session_lock = MUTEX_INITIALIZER
static

Lock for digest authentication session database exclusive access

const char* wsse_Base64BinaryURI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
const char* wsse_HexBinaryURI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary"
const char* wsse_PasswordDigestURI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
const char* wsse_PasswordTextURI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
const char* wsse_URI = SOAP_NAMESPACE_OF_wsse
const char* wsse_X509v3SubjectKeyIdentifierURI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
const char* wsse_X509v3URI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
const char* wsu_URI = SOAP_NAMESPACE_OF_wsu
const char* xenc_3desURI = "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"
const char* xenc_aes128cbcURI = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
const char* xenc_aes128gcmURI = "http://www.w3.org/2009/xmlenc11#aes128-gcm"
const char* xenc_aes192cbcURI = "http://www.w3.org/2001/04/xmlenc#aes192-cbc"
const char* xenc_aes192gcmURI = "http://www.w3.org/2009/xmlenc11#aes192-gcm"
const char* xenc_aes256cbcURI = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
const char* xenc_aes256gcmURI = "http://www.w3.org/2009/xmlenc11#aes256-gcm"
const char* xenc_aes512cbcURI = "http://www.w3.org/2001/04/xmlenc#aes512-cbc"
const char* xenc_aes512gcmURI = "http://www.w3.org/2009/xmlenc11#aes512-gcm"
const char* xenc_contentURI = "http://www.w3.org/2001/04/xmlenc#Content"
const char* xenc_elementURI = "http://www.w3.org/2001/04/xmlenc#Element"
const char* xenc_rsa15URI = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
const char* xenc_rsaesURI = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
const char* xenc_URI = "http://www.w3.org/2001/04/xmlenc#"