wiki:T12_Security/WS-Security

Version 11 (modified by pjkersha, 13 years ago)

Conversion of NDG Security WS Interfaces to use WS-Security

Current Status

The Alpha version of the s/w uses message-level security based on pyXMLSec and ZSI. WSDL interface message arguments are signed and/or encrypted before dispatch.

Reasons for Change

  • Current solution is bespoke. A more standards based solution is preferred.
  • DEWS project requires use of WS-Security
  • Standardised interface will enable smoother interoperation with clients written in other languages such as Java
  • A secondary issue is that pyXMLSec can be difficult to use. It would be helpful to remove it as a dependency
  • pyGridWare + ZSI may give an off-the-shelf solution.

Approaches to a Solution

  • Investigate pyGridWare and experiment with examples
  • Implement a custom solution for WS-Security, but using ZSI. This would give an interface matched to what we need with minimal dependencies on other packages.
  • Look at IBM WebSphere - to be used with DEWS project. Check WS-Security support and how best to interface to it.

XML Signature

pyGridWare uses the sha package for digest generation and M2Crypto for signing. A DOM-based canonicalisation algorithm written by Rich Salz has been added to ZSI (ZSI.wstools.c14n). This gets a mention on a Python mailing list from May 2002: http://mail.python.org/pipermail/xml-sig/2001-May/005462.html

Custom Signature Code

Objective: emulate the digital signature using the above and validate it against the pyXMLSec version.

pyXMLSec has been used in NDG up until now with enveloped signatures, e.g. for signed Attribute Certificates. For WS-Security we need to be able to use a reference instead, set to the particular part of the SOAP message body to be signed.

  • Modified pyXMLSec sign3.py test code to sign an externally referenced XML doc.
  • Written test code adapted from pyGridWare GssSignatureHandler to verify the above. This uses the canonicalization algorithm from ZSI.wstools.c14n and M2Crypto for verification:

    from M2Crypto import X509, BIO, RSA

    def verifySignedInfo(x509Cert, signedInfoDigest, signature):
        # x509Cert: the cert obtained from the wsse header
        # Extract RSA public key from the cert
        rsaPubKey = x509Cert.get_pubkey().get_rsa()

        # Apply the signature verification
        return rsaPubKey.verify(signedInfoDigest, signature)

  • (21/08/06) Test sign code working with the test version of verify and with the pyXMLSec verify code. Care is needed with namespace declarations and canonicalization. It seems that all namespaces should be included in a document subset whether they're referenced or not. See the spec (http://www.w3.org/TR/xml-c14n).
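
With a reference-based signature as described above, the receiver has to check that the digest of the referenced Body element matches the DigestValue held in SignedInfo, in addition to the RSA check over SignedInfo. The following is an added example of that digest step on a constructed message, not NDG or pyGridWare code. It assumes Python 3.8+ and uses the standard library's xml.etree.ElementTree.canonicalize (C14N 2.0) as a stand-in for ZSI.wstools.c14n, so its digests will not match those of the C14N 1.0 tools named on this page; getAttCert and urn:example:ndg are hypothetical names.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
# Constructed sample message; getAttCert and urn:example:ndg are hypothetical.
TEMPLATE = (
    '<soap:Envelope xmlns:soap="%s" xmlns:wsu="%s" xmlns:ds="%s">'
    '<soap:Header><ds:SignedInfo><ds:Reference URI="#body">'
    '<ds:DigestValue>DIGEST</ds:DigestValue>'
    '</ds:Reference></ds:SignedInfo></soap:Header>'
    '<soap:Body wsu:Id="body">'
    '<getAttCert xmlns="urn:example:ndg">user1</getAttCert>'
    '</soap:Body></soap:Envelope>' % (SOAP, WSU, DS))

def canonical_digest(elem):
    """Base64 SHA-1 digest over the canonical form of one element subtree."""
    # ElementTree rewrites prefixes, so sender and receiver must both use this.
    canonical = ET.canonicalize(ET.tostring(elem, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(canonical.encode()).digest()).decode()

def resolve_reference(root, uri):
    """Return the one element whose wsu:Id matches a same-document URI."""
    if not uri.startswith("#"):
        raise ValueError("only same-document references are handled")
    hits = [e for e in root.iter() if e.get("{%s}Id" % WSU) == uri[1:]]
    if len(hits) != 1:  # a missing or ambiguous Id is never accepted
        raise ValueError("reference must resolve to exactly one element")
    return hits[0]

def build_message(template=TEMPLATE):
    """Sender side: fill in the digest of the referenced Body."""
    root = ET.fromstring(template)
    body = resolve_reference(root, "#body")
    return template.replace("DIGEST", canonical_digest(body))

def check_references(message):
    """Receiver side: raise ValueError unless every digest matches."""
    root = ET.fromstring(message)
    refs = root.findall(".//{%s}Reference" % DS)
    if not refs:
        raise ValueError("no ds:Reference present")
    for ref in refs:
        target = resolve_reference(root, ref.get("URI", ""))
        if ref.findtext("{%s}DigestValue" % DS) != canonical_digest(target):
            raise ValueError("digest mismatch for %s" % ref.get("URI"))
    return True
```
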

Integration into ZSI

How best to integrate signature code into ZSI?

For the WS client side, ZSI.Binding.Send has a sig_handler keyword which can be set to a signature handler class. This must implement sign and verify methods. Both take the same single argument, a ZSI.writer.SoapWriter instance. verify indicates an invalid signature by raising an exception. GssSignatureHandler, the pyGridWare handler class, raises a VerifyError type.

XML Encryption

Tackle digital signature first :)

WSDL + WS-Security?

The existing system uses WSDL, so it would be desirable to keep with this when integrating WS-Security. The WS-PolicyAttachment standard would seem to cover what we need, but is it too new for the s/w support tools to be there?