Version 13 (modified by pjkersha, 14 years ago) (diff)


Conversion of NDG Security WS Interfaces to use WS-Security

Current Status

The Alpha version of the s/w uses message level security based on pyXMLSec and ZSI. WSDL interface message arguments are signed and or encrypted before dispatch.

Reasons for Change

  • Current solution is bespoke. A more standards based solution is preferred.
  • DEWS project requires use of WS-Security
  • Standardised interface will enable smoother interoperation with clients written in other languages such as Java
  • A secondary issue is that pyXMLSec can be difficult to use. It would be helpful to remove it as dependency
  • pGridWare + ZSI may give an off the shelf solution.

Approaches to a Solution

  • Investigate pyGridWare and experiment with examples
  • Implement custom solution for WS-Security but using ZSI - This would enable an interface according to what we need with minimal dependencies on other packages.
  • Look at IBM WebSphere - to be used with DEWS project. Check WS-Security support and how best to interface to it.

XML Signature

pyGridWare uses sha package for digest generation and M2Crypto for signing. A DOM based canonicalisation algorithm written by Rich Salz has been added to ZSI (ZSI.wstools.c14n). This gets a mention on a Python mailing list from May 2002:

Custom Signature Code

Objective: emulate digital signature using the above and validate against pyXMLSec Version.

pyXMLSec has been used in NDG up until now with enveloped signature e.g. for signed Attribute Certificates. For WS-Security we need to be able to use a reference instead, set to the particular part of the SOAP message body to be signed.

  • Modified pyXMLSec test code to sign an externally referenced XML doc.
  • Written test code adapted from pyGridWare GssSignatureHandler to verify the above. This uses the canonicalization algorithm from ZSI.wstools.c14n and M2Crypto for verification:
from M2Crypto import X509, BIO, RSA

x509Cert = # Get cert from wsse header ...
# Extract RSA public key from the cert
rsaPubKey = x509Cert.get_pubkey().get_rsa()
# Apply the signature verification
verify = rsaPubKey.verify(signedInfoDigest, signature)
  • (21/08/06) Test sign code working with test version of verify and pyXMLSec verify code. Care is needed with namespace declarations and canonicalization. It seems that all namespaces should be included in a document subset whether they're referenced or not. See Spec (

Integration into ZSI

How best to integrate signature code into ZSI?

For WS client side, ZSI.Binding.Send has sig_handler keyword which can be assigned to a signature handler class. This must implement sign and verify methods. These both take the same single argument of a ZSI.writer.SoapWriter instance. verify indicates an invalid signature by raising an exception. GssSignatureHandler the pyGridWare handler class raises a VerifyError type.

For the server side there doesn't seem to be an explicit place holder for a signature handler so it would seem to be a more complicated as how to best sign a message. Server side methods have access to the ZSI.parse.ParsedSoap instance which contains a dom member variable which would enable checking of content for verify.

For signing responses it may need a sub class to ZSI.ServiceContainer.SOAPRequestHandler with an overloaded version of do_POST to include code to sign an outbound message. More investigation is needed.

The current status is that a working SignatureHandler class signs outbound messages from the WS client.

XML Encryption

Tackle digital signature first :)

WSDL + WS-Security?

The existing system uses WSDL so it would desriable to keep with this when integrating WS-Security. WS-PolicyAttachment standard would seem to cover what we need but is it too new for the s/w support tools to be there?