NAME
XML::Compile::WSS::KeyInfo - handling WSS key info structures
SYNOPSIS
# Not for end-users
my $sig = XML::Compile::WSS::Signature->new(key_info => $config);
my $ki = $sig->keyInfo;
DESCRIPTION
The specifications define at least 10 different ways to provide security keys to the messages. This module implements the logic to read and write tokens and keyinfo references to these tokens in the XML message.
METHODS
Constructors
- XML::Compile::WSS::KeyInfo->fromConfig(HASH|PAIRS)
-
Take default values to be used with the readers and writers, which are created by this object. So, the configuration contains all parameters to builder()
- XML::Compile::WSS::KeyInfo->new(%options)
-
End-user should use XML::Compile::WSS::Signature::new(key_info) to pass a HASH of %options. These options do not have accessors (yet).
Attributes
Token administration
- $obj->addToken( $token, [$token...] )
- $obj->findToken(%options)
-
-Option --Default fingerprint undef name undef uri undef
- $obj->tokens()
Handlers
- $obj->builder($wss, %options)
-
Not for end-users. Returns a CODE which will be called to produce the token representation in some output message.
-Option --Default publish_token 'SECTOKREF_URI'
- publish_token => 'NO'|CONSTANTS|CODE
-
How to publish the security token. The
INCLUDE_BY_REF
constant will add the token as BinarySecurityToken in the message, plus a keyinfo structure with a reference to that token. See "DETAILS" about the various choices and additional options they imply.
- $obj->getTokens($wss, %options)
-
Not for end-users. Returns a CODE which needs to be called with a parsed incoming message.
DETAILS
Supported KeyInfo types
KeyInfo
On the top level, we have the following options:
keyinfo_id STRING an xsd:ID value for the Id attribute (namespaceless)
KEYNAME
X509DATA
This key-info type inlines one or more X509 certificates, in base64 encoding.
Additional options:
x509data_type TYPE read below, default ASN1DER
When you use the X509DATA
method to publish your key, you can specify the x509data_type
SERIAL issuer name and cert serial number
SKI subject key identifier (subject hash)
SUBJECT subject name
ASN1DER base64 encoded full public certificate
CRL certification revocation list not supported (yet)
As example, you may look at Net::Domain::SMD::Schema, which uses this key storage model for an enveloped signature.
SecurityTokenReference
The wsse:SecurityTokenReference
structure contains various other constructs. They share the following options:
sectokref_id the wsu:Id of the SecurityTokenReference
usage list of URIs
SECTOKREF_KEYID
(At least) used in EncryptedKeys structures. The "ThumbprintSHA1" is the SHA1 of the fingerprint of an key.
Example:
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">+tkVcx0cyPfbKrQtVePbC98Kjc0=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
Options and defaults:
keyid_value WSM11_PRINT_SHA1
keyid_encoding WSM10_BASE64
keyident_id the wsu:Id of the KeyIdentifier
SECTOKREF_URI
Creates a KeyInfo structure which refers to the key via an URI. But, this will also add the BinarySecurityToken to the Security header, if not yet present.
Example:
<ds:KeyInfo Id="KI-1">
<wsse:SecurityTokenReference wsu:Id="STR-2">
<wsse:Reference URI="#X509-3"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<wsse:Security
<wsse:BinarySecurityToken wsu:Id="X509-3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
MIIB..akDNgQ==
</wsse:BinarySecurityToken>
</wsse:Security>
Options and defaults:
sectokref_uri Relative or absolute URI
SEE ALSO
This module is part of XML-Compile-WSS-Signature distribution version 2.02, built on July 16, 2016. Website: http://perl.overmeer.net/xml-compile/
Please post questions or ideas to the mailinglist at http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/xml-compile . For live contact with other developers, visit the #xml-compile
channel on irc.perl.org
.
LICENSE
Copyrights 2012-2016 by [Mark Overmeer]. For other contributors see ChangeLog.
This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself. See http://www.perl.com/perl/misc/Artistic.html