This page gives a brief overview of digitally signing SOAP messages.
Digital signatures, produced with public-private key pairs, provide means for:
- authentication of the message sender (proving that the sender is who they claim to be);
- authorization, indirectly: once the sender is authenticated, the service can decide whether that identity is allowed to invoke the requested method (the signature itself carries no clearances; that decision is the server's);
- verifying the integrity of the signed data, by means of a message digest (hash) that the signature covers;
- non-repudiation, since only the holder of the private key can have produced the signature.
Encryption is not provided by the signature itself: a signed message remains readable. If confidentiality is needed, the message must also be encrypted with XML Encryption, which WS-Security specifies separately and which can use the same certificates.
The Digital Signature Extension (SOAP-DSIG) specifies an XML structure, built on XML Signature (XML-DSIG), that carries the signed message together with the signature data: the algorithms used, the signer's public key or certificate, the message digest, and the signature value. The ds: elements described below come from XML Signature; the wsse: elements come from WS-Security, the OASIS standard that later subsumed SOAP-DSIG.
The header contains elements such as ds:DigestValue, which holds the message digest computed with the algorithm named in ds:DigestMethod (SHA-1 in this case; SHA-1 is no longer considered collision-resistant, and new deployments should use SHA-256). The ds:Reference URI identifies the content that was signed. The element ds:SignatureValue holds the signature itself, and wsse:BinarySecurityToken carries the X.509 certificate, including the sender's public key, encoded as base64Binary.
Below is an example of an RPC-style SOAP message, not yet signed. It invokes the method testMethod on the SOAP service located at http://localhost:8080/LogTestService.
The same document is now signed with an X.509 certificate and its key pair. Note the element ds:DigestValue, holding the digest of the original message above; ds:SignatureValue, holding the signature, which is computed over the ds:SignedInfo element that contains that digest rather than over the digest alone; and ds:KeyInfo, presenting the X.509 certificate and public key. The server uses these data to verify the signature. It must also check that the certificate chains to a trust anchor it has been configured with: a signature that verifies under a certificate the server does not trust proves only that someone holds that certificate's private key, not who the sender is.
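The exchange described above, as an added example that is not part of the original page: a Go program (standard library only) that builds the header elements named here for a constructed sample Body invoking testMethod, then plays the server side. Everything in it is assumed for illustration: the sample Body, the element layout rendered as plain strings, and a self-signed certificate standing in for the client's X.509 certificate. It departs from the page's message in three labelled ways: it uses SHA-256 and rsa-sha256 instead of sha1, it digests the Body bytes exactly as serialized instead of canonicalizing them first, and it carries the certificate in a BinarySecurityToken field rather than inside ds:KeyInfo. Verify shows the server's three checks in the order they must be made, and Scenario exercises an honest request, a Body altered in transit under the original header, and a forged Body re-signed by an attacker with a certificate the server does not trust.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed sample Body (not the page's message): an RPC-style call to testMethod. Its wsu:Id is the target of ds:Reference URI="#Body".
const sampleBody = `<soapenv:Body wsu:Id="Body" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"` +
	` xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">` +
	`<ns:testMethod xmlns:ns="urn:example"><arg>hello</arg></ns:testMethod></soapenv:Body>`

type Signature struct {
	SignedInfo          string // ds:SignedInfo: algorithms, Reference URI and DigestValue; these are the bytes that get signed
	SignatureValue      string // ds:SignatureValue: base64 RSASSA-PKCS1-v1_5 (SHA-256) over SignedInfo
	BinarySecurityToken string // wsse:BinarySecurityToken: base64 DER X.509 certificate carrying the public key
}

// base64 for the header's text nodes; SHA-256 over serialized bytes for ds:DigestValue and the signature hash.
func b64(b []byte) string { return base64.StdEncoding.EncodeToString(b) }
func digest(s string) []byte {
	h := sha256.Sum256([]byte(s))
	return h[:]
}

func signedInfo(bodyDigest string) string {
	return `<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">` +
		`<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>` + // not applied here: the Body is digested byte-for-byte
		`<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>` +
		`<ds:Reference URI="#Body"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>` +
		`<ds:DigestValue>` + bodyDigest + `</ds:DigestValue></ds:Reference></ds:SignedInfo>`
}

// Sign is the client side: digest the Body, sign the SignedInfo that carries the digest, attach the certificate.
func Sign(body string, key *rsa.PrivateKey, certDER []byte) (Signature, error) {
	si := signedInfo(b64(digest(body)))
	s, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(si))
	return Signature{SignedInfo: si, SignatureValue: b64(s), BinarySecurityToken: b64(certDER)}, err
}

// Verify is the server side. Order matters: trust the certificate, then the signature over SignedInfo, then the DigestValue inside it.
func Verify(body string, sig Signature, trusted *x509.CertPool) error {
	der, _ := base64.StdEncoding.DecodeString(sig.BinarySecurityToken) // a decode error surfaces as a parse failure below
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("malformed BinarySecurityToken: %w", err)
	}
	// 1. The token is sender-supplied: unless it chains to a configured trust anchor, a valid signature says nothing about who sent it.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("untrusted certificate: %w", err)
	}
	// 2. SignatureValue must verify over the SignedInfo bytes with the certificate's public key.
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	s, err := base64.StdEncoding.DecodeString(sig.SignatureValue)
	if !ok || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(sig.SignedInfo), s) != nil {
		return fmt.Errorf("bad SignatureValue")
	}
	// 3. Recompute the Body digest and compare it with the DigestValue inside the now authenticated SignedInfo.
	if !strings.Contains(sig.SignedInfo, "<ds:DigestValue>"+b64(digest(body))+"</ds:DigestValue>") {
		return fmt.Errorf("DigestValue mismatch: Body differs from what was signed")
	}
	return nil
}

// selfSignedCert makes a throwaway RSA key and self-signed certificate standing in for a client's X.509 credentials.
func selfSignedCert() (key *rsa.PrivateKey, der []byte, err error) {
	if key, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return
}

// Scenario: an honest request (nil), a Body altered in transit (step 3 fails), and a forged Body re-signed by an attacker (step 1 fails).
func Scenario() (honest, tampered, untrustedSigner error) {
	key, der, err := selfSignedCert()
	akey, ader, aerr := selfSignedCert()
	if err != nil || aerr != nil {
		return err, err, aerr
	}
	cert, _ := x509.ParseCertificate(der)
	trusted := x509.NewCertPool()
	trusted.AddCert(cert) // the server is provisioned with the client's certificate out of band
	sig, _ := Sign(sampleBody, key, der)
	forged := strings.Replace(sampleBody, "hello", "pwned", 1)
	asig, _ := Sign(forged, akey, ader)
	return Verify(sampleBody, sig, trusted), Verify(forged, sig, trusted), Verify(forged, asig, trusted)
}

func main() { fmt.Println(Scenario()) }
```

Run it with go run; Scenario prints nil for the honest request and an error for each attack. The second attack is the one the trust check exists for: the attacker's signature is cryptographically valid over the forged Body, and a verifier that only checked ds:SignatureValue against the public key found in the message's own token would accept it. Keeping the trust decision first also means an attacker cannot make the server do RSA work with an arbitrary key before being rejected.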