Does SOATest support Thumbprint SHA1?
Best Answer
-
Unfortunately, it looks like the answer is no, not at this time anyway. I believe you referring to the KeyInfo Form which is configured in the XML Signer/Encryption tools under the WS-Security section.
For background, the XML Signer/Encryption tools implement WS-Security using one of three versions of WSS4J, an open source java library. The version of the WSS4J library is configured in the Emulation Options section. Offhand, it looks like WSS4J 1.6 supports this but not the older 1.5 and 1.1 WSS4J libraries. Potentially, a new "X509 ThumbprintSHA1" option would need to be added to that KeyInfo Form combo box when WSS4J 1.6 is enabled under Emulation Options.
I would recommend reaching out to your Parasoft account representative to submit a formal feature request. Parasoft could potentially implement this for some future SOAtest release on your behalf but you need to discuss this with your Parasoft account representative.
5
Answers
-
Thanks for your reply, do you have any alternative solution (e.g. using scripting or extension tools)?
0 -
Just about anything is possible using scripting, provided you are able to write the code you need. In this particular case, it is possible to chain an Extension tool to the outgoing Request output to transform the message, like how you would chain an XML Signer tool. So, instead of chaining an XML Signer you could chain an Extension tool that would invoke WSS4J APIs to sign the SOAP message your script receives as input and then return the signed version. I don't know if you care to attempt this. You would effectively be coding your own custom version of the XML Signer.
If you want to attempt to code this, you would create an instance of org.apache.ws.security.message.WSSecSignature then invoke a bunch of methods on it. I don't have any code to share with you. However, in case this helps, WSS4J has some unit tests that can be helpful to get an understanding for how to user their API, such as SignatureTest.testX509SignatureThumb().
Again, I don't know if you care to attempt this. I just want to highlight that you can do just about anything with scripting. Scripting always enables you to do something in SOAtest that is not otherwise available out-of-box.
1 -
Dear Benken_parasoft,
I have been faced with below error,
Error Message:
Error during script execution. View Details for more information.org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory cannot be cast to
javax.xml.crypto.dsig.XMLSignatureFactoryAdditional Details:
org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory cannot be cast to
javax.xml.crypto.dsig.XMLSignatureFactoryjava.lang.ClassCastException: org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory cannot be cast
to javax.xml.crypto.dsig.XMLSignatureFactoryat javax.xml.crypto.dsig.XMLSignatureFactory.findInstance(XMLSignatureFactory.java:202) at javax.xml.crypto.dsig.XMLSignatureFactory.getInstance(XMLSignatureFactory.java:186) at org.apache.ws.security.message.WSSecSignature.init(WSSecSignature.java:129) at org.apache.ws.security.message.WSSecSignature.<init>(WSSecSignature.java:115) at mp.auto.Utility.X509SignatureThumb(Utility.java:134) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at com.parasoft.scripting.java.JavaCode$JavaMethodRunnable.run(JavaCode.java:200) at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source) at java.util.concurrent.FutureTask.run(Unknown Source) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source)
0 -
That type of ClassCastException should not happen anymore in the next release. For now, you can remove the javax folder from the XMLSecurity.jar located under "{soatest_install}/eclipse/plugins\com.parasoft.xtest.libs.web_{ver}/root/lib-java-mod". For example, you could rename the jar to "XMLSecurity.zip", delete "javax" from zip file, then rename back to "XMLSecurity.jar" again. Don't forget to close SOAtest before modifying the jar.
1 -
Dear Parasoft Team,
I want to know does SOATest 9.10.5 support thumbprint sha1 WS-Security for signing soap body?
0 -
I want to know does SOATest 9.10.5 support thumbprint sha1 WS-Security for signing soap body?
Yes, I believe so. Under click Emulation Options, click OASIS 1.1.1. Under WS-Security, select Thumbprint KeyIdentifier.
1 -
Thank you so much.
Dear benken I believe you are BATMAN.
0 -
Dear Benken,
I have problem in XML singe, would you please help me.
I want to implement following scenario with SOATest:
I use SOATest with following state:
but I faced with following error
Error on verifying message against security policy Error code:3000would you please help me. Is my implementation correct?
Thank you.
0 -
Make sure you are using 9.10.5. In number 8, it doesn't look like you picked "Thumbprint KeyIdentifier". As previously mentioned, you need to pick "OASIS 1.1.1" under Emulation Options section.
0 -
I use "OASIS 1.1.1" for both of "Binary Token" and "Thumbprint" and my SOATest version is 9.10.5
The reasons why I asked is because you showed something different in your screenshot.
I attach my ".tst" file for you, would you please consider it.
I usually only provide quick answers on the forum. If you would like someone to study your tst file with you then I would recommend contacting Parasoft Support.
0