Submit and vote on feature ideas.

Welcome to the new Parasoft forums! We hope you will enjoy the site and try out some of the new features, like sharing an idea you may have for one of our products or following a category.

Does SOATest support Thumbprint SHA1?

rvmseng
rvmseng Posts: 89
edited January 2018 in SOAtest

I need to use thumbprint sha1 WS-Security for signing soap body? Does Soatest support it

Best Answer

Answers

  • rvmseng
    rvmseng Posts: 89

    Thanks for your reply, do you have any alternative solution (e.g. using scripting or extension tools)?

  • benken_parasoft
    benken_parasoft Posts: 1,228 ✭✭✭

    Just about anything is possible using scripting, provided you are able to write the code you need. In this particular case, it is possible to chain an Extension tool to the outgoing Request output to transform the message, like how you would chain an XML Signer tool. So, instead of chaining an XML Signer you could chain an Extension tool that would invoke WSS4J APIs to sign the SOAP message your script receives as input and then return the signed version. I don't know if you care to attempt this. You would effectively be coding your own custom version of the XML Signer.

    If you want to attempt to code this, you would create an instance of org.apache.ws.security.message.WSSecSignature then invoke a bunch of methods on it. I don't have any code to share with you. However, in case this helps, WSS4J has some unit tests that can be helpful to get an understanding for how to user their API, such as SignatureTest.testX509SignatureThumb().

    Again, I don't know if you care to attempt this. I just want to highlight that you can do just about anything with scripting. Scripting always enables you to do something in SOAtest that is not otherwise available out-of-box.

  • rvmseng
    rvmseng Posts: 89

    Dear Benken_parasoft,

    I have been faced with below error,

    Error Message:
    Error during script execution. View Details for more information.

    org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory cannot be cast to
    javax.xml.crypto.dsig.XMLSignatureFactory

    Additional Details:
    org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory cannot be cast to
    javax.xml.crypto.dsig.XMLSignatureFactory

    java.lang.ClassCastException: org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory cannot be cast
    to javax.xml.crypto.dsig.XMLSignatureFactory

    at javax.xml.crypto.dsig.XMLSignatureFactory.findInstance(XMLSignatureFactory.java:202)
    
    at javax.xml.crypto.dsig.XMLSignatureFactory.getInstance(XMLSignatureFactory.java:186)
    
    at org.apache.ws.security.message.WSSecSignature.init(WSSecSignature.java:129)
    
    at org.apache.ws.security.message.WSSecSignature.<init>(WSSecSignature.java:115)
    
    at mp.auto.Utility.X509SignatureThumb(Utility.java:134)
    
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    
    at java.lang.reflect.Method.invoke(Unknown Source)
    
    at com.parasoft.scripting.java.JavaCode$JavaMethodRunnable.run(JavaCode.java:200)
    
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    
    at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
    
    at java.util.concurrent.FutureTask.run(Unknown Source)
    
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    
    at java.lang.Thread.run(Unknown Source) 
    
  • benken_parasoft
    benken_parasoft Posts: 1,228 ✭✭✭

    That type of ClassCastException should not happen anymore in the next release. For now, you can remove the javax folder from the XMLSecurity.jar located under "{soatest_install}/eclipse/plugins\com.parasoft.xtest.libs.web_{ver}/root/lib-java-mod". For example, you could rename the jar to "XMLSecurity.zip", delete "javax" from zip file, then rename back to "XMLSecurity.jar" again. Don't forget to close SOAtest before modifying the jar.

  • rvmseng
    rvmseng Posts: 89

    Dear Parasoft Team,

    I want to know does SOATest 9.10.5 support thumbprint sha1 WS-Security for signing soap body?

  • benken_parasoft
    benken_parasoft Posts: 1,228 ✭✭✭

    I want to know does SOATest 9.10.5 support thumbprint sha1 WS-Security for signing soap body?

    Yes, I believe so. Under click Emulation Options, click OASIS 1.1.1. Under WS-Security, select Thumbprint KeyIdentifier.

  • rvmseng
    rvmseng Posts: 89
    edited June 2018

    Thank you so much.

    Dear benken I believe you are BATMAN.

  • rvmseng
    rvmseng Posts: 89

    Dear Benken,

    I have problem in XML singe, would you please help me.

    I want to implement following scenario with SOATest:



    I use SOATest with following state:





    but I faced with following error

    Error on verifying message against security policy Error code:3000

    would you please help me. Is my implementation correct?

    Thank you.

  • benken_parasoft
    benken_parasoft Posts: 1,228 ✭✭✭
    edited July 2018

    Make sure you are using 9.10.5. In number 8, it doesn't look like you picked "Thumbprint KeyIdentifier". As previously mentioned, you need to pick "OASIS 1.1.1" under Emulation Options section.

  • rvmseng
    rvmseng Posts: 89

    Dear benken,

    I use "OASIS 1.1.1" for both of "Binary Token" and "Thumbprint" and my SOATest version is 9.10.5. also I attach my ".tst" file for you, would you please consider it.

  • benken_parasoft
    benken_parasoft Posts: 1,228 ✭✭✭
    edited July 2018

    I use "OASIS 1.1.1" for both of "Binary Token" and "Thumbprint" and my SOATest version is 9.10.5

    The reasons why I asked is because you showed something different in your screenshot.

    I attach my ".tst" file for you, would you please consider it.

    I usually only provide quick answers on the forum. If you would like someone to study your tst file with you then I would recommend contacting Parasoft Support.