Layer 7 API Management

Expand all | Collapse all

Policy Manger: When using the sign element assertion, I want to modify the signedinfo element before the signature value is calculated.

  • 1.  Policy Manger: When using the sign element assertion, I want to modify the signedinfo element before the signature value is calculated.

    Posted 03-17-2015 10:55 PM

    When using the sign element assertion the actual signedInfo xml isn't created until the Apply WS-Security Assertion is called, but at that point the signature is calculated and injecting any new elements would invalidate it.  An outside vender requires an xpath element inserted in the transforms tag. How can i insert an element before signing. Thank you



  • 2.  Re: Policy Manger: When using the sign element assertion, I want to modify the signedinfo element before the signature value is calculated.

    Posted 03-25-2015 03:54 PM

    Anyone able to assist here?

     

    Thank you

    Justin Cranford wrote:

     

    When using the sign element assertion the actual signedInfo xml isn't created until the Apply WS-Security Assertion is called, but at that point the signature is calculated and injecting any new elements would invalidate it.  An outside vender requires an xpath element inserted in the transforms tag. How can i insert an element before signing. Thank you



  • 3.  Re: Policy Manger: When using the sign element assertion, I want to modify the signedinfo element before the signature value is calculated.

    Posted 03-25-2015 04:14 PM

    I got a response from CA support on a case i opened. I was told that XPath transforms in the XML Signature were a security risk and were not likely to be implemented byt the gateway.  While i understand the reasoning for incoming request being validated by the gateway, i don't understand why i can't do it for outbound messages where i'm creating the signature.

     

    i really just want to be able to delay the calculation of the signed value, have some more control over the signedInfo element within the security header and then calculate the signed value. Or just have the ability to just recreate the signed value.

     

    justin