++ed by:

1 PAUSE user

Mark Overmeer
and 1 contributors


XML::Compile::WSS::Signature - WSS Signatures


   is a XML::Compile::WSS


WARNING: Only limited real-life experience. Many optional extensions have never been tried.

 # You may need a few of these
 use XML::Compile::WSS::Util  qw/:dsig/;
 use XML::Compile::C14N::Util qw/:c14n/;

 # This modules van be used "stand-alone" ...
 my $schema = XML::Compile::Cache->new(...);
 my $sig    = XML::Compile::WSS::Signature->new
   (sign_method => DSIG_RSA_SHA1, ...);

 # ... or as SOAP slave (strict order of object creation!)
 my $wss    = XML::Compile::SOAP::WSS->new;
 my $wsdl   = XML::Compile::WSDL11->new($wsdlfn);
 my $sig    = $wss->signature(sign_method => ...);


The generic Web Service Security protocol is implemented by the super class XML::Compile::WSS. This extension implements cypto signatures.

On this moment, there are two versions of this standard:


One or more elements of the document can be selected to be signed. They are canonalized (serialized in a well-described way) and then digested (usually via SHA1). The digest is put in a SignedInfo component of the Signature feature in the Security header. When all digests are in place, the whole SignedInfo structure

See documentation in the base class.


Many companies have their own use of the pile of standards for this feature. Some of the resulting limitations are known by the author:

  • digests

    Only digest algorithms which are provided via the Digest module are supported for the elements to be signed.

  • signatures

    Only a limited subset of signing (algoritm, hash) combinations are supported. Lower on this page, you find details about each of the provided signing implementations.


See documentation in the base class.


See documentation in the base class.


The OPTIONS you provisw here, will also end-up as

 -Option      --Defined in       --Default
  checker                          undef
  key_info                         {}
  prepare       XML::Compile::WSS  'ALL'
  remote_token                     undef
  schema        XML::Compile::WSS  undef
  sign_types                       <required>
  signed_info                      {}
  signer                           DSIG_RSA_SHA1
  token                            <depends on sign_method>
  version       XML::Compile::WSS  undef
  wss_version   XML::Compile::WSS  '1.1'

The signer object with server information, anything what is accepted by XML::Compile::WSS::Sign::fromConfig(). When provided, we do not need to collect the information from the incoming messages.

key_info => HASH

Read XML::Compile::WSS::KeyInfo::new()

prepare => 'READER'|'WRITER'|'ALL'|'NONE'
remote_token => OBJECT|HASH|FILENAME

To defend against man-in-the-middle attacks, you need to specify the server's public key. When specified, that key will be used to verify the signature, not the one listed in the XML response.

Only when this remote_token is specified, we will require the signature. Otherwise, the check of the signature will only be performed when a Signature is available in the Security header.

schema => an XML::Compile::Cache object
sign_types => ARRAY

Specify the types of elements which need to be signed. If you have more elements of the same type, they will all get signed.

signed_info => HASH

Settings for the SignedInfo structure. Read XML::Compile::WSS::SignedInfo::new()


The client-side signer object, anything what is accepted by XML::Compile::WSS::Sign::fromConfig().


The token, anything which is accepted by XML::Compile::WSS::SecToken::fromConfig(). This contains at least the public information.

version => STRING
wss_version => '1.1'|MODULE


See documentation in the base class.


See "Attributes" in XML::Compile::WSS


See "Attributes" in XML::Compile::WSS

Security Tokens

To prove the signature, there usually is some security token. This token may (or may not) be included in the SOAP message itself.


Returns the security token of the server, which is an XML::Compile::WSS::SecToken object. Either, this token is provided by new(remote_token), to taken from the first message.


Returns the security token, which is an XML::Compile::WSS::SecToken object.


See documentation in the base class.


See "Apply" in XML::Compile::WSS

$obj->create(DOC, SECURITY, DATA)

See "Apply" in XML::Compile::WSS


See documentation in the base class.


See "Helpers" in XML::Compile::WSS


See documentation in the base class.

$obj->loadSchemas(SCHEMA, VERSION)
XML::Compile::WSS::Signature->loadSchemas(SCHEMA, VERSION)

See "Internals" in XML::Compile::WSS


See "Internals" in XML::Compile::WSS


See documentation in the base class.


This module is part of XML-Compile-WSS-Signature distribution version 2.01, built on October 11, 2013. Website: http://perl.overmeer.net/xml-compile/

Other distributions in this suite: XML::Compile, XML::Compile::SOAP, XML::Compile::SOAP12, XML::Compile::SOAP::Daemon, XML::Compile::SOAP::WSA, XML::Compile::C14N, XML::Compile::WSS, XML::Compile::WSS::Signature, XML::Compile::Tester, XML::Compile::Cache, XML::Compile::Dumper, XML::Compile::RPC, XML::Rewrite and XML::LibXML::Simple.

Please post questions or ideas to the mailinglist at http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/xml-compile . For live contact with other developers, visit the #xml-compile channel on irc.perl.org.


Copyrights 2012-2013 by [Mark Overmeer]. For other contributors see ChangeLog.

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself. See http://www.perl.com/perl/misc/Artistic.html