1 Reply Latest reply on Dec 10, 2010 11:44 AM by Giovanni Castellari

    Re-calculating XML-Signature DigestValue

    Giovanni Castellari Newbie

      Hello everyone, I'm a new user and hope it is the right section for my question.

      I've configured JBoss for working with WS-Security, in particular with the signature of xml messages. Everything works well: upon the receipt of a request, I can see the signed xml message in the log and I also can find sentences like these:

       

      2010-12-07 17:37:40,404 INFO  [org.apache.xml.security.signature.Reference] Verification successful for URI "#element-1-1291739860070-11803898"
      2010-12-07 17:37:40,405 INFO  [org.apache.xml.security.signature.Reference] Verification successful for URI "#timestamp"

      2010-12-07 17:37:40,404 INFO  [org.apache.xml.security.signature.Reference] Verification successful for URI "#element-1-1291739860070-11803898"

      2010-12-07 17:37:40,405 INFO  [org.apache.xml.security.signature.Reference] Verification successful for URI "#timestamp"

       

      The problem now is that my boss wants me to "manually" recalculate the digests of the various signed parts. After googling for a while, this is what I've understood:

       

      - Everything concerned with the digest calculation, the signature and its verification is embedded inside the xml request: which parts are signed (inside <Reference> tags), which transformations the xml message was treated (<Transforms>), which computations were done to produce the digest value (<DigestMethod>), the resulting digest (<DigestValue>) and signature (= encrypting of the digest, <SignatureValue>)  for each part.

       

      - Therefore, the steps to calculate the digest for a part are: 1) Canonicalize that xml part; 2) Produce SHA1 of that part; 3) Convert to Base64. I should obtain exactly the same digest value contained in the <DigestValue> element of the xml message.

       

       

       

      But I can't obtain the same digest value written in the xml message. Here's an output of a java main I wrote (I can also paste some code in next posts if someone wants to help). As you can see, I'm trying to calculate the digest value of the reference 'timestamp'. What's wrong? Bad canonical form? Bad sha1 value? I'd be VERY grateful if someone could obtain the same <DigestValue> and could tell me the exact steps/tools/code used. Thanks!

       

      ----------------------------ORIGINAL XML------------------------

      <env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>

      <env:Header>

        <wsse:Security env:mustUnderstand='1' xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>

         <wsu:Timestamp wsu:Id='timestamp'>

          <wsu:Created>2010-12-07T16:37:40.038Z</wsu:Created>

         </wsu:Timestamp>

         <wsse:BinarySecurityToken EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary' ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3' wsu:Id='token-2-1291739860138-12935734'>MIIBnDCCAQUCBEz+E1kwDQYJKoZIhvcNAQEEBQAwFTETMBEGA1UEAxMKbWlvY2xpZW50MTAeFw0x

      MDEyMDcxMDU4MzNaFw0xMTAzMDcxMDU4MzNaMBUxEzARBgNVBAMTCm1pb2NsaWVudDEwgZ8wDQYJ

      KoZIhvcNAQEBBQADgY0AMIGJAoGBAJlzh8T0w+FG/uJ6oDzc6uVSJMgJhuL851BPjoAynW7wCeGV

      1EEydEr2S9qOwsUEg32mLn6s9Mf19nkI3nGHjCuS9SmIil5WilWGWsHqfFSUFB7goKeLfqdGtP5i

      WDZ4QFVZ0AjMjJZP9tAY8FYzkmJUEkcg5T2OcW/1019/Ttk5AgMBAAEwDQYJKoZIhvcNAQEEBQAD

      gYEAP6De4XP3wSYDWqSUCgJZNqddZUJFIDxYp5cV6jH4yckV/xniD3IvVcTx8bCykbwWDEec3z95

      BdYWNPuU2DPWtcab3dTtD7JXez1+Ywi2IYIexChQbthkziLXkvGoPofe9Z7BlaE3hiFzPMKWRjDF

      qSOScxAyjSebLPvczWozAWQ=</wsse:BinarySecurityToken>

         <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>

          <ds:SignedInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>

           <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>

           <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>

           <ds:Reference URI='#element-1-1291739860070-11803898' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>

            <ds:Transforms xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>

             <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>

            </ds:Transforms>

            <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>

            <ds:DigestValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>d2cIarD4atw3HFADamfO9YTKkKs=</ds:DigestValue>

           </ds:Reference>

           <ds:Reference URI='#timestamp' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>

            <ds:Transforms xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>

             <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>

            </ds:Transforms>

            <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>

            <ds:DigestValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>YR/fZlwJdw+KbyP24UYiyDv8/Dc=</ds:DigestValue>

           </ds:Reference>

          </ds:SignedInfo>

          <ds:SignatureValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>

      OZg96GMrGh0cEwbpHwv3KDhFtFcnzPxbwp9Xv0pgw8Mr9+NIjRlg/G1OyIZ3SdcOYqqzF4/TVLDi

      5VclwnjBAFl3SEdkyUbbjXVAGkSsxPQcC4un9UYcecESETlAgV8UrHV3zTrjAWQvDg/YBKveoH90

      FIhfAthslqeFu3h9U20=

      </ds:SignatureValue>

          <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>

           <wsse:SecurityTokenReference wsu:Id='reference-3-1291739860138-11726490'>

            <wsse:Reference URI='#token-2-1291739860138-12935734' ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'/>

           </wsse:SecurityTokenReference>

          </ds:KeyInfo>

         </ds:Signature>

        </wsse:Security>

      </env:Header>

      <env:Body wsu:Id='element-1-1291739860070-11803898' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>

        <ns1:addizionami xmlns:ns1='http://prova/ejb/to/ws/types' xmlns:ns2='http://prova/ejb/to/ws/types'>

         <Integer_1>3</Integer_1>

         <Integer_2>78</Integer_2>

        </ns1:addizionami>

      </env:Body>

      </env:Envelope>

      ----------------------------END ORIGINAL XML------------------------

       

       

      ------------------CANONICAL XML MESSAGE (using org.apache.xml.security.c14n.Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS)-------------

      <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">

      <env:Header>

        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">

         <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="timestamp">

          <wsu:Created>2010-12-07T16:37:40.038Z</wsu:Created>

         </wsu:Timestamp>

         <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="token-2-1291739860138-12935734">MIIBnDCCAQUCBEz+E1kwDQYJKoZIhvcNAQEEBQAwFTETMBEGA1UEAxMKbWlvY2xpZW50MTAeFw0x

      MDEyMDcxMDU4MzNaFw0xMTAzMDcxMDU4MzNaMBUxEzARBgNVBAMTCm1pb2NsaWVudDEwgZ8wDQYJ

      KoZIhvcNAQEBBQADgY0AMIGJAoGBAJlzh8T0w+FG/uJ6oDzc6uVSJMgJhuL851BPjoAynW7wCeGV

      1EEydEr2S9qOwsUEg32mLn6s9Mf19nkI3nGHjCuS9SmIil5WilWGWsHqfFSUFB7goKeLfqdGtP5i

      WDZ4QFVZ0AjMjJZP9tAY8FYzkmJUEkcg5T2OcW/1019/Ttk5AgMBAAEwDQYJKoZIhvcNAQEEBQAD

      gYEAP6De4XP3wSYDWqSUCgJZNqddZUJFIDxYp5cV6jH4yckV/xniD3IvVcTx8bCykbwWDEec3z95

      BdYWNPuU2DPWtcab3dTtD7JXez1+Ywi2IYIexChQbthkziLXkvGoPofe9Z7BlaE3hiFzPMKWRjDF

      qSOScxAyjSebLPvczWozAWQ=</wsse:BinarySecurityToken>

         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

          <ds:SignedInfo>

           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>

           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>

           <ds:Reference URI="#element-1-1291739860070-11803898">

            <ds:Transforms>

             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>

            </ds:Transforms>

            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>

            <ds:DigestValue>d2cIarD4atw3HFADamfO9YTKkKs=</ds:DigestValue>

           </ds:Reference>

           <ds:Reference URI="#timestamp">

            <ds:Transforms>

             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>

            </ds:Transforms>

            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>

            <ds:DigestValue>YR/fZlwJdw+KbyP24UYiyDv8/Dc=</ds:DigestValue>

           </ds:Reference>

          </ds:SignedInfo>

          <ds:SignatureValue>

      OZg96GMrGh0cEwbpHwv3KDhFtFcnzPxbwp9Xv0pgw8Mr9+NIjRlg/G1OyIZ3SdcOYqqzF4/TVLDi

      5VclwnjBAFl3SEdkyUbbjXVAGkSsxPQcC4un9UYcecESETlAgV8UrHV3zTrjAWQvDg/YBKveoH90

      FIhfAthslqeFu3h9U20=

      </ds:SignatureValue>

          <ds:KeyInfo>

           <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="reference-3-1291739860138-11726490">

            <wsse:Reference URI="#token-2-1291739860138-12935734" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></wsse:Reference>

           </wsse:SecurityTokenReference>

          </ds:KeyInfo>

         </ds:Signature>

        </wsse:Security>

      </env:Header>

      <env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="element-1-1291739860070-11803898">

        <ns1:addizionami xmlns:ns1="http://prova/ejb/to/ws/types">

         <Integer_1>3</Integer_1>

         <Integer_2>78</Integer_2>

        </ns1:addizionami>

      </env:Body>

      </env:Envelope>

      ----------------------------END CANONICAL XML MESSAGE------------------------

       

       

      ----------------------------CANONICAL XML ELEMENT------------------------

      <wsu:Timestamp wsu:Id="timestamp">

          <wsu:Created>2010-12-07T16:37:40.038Z</wsu:Created>

         </wsu:Timestamp>

      ----------------------------END CANONICAL XML ELEMENT------------------------

       

       

      SHA1(canonical element): '(‹†ÓR× Cò—!Xæ  ÕÌ_~'

      Base64(SHA1(canonical element)): 'KIuthtNS1xFD8pchWOYSC9XMX34=' <-- WRONG!! It had to be 'YR/fZlwJdw+KbyP24UYiyDv8/Dc='