Giovanni Castellari [
http://community.jboss.org/people/giogio] created the discussion
"Re-calculating XML-Signature DigestValue"
To view the discussion, visit:
http://community.jboss.org/message/575452#575452
--------------------------------------------------------------
Hello everyone, I'm a new user and hope this is the right section for my question.
I've configured JBoss to work with WS-Security, in particular with the signing
of XML messages. Everything works well: upon receipt of a request, I can see the
signed XML message in the log and I can also find lines like these:
2010-12-07 17:37:40,404 INFO [org.apache.xml.security.signature.Reference] Verification
successful for URI "#element-1-1291739860070-11803898"
2010-12-07 17:37:40,405 INFO [org.apache.xml.security.signature.Reference] Verification
successful for URI "#timestamp"
The problem now is that my boss wants me to "manually" recalculate the digests
of the various signed parts. After googling for a while, this is what I've
understood:
- Everything concerned with the digest calculation, the signature and its verification is
embedded inside the XML request: which parts are signed (inside <Reference> tags),
which transformations the XML message was put through (<Transforms>), which computation
was done to produce the digest value (<DigestMethod>), the resulting digest
(<DigestValue>) and signature (= encryption of the digest, <SignatureValue>)
for each part.
- Therefore, the steps to calculate the digest for a part are: 1) canonicalize that XML
part; 2) compute the SHA-1 of that part; 3) convert to Base64. I should obtain exactly the same
digest value as contained in the <DigestValue> element of the XML message.
But I can't obtain the same digest value written in the XML message. Here's the
output of a Java main I wrote (I can also paste some code in later posts if someone wants
to help). As you can see, I'm trying to calculate the digest value of the reference
'timestamp'. What's wrong? Bad canonical form? Bad SHA-1 value? I'd be VERY
grateful if someone could obtain the same <DigestValue> and tell me the exact
steps/tools/code used. Thanks!
----------------------------ORIGINAL XML------------------------
<env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>
<env:Header>
<wsse:Security env:mustUnderstand='1' xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext...' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utilit...'>
<wsu:Timestamp wsu:Id='timestamp'>
<wsu:Created>2010-12-07T16:37:40.038Z</wsu:Created>
</wsu:Timestamp>
<wsse:BinarySecurityToken EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-secu...' ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profil...' wsu:Id='token-2-1291739860138-12935734'>MIIBnDCCAQUCBEz+E1kwDQYJKoZIhvcNAQEEBQAwFTETMBEGA1UEAxMKbWlvY2xpZW50MTAeFw0x
MDEyMDcxMDU4MzNaFw0xMTAzMDcxMDU4MzNaMBUxEzARBgNVBAMTCm1pb2NsaWVudDEwgZ8wDQYJ
KoZIhvcNAQEBBQADgY0AMIGJAoGBAJlzh8T0w+FG/uJ6oDzc6uVSJMgJhuL851BPjoAynW7wCeGV
1EEydEr2S9qOwsUEg32mLn6s9Mf19nkI3nGHjCuS9SmIil5WilWGWsHqfFSUFB7goKeLfqdGtP5i
WDZ4QFVZ0AjMjJZP9tAY8FYzkmJUEkcg5T2OcW/1019/Ttk5AgMBAAEwDQYJKoZIhvcNAQEEBQAD
gYEAP6De4XP3wSYDWqSUCgJZNqddZUJFIDxYp5cV6jH4yckV/xniD3IvVcTx8bCykbwWDEec3z95
BdYWNPuU2DPWtcab3dTtD7JXez1+Ywi2IYIexChQbthkziLXkvGoPofe9Z7BlaE3hiFzPMKWRjDF
qSOScxAyjSebLPvczWozAWQ=</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<ds:SignedInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>
<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>
<ds:Reference URI='#element-1-1291739860070-11803898' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<ds:Transforms xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>
</ds:Transforms>
<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>
<ds:DigestValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>d2cIarD4atw3HFADamfO9YTKkKs=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI='#timestamp' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<ds:Transforms xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>
</ds:Transforms>
<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>
<ds:DigestValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>YR/fZlwJdw+KbyP24UYiyDv8/Dc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
OZg96GMrGh0cEwbpHwv3KDhFtFcnzPxbwp9Xv0pgw8Mr9+NIjRlg/G1OyIZ3SdcOYqqzF4/TVLDi
5VclwnjBAFl3SEdkyUbbjXVAGkSsxPQcC4un9UYcecESETlAgV8UrHV3zTrjAWQvDg/YBKveoH90
FIhfAthslqeFu3h9U20=
</ds:SignatureValue>
<ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<wsse:SecurityTokenReference wsu:Id='reference-3-1291739860138-11726490'>
<wsse:Reference URI='#token-2-1291739860138-12935734' ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profil...'/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</env:Header>
<env:Body wsu:Id='element-1-1291739860070-11803898' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utilit...'>
<ns1:addizionami xmlns:ns1='http://prova/ejb/to/ws/types' xmlns:ns2='http://prova/ejb/to/ws/types'>
<Integer_1>3</Integer_1>
<Integer_2>78</Integer_2>
</ns1:addizionami>
</env:Body>
</env:Envelope>
----------------------------END ORIGINAL XML------------------------
------------------CANONICAL XML MESSAGE (using
org.apache.xml.security.c14n.Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS)-------------
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext..." env:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utilit..." wsu:Id="timestamp">
<wsu:Created>2010-12-07T16:37:40.038Z</wsu:Created>
</wsu:Timestamp>
<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utilit..." EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-secu..." ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profil..." wsu:Id="token-2-1291739860138-12935734">MIIBnDCCAQUCBEz+E1kwDQYJKoZIhvcNAQEEBQAwFTETMBEGA1UEAxMKbWlvY2xpZW50MTAeFw0x
MDEyMDcxMDU4MzNaFw0xMTAzMDcxMDU4MzNaMBUxEzARBgNVBAMTCm1pb2NsaWVudDEwgZ8wDQYJ
KoZIhvcNAQEBBQADgY0AMIGJAoGBAJlzh8T0w+FG/uJ6oDzc6uVSJMgJhuL851BPjoAynW7wCeGV
1EEydEr2S9qOwsUEg32mLn6s9Mf19nkI3nGHjCuS9SmIil5WilWGWsHqfFSUFB7goKeLfqdGtP5i
WDZ4QFVZ0AjMjJZP9tAY8FYzkmJUEkcg5T2OcW/1019/Ttk5AgMBAAEwDQYJKoZIhvcNAQEEBQAD
gYEAP6De4XP3wSYDWqSUCgJZNqddZUJFIDxYp5cV6jH4yckV/xniD3IvVcTx8bCykbwWDEec3z95
BdYWNPuU2DPWtcab3dTtD7JXez1+Ywi2IYIexChQbthkziLXkvGoPofe9Z7BlaE3hiFzPMKWRjDF
qSOScxAyjSebLPvczWozAWQ=</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#element-1-1291739860070-11803898">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>d2cIarD4atw3HFADamfO9YTKkKs=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#timestamp">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>YR/fZlwJdw+KbyP24UYiyDv8/Dc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
OZg96GMrGh0cEwbpHwv3KDhFtFcnzPxbwp9Xv0pgw8Mr9+NIjRlg/G1OyIZ3SdcOYqqzF4/TVLDi
5VclwnjBAFl3SEdkyUbbjXVAGkSsxPQcC4un9UYcecESETlAgV8UrHV3zTrjAWQvDg/YBKveoH90
FIhfAthslqeFu3h9U20=
</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utilit..." wsu:Id="reference-3-1291739860138-11726490">
<wsse:Reference URI="#token-2-1291739860138-12935734" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profil..."></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</env:Header>
<env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utilit..." wsu:Id="element-1-1291739860070-11803898">
<ns1:addizionami xmlns:ns1="http://prova/ejb/to/ws/types">
<Integer_1>3</Integer_1>
<Integer_2>78</Integer_2>
</ns1:addizionami>
</env:Body>
</env:Envelope>
----------------------------END CANONICAL XML MESSAGE------------------------
----------------------------CANONICAL XML ELEMENT------------------------
<wsu:Timestamp wsu:Id="timestamp">
<wsu:Created>2010-12-07T16:37:40.038Z</wsu:Created>
</wsu:Timestamp>
----------------------------END CANONICAL XML ELEMENT------------------------
SHA1(canonical element): '(‹†ÓR× Cò—!Xæ ÕÌ_~'
Base64(SHA1(canonical element)): 'KIuthtNS1xFD8pchWOYSC9XMX34=' <-- WRONG!! It
should have been 'YR/fZlwJdw+KbyP24UYiyDv8/Dc='
--------------------------------------------------------------
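Added example (editor's code, not from the post, from JBoss or from Apache Santuario): the recomputation the post describes, done with the JDK's built-in XML-DSig API (javax.xml.crypto.dsig) so that the exact bytes that were hashed can be inspected. For each ds:Reference it resolves the wsu:Id, re-applies the Transforms (here exclusive C14N) and the DigestMethod, and prints the canonical input next to the DigestValue from the message and the recomputed one; it then checks SignatureValue with the certificate carried in wsse:BinarySecurityToken, because JSR-105 cannot resolve a wsse:SecurityTokenReference on its own. Assumptions: the message is read byte-for-byte as received, from a file named on the command line (a copy re-indented by a logger will not reproduce the digests); the full WSS 1.0 utility and secext namespace URIs are written out where the page shows them truncated; BstKeySelector is a helper written for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Recomputes every ds:Reference digest of a WS-Security signed SOAP message and checks SignatureValue. */
public class RecomputeDigests {

    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    // Full WSS 1.0 namespace URIs (the page above shows them truncated).
    static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU_NS  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    public static void main(String[] args) throws Exception {
        // Parse the message exactly as received: whitespace text nodes are part of the digest input.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // required: XML-DSig works on namespaces, not on prefix strings
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Document doc = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(Files.readAllBytes(Paths.get(args[0]))));

        // To the parser wsu:Id is an ordinary attribute; register it as an ID so that
        // URI="#timestamp" and URI="#element-..." can be dereferenced.
        NodeList all = doc.getElementsByTagNameNS("*", "*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (e.hasAttributeNS(WSU_NS, "Id")) e.setIdAttributeNS(WSU_NS, "Id", true);
        }

        NodeList sigs = doc.getElementsByTagNameNS(DSIG_NS, "Signature");
        if (sigs.getLength() != 1)
            throw new IllegalStateException("expected one ds:Signature, found " + sigs.getLength());

        DOMValidateContext ctx = new DOMValidateContext(new BstKeySelector(doc), sigs.item(0));
        // Keep the pre-digest (canonicalized) bytes so they can be printed after validation.
        ctx.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);
        // This 2010 message uses SHA-1 and RSA-SHA1, which secure validation mode on current JDKs
        // refuses. Switch it off only for forensic recomputation of a legacy message like this one.
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.FALSE);

        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        boolean allDigestsOk = true;
        for (Object o : sig.getSignedInfo().getReferences()) {
            Reference ref = (Reference) o;
            boolean ok = ref.validate(ctx);   // re-runs Transforms + DigestMethod on the referenced node set
            allDigestsOk &= ok;
            byte[] canonical = ref.getDigestInputStream().readAllBytes();   // exactly what was hashed
            System.out.println("Reference " + ref.getURI() + ": " + (ok ? "digest OK" : "digest MISMATCH"));
            System.out.println("  canonical input: " + new String(canonical, StandardCharsets.UTF_8));
            System.out.println("  DigestValue    : " + Base64.getEncoder().encodeToString(ref.getDigestValue()));
            System.out.println("  recomputed     : " + Base64.getEncoder().encodeToString(ref.getCalculatedDigestValue()));
        }
        // SignatureValue covers the canonicalized ds:SignedInfo (which holds the digests), not each part.
        boolean sigOk = sig.getSignatureValue().validate(ctx);
        System.out.println("SignatureValue over SignedInfo: " + (sigOk ? "OK" : "INVALID"));
        System.exit(allDigestsOk && sigOk ? 0 : 1);
    }

    /** Helper written for this example: takes the signing key from wsse:BinarySecurityToken
     *  (a base64 DER X.509 certificate), since JSR-105 cannot resolve a wsse:SecurityTokenReference. */
    static final class BstKeySelector extends KeySelector {
        private final Document doc;
        BstKeySelector(Document doc) { this.doc = doc; }

        @Override
        public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose,
                                        AlgorithmMethod method, XMLCryptoContext context)
                throws KeySelectorException {
            NodeList bst = doc.getElementsByTagNameNS(WSSE_NS, "BinarySecurityToken");
            if (bst.getLength() == 0)
                throw new KeySelectorException("no wsse:BinarySecurityToken in the message");
            try {
                byte[] der = Base64.getMimeDecoder().decode(bst.item(0).getTextContent().trim());
                X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                        .generateCertificate(new ByteArrayInputStream(der));
                return () -> cert.getPublicKey();   // whether to trust this cert is a separate decision
            } catch (Exception e) {
                throw new KeySelectorException("cannot decode BinarySecurityToken: " + e.getMessage(), e);
            }
        }
    }
}
```

Run as `java RecomputeDigests.java request.xml` on JDK 11 or later. Two things worth knowing when reading the output: exclusive C14N emits, on the apex element of a subtree, every namespace declaration that the subtree visibly uses, so the canonical input printed for #timestamp carries an xmlns:wsu declaration on wsu:Timestamp even though the original message declares wsu on wsse:Security; and a matching digest only proves that some element carrying that Id was signed, so the application must still make sure the element it acts on is the one the Reference resolved to (the usual XML signature wrapping caveat).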