[jboss-dev-forums] [JBoss Web Services Development] - Re-calculating XML-Signature DigestValue
Giovanni Castellari
do-not-reply at jboss.com
Fri Dec 10 11:28:37 EST 2010
Giovanni Castellari [http://community.jboss.org/people/giogio] created the discussion
"Re-calculating XML-Signature DigestValue"
To view the discussion, visit: http://community.jboss.org/message/575452#575452
--------------------------------------------------------------
Hello everyone, I'm a new user and hope it is the right section for my question.
I've configured JBoss for working with WS-Security, in particular with the signature of xml messages. Everything works well: upon the receipt of a request, I can see the signed xml message in the log and I also can find sentences like these:
2010-12-07 17:37:40,404 INFO [org.apache.xml.security.signature.Reference] Verification successful for URI "#element-1-1291739860070-11803898"
2010-12-07 17:37:40,405 INFO [org.apache.xml.security.signature.Reference] Verification successful for URI "#timestamp"
The problem now is that my boss wants me to "manually" recalculate the digests of the various signed parts. After googling for a while, this is what I've understood:
- Everything concerned with the digest calculation, the signature and its verification is embedded inside the xml request: which parts are signed (inside <Reference> tags), which transformations the xml message was treated with (<Transforms>), which computations were done to produce the digest value (<DigestMethod>), the resulting digest (<DigestValue>) and signature (= encrypting of the digest, <SignatureValue>) for each part.
- Therefore, the steps to calculate the digest for a part are: 1) Canonicalize that xml part; 2) Produce SHA1 of that part; 3) Convert to Base64. I should obtain exactly the same digest value contained in the <DigestValue> element of the xml message.
But I can't obtain the same digest value written in the xml message. Here's an output of a java main I wrote (I can also paste some code in next posts if someone wants to help). As you can see, I'm trying to calculate the digest value of the reference 'timestamp'. What's wrong? Bad canonical form? Bad sha1 value? I'd be VERY grateful if someone could obtain the same <DigestValue> and could tell me the exact steps/tools/code used. Thanks!
----------------------------ORIGINAL XML------------------------
<env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>
<env:Header>
<wsse:Security env:mustUnderstand='1' xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
<wsu:Timestamp wsu:Id='timestamp'>
<wsu:Created>2010-12-07T16:37:40.038Z</wsu:Created>
</wsu:Timestamp>
<wsse:BinarySecurityToken EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary' ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3' wsu:Id='token-2-1291739860138-12935734'>MIIBnDCCAQUCBEz+E1kwDQYJKoZIhvcNAQEEBQAwFTETMBEGA1UEAxMKbWlvY2xpZW50MTAeFw0x
MDEyMDcxMDU4MzNaFw0xMTAzMDcxMDU4MzNaMBUxEzARBgNVBAMTCm1pb2NsaWVudDEwgZ8wDQYJ
KoZIhvcNAQEBBQADgY0AMIGJAoGBAJlzh8T0w+FG/uJ6oDzc6uVSJMgJhuL851BPjoAynW7wCeGV
1EEydEr2S9qOwsUEg32mLn6s9Mf19nkI3nGHjCuS9SmIil5WilWGWsHqfFSUFB7goKeLfqdGtP5i
WDZ4QFVZ0AjMjJZP9tAY8FYzkmJUEkcg5T2OcW/1019/Ttk5AgMBAAEwDQYJKoZIhvcNAQEEBQAD
gYEAP6De4XP3wSYDWqSUCgJZNqddZUJFIDxYp5cV6jH4yckV/xniD3IvVcTx8bCykbwWDEec3z95
BdYWNPuU2DPWtcab3dTtD7JXez1+Ywi2IYIexChQbthkziLXkvGoPofe9Z7BlaE3hiFzPMKWRjDF
qSOScxAyjSebLPvczWozAWQ=</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<ds:SignedInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>
<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>
<ds:Reference URI='#element-1-1291739860070-11803898' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<ds:Transforms xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>
</ds:Transforms>
<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>
<ds:DigestValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>d2cIarD4atw3HFADamfO9YTKkKs=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI='#timestamp' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<ds:Transforms xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>
</ds:Transforms>
<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>
<ds:DigestValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>YR/fZlwJdw+KbyP24UYiyDv8/Dc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
OZg96GMrGh0cEwbpHwv3KDhFtFcnzPxbwp9Xv0pgw8Mr9+NIjRlg/G1OyIZ3SdcOYqqzF4/TVLDi
5VclwnjBAFl3SEdkyUbbjXVAGkSsxPQcC4un9UYcecESETlAgV8UrHV3zTrjAWQvDg/YBKveoH90
FIhfAthslqeFu3h9U20=
</ds:SignatureValue>
<ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<wsse:SecurityTokenReference wsu:Id='reference-3-1291739860138-11726490'>
<wsse:Reference URI='#token-2-1291739860138-12935734' ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</env:Header>
<env:Body wsu:Id='element-1-1291739860070-11803898' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
<ns1:addizionami xmlns:ns1='http://prova/ejb/to/ws/types' xmlns:ns2='http://prova/ejb/to/ws/types'>
<Integer_1>3</Integer_1>
<Integer_2>78</Integer_2>
</ns1:addizionami>
</env:Body>
</env:Envelope>
----------------------------END ORIGINAL XML------------------------
------------------CANONICAL XML MESSAGE (using org.apache.xml.security.c14n.Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS)-------------
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="timestamp">
<wsu:Created>2010-12-07T16:37:40.038Z</wsu:Created>
</wsu:Timestamp>
<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="token-2-1291739860138-12935734">MIIBnDCCAQUCBEz+E1kwDQYJKoZIhvcNAQEEBQAwFTETMBEGA1UEAxMKbWlvY2xpZW50MTAeFw0x
MDEyMDcxMDU4MzNaFw0xMTAzMDcxMDU4MzNaMBUxEzARBgNVBAMTCm1pb2NsaWVudDEwgZ8wDQYJ
KoZIhvcNAQEBBQADgY0AMIGJAoGBAJlzh8T0w+FG/uJ6oDzc6uVSJMgJhuL851BPjoAynW7wCeGV
1EEydEr2S9qOwsUEg32mLn6s9Mf19nkI3nGHjCuS9SmIil5WilWGWsHqfFSUFB7goKeLfqdGtP5i
WDZ4QFVZ0AjMjJZP9tAY8FYzkmJUEkcg5T2OcW/1019/Ttk5AgMBAAEwDQYJKoZIhvcNAQEEBQAD
gYEAP6De4XP3wSYDWqSUCgJZNqddZUJFIDxYp5cV6jH4yckV/xniD3IvVcTx8bCykbwWDEec3z95
BdYWNPuU2DPWtcab3dTtD7JXez1+Ywi2IYIexChQbthkziLXkvGoPofe9Z7BlaE3hiFzPMKWRjDF
qSOScxAyjSebLPvczWozAWQ=</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#element-1-1291739860070-11803898">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>d2cIarD4atw3HFADamfO9YTKkKs=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#timestamp">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>YR/fZlwJdw+KbyP24UYiyDv8/Dc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
OZg96GMrGh0cEwbpHwv3KDhFtFcnzPxbwp9Xv0pgw8Mr9+NIjRlg/G1OyIZ3SdcOYqqzF4/TVLDi
5VclwnjBAFl3SEdkyUbbjXVAGkSsxPQcC4un9UYcecESETlAgV8UrHV3zTrjAWQvDg/YBKveoH90
FIhfAthslqeFu3h9U20=
</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="reference-3-1291739860138-11726490">
<wsse:Reference URI="#token-2-1291739860138-12935734" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</env:Header>
<env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="element-1-1291739860070-11803898">
<ns1:addizionami xmlns:ns1="http://prova/ejb/to/ws/types">
<Integer_1>3</Integer_1>
<Integer_2>78</Integer_2>
</ns1:addizionami>
</env:Body>
</env:Envelope>
----------------------------END CANONICAL XML MESSAGE------------------------
----------------------------CANONICAL XML ELEMENT------------------------
<wsu:Timestamp wsu:Id="timestamp">
<wsu:Created>2010-12-07T16:37:40.038Z</wsu:Created>
</wsu:Timestamp>
----------------------------END CANONICAL XML ELEMENT------------------------
SHA1(canonical element): '(‹†ÓR× Cò—!Xæ ÕÌ_~'
Base64(SHA1(canonical element)): 'KIuthtNS1xFD8pchWOYSC9XMX34=' <-- WRONG!! It had to be 'YR/fZlwJdw+KbyP24UYiyDv8/Dc='
--------------------------------------------------------------
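The three steps the post lists (exclusive C14N, SHA-1, Base64), as an added example that is neither the poster's Java main nor JBossWS/Santuario code: a small Exclusive XML Canonicalization serializer built on Python's standard library, plus a loop that recomputes every ds:Reference DigestValue in a message and compares it with the stated one. The message it parses is a constructed copy of the post's envelope (whitespace removed, SignedInfo trimmed to its Reference elements, ids shortened); the ids and all helper names are assumptions. Two details matter when doing this by hand: exclusive C14N renders, on the root of the canonicalized subtree, every namespace declaration that the element or its attributes visibly use, so the canonical wsu:Timestamp carries an xmlns:wsu declaration; and the canonical bytes include the message's whitespace text nodes exactly as received, so the message must not be reformatted before hashing.

```python
"""Recompute XML-Signature DigestValues of a WS-Security SOAP message.

Added example (not the poster's code).  Implements the post's three steps,
exclusive C14N (comments omitted) -> SHA-1 -> Base64, with a minimal
Exclusive XML Canonicalization serializer on xml.dom.minidom.  It covers
elements, attributes, namespace declarations, text, CDATA and processing
instructions; the InclusiveNamespaces PrefixList of the full spec is omitted.
"""
import base64
import hashlib
from xml.dom import Node, minidom

WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def _esc_text(s):  # C14N escaping for character data
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\r", "&#xD;")


def _esc_attr(s):  # C14N escaping for attribute values
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace('"', "&quot;")
            .replace("\t", "&#x9;").replace("\n", "&#xA;").replace("\r", "&#xD;"))


def _split_ns_attrs(element, scope):
    """Apply the element's xmlns declarations to `scope` ('' = default ns); return the rest."""
    regular = []
    for attr in element.attributes.values():
        if attr.name == "xmlns":
            scope[""] = attr.value
        elif attr.name.startswith("xmlns:"):
            scope[attr.name[6:]] = attr.value
        else:
            regular.append(attr)
    return regular


def _c14n(node, scope, rendered, out):
    if node.nodeType in (Node.TEXT_NODE, Node.CDATA_SECTION_NODE):
        out.append(_esc_text(node.data))
        return
    if node.nodeType == Node.PROCESSING_INSTRUCTION_NODE:
        out.append("<?%s%s?>" % (node.target, " " + node.data if node.data else ""))
        return
    if node.nodeType != Node.ELEMENT_NODE:
        return  # comments are dropped: this is the ...-OMIT_COMMENTS variant
    scope, rendered = dict(scope), dict(rendered)
    attrs = _split_ns_attrs(node, scope)
    # Exclusive C14N: declare only prefixes this element or its attributes visibly
    # use, and only when no output ancestor already rendered the same binding.
    used = {node.prefix or ""} | {a.prefix for a in attrs if a.prefix}
    out.append("<" + node.tagName)
    for prefix in sorted(used):  # default namespace ('') sorts first
        uri = scope.get(prefix, "")
        if rendered.get(prefix, "") != uri:
            rendered[prefix] = uri
            out.append(' xmlns%s="%s"' % (":" + prefix if prefix else "", _esc_attr(uri)))
    # Ordinary attributes: unnamespaced first, then by (namespace URI, local name).
    for attr in sorted(attrs, key=lambda a: (a.namespaceURI or "", a.localName)):
        out.append(' %s="%s"' % (attr.name, _esc_attr(attr.value)))
    out.append(">")
    for child in node.childNodes:
        _c14n(child, scope, rendered, out)
    out.append("</%s>" % node.tagName)


def exc_c14n(element):
    """Exclusive C14N (omit comments) of one element subtree, as UTF-8 bytes."""
    scope, ancestors, parent = {"": ""}, [], element.parentNode
    while parent is not None and parent.nodeType == Node.ELEMENT_NODE:
        ancestors.append(parent)
        parent = parent.parentNode
    for anc in reversed(ancestors):  # namespaces inherited from outside the subtree
        _split_ns_attrs(anc, scope)
    out = []
    _c14n(element, scope, {}, out)
    return "".join(out).encode("utf-8")


def digest_value(element):
    """Steps 1-3 of the post: Base64(SHA-1(exc-c14n(element)))."""
    return base64.b64encode(hashlib.sha1(exc_c14n(element)).digest()).decode("ascii")


def find_by_wsu_id(doc, ident):
    for el in doc.getElementsByTagName("*"):
        if el.getAttributeNS(WSU_NS, "Id") == ident:
            return el
    raise KeyError("no element with wsu:Id=%r" % ident)


def canonical_of(xml_bytes, ident):
    """Canonical bytes of the element carrying wsu:Id=ident, for inspection."""
    return exc_c14n(find_by_wsu_id(minidom.parseString(xml_bytes), ident))


def check_references(xml_bytes):
    """Recompute each ds:Reference digest. Returns [(URI, stated, recomputed, ok)]."""
    doc, results = minidom.parseString(xml_bytes), []
    for ref in doc.getElementsByTagNameNS(DS_NS, "Reference"):
        uri = ref.getAttribute("URI")
        stated = ref.getElementsByTagNameNS(DS_NS, "DigestValue")[0].firstChild.data.strip()
        recomputed = digest_value(find_by_wsu_id(doc, uri.lstrip("#")))
        results.append((uri, stated, recomputed, stated == recomputed))
    return results


def build_message(integer_2="78"):
    """Constructed message shaped like the post's; its DigestValues are filled in
    by digest_value(), so a later change to a signed part will be detected."""
    skeleton = (
        '<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header>'
        '<wsse:Security env:mustUnderstand="1" xmlns:wsse="%s" xmlns:wsu="%s">'
        '<wsu:Timestamp wsu:Id="timestamp"><wsu:Created>2010-12-07T16:37:40.038Z</wsu:Created></wsu:Timestamp>'
        '<ds:Signature xmlns:ds="%s"><ds:SignedInfo>'
        '<ds:Reference URI="#element-1"><ds:DigestValue>@BODY@</ds:DigestValue></ds:Reference>'
        '<ds:Reference URI="#timestamp"><ds:DigestValue>@TS@</ds:DigestValue></ds:Reference>'
        '</ds:SignedInfo></ds:Signature></wsse:Security></env:Header>'
        '<env:Body wsu:Id="element-1" xmlns:wsu="%s"><ns1:addizionami xmlns:ns1="http://prova/ejb/to/ws/types">'
        '<Integer_1>3</Integer_1><Integer_2>%s</Integer_2></ns1:addizionami></env:Body></env:Envelope>'
    ) % (WSSE_NS, WSU_NS, DS_NS, WSU_NS, integer_2)
    doc = minidom.parseString(skeleton)  # placeholders lie outside the signed subtrees
    filled = skeleton.replace("@TS@", digest_value(find_by_wsu_id(doc, "timestamp")))
    return filled.replace("@BODY@", digest_value(find_by_wsu_id(doc, "element-1"))).encode("utf-8")


if __name__ == "__main__":
    message = build_message()
    print(canonical_of(message, "timestamp").decode())  # note the xmlns:wsu declaration
    for tag, msg in (("intact", message), ("tampered", message.replace(b"<Integer_2>78<", b"<Integer_2>79<"))):
        for uri, stated, recomputed, ok in check_references(msg):
            print("%-9s %-11s %s %s %s" % (tag, uri, stated, recomputed, "OK" if ok else "MISMATCH"))
```

check_references returns one tuple per Reference; the main block verifies the constructed message and then repeats the check after changing Integer_2, the post-signing modification a digest exists to catch (the Body digest mismatches, the Timestamp digest still matches). The serializer implements only the parts of exc-c14n this message needs, so treat it as a way to see why a hand computation disagrees with the library and keep the signature library itself as the verifier of record.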