Pankaj,
Note that the digest depends on all data being static if you want
to get the same result.

The timestamp object would need its xmlns as well in order to be canonicalized.
It is tricky to find out what to do, but once you know, it is
trivial to produce canonicalized XML.

Anders


On 2012-03-01 05:32, Pankaj wrote:
> I had tried that but I am not able to reproduce the digest value which 
> is mentioned in my req xml:
> 
>> <Reference URI="#_0">
>> <Transforms>
>> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>> </Transforms>
>> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> <DigestValue>Soj1m/E157CempDHHC6c6gZBd1E=</DigestValue>
>> </Reference>
> 
> As per the W3C document, the Reference URI refers to the element or ID which needs to be 
> canonicalized. In my case the ID is 
> 
>> <u:Timestamp u:Id="_0">
>> <u:Created>2012-02-21T04:45:06.429Z</u:Created>
>> <u:Expires>2012-02-21T04:50:06.429Z</u:Expires>
>> </u:Timestamp>  
> 
> I had tried my level best to create the SHA1 digest of above message part to 
> get digest value as per 
> <DigestValue>Soj1m/E157CempDHHC6c6gZBd1E=</DigestValue> 
> 
> As per my understanding we need to convert digest value to base64 which I am 
> doing but I am not able to get close to the above value.
> 
> I have attached the full XML req which was generated using Visual Studio Client & 
> which I extracted using the Wireshark tool.
> 
> Thanks
> 
> On Wednesday, 29 February 2012 19:27:03 UTC+5:30, Anders Rundgren wrote:
> 
>     If you only need to create canonicalized XML it is very simple.
>     You do the canonicalization manually.
>     It means eliminating whitespace between elements.
>     Putting attributes in alphabetical order.
> 
>     When the signature verifies you are done :-)
> 
>     Anders
> 
>     On 2012-02-28 07:38, Pankaj wrote:
>     > I want to consume a WCF web-service which uses an X.509 certificate for
>     > mutual authentication. I had imported certificates using keytool into a
>     > BKS keystore & am able to use them in Android code. Now for mutual
>     > authentication I need to create a web-request which has a message digest
>     > & signature in it
>     >
>     > <s:Header>
>     > <o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
>     > <u:Timestamp u:Id="_0">
>     > <u:Created>2012-02-21T04:45:06.429Z</u:Created>
>     > <u:Expires>2012-02-21T04:50:06.429Z</u:Expires>
>     > </u:Timestamp>
>     > <o:BinarySecurityToken u:Id="uuid-e35f5271-3c4e-47c7-ba34-8d995e414ba3-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
>     > 
> MIICbzCCAdygAwIBAgIQfjyZ229iN4tAbV0fiYiVyTAJBgUrDgMCHQUAMD8xPTA7BgNVBAMTNGNsaWVudC5iNTRiYTFkN2U2NzY0ZDdkOWRiMDA3YTgyNmM5ZGE5Ny5jbG91ZGFwcC5uZXQwHhcNMTIwMjE2MTY0MjI1WhcNMzkxMjMxMjM1OTU5WjA/
>     > 
> MT0wOwYDVQQDEzRjbGllbnQuYjU0YmExZDdlNjc2NGQ3ZDlkYjAwN2E4MjZjOWRhOTcuY2xvdWRhcHAubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRW
>     > +Di90XDGulLybdBboUlOilxvbcnfow+NhoNW80uNjmGQiQpxP0oNnYT7RKJ
>     > +nP3+sZxUfRfazLgvOTFn0F9SIFQ9T4I5LNFMHhDfExoT0k/
>     > aeF870Euy07BiwF7eXw6toSv1dKwKavq20szbIr/NeabIEDS/GzKY6P0/
>     >
>     
> TOQfwIDAQABo3QwcjBwBgNVHQEEaTBngBCNb6YOYI3RBR64WvVUjQtPoUEwPzE9MDsGA1UEAxM0Y2xpZW50LmI1NGJhMWQ3ZTY3NjRkN2Q5ZGIwMDdhODI2YzlkYTk3LmNsb3VkYXBwLm5ldIIQfjyZ229iN4tAbV0fiYiVyTAJBgUrDgMCHQUAA4GBAG5v1DZmXQKcaxNzz2VYDZ8aYYrYRQwU4lrBKlI0CnrkcZwQGPmRxdkiET9D91kcN/
>     > fmq90nj1F5FZoqhzeT1moqGKXKT9HRX8j6Ln1QDhsr+0JfgJW9/
>     > IFaQI14xKwr8bw4+DxIyp0IMpSw9biULmIQ1QuTzfKDEowlcQhsik+E
>     > </o:BinarySecurityToken>
>     > <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>     > <SignedInfo>
>     > <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>     > <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>     > <Reference URI="#_0">
>     > <Transforms>
>     > <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>     > </Transforms>
>     > <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>     > <DigestValue>Soj1m/E157CempDHHC6c6gZBd1E=</DigestValue>
>     > </Reference>
>     > </SignedInfo>
>     > <SignatureValue>
>     > kqsIYUc3uYoQpuWVWYOio4KcGpon+3wDDhsAzVgZVljQxEhF7z1JS/
>     > qzw9ELYCn2JbYIkWMtEeYfXRtPvjrPM1fjJiqbXSKq7jHEeVtMQnOytAHRL1ZFA
>     > +dLq4spJQR7uYnmJ1lmgQnu1kYcteSmD29Xm5e5dPUnz4yap3p7zC4=
>     > </SignatureValue>
>     > <KeyInfo>
>     > <o:SecurityTokenReference>
>     > <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-e35f5271-3c4e-47c7-ba34-8d995e414ba3-1"/>
>     > </o:SecurityTokenReference>
>     > </KeyInfo>
>     > </Signature>
>     > </o:Security>
>     > </s:Header>
>     >
>     > But to create the message digest we need to perform XML canonicalization with
>     > the "http://www.w3.org/2001/10/xml-exc-c14n#" transform algorithm. I am
>     > not able to find any API or library which performs the above task.
>     >
>     > I had used xmlsec jar but I guess it is not supported by android and
>     > also used all the option which I found after googling.
>     >
>     > Please guide me how to call WCF web-service which involve X.509
>     > certificate based mutual authentication.
>     >
> 
> 

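Added example (not part of the original messages): a small exclusive-C14N serializer in Python showing why the referenced `u:Timestamp` must carry its own `xmlns:u` declaration and how the base64 SHA-1 `DigestValue` is derived from the canonical bytes. The `u` namespace URI and the `u:Wrapper` parent are assumptions, since the thread does not show them; the code handles prefixed elements and no comments.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Assumption: "u" is the WS-Security utility namespace (not shown in the thread).
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
PREFIXES = {WSU: "u"}  # namespace URI -> prefix used in the message

# Constructed input: the thread's Timestamp under a stand-in parent element.
SAMPLE = (f'<u:Wrapper xmlns:u="{WSU}"><u:Timestamp u:Id="_0">'
          "<u:Created>2012-02-21T04:45:06.429Z</u:Created>"
          "<u:Expires>2012-02-21T04:50:06.429Z</u:Expires>"
          "</u:Timestamp></u:Wrapper>")

def _split(name):  # ElementTree "{uri}local" -> (uri, local)
    return tuple(name[1:].split("}", 1)) if name.startswith("{") else ("", name)

def _esc(s, attr=False):
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace("\r", "&#xD;")
    if attr:
        return s.replace('"', "&quot;").replace("\t", "&#x9;").replace("\n", "&#xA;")
    return s.replace(">", "&gt;")

def exc_c14n(el, prefixes, rendered=frozenset()):
    """Exclusive C14N (without comments) for prefixed elements only."""
    uri, local = _split(el.tag)
    attrs = sorted(_split(k) + (v,) for k, v in el.attrib.items())
    used = {uri} | {u for u, _, _ in attrs if u}
    tag = f"{prefixes[uri]}:{local}"
    out = "<" + tag
    # Declare each visibly used namespace not already output by an ancestor.
    for p, u in sorted((prefixes[u], u) for u in used - rendered):
        out += f' xmlns:{p}="{_esc(u, True)}"'
    for u, name, v in attrs:  # ordered by (namespace URI, local name)
        q = f"{prefixes[u]}:{name}" if u else name
        out += f' {q}="{_esc(v, True)}"'
    out += ">" + _esc(el.text or "")
    for child in el:  # text and whitespace between children are kept as-is
        out += exc_c14n(child, prefixes, rendered | used) + _esc(child.tail or "")
    return out + f"</{tag}>"

def reference_digest(xml_text, ref_id, prefixes=PREFIXES):
    """Return (canonical form, base64 SHA-1) for the element whose u:Id is ref_id."""
    root = ET.fromstring(xml_text)
    target = next(e for e in root.iter() if e.get(f"{{{WSU}}}Id") == ref_id)
    canon = exc_c14n(target, prefixes)
    digest = hashlib.sha1(canon.encode("utf-8")).digest()
    return canon, base64.b64encode(digest).decode("ascii")
```

Any whitespace between the child elements is part of the canonical bytes, so the digest only reproduces when the element content is byte-for-byte what the sender signed.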