Well, it can't be the http headers.  I now think the problem might be with 
canonicalization.

I can verify when I sign with the transform:
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>

I can verify when I sign with the transform:
<dsig:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>

but when I sign with the transform:
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
it fails to verify.

And none of it verifies when I send to my server (which is some black box 
Microsoft implementation).

It looks like the server is expecting Exclusive Canonicalization, but I 
can't even get that to work in my test environment.

Attached is my xml document after signing (shortened the digest values, 
but otherwise unchanged).
Please take a look at it and see if I am doing something stupid.

Thanks in advance,
Brian

Aleksey Sanin <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
06/29/2008 08:19 PM

To: [EMAIL PROTECTED]
cc: xmlsec@aleksey.com
Subject: Re: [xmlsec] Signing a document that will be altered

I highly doubt that http headers are involved in the signatures...
At least, not with xmlsec.

Aleksey

[EMAIL PROTECTED] wrote:
> 
> Hello,
> I think I'm running into a problem where the digital signature is being 
> made invalid due to an http post.
> Before I send my message to serverB I encrypt it and sign it, I then 
> post the message to the server.
> The post obviously adds http headers to the beginning of the message, 
> such as ContentType, ContentLength, etc.
> I'm guessing that even though these headers are not inside the xml 
> document, they are still affecting my digest.
> 
> Is there a way to force the sign method to only sign the xml as opposed 
> to the whole string? And also force
> the serverB verifier to verify the xml?
> 
> Thank you,
> Brian
> 
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec@aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [
<!ATTLIST soap:Body wsu:Id ID #IMPLIED>
<!ATTLIST xenc:EncryptedData Id ID #IMPLIED>
<!ATTLIST xenc:EncryptedKey Id ID #IMPLIED>
]>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 soap:encodingStyle="http://www.w3.org/2003/05/soap-encoding">
<soap:Header>
<wsse:Security
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 soap:mustUnderstand="1">
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#SB">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>RcoLinRmgZOuMk8KbAdJRLhRdzc=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>c0GoWW9WCw7JSEDvd4PUcl3TmLp9gMtanzhj/nLLkyCQd2Q5g8fhxs4ATQnxSKpQ
...
srq68Xg5cdzJyuiGxFyzeVYIRKI5o5JE0iMU5+Ww+nw9EKlzisKZOgeBav/Aozez
Ep05DNaey/WYyp2Xpu6iqw==</dsig:SignatureValue>
<dsig:KeyInfo>

<wsse:SecurityTokenReference>
<wsse:KeyIdentifier
 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
 EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">JIQs8tRZIGKLLlyGkKOqMLonGpw=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</dsig:KeyInfo>
</dsig:Signature>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-0"
 Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier
 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
 EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">JIQs8tRZIGKLLlyGkKOqMLonGpw=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>

</KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>EI4QK0cOVgoRm5CNTOdxDJ4fwyNxcvpJb+7HbADNn75dF+3McMEtCsxo85q25sFb
...
LeonG0qH50jqboU8UEgfLmi8oNew4OfRb1RvnfS5w3HJ+b19YrAouI+iZK9RcOLz
roXJ6gYgb4TrdMnXXyIXL5G6HiA39Kt9533tQB81Ycu6wUqE1wH7V485ukS3FScx
OJA7h/VdbZamAaiWgPwh9A==</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#ED-0"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
</wsse:Security>
</soap:Header>
<soap:Body wsu:Id="SB">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-0"
 Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod
 Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">

<RetrievalMethod URI="#EK-0" 
Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"/>
</KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>bhiN30v5EV+37HUmEbuJJTj9PSAD7cCDs3C2+bnhd05r8VlzBsQgJBcrR/P/6vzW
u8PSFGekaQDcLgCJkFyiK83X9Q/PPHLke+ZEjClKl/+BOxv0NamSoaDGHMkqDwy1
Iblm/XQ0PfFY9arPdgWTxkE+qymQlU+LWlG8Q4Q3zqtwOxvSALV/dEreBcE0OqbP
...
7aftifDgmidBO7tV8MqLvLNrOB/ANbfI3GvMSeih2Ew4afEWp02bE3Muo/ev0YPf
2bXV/SbkaUJxhemZVHHJaKx7dSr80rEboz/BGigGLB3PscPo41pJMz7WbvNlX27M
affn5s4LjxIjbSYqGYHi2E26zRxo0V1t1c7zLTMycRfNWbJLEg29pon8LU8jDWkX
hKRF1FuQbe7AhOXFcSEp2wd+bNnPcRu7bXVAa69VR4Clm0BwJz4zADcLtioaYmSY
5UZGkcLmpopfQy8IgAhadI8v6Vme4ZXkAkchc6Iy8h/KBCx8+W/U/cTSYeLS54hg
CfJB48KJvL8DwNP2U8fJy7jGrQ4sFGMBORr8JKBg++aLhNxxoEVhJkiztVfyiZPx
m4JAJEcddcyJuMpyPYyv2F6cWiOqU0SQgCWAwPKiGmddfH0k6Jbk70k57olR7Zv4</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>

</soap:Body>
</soap:Envelope>
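To see why swapping inclusive C14N for Exclusive C14N changes the bytes a verifier digests, here is an added example (not from this thread and not xmlsec code) that applies a simplified version of both namespace rules to a constructed envelope shaped like the one above. SAMPLE, canonical and digest_value are names invented for this illustration; the serializer omits comments, PIs, xml: attribute inheritance and the InclusiveNamespaces PrefixList, so it shows the namespace rule rather than replacing a real library.

```python
import base64
import hashlib
from xml.dom import minidom

# Constructed sample modelled on the envelope in the thread (DTD, KeyInfo and digests omitted).
SAMPLE = b"""<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:Reference URI="#SB"/>
</dsig:SignedInfo></dsig:Signature></wsse:Security></soap:Header>
<soap:Body wsu:Id="SB"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-0"/></soap:Body>
</soap:Envelope>"""

def _decls(el):  # namespace declarations made on el: {prefix: uri}, "" for the default namespace
    return {n.partition(":")[2]: v for n, v in el.attributes.items() if n.split(":")[0] == "xmlns"}
def _scope(el):  # namespaces in scope at el: ancestors' declarations, the nearest one winning
    p = el.parentNode
    return {**(_scope(p) if p is not None and p.nodeType == p.ELEMENT_NODE else {}), **_decls(el)}
def _esc(s, attr=False):  # minimal C14N escaping; attribute values and text follow different rules
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace("\r", "&#xD;")
    return s.replace('"', "&quot;").replace("\n", "&#xA;").replace("\t", "&#x9;") if attr else s.replace(">", "&gt;")

def _serialize(el, scope, rendered, exclusive):
    """One element: xmlns decls sorted by prefix, then attributes by (namespace URI, local name)."""
    scope = {**scope, **_decls(el)}
    attrs = [(n.rpartition(":")[0], n.rpartition(":")[2], v) for n, v in el.attributes.items() if n.split(":")[0] != "xmlns"]
    used = {el.tagName.rpartition(":")[0]} | {p for p, _, _ in attrs if p}  # "visibly utilized" prefixes
    parts, emitted = ["<" + el.tagName], {}
    for prefix, uri in sorted(scope.items()):
        if (exclusive and prefix not in used) or rendered.get(prefix, "") == uri:
            continue  # exc-c14n drops unused inherited decls; both skip decls already rendered above
        emitted[prefix] = uri
        parts.append(' xmlns%s="%s"' % (":" + prefix if prefix else "", _esc(uri, True)))
    for prefix, local, value in sorted(attrs, key=lambda a: (scope.get(a[0], "") if a[0] else "", a[1])):
        parts.append(' %s="%s"' % (prefix + ":" + local if prefix else local, _esc(value, True)))
    parts.append(">")
    for child in el.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            parts.append(_serialize(child, scope, {**rendered, **emitted}, exclusive))
        elif child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(_esc(child.data))
    return "".join(parts) + "</" + el.tagName + ">"

def canonical(qname, exclusive):  # canonical bytes of SAMPLE's element qname, in its ancestors' context
    el = minidom.parseString(SAMPLE).getElementsByTagName(qname)[0]
    return _serialize(el, _scope(el), {}, exclusive).encode("utf-8")
def digest_value(qname, exclusive):  # base64 SHA-1 of that form, which is what a DigestValue holds
    return base64.b64encode(hashlib.sha1(canonical(qname, exclusive)).digest()).decode()
```

For soap:Body both rules give the same bytes, because every inherited prefix (soap, wsu) is visibly used on it; for dsig:SignedInfo the inclusive form drags in xmlns:soap, xmlns:wsse and xmlns:wsu while the exclusive form keeps only xmlns:dsig, so signer and verifier must agree on the algorithm or the SignatureValue cannot match.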