[XML-SIG] .NET webservice ws 2004 digital signature and soap
Andy-Kim Möller
kim at ypsilon.net
Tue Apr 11 13:18:35 CEST 2006
Hello,
I am trying to connect to a .NET SOAP web service. The messages must have a
signature conforming to WS-Security 2004 with
enveloping mode.
I tried to build it with ZSI, but I got stuck at the signature. After this I
tried to use pyxmlsec, which builds a signature, but not one conforming to the WS
2004 standard.
Right now I am trying to do it by hand, but I am still not able to get the
right digest.
As a short explanation, I am using the following template:
<?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Header><wsse:Security><wsse:BinarySecurityToken
Id="binarytoken"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
elementEncoding="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">{HERE
IS THE CERTIFICATE IN DER FORMAT AND BASE64
ENCODED}</wsse:BinarySecurityToken><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#RefID">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>{DIGEST GENERATED WITH CODESNIPPET
#1}</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
{DIGEST ENCRYPTED WITH PRIVATE KEY}
</ds:SignatureValue>
<dsig:Object Id="RefID" xmlns=""
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">{XML REQUEST FROM SOAP
BODY}</dsig:Object>
<ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soapenv:Header><soapenv:Body>{CUSTOM_XML_REQUEST}</soapenv:Body></soapenv:Envelope>
CODESNIPPET #1 to generate the digest:
I take the complete <dsig:Object> .... </dsig:Object> and put this into
c14n from ZSI.wstools and canonicalize it with
exclusive = 1 and with_comments = 1. On the result of that I simply do
base64.encodestring(sha.new(resultOfCanonicalize).digest()) and this is
my digest. But this part is always different from what Apache's Axis
module for Java produces. With the Java version I get access to the
web service; with my Python version I do not.
I do not believe that the problem is in the canonicalization, because I tried
a lot of different modules from other projects, and e.g. libxml2 and xmllint,
and the result was the same every time. (I also checked it by hand.)
I am now at the point where I am trying to look into the source code of
Apache's Axis module. I would be happy if you could give me a hint about what I am
doing wrong, or if there is some Python code out there that I
can take a look at.
Best regards Kim
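
Added example, not part of the original post: the template's Reference names inclusive C14N without comments (REC-xml-c14n-20010315) as its transform, while the digest in the post is computed with exclusive = 1 and with_comments = 1. The Python below runs a hypothetical helper, inspect_reference, over a constructed, cut-down envelope and lists the namespace prefixes each mode declares on the start tag of the referenced element, which changes the bytes that get hashed.

```python
from xml.parsers import expat

# Transform URI -> (exclusive, with_comments), per XML-DSig and Exclusive C14N.
C14N_MODES = {
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315": (False, False),
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments": (False, True),
    "http://www.w3.org/2001/10/xml-exc-c14n#": (True, False),
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments": (True, True),
}

# Constructed sample: a cut-down envelope shaped like the template in the post.
ENVELOPE = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soapenv:Header><wsse:Security>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:Reference URI="#RefID"><ds:Transforms><ds:Transform
 Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/></ds:Transforms>
</ds:Reference></ds:SignedInfo><dsig:Object Id="RefID" xmlns=""
 xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><request><!-- constructed --></request>
</dsig:Object></ds:Signature></wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>"""

def inspect_reference(xml_bytes, ref_id):
    """Diagnostic only (elements matched by local name): the c14n mode the Reference
    declares, and the prefixes each mode declares on the referenced start tag."""
    scopes, out, in_ref = [{}], {}, [False]
    def start(name, attrs):  # raw qualified names: expat namespace processing is off
        scope = dict(scopes[-1])
        for key, value in attrs.items():
            if key == "xmlns" or key.startswith("xmlns:"):
                scope[key[6:]] = value  # "" is the default namespace
        scopes.append(scope)
        local = name.rpartition(":")[2]
        if local == "Reference" and attrs.get("URI") == "#" + ref_id:
            in_ref[0] = True
        elif local == "Transform" and in_ref[0]:
            out["declared"] = C14N_MODES.get(attrs.get("Algorithm"))
        if attrs.get("Id") == ref_id:
            live = {p for p, uri in scope.items() if uri}  # xmlns="" undeclares
            used = {name.rpartition(":")[0]} | {a.partition(":")[0] for a in attrs if ":" in a}
            out["inclusive"] = sorted(live)         # every in-scope declaration
            out["exclusive"] = sorted(live & used)  # only visibly utilized ones

    def end(name):
        scopes.pop()
        in_ref[0] = in_ref[0] and name.rpartition(":")[2] != "Reference"
    parser = expat.ParserCreate()
    parser.StartElementHandler, parser.EndElementHandler = start, end
    parser.Parse(xml_bytes, True)
    return out
```

For the sample, inclusive mode declares ds, dsig, soapenv, wsse and xsd on the dsig:Object start tag, while exclusive mode declares only dsig, so the two canonical forms hash to different digests.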