Posted to dev@santuario.apache.org by Pettersson Joakim <jo...@amfpension.se> on 2004/08/18 13:58:40 UTC

Can't get Microsoft .NET to validate a SOAPMessage signed by Apache XMLSec ...

Hi all

I'm having a really bad time with this problem. Any help on the matter would
be really good.

We've set up a .NET test environment to penetrate a tricky, soon-to-be-deployed B2B
application involving some 6 or 7 different companies.
All of the others are using the MS platform, while I'm using Java on
WebSphere together with (among a lot of external packages) Apache XMLSec 1.1.
We have to communicate different XML messages back and forth and we are to
use signed SOAP messages.

The messages look a bit like this:

<soap:Envelope>
  <soap:Header>
    <txHeader>
      ...
    </txHeader>
    <wsse:Security>
      <SignedInfo>
        <Reference>
          <DigestValue>DIGEST_TXHEADER</DigestValue>
        </Reference>
        <Reference>
          <DigestValue>DIGEST_SOAPBODY</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>SIGNATURE</SignatureValue>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    ...
  </soap:Body>
</soap:Envelope>

While both Apache and Microsoft manage to produce the same two digest values
(given the same source), the signing method(s) produce different SIGNATUREs.
As it happens, Apache can validate both messages, while Microsoft can only
validate its own message.

How can this be? Is it the canonicalization of the SignedInfo node that
differs, or do the two implementations differ in their adherence to the
underlying specification? What can be done to solve this annoying showstopper?

Please, any help is useful.


   regards ... Jocke

Re: Can't get Microsoft .NET to validate a SOAPMessage signed by Apache XMLSec ...

Posted by Karel Wouters <kw...@esat.kuleuven.ac.be>.
Depending on the signature algorithm, it's perfectly possible to produce
two different signature values for the same document. Some algorithms
use random numbers to generate the signature. (e.g., DSA)

Don't know about the difference between MS and Apache though.

Karel.

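Karel's point about randomized signature algorithms, together with the canonicalization question from the original post, worked through in an added Go example (not code from the thread, from Apache XMLSec or from .NET). It assumes ECDSA in place of DSA, since both draw a fresh random value for every signature and so produce a different SignatureValue on every run, and it uses a constructed byte string as a stand-in for the real canonicalized SignedInfo element.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Constructed stand-in for the canonicalized <SignedInfo> octets, the exact
// byte string both peers must produce before anything is signed or verified.
var SignedInfo = []byte("<SignedInfo><Reference><DigestValue>DIGEST_TXHEADER</DigestValue></Reference></SignedInfo>")

// Outcome is what a peer observes after signing the same bytes twice with a
// randomized algorithm (ECDSA here, assumed in place of DSA; both pick a
// fresh random k per signature) and then verifying the results.
type Outcome struct {
	SameBytes     bool // raw SignatureValue identical across the two runs?
	BothVerify    bool // both values verify under the signer's public key?
	DriftVerifies bool // first value still verifies if the verifier
	//                    canonicalizes SignedInfo one byte differently?
}

func must(err error) {
	if err != nil {
		panic(err) // demo code: a key-generation or signing failure is fatal
	}
}

// Probe signs data twice, verifies both values, and then verifies the first
// value against data canonicalized with one extra byte (a trailing newline).
func Probe(data []byte) Outcome {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	h := sha256.Sum256(data)
	s1, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	must(err)
	s2, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	must(err)
	drift := sha256.Sum256(append(append([]byte{}, data...), '\n'))
	pub := &key.PublicKey
	return Outcome{
		SameBytes:     bytes.Equal(s1, s2),
		BothVerify:    ecdsa.VerifyASN1(pub, h[:], s1) && ecdsa.VerifyASN1(pub, h[:], s2),
		DriftVerifies: ecdsa.VerifyASN1(pub, drift[:], s1),
	}
}
```

The useful diagnostic is the last field: two differing SignatureValues that both verify are expected for DSA-style algorithms, whereas a signature that the producer can verify and the consumer cannot points at the two sides feeding different SignedInfo octets into the verifier.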