Posted to dev@santuario.apache.org by yo...@uk.pwc.com on 2004/08/26 12:38:03 UTC

Re: XMLSecurity interop .NET (2)

Sorry, I haven't included my test, and I must add that it removes the chars
between open/close tags only if there are only spaces, tabs, carriage returns
or line feeds.

c#

// Runs the text in textBox1 through an inclusive C14N transform (comments
// excluded) and shows the canonical form in textBox2.
// Note: XmlDocument.PreserveWhitespace defaults to false, so Load() already
// drops whitespace-only text nodes before the transform sees the document.
using System;
using System.IO;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Xml;

XmlDsigC14NTransform t = new XmlDsigC14NTransform(false);
XmlDocument doc = new XmlDocument();
using (StringReader reader = new StringReader(this.textBox1.Text))
{
    doc.Load(reader);
}
t.LoadInput(doc);

// C14N output is a UTF-8 byte stream; decode it as UTF-8 rather than
// casting single bytes to char, which corrupts non-ASCII content.
Stream str = (Stream)t.GetOutput(typeof(Stream));
string s;
using (StreamReader sr = new StreamReader(str, Encoding.UTF8))
{
    s = sr.ReadToEnd();
}

this.textBox2.Text = s;

Regards,

Yoram




                                                                                                                                 
Yoram Halberstam/UK/GTS/PwC@EMEA-UK
26/08/2004 11:26
To: security-dev@xml.apache.org
cc:
Subject: Re: XMLSecurity interop .NET
Please respond to security-dev




From what I can see, .NET removes the spaces between open/close tags whilst
the W3C Canonical XML spec specifies you should keep them

http://www.w3.org/TR/2001/REC-xml-c14n-20010315 (section 3.2)

Yoram





"Mats T Pettersson" <mats.t.pettersson@makerson.com>
18/08/2004 15:02
To: security-dev@xml.apache.org
cc:
Subject: XMLSecurity interop .NET
Please respond to security-dev

My project uses Java and the toolkit Apache XML Security version 1.1 for
Java to digitally sign and validate a SOAP message containing a detached
signature using an X509 certificate. The corresponding certificate is also
included using the BinarySecurityToken and a reference to it in a
SecurityTokenReference tag. The SOAP message has an element in the
soap:Header and one element in the soap:Body, both containing business
data, and these elements are therefore referenced by the signature
(see example message).

These messages are afterwards sent to my project's business partner
via HTTP. Also, the same type of messages are created, signed and
transmitted by my project's business partner, using Microsoft .NET and
probably some version of WSE, and then sent back to my project.

Example message

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Header>
      <txh:TxHeader xmlns:txh="http://schemas.ssek.org/txheader/2003-04-03/" xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility" soap:mustUnderstand="1" wsu:Id="txHeader">
         <txh:SenderId txh:type="CN">TheSenderID</txh:SenderId>
         <txh:ReceiverId txh:type="CN">TheRecieverID</txh:ReceiverId>
         <txh:TxId>e72a8ffd-f10b-11d8-8d0a-59cd0f604ce5</txh:TxId>
         <txh:Timestamp>2004-08-18T13:44:03</txh:Timestamp>
      </txh:TxHeader>
      <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext" soap:mustUnderstand="1">
         <wsse:BinarySecurityToken xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility" EncodingType="wsse:Base64Binary" ValueType="wsse:X509v3" wsu:Id="MySecurityToken">CWfFEoVpR8FX7A&&.=</wsse:BinarySecurityToken>
         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
               <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
               <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
               <Reference URI="#txHeader">
                  <Transforms>
                     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc_c14n#"></Transform>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
                  <DigestValue>2tj1B31Sk+59S0W2vVrraX97c4c=</DigestValue>
               </Reference>
               <Reference URI="#soapBody">
                  <Transforms>
                     <Transform Algorithm="2001/10/xml-exc_c14n#"></Transform>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
                  <DigestValue>a0q9friUjwfd8i3plQCOI1kGYd0=</DigestValue>
               </Reference>
            </SignedInfo>
            <SignatureValue>WmR9U+3/ACWfFEoVpR8FX7AI5HVCrWdbViSD4mpuIriTm6zqlOMDZi2XqId01Q2BxFqeUwgLHuVvIrnglL4M/CqptMyY2pnFdcgiZYZeDtWk0brSsoCCUZb9iNAHDK6YfD53AHhFBZ9h/hVabFYXpQxNwKeSNpfFWkb7UgzTGsI=</SignatureValue>
            <KeyInfo>
               <wsse:SecurityTokenReference>
                  <wsse:Reference URI="#MySecurityToken"/>
               </wsse:SecurityTokenReference>
            </KeyInfo>
         </Signature>
      </wsse:Security>
   </soap:Header>
   <soap:Body xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility" wsu:Id="soapBody">
      <MyBusinessData xmlns="http://www.mybusiness.se/xmlschema/2004-01-16/" Skapad="2004-05-24T14:48:02.070" TxId="9678B606-E85D-49c7-8A49-5CDEA3F128F4">
      </MyBusinessData>
   </soap:Body>
</soap:Envelope>

Status

Currently the status is as follows:

1. My project can validate its own signed messages.
2. My project can, with the same code and certificate, validate the
   business partner's signed messages.
3. The business partner can't validate my project's signed messages.

After extensive testing and debugging, it is concluded that the signature
reference digest values become the same in both Java and .NET signed
messages. But the SignatureValues differ! Do the Java and .NET
implementations of the canonicalization algorithms differ, therefore
producing different values?
According to posts in various newsgroups it is concluded that some
interoperability issues between Java toolkits and .NET Framework / WSE 1.0
/ WSE 2.0 occur in the implementations of the canonicalization algorithms.

Questions

Which combinations of toolkits (Apache 1.1 XML Security and .NET Framework
/ WSE 1.0 SP1 / WSE 2.0) are possible according to the different
implementations of the canonicalization algorithms?

How to configure either toolkit (Apache or .NET) to make both
canonicalization algorithms the same regarding implementation?

Which toolkit supports the XML Signature standard?

Are there any interoperability test results accessible between Apache XML
Signature and .NET?

Any, and I mean any, input / feedback / help is much appreciated because we
are stuck...

PS. Sorry for the long posting. D.S.

Mats
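To put what Yoram reports (whitespace-only text between tags being dropped) next to what Mats observes (equal DigestValues but different SignatureValues) in a form you can run, here is an added example in Python 3.8+ using only the standard library. It is not code from either poster, from Apache XML Security or from .NET. xml.etree.ElementTree.canonicalize implements Canonical XML 2.0 rather than the 2001 Canonical XML 1.0 the messages refer to, but both keep whitespace-only text nodes between tags (section 3.2 of the 2001 spec); its strip_text option is used here to imitate a serialiser that discards them. The SignedInfo, the referenced element and the HMAC key are constructed stand-ins for the real message and RSA key: HMAC-SHA1 replaces RSA-SHA1 only because the point is which bytes get signed, not the signature algorithm. The referenced element contains no whitespace-only nodes, so its digest comes out the same either way, while the pretty-printed SignedInfo canonicalizes to different bytes and therefore a different signature, which is exactly the status Mats describes.

```python
import hashlib
import hmac
import re
from xml.etree import ElementTree as ET

# Constructed stand-ins for the thread's message (not the real SOAP message):
# a pretty-printed SignedInfo, as a Java toolkit would serialise it, and a
# referenced element that contains no whitespace-only text nodes.
SIGNED_INFO = """<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
   <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
   <Reference URI="#txHeader">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      <DigestValue>AAAAAAAAAAAAAAAAAAAAAAAAAAA=</DigestValue>
   </Reference>
</SignedInfo>"""

REFERENCED = ('<txh:TxHeader xmlns:txh="urn:example:txheader">'
              '<txh:TxId>e72a8ffd</txh:TxId></txh:TxHeader>')

DEMO_KEY = b"constructed-demo-key"  # stand-in for the signer's RSA private key


def canonicalize(xml_text, drop_whitespace_nodes):
    """Canonical XML as UTF-8 bytes.

    drop_whitespace_nodes=False is what the spec requires: whitespace-only
    text nodes between tags are kept.  True uses ET's strip_text option to
    imitate a serialiser that throws that whitespace away, the behaviour
    reported for .NET in the thread.
    """
    return ET.canonicalize(xml_text, strip_text=drop_whitespace_nodes).encode("utf-8")


def reference_digest(element_xml, drop_whitespace_nodes):
    """DigestValue for one <Reference>: SHA-1 over the canonical element."""
    return hashlib.sha1(canonicalize(element_xml, drop_whitespace_nodes)).hexdigest()


def signature_value(signed_info_xml, key, drop_whitespace_nodes):
    """SignatureValue stand-in: HMAC-SHA1 over the canonical SignedInfo.

    RSA-SHA1 would be computed over exactly the same bytes, so if the bytes
    differ between two implementations, so does the SignatureValue.
    """
    data = canonicalize(signed_info_xml, drop_whitespace_nodes)
    return hmac.new(key, data, hashlib.sha1).hexdigest()


def differs_only_in_whitespace(a, b):
    """True when two serialisations differ, but only in whitespace between tags."""
    def squeeze(s):
        return re.sub(rb">\s+<", b"><", s)
    return a != b and squeeze(a) == squeeze(b)


def diagnose(signed_info_xml, referenced_xml, key):
    """Reproduce the reported status: equal digests, unequal signatures."""
    spec = {"digest": reference_digest(referenced_xml, False),
            "sig": signature_value(signed_info_xml, key, False)}
    stripped = {"digest": reference_digest(referenced_xml, True),
                "sig": signature_value(signed_info_xml, key, True)}
    return {
        "digests_equal": spec["digest"] == stripped["digest"],
        "signatures_equal": spec["sig"] == stripped["sig"],
        "signed_info_differs_only_in_whitespace": differs_only_in_whitespace(
            canonicalize(signed_info_xml, False),
            canonicalize(signed_info_xml, True)),
    }


if __name__ == "__main__":
    for name, value in diagnose(SIGNED_INFO, REFERENCED, DEMO_KEY).items():
        print(f"{name}: {value}")
    print(canonicalize(SIGNED_INFO, True).decode())
```

When the digests agree but the signature does not, compare the canonicalized SignedInfo bytes from both sides before suspecting keys or certificates; differs_only_in_whitespace() tells you whether the gap is purely whitespace-only text nodes. On the .NET side there is one thing to rule out that has nothing to do with the transform itself: System.Xml.XmlDocument.PreserveWhitespace defaults to false, so Load() discards whitespace-only text nodes before XmlDsigC14NTransform ever sees the document; set it to true before loading when comparing canonical forms with another toolkit.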







_________________________________________________________________
--------------------- End of message text --------------------

This e-mail is intended only for the person to whom it is addressed.  If an
addressing or transmission error has misdirected this e-mail, please notify
the author by replying to this e-mail.  If you are not the intended
recipient you must not use, disclose, print or rely on this e-mail.

PricewaterhouseCoopers LLP is a limited liability partnership registered in
England with registered number OC303525.  The registered office of
PricewaterhouseCoopers LLP is 1 Embankment Place, London WC2N 6RH.
PricewaterhouseCoopers LLP is authorised and regulated by the Financial
Services Authority for designated investment business.

PricewaterhouseCoopers LLP may monitor outgoing and incoming
e-mails and other telecommunications on its e-mail and
telecommunications systems. By replying to this e-mail you
give your consent to such monitoring.

----------------------------------------------------------------
Visit our website http://www.pwc.com





