[xmlsec] RE: Implementing WS-Security using XMLSec...

Venky Madireddi venky at arvasoft.com
Tue Jun 3 22:32:57 PDT 2003


Aleksey,

Thanks for the reply. I am sorry about not using the mailing list, I will make
sure to use it in the future.

I don't have a DTD, I am using the xmlAddID function to inform LibXML2 about
all the IDs.

Also, I am capturing the response directly from Websphere and storing it to
a file in binary mode.

Since there is no way I could get to the code of Websphere, do you have any
other suggestions on how to solve this issue?

Thanks,

Regards,

-Venky
  -----Original Message-----
  From: Aleksey Sanin [mailto:aleksey at aleksey.com]
  Sent: Tuesday, June 03, 2003 8:29 AM
  To: arvasoft at attbi.com
  Cc: venky at arvasoft.com; xmlsec at aleksey.com
  Subject: Re: Implementing WS-Security using XMLSec...


  First of all, I would appreciate if you would use the xmlsec mailing list
  for any question about the xmlsec library (this reply is copied to the list, btw).

  It seems that your <Reference/> element contains a URI with an Id attribute.
  And I am not sure I understand how you got the error you describe without a DTD.
  Most likely you should have something like this instead:

  func=xmlSecXPathDataExecute:file=xpath.c:line=250:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('wssecurity_body_id_3550107555769326699_1054623170226'))

  Please read section 3.2 from the FAQ (http://www.aleksey.com/xmlsec/faq.html)
  for the explanation "why".

  Assuming you add a correct DTD, the signature seems to be trivial (Reference with an ID
  type URI plus one exc C14N transform) and I would be really surprised if xmlsec does
  a wrong thing here. Unfortunately, there is no easy way to determine why digests do not
  match. In xmlsec you can use the '--print-all' option to get the binary stream just before
  digesting. The best you can do is to compare this data with similar ones from WebSphere
  (if you would be able to get the same data from WebSphere). Read the documentation or search
  the mailing list. There were several similar problems before.

  And if you want me to guess, I would bet that you have different digests because
  something introduced spaces and/or end of lines when you've dumped the XML document
  to file.


  Aleksey


  arvasoft at attbi.com wrote:

Hi Aleksey,

I am implementing WS-Security using XMLSec. Currently, I am trying to
validate signatures generated by Websphere, but am running into a problem
where the Digests generated by Websphere and that by XMLSec are different.
This causes the following error:

func=:file=..\src\openssl\digests.c:line=164:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
Signature is INVALID

I would really appreciate your help on resolving this issue.

Thanks,

Regards,

-Venky


PS: I am attaching the following files:

  1. original Websphere signed document
  2. a modified version of the xml document that I am using for the test, I
     have copied the X509 from <wsse:BinarySecurityToken> to <X509Certificate> in
     <KeyInfo>.
  3. cacert.pem the trusted root that I use

----------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext">
      <wsse:BinarySecurityToken EncodingType="wsse:Base64Binary" ValueType="wsse:X509v3" wsu:Id="wssecurity_binary_security_token_id_3491871345588805218_1054623170226" xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
        MIIDwjCCAyugAwIBAgICUAcwDQYJKoZIhvcNAQEEBQAwaDELMAkGA1UEBhMCVVMxFjAU
        BgNVBAoTDUFydmFzb2Z0LCBJbmMxHDAaBgNVBAsTE0FydmFzb2Z0IFByaW1hcnkgQ0Ex
        IzAhBgkqhkiG9w0BCQEWFGNhYWRtaW5AYXJ2YXNvZnQuY29tMB4XDTAzMDUyMjE2NTQ1
        MVoXDTA0MDUyMTE2NTQ1MVowgaMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTESMBAG
        A1UEBxMJU2FuIFJhbW9uMRYwFAYDVQQKEw1BcnZhc29mdCwgSW5jMRwwGgYDVQQLExNB
        cnZhc29mdCBQcmltYXJ5IENBMRgwFgYDVQQDEw9XZWJzcGhlcmUgVGVzdDExIzAhBgkq
        hkiG9w0BCQEWFGNhYWRtaW5AYXJ2YXNvZnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN
        ADCBiQKBgQC+U+xYlYjrxUXUnEWh/k3TdDT3B2+bTQ/Uqcaayj/1oyKCVuiRzd5gYolx
        aCkUEPRGwbe4ZkzDfBuAy38uV9KyfOoc5SxzHpUcnQSTCH2fxGhYbzOBAfC3DXOQRagj
        eMnFBaBADMrfYMlyEQOqI+faW+0920bZ6/FuHrurbFGjCQIDAQABo4IBPTCCATkwCQYD
        VR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwMgYJYIZIAYb4QgENBCUWI0NlcnRpZmlj
        YXRlIGlzc3VlZCBieSBBcnZhc29mdCwgSW5jMB0GA1UdDgQWBBRmZnJHx2GUWyIckvup
        FvjVP3CkjTCBkgYDVR0jBIGKMIGHgBRBK48bKkx6NoJ2JVo47clzdvNhkaFspGowaDEL
        MAkGA1UEBhMCVVMxFjAUBgNVBAoTDUFydmFzb2Z0LCBJbmMxHDAaBgNVBAsTE0FydmFz
        b2Z0IFByaW1hcnkgQ0ExIzAhBgkqhkiG9w0BCQEWFGNhYWRtaW5AYXJ2YXNvZnQuY29t
        ggEAMDEGCWCGSAGG+EIBBAQkFiJodHRwOi8vd3d3LmFydmFzb2Z0LmNvbS9jYS1jcmwu
        cGVtMA0GCSqGSIb3DQEBBAUAA4GBAArehDZer5IGiB+NboI2TN6NkKT/qKJVd3xGCiPi
        QwfbFzAjgESCON7Dr6Eszn2+mLItIBE/yfX0ukZDFD4h82KWUJygRAL0LMvYSa8f1O1T
        FVScAEFGaaI69+2ynFq3o0bByg9/L/i4xfFvdtUwlEvrbJomsa4nx5NbwWmTw583
      </wsse:BinarySecurityToken>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <Reference URI="#wssecurity_body_id_3550107555769326699_1054623170226">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>5zj77bM9zGNVvLBIdy6yho/IZ+g=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>
          vU35ynJzQdJ7zu09Gitf4hcsoG6OT/qYW1MTcvAigjNxKfgdZYN90BASwwpPN5LxaL
          sEi+f8OXpAYM5aPMlLH1rht+es1xPkq6lrG5JbGcUJtNbSG0LfLhcoWfV4aak1pXdC
          vczRurJyoDEpImeYNsFr6ItLaRciTTTA7qaSCKw=
        </SignatureValue>
        <KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#wssecurity_binary_security_token_id_3491871345588805218_1054623170226"/>
          </wsse:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </wsse:Security>
  </soapenv:Header>
 <soapenv:Body wsu:Id="wssecurity_body_id_3550107555769326699_1054623170226" xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
  <getGreetingResponse xmlns="http://Sample8.wsdk.ibm.com">
   <getGreetingReturn xmlns="">Hello venky. How are you?</getGreetingReturn>
  </getGreetingResponse>
 </soapenv:Body>
</soapenv:Envelope>
----------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv=
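The digest comparison Aleksey recommends, as an added example that is not part of the thread and not xmlsec's own code: it canonicalizes a constructed stand-in for the signed <soapenv:Body>, hashes it the way <DigestValue> is computed, and shows that whitespace introduced while dumping the document changes the digest while attribute order does not. It assumes Python's standard-library C14N 2.0 as a stand-in for exclusive C14N (they agree on whitespace text nodes and attribute ordering, which is all this check relies on), and the canonical bytes it returns are what you would diff against the stream xmlsec prints with `--print-all`.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-in for the signed <soapenv:Body> in the thread; soapenv is
# declared here because the fragment is canonicalized on its own.
BODY = (
    '<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
    ' wsu:Id="wssecurity_body_id_3550107555769326699_1054623170226"'
    ' xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">'
    '<getGreetingResponse xmlns="http://Sample8.wsdk.ibm.com">'
    '<getGreetingReturn>Hello venky. How are you?</getGreetingReturn>'
    '</getGreetingResponse></soapenv:Body>'
)

# The same element after an indenting dump to disk: only whitespace text
# nodes were added, which is what the reply suspects happened.
BODY_REINDENTED = BODY.replace('><', '>\n  <')

# The same element with the wsu:Id attribute and the xmlns:wsu declaration
# swapped: a difference canonicalization is meant to absorb.
BODY_REORDERED = BODY.replace(
    ' wsu:Id="wssecurity_body_id_3550107555769326699_1054623170226"'
    ' xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"',
    ' xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"'
    ' wsu:Id="wssecurity_body_id_3550107555769326699_1054623170226"',
)


def canonical_bytes(xml_text: str) -> bytes:
    """Octet stream that gets hashed. Stdlib C14N 2.0 stands in for exc-c14n;
    strip_text=False keeps whitespace text nodes, exactly as C14N does."""
    return ET.canonicalize(xml_text, strip_text=False).encode("utf-8")


def digest_value(xml_text: str) -> str:
    """Base64 SHA-1 of the canonical bytes, i.e. the <DigestValue> content."""
    return base64.b64encode(hashlib.sha1(canonical_bytes(xml_text)).digest()).decode("ascii")


def first_difference(a: bytes, b: bytes) -> int:
    """Offset of the first differing byte, -1 if the streams are identical.
    Run this on your stream and the one xmlsec prints with --print-all."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


if __name__ == "__main__":
    for name, doc in ("as signed", BODY), ("re-indented", BODY_REINDENTED), ("reordered", BODY_REORDERED):
        print(f"{name:12s} {digest_value(doc)}")
    print("first differing offset:", first_difference(canonical_bytes(BODY), canonical_bytes(BODY_REINDENTED)))
```

With the xmlsec1 command-line tool, the `--id-attr` option plays the role the xmlAddID call above plays for the library: it registers which attributes are IDs so the `#...` reference resolves without a DTD.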
