Re: XML Digital Signature interoperability Issue between DataPower's XS40 and .NET Framework 1.1 and WSE 1.0SP1
From: Guangxi Wu (gwu_at_ch2m.com)
Date: 01/30/04
- Previous message: Michel Gallant: "Re: XML Digital Signature interoperability Issue between DataPower's XS40 and .NET Framework 1.1 and WSE 1.0SP1"
- In reply to: Michel Gallant: "Re: XML Digital Signature interoperability Issue between DataPower's XS40 and .NET Framework 1.1 and WSE 1.0SP1"
- Next in thread: Michel Gallant: "Re: XML Digital Signature interoperability Issue between DataPower's XS40 and .NET Framework 1.1 and WSE 1.0SP1"
- Reply: Michel Gallant: "Re: XML Digital Signature interoperability Issue between DataPower's XS40 and .NET Framework 1.1 and WSE 1.0SP1"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 29 Jan 2004 17:57:24 -0800
Thanks Mitch for your post.
I am relatively new to the cryptography world, so I need a bit more guidance. How can I determine if the signature was based on UNICODE-hashed data? And how do I determine if the signature bytes are big endian or little endian? Is there any way to programmatically parse the signature using .NET or WSE?
The digital signatures from the partner are supposed to conform to the W3 Digital Signature specification (http://www.w3.org/2000/09/xmldsig#). Below is the Signature element contained in the signed SOAP message. The KeyInfo element is removed from the signature, and the signature value is shortened. Notice that the SignedInfo element contains CRLF and other non-significant whitespace.
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
           xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext">
  <SignedInfo>
    <CanonicalizationMethod
        Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="#Body">
      <Transforms>
        <Transform
            Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>U6ix8wug6U8XlJ48SDokGP6Jzys=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>ZPVrzaQrjpX7pzpmMiKdcTjYvoW+Axo+5MZUAyw...</SignatureValue>
</Signature>
Per W3 documentation, the signature value is calculated over the SignedInfo element. .NET's SignedXML seems to perform the signature validation against the SignedInfo element before performing the reference validation against the signed content. The CheckSignature method of the WSE's SignedXML class failed during the signature validation before going to the reference validation.
Thanks,
--- Guangxi
"Michel Gallant" <neutron@NOSPAMistar.ca> wrote in message
news:O7WZW6s5DHA.2416@TK2MSFTNGP10.phx.gbl...
> Two possibilities ... was the signature generated based on UNICODE-hashed
> data?
> Also order of signature bytes (big versus little endian) might be an issue.
>
> ASN parsing of signatures often reveals the problem .. some technologies add
> authenticated attributes in the signature blobs that might cause other
> less-robust implementations to have problems with .. just a few ideas ..
>
> - Mitch Gallant
>
> "Guangxi Wu" <gwu@ch2m.com> wrote in message
> news:OB2kSNs5DHA.2168@TK2MSFTNGP12.phx.gbl...
> > I am currently working with a business partner on a B2B application using
> > SOAP and XML Signature, and have encountered a seeming interoperability
> > issue. I am using SignedXML from .NET Framework 1.1 and WSE 1.0SP1. The
> > partner uses DataPower's XS40 XML Security Gateway. We exchanged
> > certificates in advance.
> >
> > Here is what we know so far:
> >
> > 1. The partner can verify the signatures created by the SignedXML class
> > from WSE 1.0SP1.
> > 2. The partner can verify the signatures created by the XS40 XML Security
> > Gateway (of course).
> > 3. We can verify the signatures created by both WSE 1.0SP1 and .NET
> > Framework 1.1 using WSE 1.0SP1.
> > 4. We CANNOT verify the signatures created by the XS40 XML Security
> > Gateway.
> >
> > The SignedInfo element of the signed SOAP messages from the partner is
> > nicely formatted and includes non-significant white spaces such as CRLF
> > and tabs. I set PreserveWhitespace to True before loading the SOAP
> > message. The SOAP message's declaration indicates it is using UTF-8
> > encoding, but I am not sure if the SOAP message is actually UTF-8 encoded.
> >
> > Has anyone encountered similar issues when verifying signatures generated
> > in Java in general, and by XS40 XML Security Gateway in particular? Can
> > you share your experience, good or bad?
> >
> > Can anyone provide pointers to where I can find information to resolve
> > the issue?
> >
> > Thanks a million in advance.
> >
> > --- Guangxi
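Guangxi asks above how to tell programmatically whether a peer hashed UNICODE (UTF-16) text or emitted the RSA signature little-endian; the following added diagnostic (not code from the thread, .NET or the XS40) tries all four combinations against an rsa-sha1 / PKCS#1 v1.5 signature. It assumes the SignedInfo element has already been canonicalized to a string and that the partner's RSA public key (n, e) has been taken from the exchanged certificate; the key pair and the abbreviated SignedInfo string are constructed locally for the demonstration.

```python
import base64
import hashlib
import random
# DER-encoded DigestInfo prefix for SHA-1 (RFC 3447, section 9.2, note 1).
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")
rng = random.Random(2004)  # fixed seed so the toy key below is reproducible
# Constructed, abbreviated stand-in for the canonicalized SignedInfo octets.
CANON_SIGNEDINFO = '<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">...</SignedInfo>'

def is_probable_prime(n, rounds=20):  # Miller-Rabin; fine for a demo key only
    r = ((n - 1) & (1 - n)).bit_length() - 1  # trailing zero bits of n - 1
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_key(bits=512, e=65537):
    """Toy RSA key (n, e, d) generated here for the example only."""
    while True:
        p, q = (rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1 for _ in range(2))
        phi = (p - 1) * (q - 1)
        if p != q and phi % e and is_probable_prime(p) and is_probable_prime(q):
            return p * q, e, pow(e, -1, phi)

def pkcs1_sha1_em(data, k):  # EMSA-PKCS1-v1_5 encoding of SHA-1(data) into k octets
    t = SHA1_DIGESTINFO + hashlib.sha1(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(text, n, d, encoding="utf-8", byteorder="big"):
    """Sign canonical SignedInfo text as a conforming (or quirky) peer would."""
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(pkcs1_sha1_em(text.encode(encoding), k), "big")
    return base64.b64encode(pow(m, d, n).to_bytes(k, byteorder)).decode()

def diagnose(text, signature_value, n, e):
    """Return the (encoding, byteorder) under which SignatureValue verifies, else None."""
    sig, k = base64.b64decode(signature_value), (n.bit_length() + 7) // 8
    for byteorder in ("big", "little"):
        em = pow(int.from_bytes(sig, byteorder), e, n).to_bytes(k, "big")
        for encoding in ("utf-8", "utf-16-le"):
            if em == pkcs1_sha1_em(text.encode(encoding), k):
                return encoding, byteorder
    return None
```

If diagnose() returns anything other than ("utf-8", "big"), the peer is not producing a spec-conforming rsa-sha1 SignatureValue; if it returns None for every combination, the mismatch is in the canonicalized SignedInfo octets themselves (whitespace, encoding or namespace handling), not in the RSA step.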