I am trying to implement a Java web service client. The SOAP message is signed (internal detached signing).
I have an example of valid message that validates as correctly signed.
When I try my code, the message is not correctly signed. Trying to track the problem, I realized that the problem (or my mistake) is related to the generation of for one of the references in .
In the example that works correctly, I can 'verify' how the DigestValue is created:
<ds:Reference URI="#Id-4889213">
  <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
    </ds:Transform>
  </ds:Transforms>
  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <ds:DigestValue>VYRVoWOIiZx/7QMavLyDmAZ3Mb0=</ds:DigestValue>
</ds:Reference>
The reference's URI is the message Body:
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-4889213">
<web:consultarEstados xmlns:web="https://webservice.face.gob.es"/>
If I canonicalize this manually and apply SHA-1, the result I get is exactly the DigestValue.
Hand-canonicalized soapenv:Body:
<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-4889213"><web:consultarEstados xmlns:web="https://webservice.face.gob.es"></web:consultarEstados></soapenv:Body>
Command to generate the SHA-1 value (store the previous string with the canonicalized body in bodyib.txt):
cat bodyib.txt | openssl dgst -binary -sha1 | openssl enc -base64
Output:
VYRVoWOIiZx/7QMavLyDmAZ3Mb0= (Yes, the value in DigestValue!!)
When I sign my message, I get the following Reference:
<ds:Reference URI="#Id-4889213">
  <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
    </ds:Transform>
  </ds:Transforms>
  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <ds:DigestValue>sA5MIQPm4b2YhMRTPHg9CY8J1FI=</ds:DigestValue>
</ds:Reference>
I mimic all namespaces and the Id to get exactly the same SOAP message as the example I have. So I get the following soapenv:Body:
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-4889213">
If I canonicalize this by hand, I get exactly the same string as earlier but the DigestValue shown in Reference is not the same.
I have tried this with two different JSR 105 providers:
Oracle: "org.jcp.xml.dsig.internal.dom.XMLDSigRI"
Apache Santuario (1.5.6): "org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI"
And the result is the same digest (different from the one I expect based on the example I have). I don't know where this digest is coming from. When I try to calculate it by hand, the result is the one in the example.
I imagine I am missing some concept of this whole thing, because using two different libraries I get the same value, so I don't think the problem is in the code of these libraries.
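An added example (not from the question or from either JSR 105 provider) that reproduces the hand check above in Python with only the standard library: a small Exclusive C14N serializer for the Body subtree, then SHA-1 and base64, so the DigestValue a signer emits can be compared against the digest of the exact bytes you believe it hashed. The envelope is constructed to mirror the question's Body; the surrounding Envelope and Header elements are assumptions, and the serializer covers elements, attributes and text only (no comments, no PrefixList).

```python
import base64, hashlib
from xml.dom import Node, minidom

XMLNS = "http://www.w3.org/2000/xmlns/"
SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
# Constructed envelope mirroring the question's Body (no whitespace inside the Body).
ENVELOPE = ('<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Header/><soapenv:Body xmlns:wsu='
            '"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"'
            ' wsu:Id="Id-4889213"><web:consultarEstados xmlns:web="https://webservice.face.gob.es"/>'
            '</soapenv:Body></soapenv:Envelope>' % SOAPENV)

def _esc(s, attr=False):  # C14N escaping: text escapes '>', attribute values escape '"', LF, TAB
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace("\r", "&#xD;")
    return (s.replace('"', "&quot;").replace("\n", "&#xA;").replace("\t", "&#x9;") if attr
            else s.replace(">", "&gt;"))

def _in_scope_ns(elem):  # prefix -> URI declared on elem or any ancestor (nearest wins)
    parent = elem.parentNode
    scope = _in_scope_ns(parent) if parent.nodeType == Node.ELEMENT_NODE else {}
    for a in elem.attributes.values():
        if a.namespaceURI == XMLNS:
            scope["" if a.name == "xmlns" else a.name.split(":", 1)[1]] = a.value
    return scope

def exc_c14n(elem, rendered=None):
    """Exclusive C14N 1.0 (no comments, empty PrefixList): emit only visibly utilised
    namespaces, and only if the nearest output ancestor did not emit the same pair."""
    rendered = dict(rendered or {})
    scope = _in_scope_ns(elem)
    attrs = [a for a in elem.attributes.values() if a.namespaceURI != XMLNS]
    used = {elem.prefix or ""} | {a.prefix for a in attrs if a.prefix and a.prefix != "xml"}
    out = ["<" + elem.tagName]
    for p in sorted(used):  # namespace declarations first, sorted by prefix
        uri = scope.get(p, "")
        if (p, uri) != ("", "") and rendered.get(p) != uri:
            out.append(' xmlns%s="%s"' % (":" + p if p else "", _esc(uri, True)))
            rendered[p] = uri
    for a in sorted(attrs, key=lambda a: (a.namespaceURI or "", a.localName)):
        out.append(' %s="%s"' % (a.name, _esc(a.value, True)))
    out.append(">")  # an empty element is always written as start tag + end tag
    for c in elem.childNodes:
        if c.nodeType == Node.ELEMENT_NODE:
            out.append(exc_c14n(c, rendered))
        elif c.nodeType == Node.TEXT_NODE:
            out.append(_esc(c.data))
    return "".join(out) + "</%s>" % elem.tagName

def body_digest(envelope_xml):  # (canonical Body, base64 SHA-1) as the ds:Reference sees it
    canonical = exc_c14n(minidom.parseString(envelope_xml).getElementsByTagNameNS(SOAPENV, "Body")[0])
    return canonical, base64.b64encode(hashlib.sha1(canonical.encode()).digest()).decode()
```

If a signer's DigestValue differs from this one for a Body that canonicalizes to the same string, the signer hashed different bytes (for instance whitespace or other nodes inside the Body), so the next step is to dump what the signer actually canonicalized rather than the hand-written string.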