
I have an issue with signing an XML form for a WSDL web service. I can sign the document just fine, but the web service rejects it, while all other signature verifications check out. I have been told by the service provider that the issue is I'm signing the entire document instead of just the child. And I have no idea how to sign an XML, turn it into a node and import it into another XML without breaking the integrity of the signature. Any help would be appreciated.

The XML outline is as follows:

<OddajVlogoReq>
    <EvemHRDocument>
        all the data
        <Signatures>
            <Signature>
                signature things
            </Signature>
        </Signatures>
    </EvemHRDocument>
</OddajVlogoReq>

And apparently the OddajVlogoReq element is not supposed to be signed. I'm signing by serialising and forming a signed XML from the entire document, then appending the signature as a child into the document. There's no difference whether I start with the parent or the first child signature-wise, but starting with the EvemHRDocument would mean I then need to append the signed document to the OddajVlogoReq. How can I do that and keep the signature valid?

dbc
ziga cibic
  • See posting: https://stackoverflow.com/questions/46722997/saml-assertion-in-a-xml-using-c-sharp/46724392 – jdweng Sep 27 '18 at 09:09
  • Thanks for the link, but unfortunately it didn't help much apart from a really clean helper method. Basically, from what support has told me, I need to end up with an XML where the signature is valid after removing the OddajVlogoReq tags. To be clear, I do not touch the SOAP as that is auto-generated for me (thankfully). All I really need is a way to insert a signed XML string into another XML string and maintain signature integrity. – ziga cibic Sep 28 '18 at 09:18
  • The code you need is in the link I provided. The method SignXmlWithCertificate() only signs a particular element and not the entire document. – jdweng Sep 28 '18 at 14:40
  • I noticed that, and it is an elegant method and I did implement it. However, the web service still throws an invalid signature exception, and from what I've gathered when talking with support it's as if the backend strips the OddajVlogoReq tag and only then checks the signature (this is my interpretation; support is not the dev team and super vague with their "support"). Is it even possible to do what I'm getting at? I thought for sure the SignXml method in the link was what I needed, but apparently this is the most convoluted web service ever. – ziga cibic Sep 29 '18 at 16:40
  • You should be able to create the signature and connect. Can you connect with other software? Usually I recommend using a sniffer like Wireshark or Fiddler and comparing a working application with the one that doesn't work. You can also save the XML to a file to verify your changes are working correctly. – jdweng Sep 29 '18 at 20:25
  • The signature is created and passes validation if I try validating the entire XML, which I do save. The web service uses an external provider for signature validation that has a tester available, which accepts plain text for the XML. Should the signature still be valid if I copy over only the signed element from the XML? If so, I guess I'm doing something wrong with the implementation. I do not have access to any working application for the service, so I can't check my work against anything functional. – ziga cibic Sep 30 '18 at 21:24
  • Are you failing the signature validation or the schema validation? I would use an online schema check to see if the XML is valid. You can perform the check inside Visual Studio using the menu: Project : Add New Item : Xml File. Then paste the XML into the view. Errors will show up like normal compiler errors. – jdweng Oct 01 '18 at 07:05
  • I am failing signature validation at the web service. The document is schema compliant, and after doing as you suggested the build came through no problem. Here's the XML I'm sending to the service: https://pastebin.com/KXn71ZAj And as I have previously mentioned, from what I understood, the signature has to be valid when the outermost tags are stripped. The pastebin contains the entire value that is inserted into the CDATA block of the request. If the XML isn't schema compliant, I don't even get to the signature validation part. – ziga cibic Oct 01 '18 at 08:28
  • I got it to work by using a pretty unhygienic method IMO. I created string values with the opening and closing elements of the XML I needed and just serialized the node I needed without the XML declaration and concatenated the whole thing. The signature passes and the web service accepts the document. I thought there would be a cleaner solution, but hey, at this point I'll take anything that works. – ziga cibic Oct 03 '18 at 08:11
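One way to do what the question asks without string concatenation, as an added example that is neither the asker's code nor the linked helper: sign EvemHRDocument while it is the root of its own document, import the signed element into OddajVlogoReq with ImportNode, and verify after lifting it back out, which is how the comments describe the service checking it. It assumes .NET with System.Security.Cryptography.Xml; the RSA key and the sample payload are constructed stand-ins for the certificate's private key and the real data.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class ChildSigning
{
    // Sign EvemHRDocument while it is the document root (URI "" = this whole document),
    // so the digest never covers OddajVlogoReq. The empty <Signatures> container must
    // exist BEFORE ComputeSignature(): the enveloped transform strips only ds:Signature.
    public static XmlElement SignChild(string childXml, RSA key)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(childXml);
        XmlElement signatures = doc.CreateElement("Signatures");
        doc.DocumentElement.AppendChild(signatures);

        var signedXml = new SignedXml(doc) { SigningKey = key };
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        var reference = new Reference { Uri = "" };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform()); // no inherited wrapper namespaces
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();

        signatures.AppendChild(signedXml.GetXml()); // GetXml() is already owned by doc
        return doc.DocumentElement;
    }

    // Embed the signed element in the wrapper as a deep-copied node, not as text.
    public static XmlDocument Wrap(XmlElement signedChild)
    {
        var wrapper = new XmlDocument { PreserveWhitespace = true };
        wrapper.LoadXml("<OddajVlogoReq/>");
        wrapper.DocumentElement.AppendChild(wrapper.ImportNode(signedChild, true));
        return wrapper;
    }

    // Verify the way the service reportedly does: lift EvemHRDocument back out of the
    // wrapper into a document of its own, then check the enveloped signature there.
    public static bool VerifyStripped(XmlDocument wrapper, RSA key)
    {
        var child = (XmlElement)wrapper.DocumentElement.SelectSingleNode("EvemHRDocument");
        var standalone = new XmlDocument { PreserveWhitespace = true };
        standalone.AppendChild(standalone.ImportNode(child, true));
        var sigEl = (XmlElement)standalone.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl)[0];
        var verifier = new SignedXml(standalone);
        verifier.LoadXml(sigEl);
        return verifier.CheckSignature(key);
    }

    public static void Main()
    {
        using RSA key = RSA.Create(); // constructed stand-in for the certificate's private key
        XmlDocument request = Wrap(SignChild("<EvemHRDocument><Data>sample</Data></EvemHRDocument>", key));
        Console.WriteLine(VerifyStripped(request, key));
    }
}
```

Exclusive C14N is what keeps the digest independent of namespace declarations on the wrapper; with inclusive C14N, moving the signed element under a parent that declares namespaces can silently invalidate the signature.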

0 Answers