1

i'm trying to sign a xml with SecurityTokenReference for send it to ibm datapower service, but when i send it returns empty cert or error, when i send from SOAPUI DataPower receives ok

I've tried a lot of time with diferent types like: BinarySecurityToken, SecurityTokenReference... but i always get the same error, please help me.

Correct xml:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" 
   xmlns:ser="http://www.example.org/ServiciosAdministrativosCodensa" 
   xmlns:met="http://www.colpatria.com/services/metadata">
   <soapenv:Header>
      <wsse:Security xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <ds:Signature Id="SIG-CFB8CEFD4DE1135138158023563139463" 
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <ec:InclusiveNamespaces PrefixList="met ser soapenv" 
                     xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               </ds:CanonicalizationMethod>
               <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
               <ds:Reference URI="#id-CFB8CEFD4DE1135138158023563139462">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="met ser" 
                           xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                     </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <ds:DigestValue>d4ThIYDCXlPoN6kGvXq+Ntf/XKQ=</ds:DigestValue>
               </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>0Ph8zgWSDbWaEkczeu3RbpYmivkWSvzjjqqoUW91JnTR0NuyZhWisLTddbJvvY3xQzmjHuIVL1wW IXjIatJwMgAERjK48EjPXrr+MuMWzo2vAPmA04p2TWiF7vzFCI7pWgWzLk2D2oEx/bn3Xr4wQ2dm l00uT5Cj3B79UIRdTc76s60GBW/7ZOuFySbDywTxjXz1bNArKbS81EZXZH+jw0jk2Esf0wAHSF9u 2VCUeQvPAISKAMsx116bPT3+ReDX4b8XDTvfM1I7pnMZ9broV2adBG3nMW6FTucDEl2oJpfb7y0N CAE38EJjfdmfF/tRUHdmVGzHu8evWgqL9OgkXg==</ds:SignatureValue>
            <ds:KeyInfo Id="KI-CFB8CEFD4DE1135138158023563139460">
               <wsse:SecurityTokenReference wsu:Id="STR-CFB8CEFD4DE1135138158023563139461">
                  <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">0+fjoRhUswYnp4F6biToxgrgnAg=</wsse:KeyIdentifier>
               </wsse:SecurityTokenReference>
            </ds:KeyInfo>
         </ds:Signature>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body wsu:Id="id-CFB8CEFD4DE1135138158023563139462" 
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <ser:activacionTarjetasRequest>
         <met:requestHeader>
            <met:esbHeader>
               <met:transactionId>350278742945543</met:transactionId>
               <met:serviceCode>RBMCARD1</met:serviceCode>
               <met:operationCode>Update</met:operationCode>
               <met:requestUser>PARRAJOH</met:requestUser>
               <met:requestSystem>GBM</met:requestSystem>
               <met:channel>GBM</met:channel>
               <met:host>10.236.224.50</met:host>
               <met:executionMode>U</met:executionMode>
               <met:operationCountry>057</met:operationCountry>
               <met:operationBank>Colpatria</met:operationBank>
               <met:transactionDate>2020-01-28</met:transactionDate>
               <met:transactionTime>13:20:31</met:transactionTime>
               <met:officeCode>9</met:officeCode>
               <met:numberPages>01</met:numberPages>
               <met:totalPages>01</met:totalPages>
               <met:institutionCode>019</met:institutionCode>
               <met:usernameToken>
                  <met:userName>testColDensa</met:userName>
                  <met:password>w5jgTS26eU</met:password>
               </met:usernameToken>
            </met:esbHeader>
         </met:requestHeader>
         <ser:parteFija>
            <ser:codAplicacion>25</ser:codAplicacion>
            <ser:codTerminal>235-55126-6</ser:codTerminal>
            <ser:codEstablecimiento>019</ser:codEstablecimiento>
            <ser:fecTransaccion>20190904</ser:fecTransaccion>
            <ser:horTransaccion>105523</ser:horTransaccion>
            <ser:dispositivo>INTERNET</ser:dispositivo>
            <ser:nroAuditoria>123605</ser:nroAuditoria>
            <ser:consecutivo>1069735</ser:consecutivo>
            <ser:tipTransaccion>NORMAL</ser:tipTransaccion>
            <ser:trackII>
               <ser:nroCuentaPrimaria>0316552636556352</ser:nroCuentaPrimaria>
               <ser:fecVencimiento>0905</ser:fecVencimiento>
               <ser:codServicio>562</ser:codServicio>
               <ser:campoVerificacionPIN>01234</ser:campoVerificacionPIN>
               <ser:cardVerificationCode>2</ser:cardVerificationCode>
            </ser:trackII>
         </ser:parteFija>
      </ser:activacionTarjetasRequest>
   </soapenv:Body>
</soapenv:Envelope>

my xml:

<soapenv:Envelope xmlns:ser="http://www.example.org/ServiciosAdministrativosCodensa" 
xmlns:met="http://www.colpatria.com/services/metadata" 
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
    <wsse:Security xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509Subjectwsse:KeyIdentifier">
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <ec:InclusiveNamespaces PrefixList="met ser soapenv" 
                        xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:CanonicalizationMethod>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#id-C758EA542CABFF8A3C158014740919829">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces PrefixList="met ser" 
                                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>hALHAC9T8wWZ6+5b9JFAWFwqdKc=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>JHFeMOqW9hqGEgS2gtTlJiRqQfxsd5z88mC0qzOZKtw8/aEdDWBEZU7jwEwUYwym4kgbK8kXrTCfwdT8TFpYy6NEo8Yi3wlQtC3R4buCcVreeSeWRBe9dpDw6loLPR0VsU3qFeO+3NUFMsOG49jzG37DqQVSn/6tz7Ojh7t3zTQY9wWRJdrK2iAbf04+qmNK+ATKWpOEm/waJv4GNT0pQCELQQtJqQj2t6XhPR9LwYJMOcFvB3wpJ0cKjaJ8pUCLYT2WUofNZBrelMUVgQrYrWAJ/q1GYYqfFv1vcdjmja77Q11zH6I55sZPBDJ2vLpDJlmf8YBHcII2zUS5Qs61Tw==</ds:SignatureValue>
            <ds:KeyInfo Id="KI-C758EA542CABFF8A3C158014740919527">
                <wsse:SecurityTokenReference wsu:Id="STR-C758EA542CABFF8A3C158014740919528" 
                    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                    <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">0+fjoRhUswYnp4F6biToxgrgnAg=</wsse:KeyIdentifier>
                </wsse:SecurityTokenReference>
            </ds:KeyInfo>
        </ds:Signature>
    </wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="id-C758EA542CABFF8A3C158014740919829" 
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <ser:activacionTarjetasRequest>
        <met:requestHeader>
            <met:esbHeader>
                <met:transactionId>100360</met:transactionId>
                <met:serviceCode>CRTPINES1</met:serviceCode>
                <met:operationCode>Update</met:operationCode>
                <met:requestUser>PARRAJOH</met:requestUser>
                <met:requestSystem>GBM</met:requestSystem>
                <met:channel>GBM</met:channel>
                <met:host>10.236.125.242</met:host>
                <met:executionMode>U</met:executionMode>
                <met:operationCountry>057</met:operationCountry>
                <met:operationBank>Colpatria</met:operationBank>
                <met:transactionDate>2020-01-30</met:transactionDate>
                <met:transactionTime>11:54:58</met:transactionTime>
                <met:officeCode>9</met:officeCode>
                <met:numberPages>01</met:numberPages>
                <met:totalPages>01</met:totalPages>
                <met:institutionCode>19</met:institutionCode>
                <met:usernameToken />
            </met:esbHeader>
        </met:requestHeader>
        <ser:parteFija>
            <ser:codAplicacion>QE</ser:codAplicacion>
            <ser:codTerminal>235-55126-D</ser:codTerminal>
            <ser:codEstablecimiento>02167306040</ser:codEstablecimiento>
            <ser:fecTransaccion>20200130</ser:fecTransaccion>
            <ser:horTransaccion>115456</ser:horTransaccion>
            <ser:dispositivo>INTERNET</ser:dispositivo>
            <ser:nroAuditoria>013422</ser:nroAuditoria>
            <ser:consecutivo>000000013422</ser:consecutivo>
            <ser:tipTransaccion>NORMAL</ser:tipTransaccion>
            <ser:trackII>
                <ser:nroCuentaPrimaria>5907120600037112</ser:nroCuentaPrimaria>
                <ser:fecVencimiento>1020</ser:fecVencimiento>
                <ser:codServicio>562</ser:codServicio>
                <ser:campoVerificacionPIN>00000</ser:campoVerificacionPIN>
                <ser:cardVerificationCode>0</ser:cardVerificationCode>
            </ser:trackII>
        </ser:parteFija>
    </ser:activacionTarjetasRequest>
</soapenv:Body>

and my code:

public static string SignXml(XmlDocument xmlDoc)
    {
        xmlDoc.PreserveWhitespace = false;
        XmlNamespaceManager ns = new XmlNamespaceManager(xmlDoc.NameTable);
        ns.AddNamespace("soapenv", "http://schemas.xmlsoap.org/soap/envelope/");

        X509Certificate2 cert = GetCertificateBySubject("WSRBM_CFacil_Firma_IIS_DP_dev");

        // Create a SignedXml object.
        CustomSignedXml signedXml = new CustomSignedXml(xmlDoc);

        RSACryptoServiceProvider rsaKey2 = (RSACryptoServiceProvider)cert.PrivateKey;

        signedXml.SigningKey = rsaKey2;

        // Specify a canonicalization method.
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;

        // Set the InclusiveNamespacesPrefixList property.        
        XmlDsigExcC14NTransform canMethod = (XmlDsigExcC14NTransform)signedXml.SignedInfo.CanonicalizationMethodObject;
        canMethod.InclusiveNamespacesPrefixList = "met ser soapenv";

        // Create a reference to be signed.
        Reference reference = new Reference();
        reference.Uri = "#id-C758EA542CABFF8A3C158014740919829";
        reference.Type = "";

        string referenceDigestMethod = "http://www.w3.org/2000/09/xmldsig#sha1";
        reference.DigestMethod = referenceDigestMethod;

        XmlDsigExcC14NTransform c14n = new XmlDsigExcC14NTransform();
        c14n.InclusiveNamespacesPrefixList = "met ser";

        reference.AddTransform(c14n);

        signedXml.AddReference(reference);

        KeyInfo keyInfo = new KeyInfo();
        KeyInfoX509Data kdata = new KeyInfoX509Data(cert);

        X509ExtensionCollection extensions = cert.Extensions;

        SecurityTokenReference skr = new SecurityTokenReference();
        skr.Id = "STR-C758EA542CABFF8A3C158014740919528";
        foreach (X509Extension extension in extensions)
            if (extension.Oid.Value == "2.5.29.14")
            { // OID for SKI extension
                X509SubjectKeyIdentifierExtension skiT = extension as X509SubjectKeyIdentifierExtension;
                if (skiT != null)
                {
                    kdata.AddSubjectKeyId(skiT.SubjectKeyIdentifier);
                    skr.KeyIdentifier = new KeyIdentifier(Convert.ToBase64String((byte[])kdata.SubjectKeyIds[0]));
                    break;
                }
            }

        skr.ValueType = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier";

        keyInfo.Id = "KI-C758EA542CABFF8A3C158014740919527";
        keyInfo.AddClause(skr);
        signedXml.KeyInfo = keyInfo;
        // Compute the signature.
        signedXml.ComputeSignature("ds");

        XmlElement xmlDigitalSignature = signedXml.GetXml("ds");

        XmlElement root = (XmlElement)xmlDoc.DocumentElement;

        root = setPrefix(root, "soapenv:Security", "wsse");
        root = setAttr(root, "wsse:Security", "xmlns:wsu", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
        root = setAttr(root, "wsse:Security", "xmlns:wsse", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509Subjectwsse:KeyIdentifier");

        //xmlDigitalSignature = setAttr(xmlDigitalSignature, "ds:Signature", "id", "SIG-C758EA542CABFF8A3C158014740919830");
        //var export = cert.Export(X509ContentType.Cert, ConfigurationManager.AppSettings["claveP12yCer"]);
        //var base64 = Convert.ToBase64String(export);

        root.GetElementsByTagName("wsse:Security")[0].AppendChild(xmlDigitalSignature);
        return root.OuterXml;
    }

thanks.

Arthur Brian Gil Paredes
  • 41
  • 1
  • 4
  • what version of Net Library are you running. Are you running x64? The encryption algorithm you are using isn't producing the a key that is compatible with the encryption method the server is using. I've seen issues recently when Net Library was upgraded that working application stopped working. I've also seen many cases where c# encryption didn't not work with java and that turned out to be a padding issue. I would try setting the project Net setting to use older version of Net like 4.0 or 4.6 if you are using 4.7. – jdweng Jan 30 '20 at 15:32
  • i've .net 4.0, and i tried x64 and x32 but i get the same error "Hash values don't match" – Arthur Brian Gil Paredes Jan 30 '20 at 16:25
  • Very interesting. Net 4.0 release was around Feb 2011. You are using RSA with SHA-1. So do you have the 32 bit version of Win 7 or the 64 bit version of Win 7. May be the following will help : https://social.msdn.microsoft.com/Forums/vstudio/en-US/c39f2298-ffe3-48d9-ad1e-ababa122d229/sha1-with-rsa-in-c?forum=netfxbcl and following : https://www.codeproject.com/Questions/490344/accessplussha1plusencryptedpluswebservice You may be able to ignore the hash according to the codeproject since hash is optional. – jdweng Jan 30 '20 at 17:45

0 Answers0