
I need to connect to a web service that has wsse security and need to generate all the hashes and tokens by hand because savon doesn't have this functionality yet.

The thing that drives me insane is the signature.

    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="#_0">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>......</DigestValue>
      </Reference>
    </SignedInfo>

This is the referenced part:

    <u:Timestamp u:Id="_0">
      <u:Created>2012-01-04T08:21:22.143Z</u:Created>
      <u:Expires>2012-01-04T08:26:22.143Z</u:Expires>
    </u:Timestamp>

From what I understand, I need to canonicalize the referenced element (the timestamp), then hash it with SHA-1 and then encode it to base64.

The question is, what part of the timestamp do I need to canonicalize? I tried using the whole element, then using and separately but I never get the correct DigestValue.

2 Answers


I sorted it out. I was canonicalizing the timestamp block with indentation inside it, which left some spaces and "\n"s that messed up the digest. After I transformed the whole XML request to a one-liner, everything worked correctly. After more than a week battling with this security and finally seeing some result, the world seems a beautiful place :)

  • Hey @Georgi-Mitrev, the world would be an even better place if you told us how you got it to work... I mean all the steps involving the Savon client configuration in order to consume the WSSE secured service :-D – Pablo Marambio Jun 03 '13 at 20:32
  • @PabloMarambio See my comment. I have implemented it and made a pull request. You may use it if you still need that. – Sandro L Nov 16 '15 at 11:14
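
The whitespace effect described in the answer above, shown as an added Ruby example that is not part of the original posts. The canonical form is written out by hand for this one element instead of coming from a c14n library, and the namespace URI bound to `u:` and all helper names are assumptions.

```ruby
require 'digest'

# Assumption: the u: prefix is bound to the WS-Security utility namespace;
# the question does not show the declaration.
WSU_NS = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'

# Exclusive C14N output for the Timestamp subtree, hand-written for this
# simple element: the xmlns:u declaration is emitted on the element that uses
# it (before the u:Id attribute), and text nodes, including whitespace
# between child elements, are kept byte for byte.
def canonical_timestamp(created, expires, indent: '')
  nl = indent.empty? ? '' : "\n"
  %(<u:Timestamp xmlns:u="#{WSU_NS}" u:Id="_0">#{nl}) +
    "#{indent}<u:Created>#{created}</u:Created>#{nl}" +
    "#{indent}<u:Expires>#{expires}</u:Expires>#{nl}" +
    '</u:Timestamp>'
end

# DigestValue = Base64(SHA-1(canonical octets)), per the #sha1 DigestMethod.
def digest_value(octets)
  [Digest::SHA1.digest(octets)].pack('m0')
end

# What the answer did: drop whitespace-only text between tags, so the bytes
# that are digested and the bytes that are sent are the same one-liner.
def strip_layout_whitespace(xml)
  xml.gsub(/>\s+</, '><')
end

# Constructed sample input using the timestamps from the question.
CREATED = '2012-01-04T08:21:22.143Z'
EXPIRES = '2012-01-04T08:26:22.143Z'

def demo
  pretty  = canonical_timestamp(CREATED, EXPIRES, indent: '  ')
  compact = canonical_timestamp(CREATED, EXPIRES)
  {
    pretty: digest_value(pretty),           # indentation is part of the digest
    compact: digest_value(compact),         # one-liner form
    pretty_stripped: digest_value(strip_layout_whitespace(pretty))
  }
end

demo.each { |name, value| puts "#{name}: #{value}" } if $PROGRAM_NAME == __FILE__
```

The `pretty` and `compact` digests differ while `pretty_stripped` matches `compact`, which is why the digest has to be computed over exactly the bytes that go on the wire.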

I added a pull request to use signed timestamps to Akami (the gem Savon uses for WSSE signing). You can view it here: https://github.com/savonrb/akami/pull/25 Until it gets implemented you may use https://github.com/webit-de/akami which has implemented it already.

Sandro L