verifying a WCF signed SOAP message

StackOverflow https://stackoverflow.com/questions/1724558

Question

I have a problem verifying a SOAP message timestamp and body.

Before starting to write any code I'm trying to verify it by myself, these are the steps I followed to verify the timestamp:

1) Extract the timestamp tag, add any used namespace and write it to a file:

<u:Timestamp u:Id="uuid-cd1febd3-a76a-4148-8a3e-367aee62293d-1" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <u:Created>2009-11-11T17:37:49.000Z</u:Created>
 <u:Expires>2009-11-11T17:42:49.000Z</u:Expires>
</u:Timestamp>

2) Use xmllint to canonicalize it

xmllint --exc-c14n timestamp.xml > timestamp.ext-c14n.xml

3) use openssl to get the SHA-1 digest of the file

openssl sha1 timestamp.ext-c14n.xml

4) uudecode the base64 DigestValue of the timestamp reference (jGZkqCNLTnUfbdpoFn19LSYkhts=) and open it with a hex editor

5) the binary value of the DigestValue is different from the sha1 of the canonicalized xml piece.

What am I doing wrong?

Here is the full SOAP Request:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
        <o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
            <u:Timestamp u:Id="uuid-cd1febd3-a76a-4148-8a3e-367aee62293d-1">
                <u:Created>2009-11-11T17:37:49.000Z</u:Created>
                <u:Expires>2009-11-11T17:42:49.000Z</u:Expires>
            </u:Timestamp>
            <o:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" u:Id="uuid-ff111e4e-b184-493f-a3a7-1cb85013440a-2">MIIB/TCCAWagAwIBAgIQx9PrVMJZiohOMYoubtFJ4jANBgkqhkiG9w0BAQQFADAVMRMwEQYDVQQDEwpSb290Q0FUZXN0MB4XDTA5MTEwNTE1NTAzN1oXDTM5MTIzMTIzNTk1OVowGTEXMBUGA1UEAxMOdGVtcENlcnRDbGllbnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPXXm8nHsKY7jDaAJ2MVtgj0vd15D4kAFCVrflAGCBDGxku1zVGgTppv8n7i2nJLoXkMpi4HSj9+ci78YMQOKeRq0uIN3AV39hQbjjf5RkV7QY0PYprKYcVKZrWa/LYesI4jYz+ULDnpF7Q2Euk2XFYVLTWPaWU/Zys9K1wNT/n/AgMBAAGjSjBIMEYGA1UdAQQ/MD2AEHNg0Im3hcyQVTxOx1KtRZmhFzAVMRMwEQYDVQQDEwpSb290Q0FUZXN0ghDPzOoIMA8Rkkur9od1bScFMA0GCSqGSIb3DQEBBAUAA4GBAHeTK0GedKo51ZplEfAL+7+NqU5YL9yPhyGqeMUtNBJBJUdbXfvKMZNN+wMHG72boM0HV9jiSKgdjdFDaQ5cLrpLMc48wPs+PPK4KCZynQ/qBCj91w8Vvsprk4EwjGKROGeFhq8FOO8nwukKj1dMCZWELqOPutHjAKgtKpYu4zyt</o:BinarySecurityToken>
            <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
                    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
                    <Reference URI="#_1">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
                        <DigestValue>GFOHIzFb+GV4fj8/sGWx2J5U7ag=</DigestValue>
                    </Reference>
                    <Reference URI="#uuid-cd1febd3-a76a-4148-8a3e-367aee62293d-1">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
                        <DigestValue>jGZkqCNLTnUfbdpoFn19LSYkhts=</DigestValue>
                    </Reference>
                </SignedInfo>
                <SignatureValue>Q6TsGUPlgzfvoh4obnpwTIM5+rG/MynC4Pr8DDkpsClkUBM4+VrR0i7bHdM51779lbLzqj01W1H3GfNehVKxwAi0c0aAKlcVUm0i3PeA2NzmdTPRHy6tHmX2yyLC5TDjhA+jmqRoU/VlWhShD7Komm/9zsyDhQKF4M92rPUo0To=</SignatureValue>
                <KeyInfo>
                    <o:SecurityTokenReference>
                        <o:Reference URI="#uuid-ff111e4e-b184-493f-a3a7-1cb85013440a-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></o:Reference>
                    </o:SecurityTokenReference>
                </KeyInfo>
            </Signature>
        </o:Security>
    </s:Header>
    <s:Body u:Id="_1">
        <sayHello xmlns="urn:iPhone.Server"></sayHello>
    </s:Body>
</s:Envelope>
Was it helpful?

Solution

I removed all the line breaks and spaces between the tags and the digests matched. The correct XML to use would be:

<u:Timestamp u:Id="uuid-cd1febd3-a76a-4148-8a3e-367aee62293d-1" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><u:Created>2009-11-11T17:37:49.000Z</u:Created><u:Expires>2009-11-11T17:42:49.000Z</u:Expires></u:Timestamp>
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top