Title: Can't get Microsoft .NET to validate a SOAPMessage signed by Apache XMLSec ...

Hi all

I'm having a really bad time with this problem. Any help on the matter would be really good.

We've set up a .NET test-environment to penetrate a tricky soon-need-to-be-deployed B2B
application involving some 6 or 7 different companies.
All of the others are using the Ms platform, while I'm using Java on WebSphere together with
(among a lot of external packages) Apache XMLSec 1.1.
We have to communicate different XML-messages back and forth and we are to use signed SOAP
messages.

The messages look a bit like this:

<soap:envelope>
  <soap:Header>
    <txHeader>
     ...
    </txHeader>
    <wsse:Security>
        <SignedInfo>
           <Reference>
             <DigestValue>DIGEST_TXHEADER</DigestValue>
           </Reference>
           <Reference>
             <DigestValue>DIGEST_SOAPBODY</DigestValue>
           </Reference>
        </SignedInfo>
        <SignatureValue>SIGNATURE</SignatureValue>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
   ...
  </soap:Body>
</soap:envelope>

While both Apache and Microsoft manage to produce the same two digest values (given the same source)
the signing-method(s) produce different SIGNATUREs. As it happens, Apache can validate both messages
while Microsoft can only validate its own message.

How can this be? Is it the canonicalization of the SignedInfo-node that differs or do the two
implementations differ in their adherence to the underlying specification? What can be done to solve
this annoying showstopper?

Please, any help is useful.


   regards ... Jocke
