My project uses Java and the toolkit Apache XML Security version 1.1 for Java to 
digitally sign and validate a SOAP message containing a detached signature using an 
X509 certificate. The corresponding certificate is also included using the 
BinarySecurityToken and a reference to it in a SecurityTokenReference tag. The SOAP 
message has an element in the soap:Header and one element in the soap:Body, both 
containing business data, and these elements are therefore being referenced by the 
signature (see example message).

These messages are afterwards sent to my project's business partner via HTTP. 
Also, the same type of messages are created, signed and transmitted by my 
project's business partner, using Microsoft .NET and probably some version of WSE, and 
then sent back to my project.

Example message

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Header>
      <txh:TxHeader xmlns:txh="http://schemas.ssek.org/txheader/2003-04-03/"
                    xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
                    soap:mustUnderstand="1" wsu:Id="txHeader">
         <txh:SenderId txh:type="CN">TheSenderID</txh:SenderId>
         <txh:ReceiverId txh:type="CN">TheRecieverID</txh:ReceiverId>
         <txh:TxId>e72a8ffd-f10b-11d8-8d0a-59cd0f604ce5</txh:TxId>
         <txh:Timestamp>2004-08-18T13:44:03</txh:Timestamp>
      </txh:TxHeader>
      <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext"
                     soap:mustUnderstand="1">
         <wsse:BinarySecurityToken xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
                                   EncodingType="wsse:Base64Binary" ValueType="wsse:X509v3"
                                   wsu:Id="MySecurityToken">CWfFEoVpR8FX7A&&.=</wsse:BinarySecurityToken>
         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
               <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
               <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
               <Reference URI="#txHeader">
                  <Transforms>
                     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <DigestValue>2tj1B31Sk+59S0W2vVrraX97c4c=</DigestValue>
               </Reference>
               <Reference URI="#soapBody">
                  <Transforms>
                     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <DigestValue>a0q9friUjwfd8i3plQCOI1kGYd0=</DigestValue>
               </Reference>
            </SignedInfo>
            <SignatureValue>
WmR9U+3/ACWfFEoVpR8FX7AI5HVCrWdbViSD4mpuIriTm6zqlOMDZi2XqId01Q2BxFqeUwgLHuVvIrnglL4M/CqptMyY2pnFdcgiZYZeDtWk0brSsoCCUZb9iNAHDK6YfD53AHhFBZ9h/hVabFYXpQxN
wKeSNpfFWkb7UgzTGsI=</SignatureValue>
            <KeyInfo>
               <wsse:SecurityTokenReference>
                  <wsse:Reference URI="#MySecurityToken"/>
               </wsse:SecurityTokenReference>
            </KeyInfo>
         </Signature>
      </wsse:Security>
   </soap:Header>
   <soap:Body xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility" wsu:Id="soapBody">
      <MyBusinessData xmlns="http://www.mybusiness.se/xmlschema/2004-01-16/"
                      Skapad="2004-05-24T14:48:02.070" TxId="9678B606-E85D-49c7-8A49-5CDEA3F128F4">
      </MyBusinessData>
   </soap:Body>
</soap:Envelope>

Status

Currently the status is as follows:

1. My project can validate its own signed messages.
2. My project can, with the same code and certificate, validate the business 
   partner's signed messages.
3. The business partner can't validate my project's signed messages.

After extensive testing and debugging, it is concluded that the signature references' 
digest values become the same in both Java and .NET signed messages. But the 
SignatureValues differ! Do the Java and .NET implementations of the canonicalization 
algorithms differ, therefore producing different values?
According to posts in various newsgroups, it is concluded that some 
interoperability issues between Java toolkits and .NET Framework / WSE 1.0 / WSE 2.0 
occur in the implementations of the canonicalization algorithms.

Questions

Which combinations of toolkits (Apache 1.1 XML Security and .NET Framework / WSE 1.0 
SP1 / WSE 2.0) are possible according to the different implementations of the 
canonicalization algorithms?

How to configure either toolkit (Apache or .NET) to make both canonicalization 
algorithms the same regarding implementation?

Which toolkit supports the XML Signature standard?

Are there any interoperability test results accessible between Apache XML Signature 
and .NET?

Any, and I mean any, input / feedback / help is much appreciated because we are stuck...

PS. Sorry for the long posting. D.s

Mats
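A diagnostic a verifier would run on both the Java-signed and the .NET-signed message to pin down a "digests match, SignatureValue differs" case: dump the exact SignedInfo octets that were fed to RSA-SHA1 (SignedInfo is canonicalized with inclusive C14N, which also emits every namespace declaration in scope from the ancestors, so the soap:/wsse:/wsu: context matters) and then check the signature against the certificate carried in the BinarySecurityToken. This is an added example, not code from the post or from the Apache project; it assumes the message path is passed as the first argument, Java 8+ for java.util.Base64, and a DOM Level 3 parser with a toolkit that honors setIdAttributeNS (with the 1.1-era toolkit, registering the wsu:Id through its IdResolver serves the same purpose).

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.signature.XMLSignature;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SignedInfoDiag {
    static final String DSIG = "http://www.w3.org/2000/09/xmldsig#";
    static final String WSSE = "http://schemas.xmlsoap.org/ws/2002/07/secext";
    static final String WSU  = "http://schemas.xmlsoap.org/ws/2002/07/utility";

    public static void main(String[] args) throws Exception {
        Init.init();
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);   // without this the ds:/wsu: lookups below silently fail
        Document doc = f.newDocumentBuilder().parse(new FileInputStream(args[0]));

        // Declare wsu:Id as an ID attribute so URI="#txHeader" / "#soapBody" resolve.
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (e.hasAttributeNS(WSU, "Id")) e.setIdAttributeNS(WSU, "Id", true);
        }

        Element sigEl = (Element) doc.getElementsByTagNameNS(DSIG, "Signature").item(0);
        XMLSignature sig = new XMLSignature(sigEl, "");

        // The bytes actually signed: SignedInfo after inclusive C14N. Diff this output
        // between the Java-produced and .NET-produced messages; any byte that differs
        // (typically inherited xmlns declarations or whitespace) explains the mismatch.
        byte[] octets = sig.getSignedInfo().getCanonicalizedOctetStream();
        System.out.println(new String(octets, "UTF-8"));

        // Pull the signer certificate out of the BinarySecurityToken and verify.
        Element bst = (Element) doc.getElementsByTagNameNS(WSSE, "BinarySecurityToken").item(0);
        byte[] der = Base64.getMimeDecoder().decode(bst.getTextContent().trim());
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(der));
        System.out.println("signature valid: " + sig.checkSignatureValue(cert));
    }
}
```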