From what I can see, .NET removes the spaces between open/close tags, whilst the W3C Canonical XML spec specifies you should keep them:
http://www.w3.org/TR/2001/REC-xml-c14n-20010315 (section 3.2)

Yoram

"Mats T Pettersson" <[EMAIL PROTECTED] kerson.com>
To: [EMAIL PROTECTED]
cc:
Subject: XMLSecurity interop .NET
18/08/2004 15:02
Please respond to security-dev

My project uses Java and the toolkit Apache XML Security version 1.1 for Java to digitally sign and validate a SOAP message containing a detached signature using an X509 certificate. The corresponding certificate is also included using the BinarySecurityToken and a reference to it in a SecurityTokenReference tag. The SOAP message has an element in the soap:header and one element in the soap:body, both containing business data, and these elements are therefore being referenced by the signature (see example message). These messages are afterwards being sent to my project's business partner via HTTP.

Also, the same type of messages are created, signed and transmitted by my project's business partner, using Microsoft .NET and probably some version of WSE, and then sent back to my project.
Example message

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <txh:TxHeader xmlns:txh="http://schemas.ssek.org/txheader/2003-04-03/"
                  xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
                  soap:mustUnderstand="1" wsu:Id="txHeader">
      <txh:SenderId txh:type="CN">TheSenderID</txh:SenderId>
      <txh:ReceiverId txh:type="CN">TheRecieverID</txh:ReceiverId>
      <txh:TxId>e72a8ffd-f10b-11d8-8d0a-59cd0f604ce5</txh:TxId>
      <txh:Timestamp>2004-08-18T13:44:03</txh:Timestamp>
    </txh:TxHeader>
    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext"
                   soap:mustUnderstand="1">
      <wsse:BinarySecurityToken xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
                                EncodingType="wsse:Base64Binary" ValueType="wsse:X509v3"
                                wsu:Id="MySecurityToken">CWfFEoVpR8FX7A&&.=</wsse:BinarySecurityToken>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
          <Reference URI="#txHeader">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc_c14n#"></Transform>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
            <DigestValue>2tj1B31Sk+59S0W2vVrraX97c4c=</DigestValue>
          </Reference>
          <Reference URI="#soapBody">
            <Transforms>
              <Transform Algorithm="2001/10/xml-exc_c14n#"></Transform>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
            <DigestValue>a0q9friUjwfd8i3plQCOI1kGYd0=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>
          WmR9U+3/ACWfFEoVpR8FX7AI5HVCrWdbViSD4mpuIriTm6zqlOMDZi2XqId01Q2BxFqeUwgLHuVvIrnglL4M/CqptMyY2pnFdcgiZYZeDtWk0brSsoCCUZb9iNAHDK6YfD53AHhFBZ9h/hVabFYXpQxN
          wKeSNpfFWkb7UgzTGsI=
        </SignatureValue>
        <KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#MySecurityToken"/>
          </wsse:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility" wsu:Id="soapBody">
    <MyBusinessData xmlns="http://www.mybusiness.se/xmlschema/2004-01-16/"
                    Skapad="2004-05-24T14:48:02.070"
                    TxId="9678B606-E85D-49c7-8A49-5CDEA3F128F4">
    </MyBusinessData>
  </soap:Body>
</soap:Envelope>

Status

Currently the status is as follows:
1. My project can validate its own signed messages.
2. My project can, with the same code and certificate, validate the business partner's signed messages.
3. The business partner can't validate my project's signed messages.

After extensive testing and debugging, it is concluded that the signature references' digest values become the same in both Java and .NET signed messages. But the SignatureValues differ! Do the Java and .NET implementations of the canonicalization algorithms differ, therefore producing different values? According to posts in various newsgroups, it is concluded that some interoperability issues between Java toolkits and .NET Framework / WSE 1.0 / WSE 2.0 occur in the implementations of the canonicalization algorithms.

Questions

Which combinations of toolkits (Apache 1.1 XML Security and .NET Framework / WSE 1.0 SP1 / WSE 2.0) are possible according to the different implementations of the canonicalization algorithms?
How to configure either toolkit (Apache or .NET) to make both canonicalization algorithms the same with regard to implementation?
Which toolkit supports the XML signature standard?
Are there any interoperability test results accessible between Apache XML Signature and .NET?

Any, and I mean any, input / feedback / help is much appreciated 'cause we are stuck...

P.S. Sorry for the long posting. D.s

Mats
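Added example, not part of the original thread and not code from Apache XML Security or .NET: XML-DSig computes SignatureValue over the canonicalized SignedInfo, so the sketch below canonicalizes a constructed SignedInfo once with and once without the whitespace between tags and compares the SHA-1 of the resulting octets. It assumes Python's standard-library xml.etree.ElementTree.canonicalize (C14N 2.0) as a stand-in for the C14N 1.0 named in the message, with strip_text modelling the whitespace removal the reply describes; SIGNED_INFO is a trimmed, constructed sample and the function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET

DS_NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: a trimmed SignedInfo laid out with line breaks and
# indentation, reusing the algorithm URIs and first DigestValue from the message.
SIGNED_INFO = """<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
  <Reference URI="#txHeader">
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
    <DigestValue>2tj1B31Sk+59S0W2vVrraX97c4c=</DigestValue>
  </Reference>
</SignedInfo>"""


def canonical_octets(xml_text, drop_whitespace):
    """Canonical bytes of SignedInfo; drop_whitespace=True removes the
    whitespace-only text nodes between tags (the behaviour the reply describes)."""
    return ET.canonicalize(xml_text, strip_text=drop_whitespace).encode("utf-8")


def digest_values(xml_text):
    """DigestValue strings carried inside SignedInfo (one per Reference)."""
    root = ET.fromstring(xml_text)
    return [e.text for e in root.iterfind(".//ds:DigestValue", DS_NS)]


def compare(xml_text):
    """Contrast the two canonical forms of the same SignedInfo."""
    kept = canonical_octets(xml_text, drop_whitespace=False)
    dropped = canonical_octets(xml_text, drop_whitespace=True)
    return {
        # The Reference digests are element content, so they survive unchanged.
        "reference_digests_equal":
            digest_values(kept.decode()) == digest_values(dropped.decode()),
        # The octets fed to rsa-sha1 are not the same, so SignatureValue differs.
        "signed_octets_equal": kept == dropped,
        "sha1_kept": hashlib.sha1(kept).hexdigest(),
        "sha1_dropped": hashlib.sha1(dropped).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in compare(SIGNED_INFO).items():
        print(f"{key}: {value}")
```

When debugging a real mismatch, dump the canonicalized SignedInfo octets on both sides and diff them byte for byte before looking at keys or certificates.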