Hello, I am developing a service for a SOAP call with X.509 authentication and I need to sign the body and timestamp, but I can't get it to work on the Java side, while in SoapUI it does.
The error (with the Java code) is: SSF_API_SIGNER_ERORS A signing opration not be performed or failed
The configuration in SoapUI is this:
while my signature code is this:
import java.security.PrivateKey;
import java.security.Provider;
import java.util.ArrayList;
import java.util.Collections;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.soap.SOAPBody;      // jakarta.xml.soap with a newer SAAJ
import javax.xml.soap.SOAPElement;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// UUID, getSignatureValueAsString and addInclusiveNamespaces are defined elsewhere and not shown here.
private void createDetachedSignature(SOAPElement signatureElement, PrivateKey privateKey,
        SOAPElement securityTokenReference, SOAPBody soapBody, SOAPElement timestamp) throws Exception {
    String providerName = System.getProperty("jsr105Provider", "org.jcp.xml.dsig.internal.dom.XMLDSigRI");
    XMLSignatureFactory xmlSignatureFactory = XMLSignatureFactory.getInstance("DOM",
            (Provider) Class.forName(providerName).newInstance());

    // Digest method
    DigestMethod digestMethod = xmlSignatureFactory.newDigestMethod("http://www.w3.org/2000/09/xmldsig#sha1", null);

    // Transform: exclusive c14n, created without an InclusiveNamespaces parameter
    ArrayList<Transform> transformList = new ArrayList<Transform>();
    Transform envTransform = xmlSignatureFactory.newTransform("http://www.w3.org/2001/10/xml-exc-c14n#",
            (TransformParameterSpec) null);
    transformList.add(envTransform);

    // References to the Timestamp and the Body, resolved through the wsu:Id attributes registered below
    ArrayList<Reference> refList = new ArrayList<Reference>();
    Reference refTS = xmlSignatureFactory.newReference("#TS" + UUID, digestMethod, transformList, null, null);
    Reference refBody = xmlSignatureFactory.newReference("#Body" + UUID, digestMethod, transformList, null, null);
    refList.add(refBody);
    refList.add(refTS);

    CanonicalizationMethod cm = xmlSignatureFactory.newCanonicalizationMethod(
            "http://www.w3.org/2001/10/xml-exc-c14n#", (C14NMethodParameterSpec) null);
    SignatureMethod sm = xmlSignatureFactory.newSignatureMethod("http://www.w3.org/2000/09/xmldsig#rsa-sha1", null);
    SignedInfo signedInfo = xmlSignatureFactory.newSignedInfo(cm, sm, refList);

    // The Id is set on signatureElement, which is also the parent the ds:Signature gets appended to
    signatureElement.setAttribute("Id", "SIG" + UUID);
    DOMSignContext signContext = new DOMSignContext(privateKey, signatureElement);
    signContext.setDefaultNamespacePrefix("ds");
    signContext.putNamespacePrefix("http://www.w3.org/2000/09/xmldsig#", "ds");

    // These are required for new Java versions: register wsu:Id as an ID attribute so the "#..." URIs resolve
    signContext.setIdAttributeNS(soapBody,
            "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd", "Id");
    signContext.setIdAttributeNS(timestamp,
            "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd", "Id");

    // KeyInfo wraps the SecurityTokenReference; the "KI" Id is set on that reference element
    KeyInfoFactory keyFactory = KeyInfoFactory.getInstance();
    DOMStructure domKeyInfo = new DOMStructure(securityTokenReference);
    KeyInfo keyInfo = keyFactory.newKeyInfo(Collections.singletonList(domKeyInfo));
    if (securityTokenReference instanceof Element) {
        Element keyInfoElement = (Element) securityTokenReference;
        keyInfoElement.setAttribute("Id", "KI" + UUID);
    }

    XMLSignature signature = xmlSignatureFactory.newXMLSignature(signedInfo, keyInfo);
    signContext.setBaseURI("");
    signature.sign(signContext);
    String signatureValue = getSignatureValueAsString(signatureElement);
    System.out.println("Signature Value: " + signatureValue);

    // InclusiveNamespaces elements are inserted into the DOM after sign(), i.e. after the digests were computed
    Element canonicalizationMethodElement = (Element) signatureElement.getElementsByTagNameNS(
            "http://www.w3.org/2000/09/xmldsig#", "CanonicalizationMethod").item(0);
    addInclusiveNamespaces(canonicalizationMethodElement, "soapenv urn");
    NodeList referenceNodes = signatureElement.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Reference");
    for (int i = 0; i < referenceNodes.getLength(); i++) {
        Element referenceElement = (Element) referenceNodes.item(i);
        Element transformsElement = (Element) referenceElement.getElementsByTagNameNS(
                "http://www.w3.org/2000/09/xmldsig#", "Transforms").item(0);
        Element transformElement = (Element) transformsElement.getElementsByTagNameNS(
                "http://www.w3.org/2000/09/xmldsig#", "Transform").item(0);
        addInclusiveNamespaces(transformElement, "wsse soapenv urn");
    }
}
I tried to compare the two requests, and I am attaching them here.
SoapUI request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:urn="urn:sap-com:document:sap:rfc:functions">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                                wsu:Id="X509-8C92EF6DC231D5F4321700816423308691">MIIIEjCCBfqgAwIBAgITHQAAZ/wkXidRhqKJ2wADAABn/DANBgkqhkiG...........</wsse:BinarySecurityToken>
      <wsu:Timestamp wsu:Id="TS-8C92EF6DC231D5F4321700816423307690">
        <wsu:Created>2023-11-24T09:00:23Z</wsu:Created>
        <wsu:Expires>2024-02-15T17:00:23Z</wsu:Expires>
      </wsu:Timestamp>
      <ds:Signature Id="SIG-8C92EF6DC231D5F4321700816423348695" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="soapenv urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <ds:Reference URI="#TS-8C92EF6DC231D5F4321700816423307690">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="wsse soapenv urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>7KhZ1yTPuNhQ7OtTn32HcJQQ04U=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-8C92EF6DC231D5F4321700816423308694">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>t5f22r+WwrehIN/rbI7EFwLq7tM=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>KRttsmdFmqCRQyTmo6/Cgs1Vj8EZ1y9YbObETjtcvhNQUBRny7tIKZE3bH4TwR69L2x0MsosaAcefeuT/OkowAa............</ds:SignatureValue>
        <ds:KeyInfo Id="KI-8C92EF6DC231D5F4321700816423308692">
          <wsse:SecurityTokenReference wsu:Id="STR-8C92EF6DC231D5F4321700816423308693">
            <wsse:Reference URI="#X509-8C92EF6DC231D5F4321700816423308691"
                            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="id-8C92EF6DC231D5F4321700816423308694"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <urn:SCHEMA_CC>
      <IV_BP>3960915933</IV_BP>
    </urn:SCHEMA_CC>
  </soapenv:Body>
</soapenv:Envelope>
My Java request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:urn="urn:sap-com:document:sap:rfc:functions">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                   Id="SIG-1B1352404FC17AFA99AD1B962FA2A67E">
      <wsu:Timestamp wsu:Id="TS-1B1352404FC17AFA99AD1B962FA2A67E">
        <wsu:Created>2023-11-24T08:18:32Z</wsu:Created>
        <wsu:Expires>2023-11-24T08:19:02Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                                wsu:Id="X509Token-1B1352404FC17AFA99AD1B962FA2A67E">MIIIEjCCBfqgAwIBAgITHQAAZ/wkXidRhqKJ2wADAABn..........</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenv urn" />
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <ds:Reference URI="#Body-1B1352404FC17AFA99AD1B962FA2A67E">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soapenv urn" />
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>qOQ+Nv9QAe63RePMKZkCfn2a8xI=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#TS-1B1352404FC17AFA99AD1B962FA2A67E">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soapenv urn" />
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>grbt4GpvYhKKUaetcW2HHMm91Mw=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>agesPe4aOZPE9m1aI17MDz+oE5V7YNk7ox6q1WvmHWjd7EdH4XdqVq62dMnqkE2RRbI5TafX1qnK
udGLnMFcZu/gIYMUYmZ1RrwO6y39tLDWii8hEIZMYj/jIzAqi6d1jXh8GOjtmflYnIsRnidFgokV
/fgoMn7c548QlvEPyCokgFlS/aF4OF5uKqnb/yJ2ilRbeJBlG9QCO5rEUGmgeZ0untABzP+w76yg
PTkPaDTC8UHDQsG4XWMTYL+dyGfnHpYdqz5v+4BI53KfG0V7eqbdCZj9dzYN2MEel1NrgqQP2uQ8
.........</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference Id="KI-1B1352404FC17AFA99AD1B962FA2A67E"
                                       wsu:Id="STR-1B1352404FC17AFA99AD1B962FA2A67E">
            <wsse:Reference URI="#X509Token-1B1352404FC17AFA99AD1B962FA2A67E"
                            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                wsu:Id="Body-1B1352404FC17AFA99AD1B962FA2A67E">
    <urn:GET_SCHEMA_CC xmlns:urn="http://www.example.com/urn">
      <IV_BP>3960915933</IV_BP>
    </urn:GET_SCHEMA_CC>
  </soapenv:Body>
</soapenv:Envelope>
The way to put the certificate in the BinarySecurityToken seems correct to me, while for the signature I don't know if it is the correct way to do it.
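Added example, not the code from the question: a self-contained Java program that signs the Body and Timestamp of a WS-Security envelope with the JDK's built-in XMLSignatureFactory and then verifies the result locally. It differs from the posted method in three places that the two requests above make visible: the InclusiveNamespaces prefix lists are handed to the factory as ExcC14NParameterSpec, so the digests are computed over the same canonical form a verifier reproduces from the PrefixList in the message, rather than being inserted into the DOM after sign(); the Id values for ds:Signature and ds:KeyInfo are passed to newXMLSignature and newKeyInfo, so they are emitted on those elements and not on the wsse:Security parent or the SecurityTokenReference; and the signature is validated against the signer's own public key before anything is sent, so a digest mismatch shows up as a local false instead of an opaque error from the remote service. The envelope, the ids (Body-1, TS-1, X509-1, KI-1, SIG-1), the placeholder token and the generated RSA key pair are all constructed for this example; it uses RSA-SHA256 so the verify step runs under the JDK 17+ default secure validation policy, which rejects SHA-1 digests and signatures, and the two algorithm URIs would be swapped back to the page's xmldsig#rsa-sha1 and xmldsig#sha1 for a service that still requires them.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;
import java.util.Collections;
import javax.xml.crypto.dom.DOMCryptoContext;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.spec.ExcC14NParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class WsSecuritySignDemo {
    static final String SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    // RSA-SHA256 so verify() passes JDK 17+ secure validation, which rejects SHA-1; a service that
    // still demands rsa-sha1 needs the xmldsig#rsa-sha1 and xmldsig#sha1 URIs here and in sign().
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Constructed sample envelope (not the question's request); ids and the token are placeholders.
    static final String ENVELOPE =
        "<soapenv:Envelope xmlns:soapenv=\"" + SOAPENV + "\" xmlns:urn=\"urn:sap-com:document:sap:rfc:functions\">"
      + "<soapenv:Header><wsse:Security xmlns:wsse=\"" + WSSE + "\" xmlns:wsu=\"" + WSU + "\">"
      + "<wsse:BinarySecurityToken wsu:Id=\"X509-1\" ValueType=\"" + X509V3 + "\">BASE64-CERT-PLACEHOLDER</wsse:BinarySecurityToken>"
      + "<wsu:Timestamp wsu:Id=\"TS-1\"><wsu:Created>2023-11-24T09:00:23Z</wsu:Created>"
      + "<wsu:Expires>2023-11-24T09:05:23Z</wsu:Expires></wsu:Timestamp>"
      + "</wsse:Security></soapenv:Header>"
      + "<soapenv:Body xmlns:wsu=\"" + WSU + "\" wsu:Id=\"Body-1\">"
      + "<urn:SCHEMA_CC><IV_BP>0000000000</IV_BP></urn:SCHEMA_CC></soapenv:Body></soapenv:Envelope>";

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();   // stands in for the keystore entry used in production
        Document doc = parse(ENVELOPE);
        sign(doc, kp);
        System.out.println("signature valid: " + verify(doc, kp));
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // required: lookups and Id registration below use namespaces
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static void sign(Document doc, KeyPair kp) throws Exception {
        Element security = (Element) doc.getElementsByTagNameNS(WSSE, "Security").item(0);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DigestMethod digest = fac.newDigestMethod(DigestMethod.SHA256, null);
        // Prefix lists are Transform/C14N parameters, so they are part of the canonical bytes
        // that get digested instead of being patched into the DOM after sign().
        Transform bodyTransform = fac.newTransform(CanonicalizationMethod.EXCLUSIVE,
                new ExcC14NParameterSpec(Arrays.asList("soapenv", "urn")));
        Transform tsTransform = fac.newTransform(CanonicalizationMethod.EXCLUSIVE,
                new ExcC14NParameterSpec(Arrays.asList("wsse", "soapenv", "urn")));
        Reference refBody = fac.newReference("#Body-1", digest, Collections.singletonList(bodyTransform), null, null);
        Reference refTs = fac.newReference("#TS-1", digest, Collections.singletonList(tsTransform), null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE,
                        new ExcC14NParameterSpec(Arrays.asList("soapenv", "urn"))),
                fac.newSignatureMethod(RSA_SHA256, null), Arrays.asList(refBody, refTs));
        // KeyInfo carries a SecurityTokenReference pointing at the BinarySecurityToken by wsu:Id.
        Element str = doc.createElementNS(WSSE, "wsse:SecurityTokenReference");
        Element ref = doc.createElementNS(WSSE, "wsse:Reference");
        ref.setAttribute("URI", "#X509-1");
        ref.setAttribute("ValueType", X509V3);
        str.appendChild(ref);
        KeyInfo ki = fac.getKeyInfoFactory().newKeyInfo(Collections.singletonList(new DOMStructure(str)), "KI-1");
        // Ids for ds:Signature and ds:KeyInfo are given to the factory, so they are emitted on
        // those elements and not on the wsse:Security parent the context appends to.
        XMLSignature sig = fac.newXMLSignature(si, ki, null, "SIG-1", null);
        DOMSignContext ctx = new DOMSignContext(kp.getPrivate(), security);
        ctx.setDefaultNamespacePrefix("ds");
        registerIds(doc, ctx);
        sig.sign(ctx);
    }

    // Tell the context which attributes are IDs so "#Body-1" and "#TS-1" resolve through wsu:Id.
    static void registerIds(Document doc, DOMCryptoContext ctx) {
        ctx.setIdAttributeNS((Element) doc.getElementsByTagNameNS(SOAPENV, "Body").item(0), WSU, "Id");
        ctx.setIdAttributeNS((Element) doc.getElementsByTagNameNS(WSU, "Timestamp").item(0), WSU, "Id");
    }

    // Verify with the signer's own public key before sending: a digest mismatch (for example a
    // PrefixList that was not used when digesting) shows up here instead of at the remote service.
    static boolean verify(Document doc, KeyPair kp) throws Exception {
        Element sigEl = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext vctx = new DOMValidateContext(kp.getPublic(), sigEl);
        registerIds(doc, vctx);
        return XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(vctx).validate(vctx);
    }
}
```

Runs on a plain JDK 11 or later with no third-party libraries. To compare the produced message with the SoapUI request, serialise `doc` with javax.xml.transform after sign(); the one structural difference to expect is that the wsse:SecurityTokenReference created here carries no wsu:Id of its own, which the SoapUI output has but no Reference depends on.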
