Topic
  • 6 replies
  • Latest Post - 2016-11-22T17:24:50Z by 6JET_Raj_s
NILAY97
347 Posts

Pinned topic Sign the Request using xslt

2013-05-13T17:59:09Z | decode failed hash

Hi Hermann/Swlinn/All,

My requirement is to sign the incoming request using XSLT. I am using the dp:sign function to sign the request; however, I am getting Signature Generation Failed - *Decode Hash Failed*.

 

This is what I am doing:

<xsl:variable name="$signMech" select="signingAlgo''"/>

<xsl:variable name="$request" select="//soap:Action"/>

<xsl:variable name="hashValue" select="dp:hash($Algo, $request)"/>

<xsl:variable name="cerKey" select="name:DP_CryptoKey"/>

<xsl:value-of select="dp:sign($signMech,$hashValue,$cerKey)"/>

 

Please help me out. Why am I getting this error, DECODE HASH FAILED? Urgent help please.

  • NILAY97
    347 Posts

    Re: Sign the Request using xslt

    2013-05-13T18:01:21Z

    How do I access my private key? I think it is not getting accessed by:

    <xsl:variable name="cerKey" select="'name:DP_CryptKey'"/>

    Note: DP_CryptoKey is the name of the object which contains my private key. Please help. How do I sign the request using my private key?

  • swlinn
    1398 Posts

    Re: Sign the Request using xslt

    2013-05-14T13:18:18Z
    • NILAY97
    • 2013-05-13T18:01:21Z

    Are you really using the literal 'signingAlgo' as the signing algorithm? From the docs:

    For dp:hash

    algorithm
    (xs:string) that Identifies the hashing algorithm. The firmware release
    supports the following hash algorithms:
    http://www.w3.org/2000/09/xmldsig#sha1
    http://www.w3.org/2001/04/xmlenc#sha256
    http://www.w3.org/2001/04/xmlenc#sha512
    http://www.w3.org/2001/04/xmldsig-more#sha224
    http://www.w3.org/2001/04/xmldsig-more#sha384
    http://www.w3.org/2001/04/xmlenc#ripemd160
    http://www.w3.org/2001/04/xmldsig-more#md5

    For dp:sign

    signMechanism
    (xs:string) Identifies the algorithm used to generate the digital signature.
    signMechanism must reference one of the following algorithms:
    http://www.w3.org/2000/09/xmldsig#dsa-sha1
    http://www.w3.org/2000/09/xmldsig#rsa-sha1
    http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
    http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
    http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160
    http://www.w3.org/2001/04/xmldsig-more#rsa-md5

    Regards,

    Steve

  • NILAY97
    347 Posts

    Re: Sign the Request using xslt

    2013-05-17T06:12:47Z
    • swlinn
    • 2013-05-14T13:18:18Z

    Thank you very much, Steve, for your help. Now I am able to sign my request. However, I have a doubt in my mind. Why is there a change in the output when I sign the request using the "Sign action of DataPower" and when I sign using "dp:sign() in XSLT"?

     

    I mean to say that when I sign using the action, I can see my signed request with all sorts of information, such as <DigestAlgorithm>, the CN name, the signer,

    but when I sign using XSLT, I cannot see the above info; I only get random text between the tags I wish to sign.

    Why so?

  • swlinn
    1398 Posts

    Re: Sign the Request using xslt

    2013-05-17T13:38:45Z
    • NILAY97
    • 2013-05-17T06:12:47Z

    I'll preface my response by saying I don't have a lot of experience with dp:sign as I have always used the processing action, but my take is that the processing action gives you options of not only what to sign but how to generate the output.  In the case of the sign extension function, you're going to need to build the entire signature itself.  The doc on the info center shows an example where it is building a signature where the dp:sign result is just one part ...

    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <xsl:copy-of select="$signedinfo-subtree"/>
        <SignatureValue>
            <xsl:value-of select="dp:sign($sigmech,$signedinfo-hash,$keyid)"/>
        </SignatureValue>
        <xsl:if test='$certid!=""'>
            <KeyInfo><X509Data><X509Certificate>
            <xsl:value-of select="dp:base64-cert($certid)"/>
            </X509Certificate></X509Data></KeyInfo>
        </xsl:if>
    </Signature>

    ...

    Sorry I don't have any examples for you, perhaps other contributors can assist there.  Bottom line is that the processing action does a lot for you that you'll need to do on your own if you want a digital signature generated in your stylesheet.

    Regards,

    Steve

     

  • inestlerode
    166 Posts

    Re: Sign the Request using xslt

    2013-05-17T14:26:53Z

    Trying to reinvent the wheel of XML DSIG using the dp:sign extension function is a very bad idea in general.  You should use the multistep sign action rather than attempting to do this in custom XSLT.  Your current code isn't doing C14N correctly (or at all for that matter).  A real implementation of XML DSIG would use things like dp:c14n-hash and friends rather than dp:hash, but you should just use the sign action.

  • 6JET_Raj_s
    6 Posts

    Re: Sign the Request using xslt

    2016-11-22T17:24:50Z
    • swlinn
    • 2013-05-17T13:38:45Z

     

    Hi Steve,

    I would like to re-open this thread as I have a requirement on APIC, which runs on DataPower, and we don't have any option to use the Sign action as APIC doesn't have one. I am cornered into using dp:sign(), where I am able to sign the incoming message and get a signed, encrypted-looking kind of output.

    The XSLT used here is:

    <?xml version="1.0" encoding="UTF-8"?>
    <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 
    xmlns:exsl="http://xmlns.opentechnology.org/xslt-extensions/common" 
    xmlns:dp="http://www.datapower.com/extensions" 
    xmlns:dpconf="http://www.datapower.com/param/config" 
    xmlns:date="http://exslt.org/dates-and-times" extension-element-prefixes="dp" exclude-result-prefixes="dp date dpconf exsl" version="1.0">
        <xsl:preserve-space elements="argument"/>
        <xsl:template match="/">
            <xsl:variable name="input-xml" select="."/>
            <xsl:message dp:priority="debug">serverSKI::<xsl:copy-of select="$input-xml"/>
            </xsl:message>
            <xsl:variable name="sign-algorithm">
                <xsl:text>http://www.w3.org/2000/09/xmldsig#rsa-sha1</xsl:text>
            </xsl:variable>
            <xsl:variable name="hash-algorithm">
                <xsl:text>http://www.w3.org/2000/09/xmldsig#sha1</xsl:text>
            </xsl:variable>
            <xsl:variable name="hash-signedinfo" select="dp:hash($hash-algorithm,$input-xml)"/>
            <xsl:variable name="sign-pri-key">
                <xsl:text>ski:D3qtCdasfoekYnk=</xsl:text>
            </xsl:variable>
            <xsl:variable name="signed-data">
                <xsl:value-of select="dp:sign($sign-algorithm, $hash-signedinfo, $sign-pri-key)"/>
            </xsl:variable>
            <xsl:variable name="decode">
                <xsl:value-of select="dp:decode($signed-data,'base64')"/>
            </xsl:variable>
            <SignatureValue>
                <xsl:copy-of select="$input-xml"/>
                <xsl:value-of select="$signed-data"/>
            </SignatureValue>
            <xsl:copy-of select="$decode"/>
        </xsl:template>
    </xsl:stylesheet>

    Output from it:

     

    <SignatureValue>jzyhzyZYWpv+C9RfJeGXF4idE7+S3y9ObMhJtUsW1e8cUc7t9zblNIPXzaGXYdRfUqFhyL1phITIAqO2/dAC06t9E8aaOlqgr2G3TPOgs4ccq9GArri2b6zB3zmo4qwEodrrzffnKIVJYD4vipWY5l4sxwjrHirZjBtQ4B0ixOY=</SignatureValue>

    In my case the consumers are expecting an ideal signed SOAP message having:

    <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
       <soapenv:Header>
          <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
             <wsu:Timestamp wsu:Id="Timestamp-843080868434e" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                <wsu:Created>2016-11-21T12:43:53Z</wsu:Created>
                <wsu:Expires>2016-11-21T12:48:53Z</wsu:Expires>
             </wsu:Timestamp>
             <wsse:BinarySecurityToken wsu:Id="SecurityToken-bbe3e151-0bdc-47f3-ae11-8798845ead84" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIIEzjCCA7agAwIBAgIUR9oVmCX58CdcpXbb/wjCg5dh5UEwlEuAzNylriVyNd+hAsH/23vHYJIBbmOQrEhQeW1R39GmmcYe/wuMzgzCaQU8yfVjGIrxI2NoV7hdxemk349vG2gZ461GUGEc6EEPGp+nFcnxJnoQgu4Q==</wsse:BinarySecurityToken>
             <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                   <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                   <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                   <Reference URI="#Timestamp-84308084-a176-4f9c-ad4f-27a91468434e">

    <signatureValue>xusfjskiejfsdlfje</signatureValue>

    It would be great to know how I can build this structure, which can be done using the Sign action.

     

    Regards,

    Raj
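An added example, written for this page and not code from the thread, from IBM, or from the store:/// stylesheets, of what the Sign action does for you and what a dp:sign() call has to be wrapped in to produce the structure in Raj's sample. It also answers Steve's and inestlerode's points about the bare output: dp:hash takes a string, so passing a node-set hashes only its string value (the text content, no markup), and dp:sign returns nothing but the base64 SignatureValue. In XML DSig the signed parts (here a wsu:Timestamp and the soapenv:Body) each get a wsu:Id and a Reference whose DigestValue is the digest of their exclusive-canonical form; the private key then signs the digest of the canonicalized SignedInfo, and that is the only place dp:sign appears. Assumptions: a Crypto Key object DP_CryptoKey (the name used in the thread) and a Crypto Certificate object DP_CryptoCert for the matching certificate; the argument order dp:exc-c14n-hash(prefixList, nodeset, withComments, hashAlgorithm) and dp:sign's second argument being a base64-encoded digest, as given in the DataPower extension-function reference (check them against the reference for your firmware level); and support for exsl:node-set, EXSLT date:add and dp:generate-uuid on that firmware. RSA-SHA1 is used only to match the consumer's sample; rsa-sha256 with the xmlenc#sha256 digest is the better choice wherever the consumer accepts it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from this thread): WS-Security X.509 signature over the
     Timestamp and Body built with dp:exc-c14n-hash and dp:sign. Assumed: key object
     DP_CryptoKey, certificate object DP_CryptoCert, exsl:node-set, date:add, dp:generate-uuid. -->
<xsl:stylesheet version="1.0"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:dp="http://www.datapower.com/extensions"
  xmlns:exsl="http://exslt.org/common"
  xmlns:date="http://exslt.org/dates-and-times"
  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  extension-element-prefixes="dp"
  exclude-result-prefixes="dp exsl date">

  <xsl:variable name="key-id"   select="'name:DP_CryptoKey'"/>   <!-- private key (from the thread) -->
  <xsl:variable name="cert-id"  select="'name:DP_CryptoCert'"/>  <!-- its certificate (assumed name) -->
  <xsl:variable name="sig-alg"  select="'http://www.w3.org/2000/09/xmldsig#rsa-sha1'"/>
  <xsl:variable name="hash-alg" select="'http://www.w3.org/2000/09/xmldsig#sha1'"/>
  <xsl:variable name="c14n-alg" select="'http://www.w3.org/2001/10/xml-exc-c14n#'"/>
  <xsl:variable name="x509-type"
    select="'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'"/>

  <xsl:template match="/">
    <xsl:variable name="ts-id"   select="concat('Timestamp-', dp:generate-uuid())"/>
    <xsl:variable name="body-id" select="concat('Body-', dp:generate-uuid())"/>
    <xsl:variable name="bst-id"  select="concat('SecurityToken-', dp:generate-uuid())"/>
    <xsl:variable name="created" select="date:date-time()"/>

    <!-- 1. Build the signed parts exactly as they will be emitted, wsu:Id included:
         each DigestValue must cover the bytes the receiver will see. -->
    <xsl:variable name="ts-rtf">
      <wsu:Timestamp wsu:Id="{$ts-id}">
        <wsu:Created><xsl:value-of select="$created"/></wsu:Created>
        <wsu:Expires><xsl:value-of select="date:add($created, 'PT5M')"/></wsu:Expires>
      </wsu:Timestamp>
    </xsl:variable>
    <xsl:variable name="body-rtf">
      <xsl:for-each select="/soapenv:Envelope/soapenv:Body">
        <xsl:copy>
          <xsl:attribute name="wsu:Id"><xsl:value-of select="$body-id"/></xsl:attribute>
          <xsl:copy-of select="@* | node()"/>
        </xsl:copy>
      </xsl:for-each>
    </xsl:variable>
    <xsl:variable name="ts"   select="exsl:node-set($ts-rtf)/wsu:Timestamp"/>
    <xsl:variable name="body" select="exsl:node-set($body-rtf)/soapenv:Body"/>

    <!-- 2. SignedInfo: one Reference per part, digest over its exclusive-c14n form
         (dp:hash on a node-set would hash only its text, not the markup). -->
    <xsl:variable name="signedinfo-rtf">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="{$c14n-alg}"/>
        <ds:SignatureMethod Algorithm="{$sig-alg}"/>
        <xsl:for-each select="$ts | $body">
          <ds:Reference URI="#{@wsu:Id}">
            <ds:Transforms><ds:Transform Algorithm="{$c14n-alg}"/></ds:Transforms>
            <ds:DigestMethod Algorithm="{$hash-alg}"/>
            <ds:DigestValue>
              <xsl:value-of select="dp:exc-c14n-hash('', ., false(), $hash-alg)"/>
            </ds:DigestValue>
          </ds:Reference>
        </xsl:for-each>
      </ds:SignedInfo>
    </xsl:variable>
    <xsl:variable name="signedinfo" select="exsl:node-set($signedinfo-rtf)/ds:SignedInfo"/>

    <!-- 3. The only dp:sign call: sign the base64 digest of the canonical SignedInfo.
         dp:sign expects that second argument base64-encoded, which exc-c14n-hash returns. -->
    <xsl:variable name="sig-value"
      select="dp:sign($sig-alg, dp:exc-c14n-hash('', $signedinfo, false(), $hash-alg), $key-id)"/>

    <!-- 4. Assemble the envelope from the very node-sets that were digested. -->
    <xsl:for-each select="/soapenv:Envelope">
      <xsl:copy>
        <xsl:copy-of select="@*"/>
        <soapenv:Header>
          <xsl:copy-of select="soapenv:Header/node()"/>
          <wsse:Security soapenv:mustUnderstand="1">
            <xsl:copy-of select="$ts"/>
            <wsse:BinarySecurityToken wsu:Id="{$bst-id}" ValueType="{$x509-type}"
              EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
              <xsl:value-of select="dp:base64-cert($cert-id)"/>
            </wsse:BinarySecurityToken>
            <ds:Signature>
              <xsl:copy-of select="$signedinfo"/>
              <ds:SignatureValue><xsl:value-of select="$sig-value"/></ds:SignatureValue>
              <ds:KeyInfo>
                <wsse:SecurityTokenReference>
                  <wsse:Reference URI="#{$bst-id}" ValueType="{$x509-type}"/>
                </wsse:SecurityTokenReference>
              </ds:KeyInfo>
            </ds:Signature>
          </wsse:Security>
        </soapenv:Header>
        <xsl:copy-of select="$body"/>
      </xsl:copy>
    </xsl:for-each>
  </xsl:template>
</xsl:stylesheet>
```

Run it as the XSLT step on the request flow with the whole SOAP envelope as input. Exclusive canonicalization is used for both the References and the SignedInfo because it renders only the namespaces an element actually uses, so the digest computed over the result tree fragment here equals the one the receiver recomputes after parsing the serialized message, even though xmlns declarations may end up on different ancestors. To check the output, pass it through a Verify action (or any WS-Security verifier holding the same certificate): it recomputes both DigestValues and checks SignatureValue against the canonical SignedInfo, which is exactly what a signature over dp:hash of the whole document can never satisfy.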