SystemAdmin
Pinned topic signing with X509IssuerSerial and UTF-8 hex problem

2012-10-23T07:15:57Z
Hi Guys,

I am using the Sign action to sign my SOAP messages. After signing the request, the action adds a tag like this:

<dsig:X509IssuerSerial>
<dsig:X509IssuerName>O="\C4\B0ntranet A.\C5\9E.", C=.., CN="\C4\B0ntranet A.\C5\9E."</dsig:X509IssuerName>
<dsig:X509SerialNumber>......</dsig:X509SerialNumber>
</dsig:X509IssuerSerial>

As you see, DataPower converts some characters to UTF-8 (hex) format (İ -> \C4\B0). Actually there is no problem with our Java clients, but one of our .NET clients is having trouble verifying the signature, and what we are thinking is that the .NET client is not able to resolve the IssuerName correctly because of the UTF-8 hex characters. So, can we add the IssuerName's information properly (without converting to UTF-8 hex) in the security header?

Thanks
  • inestlerode

    Re: signing with X509IssuerSerial and UTF-8 hex problem

    2012-10-24T18:43:04Z
    XML DSIG allows many different ways to identify the certificate of the message's signer. The two bad ones to use are X509SubjectName and X509IssuerSerial, as they both involve distinguished names, which means you will immediately end up in bad interop territory between different pieces of software (as you have noticed, Java is OK but .NET is not).

    I would suggest changing your configuration so that the certificate is identified using X509Certificate (where the certificate is inlined rather than the issuer DN and the serial) as this gets rid of all of the interop problems involving the string representation of DNs.
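To make the interop point in this answer (and the hex-escaped issuer name in the question) concrete, here is an added example that is not from the thread, DataPower, Java or .NET. It parses the RFC 2253/1779-style DN string, resolving `\XX` hex escapes back into UTF-8 characters, and shows that a verifier comparing the raw issuer strings byte-for-byte rejects the X509IssuerSerial reference while a verifier comparing parsed DNs accepts it; the inlined-certificate reference is then resolved by comparing the certificate bytes themselves, with no DN string involved. All sample values (the `C=XX` country, the serial number, the stand-in DER bytes) and all function names are constructed for this illustration.

```python
# Added example, not code from the thread or from DataPower/Java/.NET.
import base64
import hashlib
import re
from typing import Dict, List, Tuple

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")

# Constructed sample data. The first string mimics how the post shows DataPower
# serializing the issuer DN (RFC 1779 quotes, non-ASCII UTF-8 bytes written as
# \XX hex escapes); the second is the same DN as Java/.NET print it. C=XX stands
# in for the country value the post elides and the serial number is made up.
DATAPOWER_ISSUER = 'O="\\C4\\B0ntranet A.\\C5\\9E.", C=XX, CN="\\C4\\B0ntranet A.\\C5\\9E."'
NATIVE_ISSUER = "O=İntranet A.Ş.,C=XX,CN=İntranet A.Ş."
SIGNING_CERT = {"issuer": NATIVE_ISSUER, "serial": "1234567890"}          # what the verifier holds
ISSUER_SERIAL_REF = {"issuer": DATAPOWER_ISSUER, "serial": "1234567890"}  # what KeyInfo carries
SAMPLE_DER = b"constructed stand-in for the DER bytes of the signing certificate"


def _decode_dn_value(raw: str) -> str:
    """Decode one attribute value: drop surrounding quotes, turn each \\XX escape
    into the byte it names, keep \\c as the literal character c, then decode the
    collected bytes as UTF-8 (so \\C4\\B0 becomes the single character 'İ')."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and HEX_PAIR.fullmatch(pair):
                out.append(int(pair, 16))      # one raw byte of a UTF-8 sequence
                i += 3
                continue
            out += raw[i + 1].encode("utf-8")  # escaped special char such as \, or \"
            i += 2
            continue
        out += raw[i].encode("utf-8")
        i += 1
    return out.decode("utf-8")


def _split_rdns(dn: str) -> List[str]:
    """Split a DN string on commas that are neither escaped nor inside quotes."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair intact for decoding later
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse a DN string into (ATTRIBUTE, decoded value) pairs, in order."""
    rdns = []
    for part in _split_rdns(dn):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().upper(), _decode_dn_value(value.strip())))
    return rdns


def normalize_dn(dn: str) -> str:
    """Canonical text form: ATTR=value pairs joined by ',' with all escapes resolved."""
    return ",".join(f"{attr}={value}" for attr, value in parse_dn(dn))


def issuer_serial_matches(ref: Dict[str, str], cert: Dict[str, str], normalize: bool) -> bool:
    """Resolve an X509IssuerSerial reference against a known certificate.
    normalize=False is the byte-for-byte DN comparison a strict verifier does;
    normalize=True compares the parsed DNs instead."""
    if normalize:
        same_issuer = normalize_dn(ref["issuer"]) == normalize_dn(cert["issuer"])
    else:
        same_issuer = ref["issuer"] == cert["issuer"]
    return same_issuer and int(ref["serial"]) == int(cert["serial"])


def inline_certificate(der: bytes) -> str:
    """Text content of a ds:X509Certificate element: base64 of the DER bytes."""
    return base64.b64encode(der).decode("ascii")


def x509certificate_matches(inlined_b64: str, known_der: bytes) -> bool:
    """Resolve an X509Certificate reference by comparing the certificate bytes
    themselves (via SHA-256), so no DN string representation is involved."""
    return hashlib.sha256(base64.b64decode(inlined_b64)).digest() == hashlib.sha256(known_der).digest()


if __name__ == "__main__":
    print("raw issuer strings equal:   ", issuer_serial_matches(ISSUER_SERIAL_REF, SIGNING_CERT, normalize=False))
    print("normalized issuers equal:   ", issuer_serial_matches(ISSUER_SERIAL_REF, SIGNING_CERT, normalize=True))
    print("inlined certificate matches:", x509certificate_matches(inline_certificate(SAMPLE_DER), SAMPLE_DER))
```

The raw comparison fails only because the two sides chose different string encodings of the same issuer name; the normalized comparison succeeds, which is what a lenient verifier effectively does, but every verifier would need the same parser for that to be reliable. With X509Certificate the reference is the certificate itself, so nothing depends on how any product prints a DN.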
  • SystemAdmin

    Re: signing with X509IssuerSerial and UTF-8 hex problem

    2012-10-31T14:28:24Z
    Thanks inestlerode for your answer. You might be right about IssuerName, but it is too late to change it. The system is live and this is our first .NET client, so I can't make a big change to our system.
    I've tried to sign the same message with a Java application and it behaves the same as .NET: it doesn't change the issuerName (O="İntranet A.Ş."). So there might be a way to do this the same way with DataPower. Am I right? Is there any configuration for this on DP?

    Thanks