myfoot

Pinned topic: Hash values do not match

2013-06-30T04:13:55Z

Hi All,

I've been working on this problem for about a month now and still no luck.

My vendor has an IBM DP service. We are a .NET shop and so are using WCF to consume this IBM DP service.

Somehow I was able to generate an exactly matching SOAP request. But then the response is an error.

This is the vendor sample:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:mhs="http://org/emedny/mhs/" xmlns:urn="urn:hl7-org:v3">
  <soapenv:Header>
    <wsse:Security soap:mustUnderstand="1" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d">MIICeDCC....(eMedNY signed user MLS cert).......</wsse:BinarySecurityToken>
      <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685">MIIDFj.....( eMedNY MLS web-service end-point public cert)........</wsse:BinarySecurityToken>
      <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-970e9a80-00cc-4c86-8ec4-3ba16e029a5b">
        <wsse:Username>....your_username.....</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">.....your_plaintext_password....</wsse:Password>
        <wsse:Nonce>KNyu6MsXCkTg4DDyvwvEiw==</wsse:Nonce>
        <wsu:Created>2010-09-15T18:00:30Z</wsu:Created>
      </wsse:UsernameToken>
      <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#SecurityToken-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>gpBAWt91pdwhKva............</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#Enc-0641b860-b16d-4941-91c0-d60bece67794"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <Reference URI="#Id-f10674fd-b999-47c9-9568-c11fa5e5405b">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>wRUq.........</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>tBSsaZi........</SignatureValue>
        <KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="Id-f10674fd-b999-47c9-9568-c11fa5e5405b" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <xenc:EncryptedData Id="Enc-0641b860-b16d-4941-91c0-d60bece67794" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <xenc:CipherData>
        <xenc:CipherValue>SQsTCAK6ZaVhojB8+Y.........</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>

This is my outgoing SOAP:

<s:Envelope xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Header>
       <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <o:BinarySecurityToken u:Id="uuid-9851d7ba-7a04-466e-9d09-519c7798068c-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">REMOVED=</o:BinarySecurityToken>
      <o:BinarySecurityToken u:Id="uuid-9851d7ba-7a04-466e-9d09-519c7798068c-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIDFjCCAnREMOVED=</o:BinarySecurityToken>
      <o:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <o:Username>USER</o:Username>
        <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PW</o:Password>
        <o:Nonce>uVHJc1PBofKWDZA27Gfr8gAozNU=</o:Nonce>
        <o:Created>2013-06-29T10:35:39.321Z</o:Created>
      </o:UsernameToken>
      <e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
        <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <o:SecurityTokenReference>
            <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-9851d7ba-7a04-466e-9d09-519c7798068c-1" />
          </o:SecurityTokenReference>
        </KeyInfo>
        <e:CipherData>
          <e:CipherValue>haYfE0c+tSj1jtK+wUYjESeQjvCzDQascsj0kgTz2EX6UDemUiqBDLmYmybhKlkaPqCIplxlmQnVaqR8xtCCfPKnFi7MkR4/PrOVfc6LAHz8lTMzkQhjv/p0M4UhliQFFuYYfLn+72ecwAqboR2fLhamoRAdrao2pA4us9ydMYo=</e:CipherValue>
        </e:CipherData>
        <e:ReferenceList>
          <e:DataReference URI="#_2" />
        </e:ReferenceList>
      </e:EncryptedKey>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <Reference URI="#_1">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>l6kqP048t5INzJT3W8gxVSXplaE=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>gCwFapZ3D/vUXsvAShTQwNWJoA23ad54NRmUWXR7IBFbsr75HBdZUG5lO1Af+ncShzwJA2a6jJXJmw/1gKswyAP9QuZsa9D+6fGh8jwcVqjm5v/Sh9rgQxWjL6U1kkovP0IAqEjafRu6YgmauFVCHUrJ2QfIN96WYTPnYm9Puvs=</SignatureValue>
        <KeyInfo>
          <o:SecurityTokenReference>
            <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-9851d7ba-7a04-466e-9d09-519c7798068c-2" />
          </o:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </o:Security>
  </s:Header>
  <s:Body u:Id="_1" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
      <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <e:CipherData>
        <e:CipherValue>h0PGIEcirfVRDj6koWSLringql/RJC/uREMOVED==</e:CipherValue>
      </e:CipherData>
    </e:EncryptedData>
  </s:Body>
</s:Envelope>

Both these requests match, according to me, on:

1) UsernameToken with nonce
2) User certificate with PK key
3) Server certificate with public key
4) Sign and encrypt only the Body using the X509 user certificate

But I am still getting this error:

Found the element for the expression. Name "s:Body", reference ID "#_1".
Jun 26 15:26:19 DP303-MedsHistory_PTE [info] wsgw(MedsHistoryWSP): trans(157351047)[request][12.23.28.110]: rule (service_5_2-req): #5 filter: 'INPUT store:///dp/require-signature-element.xsl' completed OK.
Jun 26 15:26:19 DP303-MedsHistory_PTE [debug] wsgw(MedsHistoryWSP): trans(157351047)[request][12.23.28.110]: Stylesheet URL to compile is 'store:///verify.xsl'
Jun 26 15:26:19 DP303-MedsHistory_PTE [debug] xmlmgr(MedsHistoryXMLManager): trans(157351047)[12.23.28.110]: xslt Compilation Request: Checking cache for URL store:///verify.xsl
MedsHistory_PTE [debug] xmlmgr(MedsHistoryXMLManager): trans(157351047)[12.23.28.110]: xslt Compilation Request: Found in cache (store:///verify.xsl)
DP303-MedsHistory_PTE [info] wsgw(MedsHistoryWSP): trans(157351047)[request][12.23.28.110]: Accept set.
DP303-MedsHistory_PTE [debug] wsgw(MedsHistoryWSP): trans(157351047)[request][12.23.28.110]: Evaluating signature reference '_1'
DP303-MedsHistory_PTE [debug] wsgw(MedsHistoryWSP): trans(157351047)[request][12.23.28.110]: Current XPath expression '/*[local-name()='Envelope']/*[local-name()='Body']' covered by signature
DP303-MedsHistory_PTE [debug] wsgw(MedsHistoryWSP): trans(157351047)[request][12.23.28.110]: Signer status: 'Extracted the certificate chain from the BinarySecurityToken having format x509'
DP303-MedsHistory_PTE [info] wsgw(MedsHistoryWSP): trans(157351047)[request][12.23.28.110]: Reject set: Hash values do not match.

So it is not able to match that DigestValue with the hash it expects.

Please help.

Updated on 2013-06-30T04:17:56Z by myfoot
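The following is an added example (not code from this post, from WCF, or from IBM DataPower) of the check a verifier performs before it reports "Hash values do not match": it locates the element whose wsu:Id the ds:Reference URI names, canonicalizes that subtree with exclusive C14N, hashes it with SHA-1 and compares the base64 result with the DigestValue carried in the message. The exclusive C14N is a minimal standard-library reimplementation (no InclusiveNamespaces PrefixList; comments and processing instructions dropped), not DataPower's verify.xsl; the envelope, the Ping element, the urn:example:ping namespace and the "_1" Id are constructed for the demo, and no SignatureValue is checked. The run shows two things: namespace declarations that nothing inside the Body uses (such as the xmlns:xsi and xmlns:xsd WCF puts on s:Body) drop out under exclusive C14N and leave the digest unchanged, while any difference in the serialized subtree the verifier actually hashes, such as re-indentation by an intermediary, does change it.

```python
"""Recompute a ds:Reference digest as a WS-Security verifier does: exclusive C14N of the
referenced element, SHA-1, base64, compared with the DigestValue carried in the message.
Added example, not code from the forum post, WCF or IBM DataPower; standard library only."""
import base64
import hashlib
from xml.dom import XMLNS_NAMESPACE, minidom

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
SHA1_URI = "http://www.w3.org/2000/09/xmldsig#sha1"

def _esc_text(s):
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\r", "&#xD;")

def _esc_attr(s):
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace('"', "&quot;")
    return s.replace("\t", "&#x9;").replace("\n", "&#xA;").replace("\r", "&#xD;")

def _declared_ns(elem):
    """prefix -> URI for the xmlns declarations on this element ('' = default namespace)."""
    return {("" if a.name == "xmlns" else a.localName): a.value
            for a in elem.attributes.values() if a.namespaceURI == XMLNS_NAMESPACE}

def exc_c14n(elem, scope=None, rendered=None):
    """Minimal exclusive C14N (no PrefixList; comments and PIs dropped) of one subtree."""
    if scope is None:                       # subtree root: collect the in-scope declarations
        scope, node = {}, elem
        while node is not None and node.nodeType == node.ELEMENT_NODE:
            scope, node = {**_declared_ns(node), **scope}, node.parentNode
    else:
        scope = {**scope, **_declared_ns(elem)}
    rendered = dict(rendered or {})         # prefix -> URI already written by an output ancestor
    attrs = [a for a in elem.attributes.values() if a.namespaceURI != XMLNS_NAMESPACE]
    used = {elem.prefix or ""} | {a.prefix for a in attrs if a.prefix}   # visibly utilized
    out = ["<" + elem.tagName]
    for prefix in sorted(used):             # default namespace first, then by prefix
        uri = scope.get(prefix, "")
        if rendered.get(prefix, "") != uri:
            rendered[prefix] = uri
            out.append(' xmlns%s="%s"' % (":" + prefix if prefix else "", _esc_attr(uri)))
    for a in sorted(attrs, key=lambda a: (a.namespaceURI or "", a.localName)):
        out.append(' %s="%s"' % (a.name, _esc_attr(a.value)))
    out.append(">")
    for child in elem.childNodes:           # whitespace text nodes are part of the hash
        if child.nodeType == child.ELEMENT_NODE:
            out.append(exc_c14n(child, scope, rendered))
        elif child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            out.append(_esc_text(child.data))
    out.append("</%s>" % elem.tagName)
    return "".join(out)

def sha1_b64(text):
    return base64.b64encode(hashlib.sha1(text.encode("utf-8")).digest()).decode("ascii")

def find_by_id(doc, id_value):
    """Element whose wsu:Id (or unqualified Id) equals the Reference URI fragment."""
    for elem in doc.getElementsByTagName("*"):
        if id_value and id_value in (elem.getAttributeNS(WSU_NS, "Id"), elem.getAttribute("Id")):
            return elem
    return None

def canonical_by_id(envelope_xml, id_value):
    return exc_c14n(find_by_id(minidom.parseString(envelope_xml), id_value))

def check_references(envelope_xml):
    """{Reference URI: (DigestValue in the message, digest recomputed here, equal?)}."""
    doc, results = minidom.parseString(envelope_xml), {}
    for ref in doc.getElementsByTagNameNS(DS_NS, "Reference"):
        algs = [t.getAttribute("Algorithm") for t in ref.getElementsByTagNameNS(DS_NS, "Transform")]
        algs.append(ref.getElementsByTagNameNS(DS_NS, "DigestMethod")[0].getAttribute("Algorithm"))
        if algs != [EXC_C14N, SHA1_URI]:
            raise ValueError("only exc-c14n + sha1 references are handled here: %r" % algs)
        uri = ref.getAttribute("URI")
        expected = ref.getElementsByTagNameNS(DS_NS, "DigestValue")[0].firstChild.data.strip()
        target = find_by_id(doc, uri[1:] if uri.startswith("#") else uri)
        actual = sha1_b64(exc_c14n(target)) if target is not None else None
        results[uri] = (expected, actual, expected == actual)
    return results

# Constructed demo envelope (not the poster's traffic); only the Reference part is present.
ENVELOPE = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="%s">'
            '<s:Header><Signature xmlns="%s"><SignedInfo><Reference URI="#_1"><Transforms>'
            '<Transform Algorithm="%s"/></Transforms><DigestMethod Algorithm="%s"/>'
            '<DigestValue>{digest}</DigestValue></Reference></SignedInfo></Signature>'
            '</s:Header>{body}</s:Envelope>' % (WSU_NS, DS_NS, EXC_C14N, SHA1_URI))
BODY_PLAIN = '<s:Body u:Id="_1"><Ping xmlns="urn:example:ping">hello</Ping></s:Body>'
BODY_UNUSED_NS = ('<s:Body u:Id="_1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
                  'xmlns:xsd="http://www.w3.org/2001/XMLSchema">'
                  '<Ping xmlns="urn:example:ping">hello</Ping></s:Body>')  # unused xmlns added
BODY_REINDENTED = '<s:Body u:Id="_1">\n  <Ping xmlns="urn:example:ping">hello</Ping>\n</s:Body>'  # whitespace added

def signed_envelope(body_xml):
    """Envelope whose DigestValue was computed over exactly this Body serialization."""
    digest = sha1_b64(canonical_by_id(ENVELOPE.format(digest="", body=body_xml), "_1"))
    return ENVELOPE.format(digest=digest, body=body_xml)

def demo():
    """Does the digest verify for: the Body as signed, with unused xmlns added, re-indented?"""
    signed = signed_envelope(BODY_PLAIN)
    return tuple(check_references(signed.replace(BODY_PLAIN, v))["#_1"][2]
                 for v in (BODY_PLAIN, BODY_UNUSED_NS, BODY_REINDENTED))
```

demo() returns (True, True, False). Run check_references() over a captured copy of the outgoing envelope with its real Body: if the recomputed digest equals the DigestValue, the client hashed the Body it actually sent, and the mismatch comes from the subtree the gateway hashes at its verify step (the WS-Security header is processed in document order, so a gateway that handles the EncryptedKey before the Signature hashes the decrypted Body, which only matches if the signer hashed the plaintext too); if the digests already differ locally, the client's signing step and its final serialization disagree.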