<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=Windows-1252">
<TITLE></TITLE>
<META content="MSHTML 6.00.2600.0" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=653361317-03062003><FONT face=Arial color=#0000ff
size=2>Aleksey,</FONT></SPAN></DIV>
<DIV><SPAN class=653361317-03062003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=653361317-03062003><FONT face=Arial color=#0000ff size=2>Thanks
for the reply. I am sorry about not using the mailing list; I will make
sure to use it in the future.</FONT></SPAN></DIV>
<DIV><SPAN class=653361317-03062003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=653361317-03062003><FONT face=Arial color=#0000ff size=2>I
don't have a DTD; I am using the xmlAddID function to inform LibXML2 about all
the IDs.</FONT></SPAN></DIV>
<DIV><SPAN class=653361317-03062003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=653361317-03062003><FONT face=Arial color=#0000ff size=2>Also,
I am capturing the response directly from Websphere and storing it to a file in
binary mode.</FONT></SPAN></DIV>
<DIV><SPAN class=653361317-03062003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=653361317-03062003><FONT face=Arial color=#0000ff size=2>Since
there is no way I could get to the code of Websphere, do you have any other
suggestions on how to solve this issue?</FONT></SPAN></DIV>
<DIV><SPAN class=653361317-03062003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=653361317-03062003><FONT face=Arial color=#0000ff
size=2>Thanks,</FONT></SPAN></DIV>
<DIV><SPAN class=653361317-03062003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=653361317-03062003><FONT face=Arial color=#0000ff
size=2>Regards,</FONT></SPAN></DIV>
<DIV><SPAN class=653361317-03062003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=653361317-03062003><FONT face=Arial color=#0000ff
size=2>-Venky</FONT></SPAN></DIV>
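<DIV><FONT face=Arial size=2>Added worked example (not code from this thread, from xmlsec or from WebSphere) tying the two points in Aleksey's reply together. It assumes lxml, a Python binding of the same libxml2 that xmlsec runs on, and a constructed envelope shaped like the quoted message with a placeholder id body1: XPath id() resolves the Reference only once wsu:Id is declared an ID (here through an internal DTD, the alternative to calling xmlAddID), and a stray newline inside the signed Body changes the exclusive-C14N SHA-1 digest while reordering attributes does not.</FONT></DIV>

```python
import base64
import hashlib
from lxml import etree  # lxml wraps libxml2, the parser underneath xmlsec (assumed installed)

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = "http://schemas.xmlsoap.org/ws/2002/07/utility"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed envelope shaped like the quoted WebSphere message (placeholder id, no DigestValue).
ENVELOPE = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Header>'
    f'<Signature xmlns="{DS}"><SignedInfo><Reference URI="#body1"/></SignedInfo>'
    '</Signature></soapenv:Header>'
    f'<soapenv:Body wsu:Id="body1" xmlns:wsu="{WSU}">'
    '<getGreetingResponse xmlns="http://Sample8.wsdk.ibm.com">'
    '<getGreetingReturn xmlns="">Hello venky. How are you?</getGreetingReturn>'
    '</getGreetingResponse></soapenv:Body></soapenv:Envelope>'
).encode()
# Internal DTD declaring wsu:Id as an ID attribute, the fix FAQ 3.2 describes.
DTD = b'<!DOCTYPE soapenv:Envelope [<!ATTLIST soapenv:Body wsu:Id ID #IMPLIED>]>\n'


def resolve_reference(doc, with_dtd=False):
    """Return the element the ds:Reference URI="#..." points at, or None.
    Without an ID declaration libxml2's XPath id() finds nothing (the xmlXPtrEval
    error quoted in the thread); the DTD, or an xmlAddID call, makes it resolve."""
    root = etree.fromstring((DTD if with_dtd else b"") + doc)
    frag = root.find(f".//{{{DS}}}Reference").get("URI")[1:]
    hits = root.xpath("id($i)", i=frag)
    return hits[0] if hits else None


def body_digest(doc):
    """Expected DigestValue: exclusive C14N of the signed subtree, then SHA-1, base64.
    The subtree is looked up through an explicit wsu:Id map, the role xmlAddID plays."""
    root = etree.fromstring(doc)
    ids = {el.get(f"{{{WSU}}}Id"): el for el in root.iter() if el.get(f"{{{WSU}}}Id")}
    target = ids[root.find(f".//{{{DS}}}Reference").get("URI")[1:]]
    c14n = etree.tostring(target, method="c14n", exclusive=True, with_comments=False)
    return base64.b64encode(hashlib.sha1(c14n).digest()).decode()


if __name__ == "__main__":
    # A newline that a text-mode dump might add inside the signed subtree changes the digest.
    dumped = ENVELOPE.replace(b"</getGreetingReturn>", b"</getGreetingReturn>\r\n")
    print("original:", body_digest(ENVELOPE))
    print("dumped:  ", body_digest(dumped))
    print("id() without DTD:", resolve_reference(ENVELOPE))
    print("id() with DTD:   ", resolve_reference(ENVELOPE, with_dtd=True).tag)
```

Comparing the bytes that `etree.tostring(..., method="c14n", exclusive=True)` produces with the stream xmlsec writes under '--print-all' is the by-hand comparison suggested in the reply.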
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B> Aleksey Sanin
[mailto:aleksey@aleksey.com]<BR><B>Sent:</B> Tuesday, June 03, 2003 8:29
AM<BR><B>To:</B> arvasoft@attbi.com<BR><B>Cc:</B> venky@arvasoft.com;
xmlsec@aleksey.com<BR><B>Subject:</B> Re: Implementing WS-Security using
XMLSec...<BR><BR></FONT></DIV>First of all, I would appreciate if you would
use xmlsec mailing list <BR>for any question about xmlsec library (this reply
is copied to the list, btw).<BR><BR>It seems that your <Reference/>
element contains URI with Id attribute.<BR>And I am not sure I understand how
you got the error you describe without a DTD.<BR>Most likely you should have
something like this
instead:<BR><BR>func=xmlSecXPathDataExecute:file=xpath.c:line=250:obj=unknown:subj=xmlXPtrEval:<BR>error=5:libxml2
library function
failed:<BR>expr=xpointer(id('wssecurity_body_id_3550107555769326699_1054623170226'))<BR><BR>Please
read section 3.2 from the FAQ (<A class=moz-txt-link-freetext
href="http://www.aleksey.com/xmlsec/faq.html">http://www.aleksey.com/xmlsec/faq.html</A>)<BR>for
explanation "why".<BR><BR>Assuming you add a correct DTD, the signature seems
to be trivial (Reference with an ID<BR>type URI plus one exc C14N transform)
and I would be really surprised if xmlsec does<BR>a wrong thing here.
Unfortunately, there is no easy way to determine why digests do not <BR>match.
In xmlsec you can use '--print-all' option to get the binary stream just
before<BR>digesting. The best you can do is to compare this data with similar
ones from WebSphere<BR>(if you would be able to get same data from WebSphere).
Read documentation or search<BR>mailing list. There were several similar
problems before.<BR><BR>And if you want me to guess, I would bet that you have
different digests because<BR>something introduced spaces and/or end of lines
when you've dumped XML document <BR>to file.<BR><BR><BR>Aleksey<BR><BR><BR><A
class=moz-txt-link-abbreviated
href="mailto:arvasoft@attbi.com">arvasoft@attbi.com</A> wrote:<BR>
<BLOCKQUOTE cite=mid000401c329d3$bff971e0$030aa8c0@corp.arvasoft.com
type="cite"><PRE wrap="">Hi Alexsey,
I am implementing WS-Security using XMLSec. Currently, I am trying to
validate signatures generated by Websphere, but am running into a problem
where the Digests generated by Websphere and that by XMLSec are different.
This causes the following error
func=:file=..\src\openssl\digests.c:line=164:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
Signature is INVALID
I would really appreciate your help on resolving this issue.
Thanks,
Regards,
-Venky
PS: I am attaching the following files:
1. original Websphere signed document
2. a modified version of the xml document that I am using for the test, I have
copied the X509 from <wsse:BinarySecurityToken> to <X509Certificate> in
<KeyInfo>.
3. cacert.pem the trusted root that I use
</PRE><PRE wrap=""><HR width="90%" SIZE=4>
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext">
<wsse:BinarySecurityToken EncodingType="wsse:Base64Binary" ValueType="wsse:X509v3" wsu:Id="wssecurity_binary_security_token_id_3491871345588805218_1054623170226" xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">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</wsse:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#wssecurity_body_id_3550107555769326699_1054623170226">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>5zj77bM9zGNVvLBIdy6yho/IZ+g=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
vU35ynJzQdJ7zu09Gitf4hcsoG6OT/qYW1MTcvAigjNxKfgdZYN90BASwwpPN5LxaL
sEi+f8OXpAYM5aPMlLH1rht+es1xPkq6lrG5JbGcUJtNbSG0LfLhcoWfV4aak1pXdC
vczRurJyoDEpImeYNsFr6ItLaRciTTTA7qaSCKw=
</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#wssecurity_binary_security_token_id_3491871345588805218_1054623170226"/>
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="wssecurity_body_id_3550107555769326699_1054623170226" xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
<getGreetingResponse xmlns="http://Sample8.wsdk.ibm.com">
<getGreetingReturn xmlns="">Hello venky. How are you?</getGreetingReturn>
</getGreetingResponse>
</soapenv:Body>
</soapenv:Envelope></PRE><PRE wrap=""><HR width="90%" SIZE=4>
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv=</PRE></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML>