DEVHIDE
Login Or Sign up

Sign part of XML using xmlsec

773 Views Asked by At

I’m trying to sign a simple soap message. The message looks like this:

<?xml version="1.0" encoding="utf-8"?>
<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">
    <e:Header />
    <e:Body>
         <Data>someData</Data>
    </e:Body>
</e:Envelope>

By no means I’m an expert in network and security stuff. As far as I understand, the result should look something like:

<?xml version="1.0" encoding="utf-8"?>
<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">
<e:Header>
         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
         .... 
                 <Reference URI="#signedContent">
         ....
        </Signature>
</e:Header>
<e:Body id="signedContent">
             <Data>someData</Data>
</e:Body>
</e:Envelope>

So to my understanding the signature goes into the header, and the signature reference points to the body. I’ve put the signature node into the header by calling

xmlAddChild(xmlDocGetRootElement(doc)->children, signNode);

However I don’t know how to tell the library to sign the body. Do I have to place the id attribute in the body by myself, or should I let the library do it? The library isn’t very well documented (or maybe the functions make sense, but not for someone like me). Which functions do I need to call next (I’m using the x509 example as a basis: https://www.aleksey.com/xmlsec/api/xmlsec-examples-sign-x509.html#xmlsec-example-sign3). Probably I should create the reference node like this:

xmlNodePtr refNode = xmlSecTmplSignatureAddReference(signNode, xmlSecTransformSha256Id,
       NULL, (const xmlChar*)"signedContent”, NULL);

…but I’m not very sure at all. I see that there are other functions like xmlSecTmplReferenceAddTransform. The examples on the xmlsec webpage call this with xmlSecTransformEnvelopedId, but I don’t need enveloped, perhaps I should call it with something else?.

c soap xmlsec
Original Q&A
1

There are 1 best solutions below

0
On BEST ANSWER

This is exactly what happens, when you don't read the FAQ of the library. First of all - no need to dynamically create a signature template. If you build your SOAP manually like I do, it's more than enough to make it a literal like this:

<?xml version="1.0" encoding="utf-8"?>
<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">
<e:Header><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#signedContent">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue></DigestValue>
</Reference>
</SignedInfo>
<SignatureValue></SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate></X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</e:Header>
<e:Body id="signedContent"><Data>SomeData<Data>
</e:Body>
</e:Envelope>

The next step is to pass it to xmlsec. As you can see, digestValue, signedValue and x509 are left empty. I use C++, so I pass it as string, with my x509 certificate and private key from the HSM (I access it using libp11):

std::string XmlSigner::signSoapTemplate(const std::string& document, evp_pkey_st* prvKey, const std::string& x509)
{

    if (!init && !initialize()) {
        return "xmlsec could not be initialized";
    }
    init = true;
   
    if (prvKey == nullptr) return{};
    if (x509.empty()) return{};

    std::string result;

    xmlChar* signedBuffer{ nullptr };
    int signedLength{ 0 };

    /* load doc file */
    xmlDocPtr doc = xmlParseMemory(document.data(), document.size());
    if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)) {
        return "Error: unable to parse file";
    }
    
    xmlAttrPtr attr = xmlDocGetRootElement(doc)->children->next->properties;
//THIS IS THE MOST IMPORTANT LINE:
    xmlAddID(NULL, doc, (const xmlChar*)"signedContent", attr);

    xmlNodePtr signNode = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
    if (signNode == NULL) {
        return "Error: start node not found";
    }

    /* create signature context */
    xmlSecDSigCtxPtr dsigCtx = xmlSecDSigCtxCreate(NULL);
    if (dsigCtx == NULL) {
        return "Error: failed to create signature context\n";
    }

    dsigCtx->enabledReferenceUris = xmlSecTransformUriTypeSameDocument;

    dsigCtx->signKey = xmlSecKeyCreate();

    dsigCtx->signKey->value = xmlSecOpenSSLEvpKeyAdopt(prvKey);

    if (
        xmlSecOpenSSLAppKeyCertLoadMemory(
            dsigCtx->signKey,
            reinterpret_cast<const unsigned char*>(x509.data()),
            x509.size(),
            xmlSecKeyDataFormatPem) < 0
        )

    { return "Failed to load certificate"; }
    

     /* sign the template */
    if (xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
        return "Error: signature failed\n";

    }

    /* dumps the memory to the buffer */
    xmlDocDumpMemory(doc, &signedBuffer, &signedLength);

    result = std::string(reinterpret_cast<char*>(signedBuffer), signedLength);

    /* success */


    /* cleanup */
    if (dsigCtx != NULL) {
        xmlSecDSigCtxDestroy(dsigCtx);
    }

    if (doc != NULL) {
        xmlFreeDoc(doc);
    }

    return result;
}

The error handling shouldn't be done with return strings, but again - that's just an example.

Related Questions in C

Related Questions in SOAP

Related Questions in XMLSEC

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.