EldoS | Feel safer!

XML /SOAP Digital Sign
#29261
Posted: 04/15/2014 02:54:24
by sudhir kulkarni (Basic support level)
Joined: 04/10/2014
Posts: 7

Now I am getting a 'Signature handler is not attached to the envelope' error at
TElXMLWSSSignatureHandler(handler).Sign(Cert, wecInSignature);

Following is the code.

FSOAPMessage := TElXMLSOAPMessage.Create(nil);
FXMLDocument := TElXMLDOMDocument.Create;
F := TFileStream.Create('z.xml', fmOpenRead or fmShareDenyWrite);
FXMLDocument.LoadFromStream(F, 'utf-32', True);
FSOAPMessage.LoadFromXML(FXMLDocument);
Handler := TElXMLWSSSignatureHandler.Create(nil);
// the handler is never attached to the message (no AddSignature call); this is what raises the error below
Handler.AddReference(FSOAPMessage.Envelope.Body, True);
SignatureNode := FXMLDocument.DocumentElement.FindNode('soap:Envelope');
Ref := TElXMLReference.Create; // created but never attached to the handler
Ref.DigestMethod := xdmSHA1;
F1 := TFileStream.Create('pulkit_signed.keystore', fmOpenRead or fmShareDenyWrite);
kStore := TElMemoryCertStorage.Create(nil);
kStore.LoadFromStreamJKS(F1, 'provgw');
cert := kStore.Certificates[0]; // owned by the storage; no separate TElX509Certificate.Create needed
X509KeyData := TElXMLKeyInfoX509Data.Create;
X509KeyData.Certificate := cert;
X509KeyData.IncludeKeyValue := True;
TElXMLWSSSignatureHandler(Handler).Sign(cert, wecInSignature); // raises 'Signature handler is not attached to the envelope'
F.Free;
F2 := TFileStream.Create('z.xml', fmCreate);
FXMLDocument.SaveToStream(F2, xcmNone, 'utf-32'); // write to the new stream, not the freed one
F2.Free;
F1.Free;
#29269
Posted: 04/15/2014 12:29:24
by Dmytro Bogatskyy (EldoS Corp.)

Hello,

Quote
Now I am getting a 'Signature handler is not attached to the envelope' error at
TElXMLWSSSignatureHandler(handler).Sign(Cert, wecInSignature);

You are missing AddSignature call, from the sample:
Code
HandlerIndex := FSOAPMessage.AddSignature(Handler, true);

As I noted above, you need to select "XML-DSIG signature handler" in the sample to create a similar signature; this signature handler corresponds to the TElXMLSOAPBaseSignatureHandler handler class, not the TElXMLWSSSignatureHandler handler class.
#29280
Posted: 04/16/2014 06:33:59
by sudhir kulkarni (Basic support level)
Joined: 04/10/2014
Posts: 7

Hi

At last I am able to generate a signed SOAP document. Thanks for all the help.
Just some queries.

1. Following are the tags which are seen in the sample signed doc. sent to us by
the web server people, whereas they are not appearing in the SOAP/XML generated by our code. Will that make any difference in verifying the signature on the server?

<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
</ds:Transforms>


2. This signature is coming at the end in our code, whereas the sample document
of the web server has it at the top after <soapenv:Header>.

3. Is the digest value for the entire SOAP body or for a particular
element? Please have a look at the code below.

FSOAPMessage := TElXMLSOAPMessage.Create(nil);
FXMLDocument := TElXMLDOMDocument.Create;
F := TFileStream.Create('abc.xml', fmOpenRead or fmShareDenyWrite);
FXMLDocument.LoadFromStream(F, 'utf-8', True);
FSOAPMessage.LoadFromXML(FXMLDocument);
Handler := TElXMLSOAPBaseSignatureHandler.Create(nil); // XML-DSIG handler, not TElXMLWSSSignatureHandler
HandlerIndex := FSOAPMessage.AddSignature(Handler, True); // attaches the handler to the envelope
Handler.AddReference(FSOAPMessage.Envelope.Body, True); // the reference, and so the digest, covers the Body element
SignatureNode := FXMLDocument.DocumentElement.FindNode('soapenv:Body'); // the Signature is inserted as a child of this node
Ref := TElXMLReference.Create; // created but never attached to the handler
Ref.DigestMethod := xdmSHA1;
F1 := TFileStream.Create('pulkit_signed.keystore', fmOpenRead or fmShareDenyWrite);
kStore := TElMemoryCertStorage.Create(nil);
kStore.LoadFromStreamJKS(F1, 'provgw');
cert := kStore.Certificates[0]; // owned by the storage; no separate TElX509Certificate.Create needed
X509KeyData := TElXMLKeyInfoX509Data.Create;
X509KeyData.Certificate := cert;
X509KeyData.IncludeKeyValue := True;
Handler.Sign(SignatureNode as TElXMLDOMElement, cert);
F.Free;
F2 := TFileStream.Create('z_new_With_transform.xml', fmCreate);
FXMLDocument.SaveToStream(F2, xcmNone, 'utf-8'); // write to the new stream, not the freed one
F2.Free;
F1.Free;
#29284
Posted: 04/16/2014 09:20:49
by Dmytro Bogatskyy (EldoS Corp.)

Hello,

Quote
Following are the tags which are seen in the sample signed doc. sent to us by the web server people, whereas they are not appearing in the SOAP/XML generated by our code. Will that make any difference in verifying the signature on the server?

If the server doesn't require those transforms, then it should be ok. If you need them you can add them using TElXMLReference.TransformChain.Add method.

Quote
3. Is the digest value for the entire SOAP body or for a particular
element? Please have a look at the code below.
Handler.AddReference(FSOAPMessage.Envelope.Body, true);
...
Ref := TElXMLReference.Create;
Ref.DigestMethod := xdmSHA1;

You are adding a reference to the Body element. I don't know why you are creating a new instance of TElXMLReference, as you are not using it later. If you need to modify the reference created by the AddReference() method, you can use the Handler.References[index] property, where index is the value returned by AddReference().

Quote
2.This signature is coming at the end in our code where as sample document
of webserver has it at the top after <soapenv:Header>
SignatureNode :=FXMLDocument.DocumentElement.FindNode('soapenv:Body');
...
Handler.Sign(SignatureNode as TElXMLDOMElement,Cert);

You are placing the signature as a child of the Body element. If you need to place it under the Header element, then set:
Code
SignatureNode := FSOAPMessage.Envelope.Header.XMLElement;
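The three answers above all come down to what the verifier hashes for the Body reference. The following is an added example, not code from the thread or from SecureBlackbox, that makes this concrete: it digests a constructed SOAP Body under the transform lists discussed (plain C14N, C14N #WithComments, and enveloped-signature), and compares the result when a ds:Signature is placed under Header versus inside the referenced Body. The envelope, the function names and the placeholder Signature are assumptions of the example; the Python standard library's canonicalize() implements C14N 2.0, so it stands in for the C14N 1.0 algorithms named in the thread and the hex values are illustrative, not the DigestValue a real XML-DSig library would emit.

```python
"""Digest of a ds:Reference to the SOAP Body under different transforms.

Added example, not code from the forum thread or from SecureBlackbox.
xml.etree.ElementTree.canonicalize is C14N 2.0 and is used here as a
stand-in for the C14N 1.0 algorithms named in the thread.
"""
import copy
import hashlib
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
C14N_WITH_COMMENTS = C14N + "#WithComments"

ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample envelope (an assumption, not a message from the thread).
# The comment inside the Body is what separates #WithComments from plain C14N.
SAMPLE = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">'
    "<soapenv:Header/>"
    "<soapenv:Body><!-- order 42 --><Order><Item>widget</Item></Order></soapenv:Body>"
    "</soapenv:Envelope>"
)


def parse(xml_text):
    """Parse while keeping comments, which the default parser drops."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def body_of(envelope):
    return envelope.find(f"{{{SOAP_NS}}}Body")


def place_signature(envelope, under):
    """Return a copy with a placeholder ds:Signature under Header or Body."""
    env = copy.deepcopy(envelope)
    target = env.find(f"{{{SOAP_NS}}}{under}")
    sig = ET.SubElement(target, f"{{{DS_NS}}}Signature")
    ET.SubElement(sig, f"{{{DS_NS}}}SignedInfo")
    return env


def apply_transforms(element, transforms):
    """Apply the ds:Transforms a verifier runs before digesting the reference."""
    node = copy.deepcopy(element)
    if ENVELOPED in transforms:
        # enveloped-signature: drop every ds:Signature inside the referenced node
        doomed = [(parent, sig) for parent in node.iter()
                  for sig in parent.findall(f"{{{DS_NS}}}Signature")]
        for parent, sig in doomed:
            parent.remove(sig)
    text = ET.tostring(node, encoding="unicode")
    return ET.canonicalize(text, with_comments=C14N_WITH_COMMENTS in transforms)


def digest_value(element, transforms, algorithm="sha1"):
    """Hex digest of the transformed, canonicalized element. SHA-1 is the
    default only because the thread uses xdmSHA1; it is deprecated for new
    signatures, so prefer sha256 where the server accepts it."""
    data = apply_transforms(element, transforms).encode("utf-8")
    return hashlib.new(algorithm, data).hexdigest()


def compare_placements():
    """Body-reference digest for each Signature placement / transform list."""
    env = parse(SAMPLE)
    return {
        "unsigned": digest_value(body_of(env), [C14N]),
        "sig_in_header": digest_value(body_of(place_signature(env, "Header")), [C14N]),
        "sig_in_body": digest_value(body_of(place_signature(env, "Body")), [C14N]),
        "sig_in_body_enveloped": digest_value(
            body_of(place_signature(env, "Body")), [ENVELOPED, C14N]),
        "with_comments": digest_value(body_of(env), [C14N_WITH_COMMENTS]),
    }


if __name__ == "__main__":
    for name, value in compare_placements().items():
        print(f"{name:24} {value}")
```

Reading the output: the Body digest is the same whether or not a Signature sits under Header, which is why placing it there (Dmytro's last point) costs nothing; a Signature placed inside the Body changes the Body's digest unless the enveloped-signature transform strips it again, which is the role of the first Transform in the server's sample; and #WithComments yields a different digest from plain C14N as soon as the Body contains a comment. The transform list is recorded inside ds:SignedInfo and is therefore signed, so the server verifies with whatever list the signer declared; the practical check is simply that the server's policy accepts that list.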
#29310
Posted: 04/22/2014 08:42:04
by sudhir kulkarni (Basic support level)
Joined: 04/10/2014
Posts: 7

We are able to successfully post the signed SOAP request to the server now over HTTP. Thanks a lot for your help. Now, when we are trying to send the same request over HTTPS, it is giving us a 'Could not acquire security credentials' error. The web service admin has given us credentials; how do we use them for HTTPS? Do we need to set some properties for this?
#29311
Posted: 04/22/2014 08:50:10
by Eugene Mayevski (EldoS Corp.)

What component/class are you using to connect to the server? From the message it sounds that this is not SecureBlackbox, so your question is beyond the scope of our support.


Sincerely yours
Eugene Mayevski