
Scenario: A web services consumer sends a SOAP 1.1 message protected with an X.509 XML signature to the provider. The message contains a timestamp, a SAML assertion, a SecurityTokenReference, a BinarySecurityToken and a Signature. The SAML assertion must be signed according to the SecurityTokenReferenceTransform (see section 8.3 of http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf).

(warning)  When computing the C14N of the SAML assertion, correct handling of the default namespace must be ensured: a namespace declaration xmlns="" MUST be emitted with every apex element that has no namespace node declaring a value for the default namespace; cf. XML Decryption Transform.
-        SOAP Version:             1.1

-        Addressing:                  No (optional)

-        Signature Certificate:    RSA or DSA

-        Timestamp:                   Yes (precision: seconds)

-        Signed parts:                Timestamp, Body, SAML assertion over STR transform

-        Canonicalization:          XML-EXC-C14N

-        Signature:                    SHA1 (WS-SP asymmetric key binding)

Example Message:

   

<!-- Example SOAP 1.1 envelope. The prefixes "test" and "s11" are both bound to the
     SOAP 1.1 envelope namespace; only "test" is used in this message.
     The explanatory comments in this listing sit outside the signed elements
     (Assertion, Body, Timestamp) and outside ds:SignedInfo, so they do not change
     what is canonicalized for the digests or the signature. -->
<test:Envelope xmlns:test="http://schemas.xmlsoap.org/soap/envelope/" xmlns:s11="http://schemas.xmlsoap.org/soap/envelope/">
  <test:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <!-- SAML 1.1 assertion (MajorVersion 1, MinorVersion 1) with the sender-vouches
           confirmation method. It carries no ds:Signature of its own: in this message its
           integrity rests on the STR-Transform reference in the message signature below.
           With sender-vouches the receiver relies on the message signer to vouch for the
           subject, so the signing certificate has to be one the receiver trusts for that role.
           Conditions only bounds the validity period; no audience restriction is present. -->
      <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AssertionID="_6221ece8-1c27-41e6-85d0-d8df92b9003f" IssueInstant="2021-03-31T14:41:03.797Z" Issuer="Axis" MajorVersion="1" MinorVersion="1">
        <Conditions NotBefore="2021-03-31T14:41:03.797Z" NotOnOrAfter="2021-03-31T15:24:42.114Z" />
        <AuthenticationStatement AuthenticationInstant="2021-03-31T14:41:03.797Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
          <Subject>
            <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">BBUYER</NameIdentifier>
            <SubjectConfirmation>
              <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</ConfirmationMethod>
            </SubjectConfirmation>
          </Subject>
        </AuthenticationStatement>
      </Assertion>
      <!-- SecurityTokenReference that points at the assertion by its AssertionID.
           The signature references this element's wsu:Id; the STR-Transform then
           digests the referenced assertion rather than the reference itself. -->
      <wsse:SecurityTokenReference wsu:Id="STRSAMLId-8078a27f-43f5-47ee-b0b6-aa4164fa9b47">
        <wsse:Reference URI="#_6221ece8-1c27-41e6-85d0-d8df92b9003f" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID" />
      </wsse:SecurityTokenReference>
      <!-- X.509v3 signing certificate, Base64-encoded. The text "Certificate" appears to
           be a placeholder for the real token value. -->
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-1ef5d969-9344-49fd-9d9a-de605a68afa2">Certificate</wsse:BinarySecurityToken>
      <!-- Message signature: exclusive C14N, RSA-SHA1 signature method, SHA-1 digests.
           Three references are signed, in this order:
             1. the SecurityTokenReference above, via STR-Transform (covers the assertion)
             2. the SOAP Body (#id-dd348b89-87fc-4565-9b5a-7dd5ebd911a7)
             3. the Timestamp (#TS-f697613a-608a-4094-9d09-570d882f408a)
           KeyInfo points to the BinarySecurityToken above; "Signature" in SignatureValue
           appears to be a placeholder.
           SHA-1 is no longer considered collision resistant; where both endpoints support
           it, a SHA-256 based signature and digest algorithm is the safer choice.
           A receiver should confirm that the assertion, Body and Timestamp it acts on are
           the same elements these references resolved to, and that none of the three is
           left unsigned. -->
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-ba9bbe38-568f-499a-8fff-e632a0eed9f5">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <ds:Reference URI="#STRSAMLId-8078a27f-43f5-47ee-b0b6-aa4164fa9b47">
            <ds:Transforms>
              <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                <wsse:TransformationParameters>
                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </wsse:TransformationParameters>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>FADq9Qv94EFMObEywgrn8/RW5zk=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-dd348b89-87fc-4565-9b5a-7dd5ebd911a7">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>nJqp5hNEgKTY94oXv66K0jp/P8g=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#TS-f697613a-608a-4094-9d09-570d882f408a">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>25sGhbndf+Roqhl2EJKjrZdlnw0=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>Signature</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-3f051cc8-51ac-40a1-80a2-08503c378723">
          <wsse:SecurityTokenReference wsu:Id="STRId-3b827d63-1956-4792-867f-c87deddef4cc">
            <wsse:Reference URI="#CertId-1ef5d969-9344-49fd-9d9a-de605a68afa2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <!-- Signed timestamp with a five-minute lifetime (Created to Expires). The values
           carry fractional seconds, although the scenario above states a precision of
           seconds. Receivers are expected to reject messages outside this window. -->
      <wsu:Timestamp wsu:Id="TS-f697613a-608a-4094-9d09-570d882f408a">
        <wsu:Created>2021-03-31T14:41:03.797Z</wsu:Created>
        <wsu:Expires>2021-03-31T14:46:03.797Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </test:Header>
  <!-- The Body's wsu:Id is the target of the second ds:Reference in the signature. -->
  <test:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-dd348b89-87fc-4565-9b5a-7dd5ebd911a7">
    <n0:WSSE_ECHO xmlns:n0="urn:sap-com:document:sap:rfc:functions">
      <INPUT>some data</INPUT>
    </n0:WSSE_ECHO>
  </test:Body>
</test:Envelope>

----


1 Comment

  1. Unknown User (lw8ku2e)

    What's wrong with this SOAP message?

    Sorry for hijacking this wiki page for my question, but I didn't manage to get the SOAP message posted into the forum...

    My client is sending the following SOAP message to AS ABAP 7 EHP 2 (the current AS ABAP trial version):

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:echo="http://example.org/echo">
       <soapenv:Header>
          <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
             <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="wssecurity_signature_id_20">
                <wsu:Created>2011-02-08T08:50:17.968Z</wsu:Created>
                <wsu:Expires>2011-02-08T08:55:17.968Z</wsu:Expires>
             </wsu:Timestamp>
             <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="x509bst_22" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIICYzCCAcygAwIBAgIHAJLoLmzvezANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJERTEQMA4GA1UEChMHaWJtLmNvbTEMMAoGA1UECxMDU1dHMRYwFAYDVQQDEw1TQU1MU2lnbmVyRVNCMB4XDTExMDIwNjEwMTk1NVoXDTEyMDIwNjEwMTk1NVowRTELMAkGA1UEBhMCREUxEDAOBgNVBAoTB2libS5jb20xDDAKBgNVBAsTA1NXRzEWMBQGA1UEAxMNU0FNTFNpZ25lckVTQjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvUsuOvPHwG9JJehEHejbrWOf4vAAVT6HwnpyyWOVH3tC6Wrrdb50srXd2exzqj1yuJoHX8y6zCvGTOS1igfEFyP4/hqDYcg5XWHVU0GBJKWWrHCSbZ8WB052fFy4AMCQyus/9xx4pe7JydEMAH9c/iCBMstMdd1BUQNjkod1AP0CAwEAAaNdMFswRgYDVR0RBD8wPYE7UHJvZmlsZVVVSUQ6YmhFU0ItQkFTRS1iYjkyYzA2Yy03MjBhLTQ0MjEtYmE1Mi02NTk3NDVhMzg3N2QwEQYDVR0OBAoECEIrHixmCxN5MA0GCSqGSIb3DQEBBQUAA4GBADYJ2iNzC3CYGypnZtU3QvxLTAWvX7YaMBdlCqPtNf660oCn4L6EJCCtDsxr3LVrA+V4n4i8sh6+Rn0RRfDnDUJkZjLHvDqfF0MDcys/Df3yAlzNrTJfVteyshR4qZL+zdhR/XGQGQKiA0lkiYAvlhcHVq+yvz3sE+Ft8+MZ4SA9</wsse:BinarySecurityToken>
             <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="Assertion-uuid476cdfb-012e-1915-b24b-d53ac6aae759" IssueInstant="2011-02-08T08:50:18Z" Issuer="TFIM" MajorVersion="1" MinorVersion="1">
                <saml:Conditions NotBefore="2011-02-08T08:49:18Z" NotOnOrAfter="2011-02-08T08:51:18Z">
                   <saml:AudienceRestrictionCondition>
                      <saml:Audience>

    http://abap:8000/sap/bc/srt/xip/sap/echo1/001/echo1/saml

    </saml:Audience>
                   </saml:AudienceRestrictionCondition>
                </saml:Conditions>
                <saml:AuthenticationStatement AuthenticationInstant="2011-02-08T08:50:18Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
                   <saml:Subject>
                      <saml:NameIdentifier Format="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">jens</saml:NameIdentifier>
                      <saml:SubjectConfirmation>
                         <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
                      </saml:SubjectConfirmation>
                   </saml:Subject>
                </saml:AuthenticationStatement>
             </saml:Assertion>
             <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="wssecurity_signature_id_23">
                <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">Assertion-uuid476cdfb-012e-1915-b24b-d53ac6aae759</wsse:KeyIdentifier>
             </wsse:SecurityTokenReference>
             <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                      <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenv echo wsse ds "></ec:InclusiveNamespaces>
                   </ds:CanonicalizationMethod>
                   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
                   <ds:Reference URI="#wssecurity_signature_id_20">
                      <ds:Transforms>
                         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenv echo wsu wsse "></ec:InclusiveNamespaces>
                         </ds:Transform>
                      </ds:Transforms>
                      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                      <ds:DigestValue>gUmUzDRJ5QwlcsTGmntXWVE/p/k=</ds:DigestValue>
                   </ds:Reference>
                   <ds:Reference URI="#wssecurity_signature_id_21">
                      <ds:Transforms>
                         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenv echo wsu "></ec:InclusiveNamespaces>
                         </ds:Transform>
                      </ds:Transforms>
                      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                      <ds:DigestValue>i5EQGjellmusu2jQ1U8PMxnIQwI=</ds:DigestValue>
                   </ds:Reference>
                   <ds:Reference URI="#wssecurity_signature_id_23">
                      <ds:Transforms>
                         <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                            <wsse:TransformationParameters>
                               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                  <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="echo saml wsse soapenv"></ec:InclusiveNamespaces>
                               </ds:CanonicalizationMethod>
                            </wsse:TransformationParameters>
                         </ds:Transform>
                      </ds:Transforms>
                      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                      <ds:DigestValue>HDQ+9UbcqROxyLaviLpmz262T7U=</ds:DigestValue>
                   </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>S9D9gqWA907etAHBrZNJ7pC6X1HWT0SKvgk77XnetU7bVeKc3z0/CYhYpOq4r8d4XqVclGVEJ2M40vF7NiwShAvl4PYDaizhTlbiMhHX/rhpprhBhJZUoHC6Tn+yUupOpjXpCbRG45IcPJ0MaFPF3RkFHISdT2+CYchlfJNAIR4=</ds:SignatureValue>
                <ds:KeyInfo>
                   <wsse:SecurityTokenReference>
                      <wsse:Reference URI="#x509bst_22" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></wsse:Reference>
                   </wsse:SecurityTokenReference>
                </ds:KeyInfo>
             </ds:Signature>
          </wsse:Security>
       </soapenv:Header>
       <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="wssecurity_signature_id_21">      
          <echo:echoIn>1</echo:echoIn>   
       </soapenv:Body></soapenv:Envelope>

    I have run WSS_SETUP and imported the sender's self-signed certificate (used for the digital signature) into every truststore in STRUST. However, the server always responds:

    HTTP/1.1 500 Internal Server Error
    content-type: text/xml; charset=utf-8
    content-length: 3208
    accept: text/xml
    sap-srt_id: 20110208/091352/v1.00_final_6.40/000C291822AC1ED08CEB6B12142600E7
    server: SAP NetWeaver Application Server / ABAP 702

    <soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
       <soap-env:Header xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
             <wsu:Timestamp wsu:Id="ts-000C291822AC1ED08CEB6B12142620E7">
                <wsu:Created>2011-02-08T08:13:53Z</wsu:Created>
                <wsu:Expires>2011-02-08T08:15:23Z</wsu:Expires>
             </wsu:Timestamp>
          </wsse:Security>
       </soap-env:Header>
       <soap-env:Body>
          <soap-env:Fault>
             <faultcode>soap-env:Server</faultcode>
             <faultstring xml:lang="en">CX_WS_SECURITY_FAULT:An exception occurred: XML Signature digest error for reference wssecurity_signature_id_21</faultstring>
             <detail>
                <ns:SystemFault xmlns:ns="http://www.sap.com/webas/710/soap/runtime/abap/fault/system/">
                   <Host>undefined</Host>
                   <Component>APPL</Component>
                   <ChainedException>
                      <Exception_Name>CX_SOAP_CORE</Exception_Name>
                      <Exception_Text>CX_WS_SECURITY_FAULT:An exception occurred: XML Signature digest error for reference wssecurity_signature_id_21</Exception_Text>
                   </ChainedException>
                   <ChainedException>
                      <Exception_Name>CX_WS_SECURITY_FAULT</Exception_Name>
                      <Exception_Text>An exception occurred: XML Signature digest error for reference wssecurity_signature_id_21</Exception_Text>
                   </ChainedException>
                </ns:SystemFault>
                <ns:SystemFault xmlns:ns="http://www.sap.com/webas/711/soap/runtime/abap/fault/system/">
                   <Host>undefined</Host>
                   <Component>APPL</Component>
                   <ChainedException asx:root="abap" version="1.0" xmlns:asx="http://www.sap.com/abapxml">
                      <asx:values>
                         <EXCEPTION href="#o262"/>
                      </asx:values>
                      <asx:heap xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:abap="http://www.sap.com/abapxml/types/built-in" xmlns:cls="http://www.sap.com/abapxml/classes/global" xmlns:dic="http://www.sap.com/abapxml/types/dictionary">
                         <cls:CX_SOAP_CORE id="o262">
                            <CX_ROOT>
                               <TEXTID>0018FE864EEE1DECA69CF9C71ACB337F</TEXTID>
                               <PREVIOUS href="#o259"/>
                               <KERNEL_ERRID/>
                               <IS_RESUMABLE/>
                               <INTERNAL_SOURCE_POS>
                                  <PROGID>144</PROGID>
                                  <CONTID>1231</CONTID>
                               </INTERNAL_SOURCE_POS>
                            </CX_ROOT>
                            <CX_NO_CHECK/>
                            <CX_SOAP_CORE>
                               <E_LOCATION>
                                  <CLASS>CL_ST_CRYPTO==================CP</CLASS>
                                  <METHOD>CL_ST_CRYPTO==================CM00C</METHOD>
                                  <ID>234</ID>
                               </E_LOCATION>
                               <E_TEXT>CX_WS_SECURITY_FAULT:An exception occurred: XML Signature digest error for reference wssecurity_signature_id_21</E_TEXT>
                               <E_ID>1001</E_ID>
                               <E_FAULT_LOCATION>1</E_FAULT_LOCATION>
                               <E_AREA>APPL</E_AREA>
                               <E_HOST>0</E_HOST>
                               <E_PROCESS_CONTROL/>
                            </CX_SOAP_CORE>
                         </cls:CX_SOAP_CORE>
                         <cls:CX_WS_SECURITY_FAULT id="o259">
                            <CX_ROOT>
                               <TEXTID>001321AF5ABB1DEC8AB3B106B36AD562</TEXTID>
                               <PREVIOUS/>
                               <KERNEL_ERRID/>
                               <IS_RESUMABLE/>
                               <INTERNAL_SOURCE_POS>
                                  <PROGID>291</PROGID>
                                  <CONTID>4439</CONTID>
                               </INTERNAL_SOURCE_POS>
                            </CX_ROOT>
                            <CX_NO_CHECK/>
                            <CX_WS_SECURITY_FAULT>
                               <SSF_PROFILE/>
                               <ASSERTION/>
                               <FAULTCODE>InvalidSecurity</FAULTCODE>
                               <DETAIL/>
                               <CODE>0</CODE>
                               <REASON_TEXT>XML Signature digest error for reference wssecurity_signature_id_21</REASON_TEXT>
                               <REASON_LANGUAGE>E</REASON_LANGUAGE>
                               <SUBRC>0</SUBRC>
                               <MSG1/>
                               <MSG2/>
                               <MSG3/>
                               <MSG4/>
                               <FUNCTION/>
                               <TRACE/>
                               <STS_URL/>
                            </CX_WS_SECURITY_FAULT>
                         </cls:CX_WS_SECURITY_FAULT>
                      </asx:heap>
                   </ChainedException>
                </ns:SystemFault>
             </detail>
          </soap-env:Fault>
       </soap-env:Body></soap-env:Envelope>

    It seems to complain about the digital signature of the SOAP body element, but even with tracing I was not yet able to figure out what the exact problem is.

    Any help is appreciated. I am linking to this page from a Security forum. My question is at: http://forums.sdn.sap.com/thread.jspa?threadID=1886884&tstart=0