Scenario: A web services consumer sends a SOAP 1.1 message protected with an X.509 XML signature to the provider. The message contains a Timestamp, a SAML assertion, a SecurityTokenReference, a BinarySecurityToken and a Signature. The SAML assertion must be signed via the SecurityTokenReference transform (STR-Transform; see section 8.3 of http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf).
When computing the C14N of the SAML assertion, correct handling of the default namespace needs to be ensured: a namespace declaration xmlns="" MUST be emitted with every apex element that has no namespace node declaring a value for the default namespace (cf. the XML Decryption Transform).
- SOAP Version: 1.1
- Addressing: No (optional)
- Signature Certificate: RSA or DSA
- Timestamp: Yes (precision: seconds)
- Signed parts: Timestamp, Body, SAML assertion over STR transform
- Canonicalization: XML-EXC-C14N
- Signature: SHA1 (WS-SP asymmetric key binding)
Example Message:
<test:Envelope xmlns:test="http://schemas.xmlsoap.org/soap/envelope/" xmlns:s11="http://schemas.xmlsoap.org/soap/envelope/">
  <test:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AssertionID="_6221ece8-1c27-41e6-85d0-d8df92b9003f" IssueInstant="2021-03-31T14:41:03.797Z" Issuer="Axis" MajorVersion="1" MinorVersion="1">
        <Conditions NotBefore="2021-03-31T14:41:03.797Z" NotOnOrAfter="2021-03-31T15:24:42.114Z" />
        <AuthenticationStatement AuthenticationInstant="2021-03-31T14:41:03.797Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
          <Subject>
            <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">BBUYER</NameIdentifier>
            <SubjectConfirmation>
              <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</ConfirmationMethod>
            </SubjectConfirmation>
          </Subject>
        </AuthenticationStatement>
      </Assertion>
      <wsse:SecurityTokenReference wsu:Id="STRSAMLId-8078a27f-43f5-47ee-b0b6-aa4164fa9b47">
        <wsse:Reference URI="#_6221ece8-1c27-41e6-85d0-d8df92b9003f" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID" />
      </wsse:SecurityTokenReference>
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-1ef5d969-9344-49fd-9d9a-de605a68afa2">Certificate</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-ba9bbe38-568f-499a-8fff-e632a0eed9f5">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <ds:Reference URI="#STRSAMLId-8078a27f-43f5-47ee-b0b6-aa4164fa9b47">
            <ds:Transforms>
              <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                <wsse:TransformationParameters>
                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </wsse:TransformationParameters>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>FADq9Qv94EFMObEywgrn8/RW5zk=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-dd348b89-87fc-4565-9b5a-7dd5ebd911a7">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>nJqp5hNEgKTY94oXv66K0jp/P8g=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#TS-f697613a-608a-4094-9d09-570d882f408a">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>25sGhbndf+Roqhl2EJKjrZdlnw0=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>Signature</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-3f051cc8-51ac-40a1-80a2-08503c378723">
          <wsse:SecurityTokenReference wsu:Id="STRId-3b827d63-1956-4792-867f-c87deddef4cc">
            <wsse:Reference URI="#CertId-1ef5d969-9344-49fd-9d9a-de605a68afa2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsu:Timestamp wsu:Id="TS-f697613a-608a-4094-9d09-570d882f408a">
        <wsu:Created>2021-03-31T14:41:03.797Z</wsu:Created>
        <wsu:Expires>2021-03-31T14:46:03.797Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </test:Header>
  <test:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-dd348b89-87fc-4565-9b5a-7dd5ebd911a7">
    <n0:WSSE_ECHO xmlns:n0="urn:sap-com:document:sap:rfc:functions">
      <INPUT>some data</INPUT>
    </n0:WSSE_ECHO>
  </test:Body>
</test:Envelope>
----
1 Comment
Unknown User (lw8ku2e)
What's wrong with this SOAP message?
Sorry for hijacking this wiki page for my question, but I didn't manage to get the SOAP message posted into the forum...
My client is sending the following SOAP message to AS ABAP 7 EHP 2 (the current AS ABAP trial version):
http://abap:8000/sap/bc/srt/xip/sap/echo1/001/echo1/saml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:echo="http://example.org/echo">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="wssecurity_signature_id_20">
<wsu:Created>2011-02-08T08:50:17.968Z</wsu:Created>
<wsu:Expires>2011-02-08T08:55:17.968Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="x509bst_22" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">...</wsse:BinarySecurityToken>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="Assertion-uuid476cdfb-012e-1915-b24b-d53ac6aae759" IssueInstant="2011-02-08T08:50:18Z" Issuer="TFIM" MajorVersion="1" MinorVersion="1">
<saml:Conditions NotBefore="2011-02-08T08:49:18Z" NotOnOrAfter="2011-02-08T08:51:18Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>
</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AuthenticationStatement AuthenticationInstant="2011-02-08T08:50:18Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<saml:Subject>
<saml:NameIdentifier Format="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">jens</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
</saml:Assertion>
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="wssecurity_signature_id_23">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">Assertion-uuid476cdfb-012e-1915-b24b-d53ac6aae759</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenv echo wsse ds "></ec:InclusiveNamespaces>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#wssecurity_signature_id_20">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenv echo wsu wsse "></ec:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>gUmUzDRJ5QwlcsTGmntXWVE/p/k=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#wssecurity_signature_id_21">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenv echo wsu "></ec:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>i5EQGjellmusu2jQ1U8PMxnIQwI=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#wssecurity_signature_id_23">
<ds:Transforms>
<ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
<wsse:TransformationParameters>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="echo saml wsse soapenv"></ec:InclusiveNamespaces>
</ds:CanonicalizationMethod>
</wsse:TransformationParameters>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>HDQ+9UbcqROxyLaviLpmz262T7U=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>S9D9gqWA907etAHBrZNJ7pC6X1HWT0SKvgk77XnetU7bVeKc3z0/CYhYpOq4r8d4XqVclGVEJ2M40vF7NiwShAvl4PYDaizhTlbiMhHX/rhpprhBhJZUoHC6Tn+yUupOpjXpCbRG45IcPJ0MaFPF3RkFHISdT2+CYchlfJNAIR4=</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#x509bst_22" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="wssecurity_signature_id_21">
<echo:echoIn>1</echo:echoIn>
</soapenv:Body></soapenv:Envelope>
I have run WSS_SETUP and imported the sender's self-signed certificate (used for the digital signature) into every truststore in STRUST. However, the server always responds:
HTTP/1.1 500 Internal Server Error
content-type: text/xml; charset=utf-8
content-length: 3208
accept: text/xml
sap-srt_id: 20110208/091352/v1.00_final_6.40/000C291822AC1ED08CEB6B12142600E7
server: SAP NetWeaver Application Server / ABAP 702
<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
<soap-env:Header xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsu:Timestamp wsu:Id="ts-000C291822AC1ED08CEB6B12142620E7">
<wsu:Created>2011-02-08T08:13:53Z</wsu:Created>
<wsu:Expires>2011-02-08T08:15:23Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap-env:Header>
<soap-env:Body>
<soap-env:Fault>
<faultcode>soap-env:Server</faultcode>
<faultstring xml:lang="en">CX_WS_SECURITY_FAULT:An exception occurred: XML Signature digest error for reference wssecurity_signature_id_21</faultstring>
<detail>
<ns:SystemFault xmlns:ns="http://www.sap.com/webas/710/soap/runtime/abap/fault/system/">
<Host>undefined</Host>
<Component>APPL</Component>
<ChainedException>
<Exception_Name>CX_SOAP_CORE</Exception_Name>
<Exception_Text>CX_WS_SECURITY_FAULT:An exception occurred: XML Signature digest error for reference wssecurity_signature_id_21</Exception_Text>
</ChainedException>
<ChainedException>
<Exception_Name>CX_WS_SECURITY_FAULT</Exception_Name>
<Exception_Text>An exception occurred: XML Signature digest error for reference wssecurity_signature_id_21</Exception_Text>
</ChainedException>
</ns:SystemFault>
<ns:SystemFault xmlns:ns="http://www.sap.com/webas/711/soap/runtime/abap/fault/system/">
<Host>undefined</Host>
<Component>APPL</Component>
<ChainedException asx:root="abap" version="1.0" xmlns:asx="http://www.sap.com/abapxml">
<asx:values>
<EXCEPTION href="#o262"/>
</asx:values>
<asx:heap xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:abap="http://www.sap.com/abapxml/types/built-in" xmlns:cls="http://www.sap.com/abapxml/classes/global" xmlns:dic="http://www.sap.com/abapxml/types/dictionary">
<cls:CX_SOAP_CORE id="o262">
<CX_ROOT>
<TEXTID>0018FE864EEE1DECA69CF9C71ACB337F</TEXTID>
<PREVIOUS href="#o259"/>
<KERNEL_ERRID/>
<IS_RESUMABLE/>
<INTERNAL_SOURCE_POS>
<PROGID>144</PROGID>
<CONTID>1231</CONTID>
</INTERNAL_SOURCE_POS>
</CX_ROOT>
<CX_NO_CHECK/>
<CX_SOAP_CORE>
<E_LOCATION>
<CLASS>CL_ST_CRYPTO==================CP</CLASS>
<METHOD>CL_ST_CRYPTO==================CM00C</METHOD>
<ID>234</ID>
</E_LOCATION>
<E_TEXT>CX_WS_SECURITY_FAULT:An exception occurred: XML Signature digest error for reference wssecurity_signature_id_21</E_TEXT>
<E_ID>1001</E_ID>
<E_FAULT_LOCATION>1</E_FAULT_LOCATION>
<E_AREA>APPL</E_AREA>
<E_HOST>0</E_HOST>
<E_PROCESS_CONTROL/>
</CX_SOAP_CORE>
</cls:CX_SOAP_CORE>
<cls:CX_WS_SECURITY_FAULT id="o259">
<CX_ROOT>
<TEXTID>001321AF5ABB1DEC8AB3B106B36AD562</TEXTID>
<PREVIOUS/>
<KERNEL_ERRID/>
<IS_RESUMABLE/>
<INTERNAL_SOURCE_POS>
<PROGID>291</PROGID>
<CONTID>4439</CONTID>
</INTERNAL_SOURCE_POS>
</CX_ROOT>
<CX_NO_CHECK/>
<CX_WS_SECURITY_FAULT>
<SSF_PROFILE/>
<ASSERTION/>
<FAULTCODE>InvalidSecurity</FAULTCODE>
<DETAIL/>
<CODE>0</CODE>
<REASON_TEXT>XML Signature digest error for reference wssecurity_signature_id_21</REASON_TEXT>
<REASON_LANGUAGE>E</REASON_LANGUAGE>
<SUBRC>0</SUBRC>
<MSG1/>
<MSG2/>
<MSG3/>
<MSG4/>
<FUNCTION/>
<TRACE/>
<STS_URL/>
</CX_WS_SECURITY_FAULT>
</cls:CX_WS_SECURITY_FAULT>
</asx:heap>
</ChainedException>
</ns:SystemFault>
</detail>
</soap-env:Fault>
</soap-env:Body></soap-env:Envelope>
It seems to complain about the digital signature of the SOAP body element, but even with tracing I was not yet able to figure out what the exact problem is.
Any help is appreciated. I am linking to this page from a Security forum. My question is at: http://forums.sdn.sap.com/thread.jspa?threadID=1886884&tstart=0
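The digest check that fails above ("XML Signature digest error for reference wssecurity_signature_id_21") is the verifier recomputing ds:DigestValue for the Body reference: dereference the wsu:Id, apply Exclusive C14N with the signer's InclusiveNamespaces PrefixList, SHA-1, base64. The following Python is an added example, not code from this wiki page, from SAP, or from the comment's author; it implements Exclusive C14N 1.0 (without comments or the STR-Transform's extra xmlns="" rule) over a constructed envelope shaped like the Body reference of the comment, so that the canonical octets, and hence the digest, can be compared for the signer's PrefixList (soapenv echo wsu) and for a verifier that ignores it.

```python
import base64
import hashlib
from xml.dom import XMLNS_NAMESPACE as XMLNS, minidom
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
def _esc(s, attr=False):  # C14N escaping for text content / attribute values
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace("\r", "&#xD;")
    return s.replace('"', "&quot;").replace("\n", "&#xA;").replace("\t", "&#x9;") if attr else s.replace(">", "&gt;")
def _scope(elem):  # namespace bindings in scope at elem; innermost declaration wins
    scope, n = {}, elem
    while n.nodeType == n.ELEMENT_NODE:
        for a in n.attributes.values():
            if a.namespaceURI == XMLNS:
                scope.setdefault(a.localName if a.prefix else "", a.value or "")
        n = n.parentNode
    return scope

def exc_c14n(elem, prefix_list=(), rendered=None):  # Exclusive C14N 1.0 (no comments) of the subtree at elem
    rendered, scope = dict(rendered or {}), _scope(elem)
    used = {elem.prefix or ""} | {"" if p == "#default" else p for p in prefix_list}
    used |= {a.prefix for a in elem.attributes.values() if a.prefix and a.namespaceURI != XMLNS}
    out = ["<" + elem.tagName]
    for p in sorted(used):  # emit a namespace node only if visibly utilized here (or listed in
        uri = scope.get(p, "")  # the PrefixList) and not already rendered identically by an ancestor
        if (p == "" or p in scope) and rendered.get(p, "") != uri:
            rendered[p] = uri
            out.append(' xmlns%s="%s"' % (":" + p if p else "", _esc(uri, True)))
    attrs = (a for a in elem.attributes.values() if a.namespaceURI != XMLNS)
    for a in sorted(attrs, key=lambda a: (a.namespaceURI or "", a.localName)):
        out.append(' %s="%s"' % (a.name, _esc(a.value, True)))
    out.append(">")
    for c in elem.childNodes:
        if c.nodeType == c.ELEMENT_NODE:
            out.append(exc_c14n(c, prefix_list, rendered))
        elif c.nodeType in (c.TEXT_NODE, c.CDATA_SECTION_NODE):
            out.append(_esc(c.data))
    return "".join(out) + "</" + elem.tagName + ">"
def dereference(xml_text, wsu_id):  # the element a ds:Reference URI="#wsu_id" points at
    for e in minidom.parseString(xml_text).getElementsByTagName("*"):
        if e.getAttributeNS(WSU, "Id") == wsu_id:
            return e
    raise ValueError("no element carries wsu:Id=" + wsu_id)
def reference_digest(xml_text, wsu_id, prefix_list=()):
    """Recompute the ds:DigestValue a verifier derives for the ds:Reference to #wsu_id."""
    octets = exc_c14n(dereference(xml_text, wsu_id), prefix_list).encode("utf-8")
    return base64.b64encode(hashlib.sha1(octets).digest()).decode("ascii")

SAMPLE = (  # constructed message shaped like the Body reference in the comment; not a capture
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:echo="http://example.org/echo"><soapenv:Body xmlns:wsu="' + WSU + '" '
    'wsu:Id="wssecurity_signature_id_21"><echo:echoIn>1</echo:echoIn></soapenv:Body></soapenv:Envelope>')
```

Call reference_digest(SAMPLE, "wssecurity_signature_id_21", ("soapenv", "echo", "wsu")) and compare with the value produced without the PrefixList: the unused echo prefix is hoisted onto the Body in the first form and declared on echo:echoIn in the second, so the two octet streams and digests differ, which is the kind of signer/verifier disagreement behind a digest error.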