
Validating Archive Link secKey from C#

Former Member
0 Kudos

All,

I have written an archive link service using C#, and all is working great except when security is enabled. I have been reading around and the most feasible solution appears to be using BouncyCastle to do the validation; however, I keep getting the error 'message-digest attribute value does not match calculated value'.

The querystring is:

?info&pVersion=0045&contRep=IT&docId=001&accessMode=R&authId=CN%3DSAPHTTPCS000.pse,OU%3DI0020112593,OU%3DSAPWebAS,O%3DSAPTrustCommunity,C%3DDE&expiration=20100528121019&secKey=MIIBWQYJKoZIhvcNAQcCoIIBSjCCAUYCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGCASUwggEhAgEBMHYwcTELMAkGA1UEBhMCREUxHDAaBgNVBAoTE1NBUCBUcnVzdCBDb21tdW5pdHkxEzARBgNVBAsTClNBUCBXZWIgQVMxFDASBgNVBAsTC0kwMDIwMTEyNTkzMRkwFwYDVQQDExBTQVBIVFRQQ1MwMDAucHNlAgEAMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xMDA1MjgxMDEwMTlaMCMGCSqGSIb3DQEJBDEWBBTYx2fOt9K%2Fdui50Fz8sEgMiZSj1TAJBgcqhkjOOAQDBC8wLQIVAJ3iEzSAz%2BCHSmr7x6k7rrhrWhy3AhRQlSwXVnfYSp1%2FnWZc80R%2FXaAFWw%3D%3D

Which gives me the following string to validate with: IT001rCN=SAPHTTPCS000.pse,OU=I0020112593,OU=SAPWebAS,O=SAPTrustCommunity,C=DE20100528121019

(note: I have tried leaving the accessMode parameter in the same case as in the URL, to no avail)

Here is the code I am trying to use to validate the values

byte[] auth = System.Text.Encoding.ASCII.GetBytes(authString.ToString());
Org.BouncyCastle.Cms.CmsSignedData csd = new Org.BouncyCastle.Cms.CmsSignedData(new Org.BouncyCastle.Cms.CmsProcessableByteArray(auth), sk);
Org.BouncyCastle.Cms.SignerInformationStore store = csd.GetSignerInfos();
System.Collections.ICollection signers = store.GetSigners();

foreach (Org.BouncyCastle.Cms.SignerInformation sinfo in signers)
{
    try
    {
        //Sometimes failures error
        if (!sinfo.Verify(cert)) return false;
    }
    catch(Exception ex) { return false; }
}

return true;

The error occurs on the sinfo.Verify line.

Any ideas where I am going wrong would be greatly appreciated.

1 ACCEPTED SOLUTION

mvoros
Active Contributor
0 Kudos

Hi,

have a look at [SAP documentation|http://help.sap.com/printdocu/core/print46c/en/data/pdf/BCSRVARL/BCSRVARL.pdf] page 235. It specifies which parameters are included in the signature. For example, the name of the function is not signed. I don't see from your code what exactly you take as the message which is signed by the server's private key.

Cheers

5 REPLIES 5


Former Member
0 Kudos

Hi Martin,

Thanks for the reply. I have been using a slightly different document, but the gist is the same and I am fairly certain I am using the right parameters. So in the above I have used (in order) contRep + docId + accessMode + authId + expiryDate for an info message (using the 4.5 version of the interface btw). Does this look correct?

Thanks,

Simon

0 Kudos

Hi,

That's correct. I just found that function info is defined on page 247 and there is a table with flag sign. All your attributes need to be signed and there are no additional attributes. So I would try to check what hash function is used by your library. There are two possible hash functions: MD5 and RIPEMD. Is there any way to activate some kind of verbose mode in your library?

Cheers

Former Member
0 Kudos

Hi,

I am running into the same problem. Have you solved this issue for you in the meantime and could you share the results?

Regards

Mirco

Former Member
0 Kudos

Hi,

I am also facing the same problem.

Everything seems to be in line with SAP documentation, but the secKey is still not validating properly.

First I compute the hash from the message. The text form of message is similar on both sides of communication (SAP and Content Server). Then the message goes to be signed. It results in PKCS#7 message encoded with base64 sent in secKey by SAP.

On CS side I decode secKey and parse PKCS7 message. I find there messageDigest and the message itself. There is a first confusion: should the messageDigest or the message be the subject for verification? I put both of them to verification and it fails all the time.

Has anyone any ideas what can be wrong in this way?
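
Added example, not part of the thread and not SAP or BouncyCastle code: in a CMS/PKCS#7 SignedData that carries signed attributes, the signature is computed over those attributes, and the messageDigest attribute must equal the hash of the content string the verifier supplies, which is the comparison behind the 'message-digest attribute value does not match calculated value' error. This Python code pulls that attribute out of a DER-encoded secKey and reports which candidate string and hash reproduce it. The function names, the hash list and the sample values are assumptions constructed for illustration.

```python
import hashlib

# Content bytes of the messageDigest attribute OID 1.2.840.113549.1.9.4
MESSAGE_DIGEST_OID = bytes.fromhex("2a864886f70d010904")

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def find_message_digest(buf, start=0, end=None):
    """Depth-first search for Attribute { messageDigest OID, SET { OCTET STRING } }."""
    end = len(buf) if end is None else end
    kids = []
    while start < end:
        kids.append(read_tlv(buf, start))
        start = kids[-1][2]
    if (len(kids) == 2 and kids[0][0] == 0x06 and kids[1][0] == 0x31
            and buf[kids[0][1]:kids[0][2]] == MESSAGE_DIGEST_OID):
        _, vs, ve = read_tlv(buf, kids[1][1])  # the OCTET STRING inside the SET
        return buf[vs:ve]
    for tag, vs, ve in kids:
        if tag & 0x20:  # constructed element: descend into it
            found = find_message_digest(buf, vs, ve)
            if found is not None:
                return found
    return None

def matching_inputs(sec_key_der, candidates, hashes=("md5", "sha1")):
    """Return (hash, text) pairs whose digest equals the signed messageDigest."""
    want = find_message_digest(sec_key_der)
    if want is None:
        raise ValueError("no messageDigest attribute found")
    return [(h, c) for h in hashes for c in candidates
            if hashlib.new(h, c.encode("ascii")).digest() == want]

def der(tag, body):  # short-form encoder, used only to build the sample below
    return bytes([tag, len(body)]) + body

# Constructed sample (not the secKey from the thread): one signed attribute.
SIGNED_TEXT = "IT001rCN=Example,O=Constructed20300101000000"
SAMPLE = der(0x30, der(0xA0, der(0x30, der(0x06, MESSAGE_DIGEST_OID) + der(
    0x31, der(0x04, hashlib.sha1(SIGNED_TEXT.encode("ascii")).digest())))))
CANDIDATES = [SIGNED_TEXT, SIGNED_TEXT.replace("001r", "001R")]
```

For a real request, URL-decode and base64-decode the secKey parameter first and pass the resulting bytes as `sec_key_der`; the walker assumes definite-length (DER) encoding.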