
Digital signature and special characters in message


Hello,

We have a scenario sending messages from SAP PI to SAP ECC using the SOAP 1.1 message protocol and WS (message signing). Due to some circumstances we can't use the XI protocol. Everything works OK: SAP PI gets the message, signs it and sends it to SAP ECC, where the signature is validated. However, if the body parts contain some characters, for example ">", the DigestValue calculated by SAP ECC is different from the DigestValue delivered in the SOAP Header (calculated by SAP PI) and the signature validation process fails.

I observed that the character ">" is replaced by the escape sequence &gt; in the object that keeps the DigestValue, but I am not sure if this is the reason.

Both systems are on Unicode, SAP PI is 7.10, and SAP ECC has the same behavior on various versions (from 700 up to 731).

Does anyone have an idea how to correct this (canonicalization, or the hash calculation process)?

Some additional info:

ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"

Thanks, Martin.

4 REPLIES

martin_voros
Active Contributor
0 Kudos

Hi,

A quick workaround would be to encode the content with base64 in PI, sign it and then send it to ECC. This would avoid any issues with special characters. If PI is hashing < and ECC converts it to &lt; before calculating the hash then, obviously, the hashes will differ. How do you validate the signature in ECC?

Cheers

0 Kudos

Thanks, Martin, for the answer.

I am pretty sure your proposal will work; unfortunately this SAP PI is not in our hands, so we have to make changes in SAP ECC. In the meantime I tried this scenario with SAP PI 731 SP10 -> SAP ECC 740 (last kernel) with the same result. So I think there must be some standard workaround for how to deal with it.

Regards.

0 Kudos

Have you checked note 1836762 - Wrong signature digest for Web Service SOAP fault message?

Here is a comment from the fix in this note.

IF l_part_new is not initial.

* when the messages need to be transported in a secure way this method is called twice (because of 2x serialize)

* therefore the existing parts of m_fault_detail_new need to be deleted, but only if there are new parts available

So double serialization would explain why < is converted to &lt;. But I am really guessing, and the OSS note is talking about a different scenario. You can always raise an OSS message with SAP if you believe that it's a bug.

Cheers

0 Kudos

I looked at this note and saw similar code; however, there is a lot of functionality implemented in the kernel, so I can't tell if this is the case.

Meanwhile I needed to decide whether the message from SAP PI is valid or not. Unfortunately I did not find any tools that can handle the canonicalization method used, so I wrote some lines of Java code to verify this XML. According to this, the signature in the XML produced by PI seems valid.

To make the system work correctly I temporarily made changes in ABAP, where I took the base64 variable with the SOAP XML and changed some characters in the body (according to http://www.w3.org/TR/2001/REC-xml-c14n-20010315, chapter 3.4). After this, the signature is correctly calculated.

So now I have time to raise an OSS message and will see (I will keep you informed in this thread). Thanks for your care, Martin.

Regards.
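
The digest mismatch discussed in this thread, as an added example that is not part of any post: hashing the bytes as serialized gives different DigestValues for ">" and "&gt;", while hashing the canonical form gives the same one. It uses Python's `xml.etree.ElementTree.canonicalize` (C14N 2.0) as a stand-in for the exclusive C14N named in the question, on the assumption that both escape a namespace-free element the same way; the sample XML and function names are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed samples: two serializations of the same body element.
RAW_GT = '<Body><text>a > b</text></Body>'          # literal ">" in a text node
ESCAPED_GT = '<Body><text>a &gt; b</text></Body>'   # same character, escaped


def digest_b64(data: bytes) -> str:
    """SHA-1 digest, base64-encoded, the form carried in ds:DigestValue."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def digest_of_serialized(xml_text: str) -> str:
    """Digest over the bytes exactly as received (no canonicalization)."""
    return digest_b64(xml_text.encode("utf-8"))


def canonical_form(xml_text: str) -> str:
    """Canonical serialization: text nodes get & < > and CR escaped."""
    return ET.canonicalize(xml_data=xml_text)


def digest_of_canonical(xml_text: str) -> str:
    """Digest over the canonical form, as both signer and verifier must do."""
    return digest_b64(canonical_form(xml_text).encode("utf-8"))


if __name__ == "__main__":
    for name, doc in (("raw >", RAW_GT), ("&gt;", ESCAPED_GT)):
        print(name, "serialized:", digest_of_serialized(doc),
              "canonical:", digest_of_canonical(doc))
    # Edge case: ">" is escaped in text nodes but NOT in attribute values,
    # so a blanket replace of ">" over the whole document is not canonical.
    print(canonical_form('<e a="x&gt;y">p>q</e>'))
```
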