Hi Julius I'm beginning to get this now, but I still have a problem :-((
How do I obtain this result sXD2SsGQxI7DDFMwHwONxjGOaoI= from the data object in the soap envelope? Shouldn't it be the SHA1 digest of the text between <soapenv:Body Id="MsgBody">... in here ...</soapenv:Body> Then, is this a SHA1 with RSA digest instead of SHA1. If so, how does OPENSSL know this if the key is not used on the command line. Also, Goetz says that one normally digests & signs in one step, but I need to retrieve the digest as well as the signature value. Any ideas? David <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/";> <soapenv:Header><wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext";> <wsse:BinarySecurityToken EncodingType="wsse:Base64Binary" Id="X509Token" ValueType="wsse:X509v3"> MIIC6TCCAdGgAwIBAgIRAKJBsnHLRuiGajUMvwYJh+IwDQYJKoZIhvcNAQEFBQAw ZTELMAkGA1UEBhMCSUUxHjAcBgNVBAoTFVJldmVudWUgQ29tbWlzc2lvbmVyczEg MB4GA1UECxMXUmV2ZW51ZSBPbi1MaW5lIFNlcnZpY2UxFDASBgNVBAMTC1JPUyBS U0EgQ0EyMB4XDTA2MTAyMzEyMzI1M1oXDTA4MTAyMjEyMzI1M1owTjEWMBQGA1UE AxMNQURNSU5JU1RSQVRPUjETMBEGA1UECxMKMTg1OTgxMzI5NTESMBAGA1UEChMJ S0lORyBDT05HMQswCQYDVQQGEwJJRTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC gYEA9PlKOv3ZuTmiT4XsFSPBrduB3SZzu2bJvlgOK+MSDsbc2hRmJqZuzqRFGvCm J3kFyB2Sy5QX3XzYNjsqkb8gmYr/7pjZ1WzDx5aoAj+t4XWn07VkuPi30KJUQpbe IDO2Gebh0wcakdRDILeix3KxZRmjy0ts21vf/oqCyeX8tf8CAwEAAaMvMC0wCwYD VR0PBAQDAgbAMB4GA1UdEQQXMBWBE2FueWJvZHlAYWRkcmVzcy5jb20wDQYJKoZI hvcNAQEFBQADggEBAG30/xBilQzr34w912WMC8qV7xP1GkgMKmw+ioVWd0GlK3ny twuXIazF8C2y58zV4/oGI3gU2gzYKHb4g8Z6RJMvbwLCYzHqwbkTJ9KQe2mM6NT5 uENFKIqgi3fsyCGNRlhYOYZBZBcpCyS9umcfEclAHnLu9V5fCwqsYODxriGvoNG0 YE0vNx1Qgy3EL5y7M4P7FiSz3ajV1qv7DpBrGT2KSSR9WYwNm8+F/znPsD6Dh3d/ /+TzJzABX/QhEQWPNfUE95gnBVRkdaARMtDTA8QgyPHxAdSCu6ktshQfoy7W1qAO sNBv+q0dfL9WojnqIJGcKsc6UtaC0YWNKTDZ6wo= </wsse:BinarySecurityToken> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#MsgBody"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>sXD2SsGQxI7DDFMwHwONxjGOaoI=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> QnZ9BIpAwFYaF55BsZrzenrqGwOnmH+2N1dTXd1UgNumZnr0O1yJWFtwwEHbhhaQ C05xJvV0HY1rCBqfHCGw83rGpcGfAHrHMzVS9fncR7xqUGDVAPtb89ywji3RjxwN W2IxRvHDJt8VrNHZPZn/wVlGlJdseCDW11Qdotm6yDU= </ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI="#X509Token"/> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature></wsse:Security> </soapenv:Header> <soapenv:Body Id="MsgBody"><EdiCustomsDeclaration xsi:schemaLocation="http://www.ros.ie/schemas/customs/edisad/v1 C:\AEP\schemas\schemas\sadedifact\schema.xsd" xmlns="http://www.ros.ie/schemas/customs/edisad/v1"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";><![CDATA[UNB+UNOC:3+CA E00043270+REV.IE+070220:1252+070220125247'UNH+0022466+CUSDEC:D:96B:UN:IEA001 'BGM+22:105::EXA++X12'LOC+35+IE'LOC+36+SG'LOC+42+IEDUB100'LOC+14+ 'LOC+22+IEDUB100'LOC+18+:::IE00'GIS+ :160'GIS+1:146'EQD+CN+TRLU4621596'FTX+ACB++1D24+200701050100'RFF+ABI:43270'R FF+AAS:804550'TDT+12++1+++++:::TRLU4621596'TDT+11++1+++++::::IE'NAD+CZ+VAT82 26392B'NAD+CN+++HEWLETT PACKARD COMPANY FAR EST LTD+450 ALEXANDRA ROAD SINGAORE 11960+SINGAPORE+++SG'NAD+DT+CAE00043270'MOA+39:53251.50:USD'UNS+D'CST+1+4817 2000'LOC+27+IE'MEA+WT+AAA+KGR:6100.000'MEA+AAS++SPU:10.000'PAC+1++CT:67'PCI+ 28+1 PCS ADDR'MOA+123:40332.88'RFF+ACE:'RFF+CW::1'IMD+E'FTX+AAA+++PAPER PRODUCTS'DOC+N935+804550'GIS+001:PII'GIS+000:117::1000'UNS+S'CNT+5:1'UNT+38+ 0022466'UNZ+1+070220125247']]></EdiCustomsDeclaration> </soapenv:Body> </soapenv:Envelope> -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Julius Davies Sent: 27 February 2007 17:37 To: openssl-users@openssl.org Subject: Re: RSA-SHA1 Digest If you take the data inside here and base64 decode it, you end up with 20 bytes. <ds:DigestValue> sXD2SsGQxI7DDFMwHwONxjGOaoI= </ds:DigestValue> $ echo 'sXD2SsGQxI7DDFMwHwONxjGOaoI=' | openssl base64 -d | hexdump -C 00000000 b1 70 f6 4a c1 90 c4 8e c3 0c 53 30 1f 03 8d c6 00000010 31 8e 6a 82 The result is twenty bytes - you can count them. :-) b1 70 f6 4a c1 90 c4 8e c3 0c 53 30 1f 03 8d c6 31 8e 6a 82 yours, Julius On 2/27/07, WCR <[EMAIL PROTECTED]> wrote: > Julius, > > I'm a bit slow and a newbie, but this looks to me like a 28 byte string not > 20? > Can you explain please. > > <ds:DigestValue> > sXD2SsGQxI7DDFMwHwONxjGOaoI= > </ds:DigestValue> > > also Goetz, > > > Doing digest and sign in two steps is very unusual. > > Usually you process the digest and generate the signature > > in one step. > > Unfortunately, I think I do need both the digest and the signature to stuff > my xml message as in example attached in previous posts. > > Thank you both for your patience. > > David > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Julius Davies > Sent: 26 February 2007 22:30 > To: openssl-users@openssl.org > Subject: Re: RSA-SHA1 Digest > > > I think I finally understand. This isn't 28 bytes: > > <ds:DigestValue> > sXD2SsGQxI7DDFMwHwONxjGOaoI= > </ds:DigestValue> > > That's 20 bytes of base64 encoded bytes. > > So you really are using sha1. > > yours, > > Julius > > > On 2/26/07, Goetz Babin-Ebell <[EMAIL PROTECTED]> wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > Hello David, > > > > WCR wrote: > > > Julius > > > > > > You're probably pointing me in the right direction. > > Not really. > > > > > I tried "openssl dgst -sha224" and yes I got a 56byte hex string / > 28byte > > > character string. My problem now is I can't use it in my xml message > because > > > of invalid characters. > > > > > > If I try "openssl enc -base64" the output is 40bytes. > > > > > > Is there another step I need to take to get a valid string? > > > > Doing digest and sign in two steps is very unusual. > > Usually you process the digest and generate the signature > > in one step. > > > > If you only want a raw base64 encoded signature (no PKCS#7) > > You do the following: > > > > openssl dgst -sha1 -sign key.pem -out sig.bin datatobesigned.txt > > openssl enc -base64 -in sig.bin -out signature.b64 > > > > 1st step: digest and sign data > > 2nd step: convert generated binary signature into base64 > > With a 1024 bit RSA key the file is 175 bytes long (containing > > 3 line feeds) > > > > In a program the first step is done with the functions > > EVP_SignInit() (or EVP_SignInit_ex()), EVP_SignUpdate() and > > EVP_SignFinal() > > > > Bye > > > > Goetz > > -----BEGIN PGP SIGNATURE----- > > Version: GnuPG v1.4.2 (GNU/Linux) > > Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org > > > > iD8DBQFF4yvP2iGqZUF3qPYRAus7AJ9sTTd9kSvDYMOLjL88da0Rm/G8pACcD7qR > > zHll0H48SpOrutZJ036eycE= > > =S40W > > -----END PGP SIGNATURE----- > > ______________________________________________________________________ > > OpenSSL Project http://www.openssl.org > > User Support Mailing List openssl-users@openssl.org > > Automated List Manager [EMAIL PROTECTED] > > > > > -- > yours, > > Julius Davies > 416-652-0183 > http://juliusdavies.ca/ > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager [EMAIL PROTECTED] > > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager [EMAIL PROTECTED] > -- yours, Julius Davies 416-652-0183 http://juliusdavies.ca/ ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
