XmlDsigExcC14NTransform Namespace Propagation

  • Question

  • Hi All,

    I am using the System.Security.Cryptography.Xml.XmlDsigExcC14NTransform function to convert an XML document into C14N standard ready for applying hashes and digital signatures. I am having trouble creating the correct output as expected by the web service I am invoking.

    I have tracked the problem down to the C14N, and the problem seems to be for namespaces which are defined in the <soap:Envelope> element and are then also included in the PrefixList when using Exclusive C14N Canonicalization. In this case, the namespaces specified in the PrefixList which are defined in the <soap:Envelope> (but not defined in the actual child element) are not propagated down to the child when running C14N transformation.

    For example, if I have this;

    <soap:Envelope xmlns:parent="parent-namespace" xmlns:soap="w3.org/2003/05/soap-envelope">
        <soap:Header>
            <MessageID>abcdef-123456-abc123</MessageID>
        </soap:Header>
        <soap:Body>
        ....
        </soap:Body>
    </soap:Envelope>

    If I then want to create a C14N version of <MessageID> I use the following code;

    ' Load the SOAP message into an XmlDocument
    Dim instring As New IO.StreamReader("C:\Sample.xml")
    Dim xmldoc As String = instring.ReadToEnd()
    instring.Close()

    Dim canon As New System.Security.Cryptography.Xml.XmlDsigExcC14NTransform()
    Dim xd As New System.Xml.XmlDocument()

    xd.LoadXml(xmldoc)

    ' Set the prefix list before loading the input so it applies to this run
    canon.InclusiveNamespacesPrefixList = "parent soap"
    canon.LoadInput(xd)

    ' Read the canonicalized output back as a string
    Dim outstream As New IO.StreamReader(CType(canon.GetOutput(), IO.Stream))
    Dim outstring As String = outstream.ReadToEnd()

    MsgBox(outstring)

    However, when looking at the output displayed in the messagebox (i.e. the output in string 'outstring') then I see that the <MessageID> element does not have the "parent" or "soap" namespaces added to its attributes.

    At first I did not think this was an issue. But then I tested a web service using the SoapUI tool and what I observed there is that SoapUI does propagate those namespaces down to the child element.

    Please note I have simplified the issue here as ultimately I am testing some WS Security elements involving hashes, but the problem I am seeing at the moment is that the string value being sent in to the hash (SHA-256) function is different between using the .NET C14N and using SoapUI. The above illustrates the point, but what I don't quite understand is why the <soap:Envelope> namespace attributes are not propagated down to the child element. Do I somehow need to tell the Transform that I only want to extract the <MessageID> element? I didn't see any object or properties to allow this?

     

     

    Tuesday, June 11, 2013 10:32 PM

All replies

  • Hi rjtmerrett,

    I'll try to involve some other senior engineers in this thread. It may take some time to get the response. Your patience will be appreciated.

    Sorry for any inconvenience.

    Best regards,


    Chester Hong

    Thursday, June 13, 2013 2:26 AM
    Moderator
  • Hi Rjtmerrett,

    Unfortunately, I don't think I can address your question from the Forum, so you may want to open a support incident with Microsoft. You should check the following article: http://support.microsoft.com/kb/2639079?wa=wsignin1.0

    Although it's not related to your issue, you can register your own custom transform class. Within LoadInput, check whether the namespaces are being included (most likely they aren't). If not, you can add the namespaces in the LoadInput method. That should work.

    Thanks


    Carlos Lopez - Microsoft Escalation Engineer

    Wednesday, June 19, 2013 1:46 AM
  • Hi Carlos,

    Please can you clarify why you cannot address this in the forum? The point of the forum is to make the information available to other users, and if I raise a support ticket with MS then other users will not see the output. Furthermore, it will presumably cost me money to raise such a support incident?

    Are you suggesting I should spend my own money raising a support ticket for something which appears to be a bug? Are you able to confirm this is in fact a bug, because I have run the same functions in other frameworks (including Java) and they all have consistent output except for the MS .NET output. This really implies to me that it's a MS problem. Would you agree?

    Thanks.

    Thursday, July 4, 2013 9:00 PM
  • Hi Carlos and rjtmerrett,

    Did any of you manage to solve this problem?

    I need to communicate with an Apache service through WCF. As .NET does not provide me the correct bindings, I need to create my own.

    For this, I need to sign the SOAP's body and timestamp (in the security header).

    I manage to get the correct headers through SoapUI, but when I let .NET render the Digest of the same XML, I get another result. This is due to the same issue as you described here.

    In .NET, the parent namespaces are not propagated down, so the SHA-1 hash is incorrect.

    Best regards
    Steven

     
    Monday, June 3, 2019 6:28 AM
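
Added example, not part of the original thread and not .NET or SoapUI code: a simplified Exclusive C14N serializer in Python showing what the canonicalization rules yield for the <MessageID> subtree with and without the PrefixList "parent soap", and how that changes the SHA-256 digest input discussed in the posts above. The sample envelope is constructed from the question with an absolute SOAP namespace URI assumed, the helper names `in_scope`, `exc_c14n` and `digest_input` are hypothetical, and the input is assumed to contain no processing instructions or DTD.

```python
import hashlib
from xml.dom import minidom, XMLNS_NAMESPACE

# Constructed sample based on the question (absolute SOAP namespace URI assumed).
# Helper names below are hypothetical; this is not .NET or SoapUI code.
SAMPLE = ('<soap:Envelope xmlns:parent="parent-namespace" '
          'xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header>'
          '<MessageID>abcdef-123456-abc123</MessageID></soap:Header>'
          '<soap:Body/></soap:Envelope>')
TEXT = str.maketrans({"&": "&amp;", "<": "&lt;", ">": "&gt;", "\r": "&#xD;"})
ATTR = str.maketrans({"&": "&amp;", "<": "&lt;", '"': "&quot;",
                      "\t": "&#x9;", "\n": "&#xA;", "\r": "&#xD;"})

def in_scope(el):
    """Namespace declarations visible at el; the nearest declaration wins."""
    scope = {}
    while el is not None and el.nodeType == el.ELEMENT_NODE:
        for a in el.attributes.values():
            if a.namespaceURI == XMLNS_NAMESPACE:  # xmlns="..." or xmlns:p="..."
                scope.setdefault(a.localName if a.prefix else "", a.value)
        el = el.parentNode
    return scope

def exc_c14n(el, prefix_list="", rendered=None):
    """Exclusive C14N (no comments): emits visibly utilized and PrefixList namespaces."""
    rendered, scope = dict(rendered or {}), in_scope(el)
    attrs = [a for a in el.attributes.values() if a.namespaceURI != XMLNS_NAMESPACE]
    wanted = {el.prefix or ""} | {a.prefix for a in attrs if a.prefix}
    wanted |= {"" if p == "#default" else p for p in prefix_list.split()} & scope.keys()
    out = "<" + el.tagName
    for p in sorted(wanted):
        uri = scope.get(p, "")
        if rendered.get(p, "") != uri:  # skip declarations already in effect
            rendered[p] = uri
            out += ' xmlns%s="%s"' % (":" + p if p else "", uri.translate(ATTR))
    for a in sorted(attrs, key=lambda a: (a.namespaceURI or "", a.localName)):
        out += ' %s="%s"' % (a.name, a.value.translate(ATTR))
    out += ">"
    for child in el.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out += exc_c14n(child, prefix_list, rendered)
        elif child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            out += child.data.translate(TEXT)
    return out + "</" + el.tagName + ">"

def digest_input(xml_text, tag, prefix_list=""):
    """Return (canonical string, SHA-256 hex digest) for the first <tag> element."""
    c14n = exc_c14n(minidom.parseString(xml_text).getElementsByTagName(tag)[0], prefix_list)
    return c14n, hashlib.sha256(c14n.encode("utf-8")).hexdigest()
```

Comparing `digest_input(SAMPLE, "MessageID")` with `digest_input(SAMPLE, "MessageID", "parent soap")` shows the two canonical strings, and therefore the two digests, that the posts above are contrasting.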