12-02-2013 3:16 PM
Hi Experts,
I am a newbie in signing documents and I am facing a problem with signing an XML using report SSF02. I can sign an XML and it looks like:
But I expected something like that:
<?xml version="1.0" encoding="UTF-8"?>
<PurchaseOrder>
<Item number="130046593231">
<Description>Video Game</Description>
<Price>10.29</Price>
</Item>
<Buyer id="8492340">
<Name>My Name</Name>
<Address>
<Street>One Network Drive</Street>
<Town>Burlington</Town>
<State>MA</State>
<Country>United States</Country>
<PostalCode>01803</PostalCode>
</Address>
</Buyer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>tVicGh6V+8cHbVYFIU91o5+L3OQ=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
dJDHiGQMaKN8iPuWApAL57eVnxz2BQtyujwfPSgE7HyKoxYtoRB97ocxZ
8ZU440wHtE39ZwRGIjvwor3WfURxnIgnI1CChMXXwoGpHH//Zc0z4ejaz
DuCNEq4Mm4OUVTiEVuwcWAOMkfDHaM82awYQiOGcwMbZe38UX0oPJ2DOE=
</SignatureValue>
<KeyInfo>
<X509Data>
<X509SubjectName>
CN=My Name,O=Test Certificates Inc.,C=US
</X509SubjectName>
<X509Certificate>
MIIB9zCCAWCgAwIBAgIERZwdkzANBgkqhkiG9w0BAQUFADBAMQswCQYD
VQQGEwJVUzEfMB0GA1UEChMWVGVzdCBDZXJ0aWZpY2F0ZXMgSW5jLjEQ
MA4GA1UEAxMHTXkgTmFtZTAeFw0wNzAxMDMyMTE4MTFaFw0zMTA4MjUy
...
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</PurchaseOrder>
What am I doing wrong? Can someone give me some advice, or does someone have an example of how to handle signing XML within ABAP?
Thanks in advance.
Cheers, Alex
12-02-2013 10:31 PM
Hi,
Basically, the only signing format provided by ABAP AS out of the box is PKCS#7. On input it takes a binary blob. SSF02 takes a file from your PC and signs it. It does not perform any manipulation of the input (e.g. modifying the XML document). What you can see on that screen is the output of signing in PKCS#7 format.
Cheers
12-03-2013 7:07 AM
Hi Alexander,
I did not have a closer look at the XML, but it seems you are looking for XML-DSIG. At least when using OASIS Web Services based communication, ABAP has supported this for quite some time. See the docs for some more info.
What is the use case you want to create signed XML documents for?
Regards,
Patrick
12-03-2013 8:29 AM
Hi Patrick,
Yes, you are right. I am looking for XML-DSIG within ABAP. The use case is a communication process between two partners, and we want to make sure that the document has not been manipulated during the exchange. I will take a look at the link you posted. I hope it helps to solve the problem.
Cheers, Alex
12-03-2013 10:19 AM
Hi Alexander,
Can you please be more specific about the term communication process? How does the communication work on a protocol level? Is this Web Services based? Then you can just enable this in the web services properties.
Regards,
Patrick
12-04-2013 1:38 PM
Hi Patrick,
No, we don't want to use WS or PI. The communication process is not exactly specified at the moment, but it seems to be via SFTP or e-mail. We will send/host a signed XML document to the partner and then we will verify the document at the partner.
Cheers, Alex
12-04-2013 11:46 PM
Hi,
I am not aware of a simple API that would allow you to add a digital signature to XML. So take the following lines as my notes from exploring code. I quickly checked the code and I think you might be interested in development package SOAP_SECURITY. There is a class CL_ST_CRYPTO and its subclass CL_ST_CRYPTO_X509. Especially, method X509_SIGN might be interesting for you. It seems to use PKCS#1 to sign a hash of the XML message. So you could try to implement it all by yourself and reuse basic crypto primitives provided by SAP (never ever implement your own crypto). You need to calculate the digest of the XML using SHA-1 (section DigestValue). There might be some transformations required, such as encoding the XML message into base64 before calculating the hash. Then you need to sign it as it's done in CL_ST_CRYPTO_X509->X509_SIGN (section SignatureValue) and then add the public part of the key that was used for signing (section X509 certificate).
As you can easily see, development is going to be tricky and painful. So using something out of the box is much easier. Maybe you could try to re-use/misuse what is already implemented in ABAP. Configure a web service with digital signing for a fake host and use the enhancement framework to find a good spot where you could extract the already prepared message just before sending it to the fake host. Sending would fail but you would have your message.
Cheers
12-05-2013 12:19 AM
One could also use the open source XML Security Library (xmlsec) to create XML Signatures for XML documents. I have used it on Unix and Windows platforms.
12-05-2013 9:40 AM
Hi Martin,
The class you posted looks interesting and is another opportunity, but we decided to try another way. We will try using the standard ABAP functions of the report SSF02.
Cheers, Alex
12-05-2013 11:58 AM
AS ABAP 7.02 (and latest SPs of 7.01) contain the class CL_SEC_SXML_DSIGNATURE to create XML signatures. This is the implementation used for XML signing to government offices (nota fiscale Brasil, elster Germany) and also by SAML2.
In ABAP, digital signatures are handled by different components:
1) Canonicalization (C14N) is handled by the XML parser in the ABAP kernel
2) Logic inside ABAP
3) RSASHA1 signature calculation by the SAPCRYPTOLIB
Please check the class documentation. It references a report for testing the functionality, similar to SSF02.
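Added example (not part of the original thread and not SAP code): a Python sketch of the Reference digest step for an enveloped XML signature, showing why a signature over the raw file bytes, as SSF02 produces, is not interchangeable with XML-DSIG, where the digest is taken over the canonicalized document with the Signature element excluded. The sample documents are constructed, the function names are hypothetical, and Python's standard-library C14N 2.0 is assumed as a stand-in for the C14N 1.0 algorithm named in the sample's CanonicalizationMethod; the RSA signature over SignedInfo is not covered.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample data: the same order serialized two different ways.
DOC_A = ('<PurchaseOrder><Item number="130046593231"><Price>10.29</Price>'
         '</Item><Buyer id="8492340"/></PurchaseOrder>')
DOC_B = ("<?xml version='1.0'?><PurchaseOrder ><Item  number='130046593231'>"
         "<Price>10.29</Price></Item><Buyer id='8492340'></Buyer></PurchaseOrder>")
# DOC_A carrying an enveloped Signature element with placeholder content.
SIGNED = DOC_A.replace(
    "</PurchaseOrder>",
    f'<Signature xmlns="{DSIG_NS}"><SignatureValue>PLACEHOLDER'
    "</SignatureValue></Signature></PurchaseOrder>")
TAMPERED = SIGNED.replace("10.29", "0.29")


def raw_digest(xml_text):
    """SHA-1 over the bytes as transmitted, as a blob signer would see them."""
    return base64.b64encode(hashlib.sha1(xml_text.encode("utf-8")).digest()).decode()


def reference_digest(xml_text):
    """DigestValue input for <Reference URI=""> with the enveloped-signature transform."""
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag != f"{{{DSIG_NS}}}Signature":
                continue
            # Enveloped-signature transform: drop the Signature element but
            # keep the text that followed it (ElementTree stores it as .tail).
            idx = list(parent).index(child)
            if idx > 0:
                parent[idx - 1].tail = (parent[idx - 1].tail or "") + (child.tail or "")
            else:
                parent.text = (parent.text or "") + (child.tail or "")
            parent.remove(child)
    # Assumption: the standard library's C14N 2.0 stands in for C14N 1.0 here.
    canonical = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(canonical.encode("utf-8")).digest()).decode()


if __name__ == "__main__":
    print("raw bytes equal:    ", raw_digest(DOC_A) == raw_digest(DOC_B))
    print("canonical equal:    ", reference_digest(DOC_A) == reference_digest(DOC_B))
    print("signature ignored:  ", reference_digest(SIGNED) == reference_digest(DOC_A))
    print("tampering detected: ", reference_digest(TAMPERED) != reference_digest(DOC_A))
```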
12-05-2013 12:00 PM
Hi Martin,
CL_ST_CRYPTO_X509->X509_SIGN relies on the secure XML parser to compute C14N values for the data to be signed directly.
Customers must not use these classes directly but instead use class CL_SEC_SXML_DSIGNATURE.
Regards,
Martijn
12-05-2013 9:55 PM
01-07-2015 4:23 PM
Hi Martijn,
Can you help me with how to use the report SECXML_DSIGNATURE?
Cheers, Alex