Signing an XML with Report SSF02

Former Member
0 Kudos

Hi Experts,

I am a newbie in signing documents and I am facing a problem with signing an XML using report SSF02. I can sign an XML and it looks like:

But I expected something like that:

<?xml version="1.0" encoding="UTF-8"?>
<PurchaseOrder>
  <Item number="130046593231">
    <Description>Video Game</Description>
    <Price>10.29</Price>
  </Item>
  <Buyer id="8492340">
    <Name>My Name</Name>
    <Address>
      <Street>One Network Drive</Street>
      <Town>Burlington</Town>
      <State>MA</State>
      <Country>United States</Country>
      <PostalCode>01803</PostalCode>
    </Address>
  </Buyer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>tVicGh6V+8cHbVYFIU91o5+L3OQ=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>
      dJDHiGQMaKN8iPuWApAL57eVnxz2BQtyujwfPSgE7HyKoxYtoRB97ocxZ
      8ZU440wHtE39ZwRGIjvwor3WfURxnIgnI1CChMXXwoGpHH//Zc0z4ejaz
      DuCNEq4Mm4OUVTiEVuwcWAOMkfDHaM82awYQiOGcwMbZe38UX0oPJ2DOE=
    </SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509SubjectName>
          CN=My Name,O=Test Certificates Inc.,C=US
        </X509SubjectName>
        <X509Certificate>
          MIIB9zCCAWCgAwIBAgIERZwdkzANBgkqhkiG9w0BAQUFADBAMQswCQYD
          VQQGEwJVUzEfMB0GA1UEChMWVGVzdCBDZXJ0aWZpY2F0ZXMgSW5jLjEQ
          MA4GA1UEAxMHTXkgTmFtZTAeFw0wNzAxMDMyMTE4MTFaFw0zMTA4MjUy
          ...
        </X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</PurchaseOrder>

What am I doing wrong? Can someone give me some advice, or does someone have an example of how to handle signing XML within ABAP?

Thanks in advance.

Cheers, Alex

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Alexander,

I did not have a closer look at the XML, but it seems you are looking for XML-DSIG. At least when using OASIS Web Services based communication, ABAP has supported this for quite some time. See the docs for some more info.
What is the use case you want to create signed XML documents for?

Regards,

Patrick

12 REPLIES

mvoros
Active Contributor
0 Kudos

Hi,

Basically, the only signing format provided by ABAP AS out of the box is PKCS#7. On input it takes a binary blob. SSF02 takes a file from your PC and signs it. It does not perform any manipulation of the input (e.g. modifying the XML document). What you can see on that screen is the output of signing in PKCS#7 format.

Cheers

0 Kudos

Hi Patrick,

Yes, you are right. I am looking for XML-DSIG within ABAP. The use case is a communication process between two partners, and we want to make sure that the document has not been manipulated during the exchange. I will take a look at the link you posted. I hope it helps to solve the problem.

Cheers, Alex

0 Kudos

Hi Alexander,

can you please be more specific about the term communication process, how does the communication work on a protocol level? Is this Web Services based? Then you can just enable this in the web services properties.

Regards,

Patrick

0 Kudos

Hi Patrick,

No, we don't want to use WS or PI. The communication process is not exactly specified at the moment, but it seems to be via SFTP or e-mail. We will send/host a signed XML document to the partner and then we will verify the document at the partner.

Cheers, Alex

0 Kudos

Hi,

I am not aware of a simple API that would allow you to add a digital signature to XML. So take the following lines as my notes from exploring code. I quickly checked the code and I think you might be interested in development package SOAP_SECURITY. There is a class CL_ST_CRYPTO and its subclass CL_ST_CRYPTO_X509. Especially, method X509_SIGN might be interesting for you. It seems to use PKCS#1 to sign a hash of the XML message. So you could try to implement it all by yourself and reuse basic crypto primitives provided by SAP (never ever implement your own crypto). You need to calculate the digest of the XML using SHA-1 (section DigestValue). There might be some transformations required, such as encoding the XML message into base64 before calculating the hash. Then you need to sign it as it's done in CL_ST_CRYPTO_X509->X509_SIGN (section SignatureValue) and then add the public part of the key that was used for signing (section X509 certificate).

As you can easily see development is going to be tricky and painful. So using something out of the box is much easier. Maybe you could try to re-use/misuse what is already implemented in ABAP. Configure a web service with digital signing for a fake host and use enhancement framework to find a good spot where you could extract already prepared message just before sending it to fake host. Sending would fail but you would have your message.

Cheers

0 Kudos

One could also use the open source XML Security Library (xmlsec) to create XML Signatures for XML documents. I have used it on Unix and Windows platforms.

0 Kudos

Hi Martin,

The class you posted looks interesting and is another opportunity, but we decided to try another way. We will try using the standard ABAP functions of the report SSF02.

Cheers, Alex

0 Kudos

AS ABAP 7.02 (and latest SPs of 7.01) contain the class CL_SEC_SXML_DSIGNATURE to create XML signatures. This is the implementation used for XML signing to government offices (nota fiscale Brasil, elster Germany) and also by SAML2.

In ABAP, digital signatures are handled by different components:

1) Canonicalization (C14N) is handled by the XML parser in the ABAP kernel

2) Logic inside ABAP

3) RSASHA1 signature calculation by the SAPCRYPTOLIB

Please check the class documentation. It references a report for testing the functionality, similar to SSF02.
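
The digest step described in the posts above (drop the enveloped Signature, canonicalize, hash, base64) as an added Python example; it is not part of the original thread and is not SAP code. It assumes Python 3.8+, uses the standard library's C14N 2.0 canonicalizer in place of the C14N 1.0 algorithm named in the sample, and runs on a constructed, cut-down PurchaseOrder.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DSIG}
DIGESTS = {DSIG + "sha1": hashlib.sha1,  # DigestMethod URI -> hash constructor
           "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256}

def reference_digest(doc: bytes, algorithm: str) -> str:
    """DigestValue for <Reference URI=""> with the enveloped-signature transform."""
    root = ET.fromstring(doc)
    for parent in list(root.iter()):
        prev = None
        for kid in list(parent):
            if kid.tag == f"{{{DSIG}}}Signature":
                # Only the element goes; whitespace after it stays in the digest.
                if prev is None:
                    parent.text = (parent.text or "") + (kid.tail or "")
                else:
                    prev.tail = (prev.tail or "") + (kid.tail or "")
                parent.remove(kid)
            else:
                prev = kid
    # Assumption: stdlib canonicalize() is C14N 2.0, standing in for C14N 1.0.
    canonical = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    return base64.b64encode(DIGESTS[algorithm](canonical.encode("utf-8")).digest()).decode("ascii")

def reference_matches(doc: bytes) -> bool:
    """Recompute the digest and compare it with the DigestValue in the document."""
    ref = ET.fromstring(doc).find(".//ds:Reference", NS)
    algorithm = ref.find("ds:DigestMethod", NS).get("Algorithm")  # unknown URI -> KeyError
    stated = ref.find("ds:DigestValue", NS).text.strip()
    return hmac.compare_digest(stated, reference_digest(doc, algorithm))

# Constructed sample: cut-down PurchaseOrder plus a Signature skeleton (no SignatureValue).
ORDER = b'<PurchaseOrder><Item number="130046593231"><Price>10.29</Price></Item>%s</PurchaseOrder>'
SKELETON = ('<Signature xmlns="{0}"><SignedInfo><Reference URI=""><DigestMethod Algorithm="{0}sha1"/>'
            '<DigestValue>{1}</DigestValue></Reference></SignedInfo></Signature>')

def build_sample() -> bytes:
    value = reference_digest(ORDER % b"", DSIG + "sha1")
    return ORDER % SKELETON.format(DSIG, value).encode()

if __name__ == "__main__":
    good = build_sample()
    print(reference_matches(good), reference_matches(good.replace(b"10.29", b"0.29")))
```

A matching DigestValue only ties the document to SignedInfo. The RSA SignatureValue over the canonicalized SignedInfo still has to be verified against a trusted certificate, which this block does not do.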

0 Kudos

Hi Martin,

CL_ST_CRYPTO_X509->X509_SIGN relies on the secure XML parser to compute C14N values for the data to be signed directly.

Customers must not use these classes directly but instead use class CL_SEC_SXML_DSIGNATURE.

Regards,

Martijn

0 Kudos

Hi Martijn,

Thanks for this. I was not aware of this class. It's even documented. The testing program is called SECXML_DSIGNATURE. Not sure why I could not find it by using where-used for this class. I also found a note 1456433 that describes these 2 new classes.

Cheers

0 Kudos

Hi Martijn,

can you help me how to use the report SECXML_DSIGNATURE?

Cheers, Alex