
Digital Signatures

Former Member
0 Kudos

We are enabling SSO between SAP Web AS 6.40 and an External Pension Web System. We need to append a digital signature to the URL that accesses the Pensmart system.

We are using function module SSF_KRN_SIGN_BY_AS to generate digital signatures for input string 'UID=111223333&PID=ABCXYZ'. The digital signature is then base64 encoded using function module SSFC_BASE64_CODE. However, the digital signature value differs every time a signature is generated although the input string remains the same. Authentication fails at the Pensmart system because the digital signature cannot be verified. Any help on how to use SSF_KRN_SIGN_BY_AS for digital signatures or different options on digital signature generation will be appreciated! (I have already gone through SSP Programmers guide.)

We are using X.509 client certificates for PKI, SAP CRYPTOLIB as security toolkit. The certificate uses the RSA algorithm and was created using the SSF_CREATE_PSE report as per OSS note 836367.

1 ACCEPTED SOLUTION

WolfgangJanzen
Product and Topic Expert
0 Kudos

Please notice that you should first convert the strings to UTF-8 before calling the function module. Otherwise you risk that the binary representation of the characters varies (dependent on codepage and/or platform).

Cheers, Wolfgang

Former Member
0 Kudos

Hi Wolfgang,

I am converting the strings to UTF-8 before calling the function module. We are trying to enable SSO to an external third-party Pensmart website. Pensmart is using OpenSSL libraries to verify digital signatures. SAP function module SSF_KRN_SIGN generates digital signatures in PKCS#7 format. My understanding is that the PKCS#7 format wraps the raw signature with a timestamp, which makes the signature value different for every pass although the input remains the same. If the input does not change, Pensmart always expects the same value for the signature. Therefore the validation fails. Is there a function in SAP that will just provide the raw signature without the timestamp, or a function that would take the wrapped signature and extract the raw signature?

Thanks!

WolfgangJanzen
Product and Topic Expert
0 Kudos

Yes, you are right: a timestamp is added (PKCS#7 format).
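The behaviour confirmed in this exchange, as an added example that is not part of the original thread: using the OpenSSL command line, it signs the same input twice as a raw RSA signature and as a PKCS#7 SignedData blob, then shows that only the raw signature is byte-identical while both PKCS#7 blobs still verify. The key, certificate, subject name and temporary paths are constructed for the test, and it assumes RSA with PKCS#1 v1.5 padding, which is deterministic.

```shell
# Added example: constructed throwaway key and certificate, not the SAP PSE.
set -eu
work=$(mktemp -d)
msg="$work/msg.txt"
printf '%s' 'UID=111223333&PID=ABCXYZ' > "$msg"    # input string from the post

# Throwaway RSA key and self-signed certificate (constructed test identity).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=constructed-sso-signer' \
    -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null

# Raw RSA signature (PKCS#1 v1.5 over SHA-256), base64 on stdout.
raw_sig() {
    openssl dgst -sha256 -sign "$work/key.pem" "$msg" | openssl base64 -A
}

# PKCS#7 SignedData (DER, base64) with default signed attributes, incl. signingTime.
p7_sig() {
    openssl cms -sign -binary -nodetach -in "$msg" -signer "$work/cert.pem" \
        -inkey "$work/key.pem" -outform DER | openssl base64 -A
}

# Verify a base64 PKCS#7 blob against the trusted certificate; prints the signed content.
p7_verify() {
    printf '%s' "$1" | openssl base64 -d -A |
        openssl cms -verify -inform DER -CAfile "$work/cert.pem" 2>/dev/null
}

# Verify a base64 raw signature over $msg using only the public key.
raw_verify() {
    openssl x509 -in "$work/cert.pem" -pubkey -noout > "$work/pub.pem"
    printf '%s' "$1" | openssl base64 -d -A > "$work/sig.bin"
    openssl dgst -sha256 -verify "$work/pub.pem" -signature "$work/sig.bin" "$msg" >/dev/null
}

r1=$(raw_sig); p1=$(p7_sig)
sleep 2                        # let the signingTime attribute advance
r2=$(raw_sig); p2=$(p7_sig)

[ "$r1" = "$r2" ] && echo "raw RSA signatures: identical"
[ "$p1" != "$p2" ] && echo "PKCS#7 blobs: differ byte-for-byte"
[ "$(p7_verify "$p1")" = "$(cat "$msg")" ] && [ "$(p7_verify "$p2")" = "$(cat "$msg")" ] \
    && echo "both PKCS#7 blobs verify"
raw_verify "$r1" && echo "raw signature verifies"
```

A receiver that compares the PKCS#7 blob against a stored value will reject every fresh signature; the check that works is cryptographic verification of the blob against the signer's certificate.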

0 Kudos

Hi,

I've read this post about SSO and digital signature...

I have a lot of doubt about all of this...could you please give me a hand?

For example...I have an external security product for digital signing, called Izenpe. I've installed it on my PC and it runs OK. But how do I connect it to SAP?

Another question. With Function Group SSFG, if I use the KRN functions I sign in the WAS with the certificate of the server, is that correct? But if I want to sign locally, how can I choose a local certificate?

Please help!!

Thanks a lot.

Regards.

Urtzi.

WolfgangJanzen
Product and Topic Expert
0 Kudos

Well, PKCS#7 is a standard format - so, interoperability should not be a problem.

But what you should be aware of is the fact that you cannot expect the digital signature of (static) data to always be the same (due to the fact that timestamp and random number information also influence the result). That's different from hash functions (e.g. SHA-1, MD5, ...).

Regarding your 2nd question: have a kind look on