05-28-2010 11:11 AM
All,
I have written an archive link service using C#, and all is working great except when security is enabled. I have been reading around and the most feasible solution appears to be using BouncyCastle to do the validation; however, I keep getting the error 'message-digest attribute value does not match calculated value'.
The querystring is:
?info&pVersion=0045&contRep=IT&docId=001&accessMode=R&authId=CN%3DSAPHTTPCS000.pse,OU%3DI0020112593,OU%3DSAPWebAS,O%3DSAPTrustCommunity,C%3DDE&expiration=20100528121019&secKey=MIIBWQYJKoZIhvcNAQcCoIIBSjCCAUYCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGCASUwggEhAgEBMHYwcTELMAkGA1UEBhMCREUxHDAaBgNVBAoTE1NBUCBUcnVzdCBDb21tdW5pdHkxEzARBgNVBAsTClNBUCBXZWIgQVMxFDASBgNVBAsTC0kwMDIwMTEyNTkzMRkwFwYDVQQDExBTQVBIVFRQQ1MwMDAucHNlAgEAMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xMDA1MjgxMDEwMTlaMCMGCSqGSIb3DQEJBDEWBBTYx2fOt9K%2Fdui50Fz8sEgMiZSj1TAJBgcqhkjOOAQDBC8wLQIVAJ3iEzSAz%2BCHSmr7x6k7rrhrWhy3AhRQlSwXVnfYSp1%2FnWZc80R%2FXaAFWw%3D%3D
Which gives me the following string to validate with: IT001rCN=SAPHTTPCS000.pse,OU=I0020112593,OU=SAPWebAS,O=SAPTrustCommunity,C=DE20100528121019
(note: I have tried leaving the accessMode parameter in the same case as in the URL, to no avail)
Here is the code I am trying to use to validate the values:
using Org.BouncyCastle.Cms;
using Org.BouncyCastle.X509;

// authString: contRep + docId + accessMode + authId + expiration, built as described above
// sk: the secKey query parameter, URL-decoded and then Base64-decoded into raw PKCS#7 bytes
// cert: the SAP server's certificate (BouncyCastle X509Certificate) that signed the secKey
static bool ValidateSecKey(string authString, byte[] sk, X509Certificate cert)
{
    // The signature is detached: the signed content is not carried inside the PKCS#7
    // blob, so it is supplied here and must be byte-for-byte what the server hashed.
    byte[] auth = System.Text.Encoding.ASCII.GetBytes(authString);
    CmsSignedData csd = new CmsSignedData(new CmsProcessableByteArray(auth), sk);
    SignerInformationStore store = csd.GetSignerInfos();
    System.Collections.ICollection signers = store.GetSigners();
    foreach (SignerInformation sinfo in signers)
    {
        try
        {
            // Verify() first hashes 'auth' and compares it with the messageDigest signed
            // attribute, then checks the signature over the signed attributes with 'cert'.
            // The "message-digest attribute value does not match" error is thrown here.
            if (!sinfo.Verify(cert)) return false;
        }
        catch (Exception) { return false; }
    }
    return true;
}
The error occurs on the sinfo.Verify line.
Any ideas where I am going wrong would be greatly appreciated.
05-29-2010 10:04 AM
Hi,
have a look at [SAP documentation|http://help.sap.com/printdocu/core/print46c/en/data/pdf/BCSRVARL/BCSRVARL.pdf] page 235. It specifies which parameters are included in the signature. For example, the name of the function is not signed. I don't see from your code what exactly you take as the message which is signed by the server's private key.
Cheers
06-01-2010 8:19 AM
Hi Martin,
Thanks for the reply. I have been using a slightly different document, but the gist is the same and I am fairly certain I am using the right parameters. So in the above I have used (in order) contRep + docId + accessMode + authId + expiryDate for an info message (using the 4.5 version of the interface, btw). Does this look correct?
Thanks,
Simon
06-01-2010 9:30 AM
Hi,
That's correct. I just found that the function info is defined on page 247 and there is a table with a sign flag. All your attributes need to be signed and there are no additional attributes. So I would try to check what hash function is used by your library. There are two possible hash functions: MD5 and RIPEMD. Is there any way to activate some kind of verbose mode in your library?
Cheers
12-10-2012 4:37 PM
Hi,
I am running into the same problem. Have you solved this issue for you in the meantime and could you share the results?
Regards
Mirco
11-22-2013 10:42 AM
Hi,
I am also facing the same problem.
Everything seems to be in line with SAP documentation, but the secKey is still not validating properly.
First I compute the hash from the message. The text form of the message is similar on both sides of the communication (SAP and Content Server). Then the message is signed. The result is a PKCS#7 message, base64-encoded, which SAP sends in secKey.
On the CS side I decode secKey and parse the PKCS#7 message. I find there the messageDigest and the message itself. Here is the first confusion: should the messageDigest or the message be the subject of verification? I have tried verifying both of them, and it fails every time.
Has anyone any ideas what can be wrong in this way?
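An added example for both the original question and the last post above (this is not code from any poster, from SAP or from BouncyCastle). In a CMS/PKCS#7 SignedData with signed attributes, the messageDigest attribute holds the hash of the content and the signature covers the DER of the signed attributes, not the content directly; a verifier hashes the content it was given, compares that with messageDigest, and only then checks the signature. BouncyCastle's "message-digest attribute value does not match calculated value" is the first of those two steps failing, so the useful check is to pull the messageDigest out of the secKey and hash your own concatenation, independent of any library. The script below does that with only the Python standard library, using the secKey and the other parameters copied from the query string in the first post. It walks the DER with a minimal parser (enough for this structure; it is not a general ASN.1 library), reports the digest algorithm, whether the signature is detached, the signed messageDigest and signingTime, and which of the candidate concatenations hashes to that digest. The candidate set (accessMode as sent, accessMode lower-cased, authId left URL-encoded) is my own list of things to rule out, not something the thread establishes.

```python
import base64
import hashlib
from urllib.parse import unquote

# secKey copied from the query string quoted in the first post, still URL-encoded
# (the form in which the content server receives it).
SECKEY_URLENC = (
    "MIIBWQYJKoZIhvcNAQcCoIIBSjCCAUYCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGCASUwggEh"
    "AgEBMHYwcTELMAkGA1UEBhMCREUxHDAaBgNVBAoTE1NBUCBUcnVzdCBDb21tdW5pdHkxEzARBgNVBAsT"
    "ClNBUCBXZWIgQVMxFDASBgNVBAsTC0kwMDIwMTEyNTkzMRkwFwYDVQQDExBTQVBIVFRQQ1MwMDAucHNl"
    "AgEAMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0x"
    "MDA1MjgxMDEwMTlaMCMGCSqGSIb3DQEJBDEWBBTYx2fOt9K%2Fdui50Fz8sEgMiZSj1TAJBgcqhkjOOAQD"
    "BC8wLQIVAJ3iEzSAz%2BCHSmr7x6k7rrhrWhy3AhRQlSwXVnfYSp1%2FnWZc80R%2FXaAFWw%3D%3D"
)
# The remaining parameters of that same request (authId kept as sent, URL-encoded).
CONT_REP, DOC_ID, ACCESS_MODE, EXPIRATION = "IT", "001", "R", "20100528121019"
AUTH_ID_RAW = "CN%3DSAPHTTPCS000.pse,OU%3DI0020112593,OU%3DSAPWebAS,O%3DSAPTrustCommunity,C%3DDE"

OID_SHA1 = "1.3.14.3.2.26"
OID_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"
OID_SIGNING_TIME = "1.2.840.113549.1.9.5"


def der_parse(buf):
    """Parse DER into (tag, children) for constructed tags and (tag, bytes) for primitives."""
    nodes, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                      # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        value, pos = buf[pos:pos + length], pos + length
        nodes.append((tag, der_parse(value) if tag & 0x20 else value))
    return nodes


def oid_str(value):
    """Dotted-decimal form of a DER-encoded OID value."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def find_attr(nodes, oid):
    """Depth-first search for Attribute ::= SEQUENCE { OID, SET { value } }; returns the value bytes."""
    for tag, body in nodes:
        if not isinstance(body, list):
            continue
        if (tag == 0x30 and len(body) == 2 and body[0][0] == 0x06
                and oid_str(body[0][1]) == oid and body[1][0] == 0x31):
            return body[1][1][0][1]
        found = find_attr(body, oid)
        if found is not None:
            return found
    return None


def parse_seckey(seckey_urlenc):
    """Return (digest algorithm OID, detached?, messageDigest bytes, signingTime) from a secKey."""
    der = base64.b64decode(unquote(seckey_urlenc))
    content_info = der_parse(der)[0][1]        # SEQ { OID signedData, [0] SignedData }
    signed_data = content_info[1][1][0][1]     # SEQ { version, digestAlgorithms, encapContentInfo, ... }
    digest_alg = oid_str(signed_data[1][1][0][1][0][1])
    detached = len(signed_data[2][1]) == 1     # encapContentInfo has no eContent
    digest = find_attr(signed_data, OID_MESSAGE_DIGEST)
    signing_time = find_attr(signed_data, OID_SIGNING_TIME).decode("ascii")
    return digest_alg, detached, digest, signing_time


def candidate_messages():
    """Concatenations in the documented order, with the variants worth ruling out."""
    def build(mode, auth):
        return CONT_REP + DOC_ID + mode + auth + EXPIRATION
    return {
        "accessMode as sent": build(ACCESS_MODE, unquote(AUTH_ID_RAW)),
        "accessMode lower-cased": build(ACCESS_MODE.lower(), unquote(AUTH_ID_RAW)),
        "authId left URL-encoded": build(ACCESS_MODE, AUTH_ID_RAW),
    }


def matching_candidates(seckey_urlenc, candidates):
    """Names of the candidates whose hash equals the signed messageDigest attribute."""
    digest_alg, _, expected, _ = parse_seckey(seckey_urlenc)
    if digest_alg != OID_SHA1:
        raise ValueError("unexpected digest algorithm " + digest_alg)
    return [name for name, msg in candidates.items()
            if hashlib.sha1(msg.encode("ascii")).digest() == expected]


if __name__ == "__main__":
    alg, detached, digest, when = parse_seckey(SECKEY_URLENC)
    print("digest algorithm:", alg, "(SHA-1)" if alg == OID_SHA1 else "")
    print("detached signature:", detached)
    print("signed messageDigest:", digest.hex())
    print("signingTime:", when)
    print("matching candidates:", matching_candidates(SECKEY_URLENC, candidate_messages()) or "none")
```

The secKey on this page declares SHA-1 as its digest algorithm and carries no content (detached), so whatever bytes the content server passes to Verify() must hash with SHA-1 to the messageDigest value the script prints; if none of the candidates matches, the concatenation or its encoding is wrong and no amount of work on certificates or signature algorithms will help. Passing this check only tells you the content is right; the signature over the signed attributes and the certificate still need to be verified afterwards.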