signing same xml makes different signature every time

EDN Admin

Hello. I'm trying to sign an XML document with an X509 certificate. That's the source document:
```xml
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Header>
    <Action xmlns="http://schemas.microsoft.com/ws/2005/05/addressing/none" s:mustUnderstand="1">http://roskazna.ru/SmevUnifoService/UnifoTransferMsg</Action>
    <ActivityId xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics" CorrelationId="d1ee6720-525b-4745-8173-f86089d24521">d20437e1-a284-4597-ac92-47cc9eafd55d</ActivityId>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" id="Cert"></wsse:BinarySecurityToken>
    </wsse:Security>
  </s:Header>
  <s:Body id="body">
    <UnifoTransferMsg xmlns="http://roskazna.ru/SmevUnifoService/">
      <Message xmlns="http://smev.gosuslugi.ru/rev110801">
        <Sender>
          <Code>00408</Code>
          <Name>ООО «Научно-производственный центр Бюджетного учёта»</Name>
        </Sender>
        <Recipient>
          <Code>0000000000</Code>
          <Name>UNIFO</Name>
        </Recipient>
        <Originator>
          <Code>0000000001</Code>
          <Name>External Organization</Name>
        </Originator>
        <TypeCode>5</TypeCode>
        <Date>2013-01-01T00:00:00</Date>
      </Message>
      <MessageData xmlns="http://smev.gosuslugi.ru/rev110801">
        <AppData>
          <exportData xmlns="http://rosrazna.ru/xsd/SmevUnifoService">
            <DataRequest xmlns="http://roskazna.ru/xsd/PGU_DataRequest">
              <PostBlock xmlns="">
                <ID>254510</ID>
                <TimeStamp>2013-01-01T00:00:00</TimeStamp>
                <SenderIdentifier>00002</SenderIdentifier>
              </PostBlock>
            </DataRequest>
          </exportData>
        </AppData>
      </MessageData>
    </UnifoTransferMsg>
  </s:Body>
</s:Envelope>
```
The content of the <s:Body> element is always the same (the timestamps are static).

I'm performing the signing with a SignedXml object:
```csharp
X509Store store = new X509Store(StoreName.My);
store.Open(OpenFlags.ReadOnly);

var signingCerts = store.Certificates.Find(X509FindType.FindByThumbprint,
    "ea dc a4 4f c1 f0 9a 8a f5 c3 1e 2e 13 55 06 92 30 dd 41 7a", true);
store.Close(); // close before the early return so the store handle is not leaked
if (signingCerts.Count <= 0) return unsignedMessage;

var signingCert = signingCerts[0];

var signedXml = new SignedXml(xDoc);
signedXml.SigningKey = signingCert.PrivateKey;
signedXml.KeyInfo = new KeyInfo();
signedXml.KeyInfo.AddClause(new KeyInfoX509Data(signingCert));
signedXml.SignedInfo.SignatureMethod = signingCert.PrivateKey.SignatureAlgorithm;

// Reference the <s:Body id="body"> element, canonicalized with exclusive C14N
Reference reference = new Reference();
reference.Uri = "#body";
var env = new XmlDsigExcC14NTransform();
reference.AddTransform(env);
reference.DigestMethod = "http://www.w3.org/2001/04/xmldsig-more#gostr3411";
signedXml.SignedInfo.CanonicalizationMethod = "http://www.w3.org/2001/10/xml-exc-c14n#";
signedXml.AddReference(reference);

signedXml.ComputeSignature();
XmlElement xmlDigitalSignature = signedXml.GetXml();
```
The xmlDigitalSignature is (mostly):
```xml
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
    <SignatureMethod Algorithm="urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34102001-gostr3411"></SignatureMethod>
    <Reference URI="#body">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#gostr3411"></DigestMethod>
      <DigestValue>kAaM4srbIgOfz9AFbHwVIHqEKAGoQNSWBWDN/MsIRd8=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>Ol36sV+to2FmR6WJ3VrbgCU5HFiq5GPx8QWRfKfEO/Odqzz0iydSAdQk6gaMBtgqk04F92lzajF1McZU5eeb4w==</SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509Certificate>...</X509Certificate>
    </X509Data>
  </KeyInfo>
</Signature>
```
The DigestValue is always the same, but the SignatureValue is always different! I can verify the whole <Signature> element with the SignedInfo object, and it always returns true, but the SignatureValue is always different. How can that be?
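Added example, not from the original post and in Go rather than the poster's C#: GOST R 34.10-2001 is not in Go's standard library, so ECDSA P-256 stands in for it as a scheme that draws a fresh random nonce for every signature, with RSA PKCS#1 v1.5 alongside as the deterministic case. The code signs one digest twice under each scheme and reports whether the two signatures are byte-identical and whether both verify; the sample body bytes are constructed.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Run records the outcome of signing one digest twice with the same key.
type Run struct{ Identical, BothVerify bool }
// signTwice signs a digest twice and reports whether the two signatures are
// byte-identical and whether both verify under the matching public key.
func signTwice(digest []byte, sign func([]byte) ([]byte, error), verify func([]byte) bool) (Run, error) {
	sig1, err1 := sign(digest)
	sig2, err2 := sign(digest)
	if err1 != nil || err2 != nil {
		return Run{}, fmt.Errorf("signing failed: %v / %v", err1, err2)
	}
	return Run{Identical: string(sig1) == string(sig2), BothVerify: verify(sig1) && verify(sig2)}, nil
}

// ECDSARun signs msg twice with one fresh P-256 key. ECDSA, like GOST R 34.10-2001,
// draws a new random nonce on every call, so the signatures differ while both verify.
func ECDSARun(msg []byte) (Run, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Run{}, err
	}
	d := sha256.Sum256(msg) // same input, same digest, as in the poster's DigestValue
	return signTwice(d[:],
		func(h []byte) ([]byte, error) { return ecdsa.SignASN1(rand.Reader, key, h) },
		func(sig []byte) bool { return ecdsa.VerifyASN1(&key.PublicKey, d[:], sig) })
}

// RSARun does the same with RSA PKCS#1 v1.5, a deterministic scheme: the same
// key and digest always produce byte-identical signatures.
func RSARun(msg []byte) (Run, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Run{}, err
	}
	d := sha256.Sum256(msg)
	return signTwice(d[:],
		func(h []byte) ([]byte, error) { return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h) },
		func(sig []byte) bool { return rsa.VerifyPKCS1v15(&key.PublicKey, crypto.SHA256, d[:], sig) == nil })
}
```

A verifier never compares SignatureValue bytes across runs; it only checks that each signature validates against the digest and the certificate's public key, which is exactly what the poster observes.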