DataPower

  • 1.  verify signature in XSLT

    Posted Thu March 07, 2024 06:13 AM
    Edited by Michal Grzelak Thu March 07, 2024 06:35 AM

    Dear Community,

    I need to verify an XML signature inside an XSLT script (MPGW service with a Filter action) and catch the error so I can customize it in the response. The signature (XAdES) is base64-encoded as part of the input message; the message has multiple files inside a custom XML, including the base64 of the signature.

    I thought about calling the store:///verify.xsl transformation:

    <xsl:copy-of select="dp:transform('store:///verify.xsl', $decoded-signature)" />

    and it works fine, but I can't (or don't know how to) catch the error, for example "Hash values do not match.". It goes straight to the error rule, but I need to customize it inside the XSLT script with dp:reject and separate it from other uncaught errors:

    <dp:reject>{"errorcode": "123", "message": "error message: $fileName $signatureType (...)", "errortype": "signature"} </dp:reject>

    Any way to do that?

    Regards,

    Michal



    ------------------------------
    Michal Grzelak
    ------------------------------



  • 2.  RE: verify signature in XSLT

    Posted Thu March 07, 2024 08:57 AM

    Is there a reason why you won't use dp:verify(..) rather than dp:transform(...)?

    The result is an error string if it fails, which you can then use for the reject.

    See here:   https://www.ibm.com/docs/en/datapower-gateway/10.5.0?topic=functions-dpverify



    ------------------------------
    Joseph Morgan
    ------------------------------



  • 3.  RE: verify signature in XSLT

    Posted Thu March 07, 2024 09:20 AM
    Edited by Michal Grzelak Thu March 07, 2024 09:20 AM

    Joseph, thank you for the answer. I looked at dp:verify(..), but:

    1. it requires additional extracting/matching operations
    2. it looks like it performs only a subset of verify.xsl's capabilities
    3. it is not described in detail and doesn't provide full examples - for example, I can't find info on what signedInfoHash exactly is.

    I have the <SignedInfo> element, but what do I pass here: a hash of the whole element (and what kind of hash), the DigestValue, or something else?

    I tried several ways but couldn't get it working.

    <ds:SignedInfo Id="ID-6203c55b-0013-4bc5-ad09-c03c2a77d22b">
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference Id="ID-8c346cdd-ca51-4e82-9f13-8288cacd6e4c" URI="#ID-8f5eda2d-86f8-4e89-8a13-d496a5a195f2">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>srgdxlxv8HyLHFEZje+eV0BUEXANyEVoVwg4g4P15o=</ds:DigestValue>
        </ds:Reference>
        <ds:Reference Id="ID-93d7a8a8-c21e-4001-805f-079acae358f7" URI="#ID-1adaa0a0-ab45-4250-b184-f29223552a49" Type="http://uri.etsi.org/01903#SignedProperties">
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>9OfS3XReIWaOI5rvq13JjnSkPEeK+gTvIJiaCdDT4OQ=</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>

    Regards,

    Michal



    ------------------------------
    Michal Grzelak
    ------------------------------
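Editor's added example (not code from this thread and not DataPower's own code) for the two points raised in replies 2 and 3: what "an error string if it fails" looks like when the two stages of XML-DSig verification are kept apart, and what the hash of SignedInfo is. Every XML-DSig verifier first checks each ds:Reference digest against the data it points at (the "Hash values do not match" class of error) and only then checks ds:SignatureValue over the canonicalized ds:SignedInfo; per the XML-DSig spec, rsa-sha256 signs the SHA-256 digest of that canonical SignedInfo, which is what this example exposes as signed_info_hash(). Whether that exact base64 value is what dp:verify wants in its signedInfoHash parameter is not confirmed by the thread, so treat the IBM docs as authoritative on that. Assumptions in the example: HMAC-SHA256 stands in for rsa-sha256 so it runs on the Python standard library alone, C14N 2.0 (xml.etree's canonicalize, URI http://www.w3.org/2010/xml-c14n2) stands in for the 2001 C14N 1.0 URI in the posted signature, and the envelope, key and function names (sign, verify, signed_info_hash) are constructed for the demonstration.

```python
"""Added example: the two stages of XML-DSig verification, stdlib only.

Stage 1 checks each <ds:Reference> digest against the data it points at;
DataPower's verify.xsl reports a failure here as "Hash values do not match".
Stage 2 checks <ds:SignatureValue> over the canonicalized <ds:SignedInfo>;
the digest of that canonical SignedInfo is the "signedInfoHash".

Assumptions (this is not DataPower code): HMAC-SHA256 stands in for the
rsa-sha256 of the posted signature, and C14N 2.0 (xml.etree's canonicalize)
stands in for the 2001 C14N 1.0 URI, so the sample declares the C14N 2.0 URI.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
C14N2 = "http://www.w3.org/2010/xml-c14n2"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
ET.register_namespace("ds", DS[1:-1])

# Constructed sample: one signed payload; sign() fills DigestValue/SignatureValue.
TEMPLATE = """<Envelope>
  <Payload Id="data-1"><Amount>100.00</Amount><Beneficiary>ACME</Beneficiary></Payload>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2010/xml-c14n2"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>
      <ds:Reference URI="#data-1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue/>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue/>
  </ds:Signature>
</Envelope>"""
KEY = b"constructed-demo-key-not-for-production"  # hypothetical shared secret


def c14n(elem):
    """Canonical bytes of one element (its tail text excluded)."""
    tail, elem.tail = elem.tail, None
    try:
        raw = ET.tostring(elem, encoding="unicode")
    finally:
        elem.tail = tail
    return ET.canonicalize(raw).encode()


def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def element_by_id(root, uri):
    """Resolve a same-document reference "#Id"; None if absent or not same-document."""
    if not uri.startswith("#"):
        return None
    return next((e for e in root.iter() if e.get("Id") == uri[1:]), None)


def signed_info_hash(doc_xml):
    """Base64 SHA-256 of the canonicalized SignedInfo: the value an RSA-based
    verifier works from, since rsa-sha256 signs this digest, not the payload."""
    return b64_sha256(c14n(ET.fromstring(doc_xml).find(f".//{DS}SignedInfo")))


def sign(template_xml, key):
    root = ET.fromstring(template_xml)
    signed_info = root.find(f".//{DS}SignedInfo")
    for ref in signed_info.findall(f"{DS}Reference"):  # stage 1 values
        target = element_by_id(root, ref.get("URI"))
        ref.find(f"{DS}DigestValue").text = b64_sha256(c14n(target))
    mac = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()  # stage 2 value
    root.find(f".//{DS}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(root, encoding="unicode")


def verify(doc_xml, key):
    """Return "" when the signature verifies, else a message naming the failed
    stage (the "error string if it fails" contract that reply 2 describes)."""
    root = ET.fromstring(doc_xml)
    sig = root.find(f".//{DS}Signature")
    if sig is None:
        return "No ds:Signature element found"
    signed_info = sig.find(f"{DS}SignedInfo")
    if signed_info.find(f"{DS}CanonicalizationMethod").get("Algorithm") != C14N2:
        return "Unsupported CanonicalizationMethod"
    for ref in signed_info.findall(f"{DS}Reference"):  # stage 1
        uri = ref.get("URI", "")
        target = element_by_id(root, uri)
        if target is None:
            return f"Reference {uri!r} cannot be resolved"
        if ref.find(f"{DS}DigestMethod").get("Algorithm") != SHA256:
            return f"Unsupported DigestMethod for {uri!r}"
        claimed = (ref.find(f"{DS}DigestValue").text or "").strip().encode()
        if not hmac.compare_digest(b64_sha256(c14n(target)).encode(), claimed):
            return f"Hash values do not match for {uri!r}"
    if signed_info.find(f"{DS}SignatureMethod").get("Algorithm") != HMAC_SHA256:  # stage 2
        return "Unsupported SignatureMethod"
    claimed_sig = base64.b64decode((sig.find(f"{DS}SignatureValue").text or "").strip())
    expected = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, claimed_sig):
        return "SignatureValue does not verify over SignedInfo"
    return ""


if __name__ == "__main__":
    signed = sign(TEMPLATE, KEY)
    print("intact       :", verify(signed, KEY) or "OK")
    print("payload edit :", verify(signed.replace("100.00", "900.00"), KEY))
    print("wrong key    :", verify(signed, b"some-other-key"))
```

Because verify() returns a string instead of raising, the caller can route a non-empty result into its own reject (for example the JSON body in the first post) while a malformed document or an unsupported algorithm still surfaces as its own message; that separation is the part an XSLT filter built on dp:verify gets for free and a dp:transform('store:///verify.xsl', ...) call does not.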