DataPower

  • 1.  verify signature in XSLT

    Posted Thu March 07, 2024 06:13 AM
    Edited by Michal Grzelak Thu March 07, 2024 06:35 AM

    Dear Community,

    I need to verify XML signature inside XSLT script (MPGW service with Filter action) and catch an error to customize it in the response. The signature (XAdES) is base-64 encoded as part of the input message - it has multiple files inside a custom XML including base-64 of the signature.

    I thought about calling store:///verify.xsl transformation:

    <xsl:copy-of select="dp:transform('store:///verify.xsl', $decoded-signature)" />

    and it works fine but I can't or don't know how to catch the error, for example "Hash values do not match.". It goes straight to the error rule but I need to customize it inside the XSLT script with dp:reject and separate it from other uncaught errors:

    <dp:reject>{"errorcode": "123", "message": "error message: $fileName $signatureType (...)", "errortype": "signature"} </dp:reject>

    Any way to do that?

    Regards,

    Michal



    ------------------------------
    Michal Grzelak
    ------------------------------



  • 2.  RE: verify signature in XSLT

    IBM Champion
    Posted Thu March 07, 2024 08:57 AM

    Is there a reason why you won't use the dp:verify(..) rather than dp:transform(...)?

    The result is an error string if it fails, which you can then use for the reject.

    See here:   https://www.ibm.com/docs/en/datapower-gateway/10.5.0?topic=functions-dpverify



    ------------------------------
    Joseph Morgan
    ------------------------------



  • 3.  RE: verify signature in XSLT

    Posted Thu March 07, 2024 09:20 AM
    Edited by Michal Grzelak Thu March 07, 2024 09:20 AM

    Joseph, thank you for the answer. I looked at dp:verify(..) but:

    1. it requires additional extracting/matching operations
    2. it looks like it performs only a subset of verify.xsl capabilities
    3. it is not described in detail and doesn't provide full examples - for example I can't find info on what signedInfoHash exactly is.

    I have the <SignedInfo> element, but what do I pass here - hash of the whole element (what kind of hash), the DigestValue or something else?

    I tried several ways but couldn't get it working.

    <ds:SignedInfo Id="ID-6203c55b-0013-4bc5-ad09-c03c2a77d22b">
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference Id="ID-8c346cdd-ca51-4e82-9f13-8288cacd6e4c" URI="#ID-8f5eda2d-86f8-4e89-8a13-d496a5a195f2">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>srgdxlxv8HyLHFEZje+eV0BUEXANyEVoVwg4g4P15o=</ds:DigestValue>
        </ds:Reference>
        <ds:Reference Id="ID-93d7a8a8-c21e-4001-805f-079acae358f7" URI="#ID-1adaa0a0-ab45-4250-b184-f29223552a49" Type="http://uri.etsi.org/01903#SignedProperties">
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>9OfS3XReIWaOI5rvq13JjnSkPEeK+gTvIJiaCdDT4OQ=</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>

    Regards,

    Michal



    ------------------------------
    Michal Grzelak
    ------------------------------
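Added example, not part of this thread and not IBM's verify.xsl or dp:verify(): the XML-DSig core validation steps that produce a "Hash values do not match." style failure (post 1) and that involve the hash of SignedInfo asked about in post 3, written in Python with only the standard library so it runs offline. It checks each ds:Reference digest against the canonicalized referenced element, then hashes the canonicalized ds:SignedInfo and verifies the rsa-sha256 ds:SignatureValue over that hash, raising a structured error with the errorcode/message/errortype fields that the dp:reject message in post 1 uses. Everything here is constructed: the toy RSA key built from two Mersenne primes, the sample envelope, the error codes, and the use of the standard library's C14N 2.0 in place of the C14N 1.0 algorithm named in the SignedInfo. That the SHA-256 of the canonicalized SignedInfo is the value dp:verify's signedInfoHash parameter expects is this example's reading of the XML-DSig signing rule, an assumption and not a statement from the IBM documentation.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)

# Toy RSA key from two Mersenne primes (constructed so the example runs offline
# with only the standard library; never a key to use for anything real).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2

class SignatureError(Exception):
    """Carries the fields a custom reject message needs (code, message, type)."""
    def __init__(self, errorcode, message, errortype="signature"):
        super().__init__(message)
        self.errorcode, self.message, self.errortype = errorcode, message, errortype

def c14n(elem):
    """Canonical bytes of one subtree (stdlib C14N 2.0 stands in for the thread's C14N 1.0)."""
    el = copy.deepcopy(elem)
    el.tail = None  # tostring() would otherwise append the element's tail text
    return ET.canonicalize(ET.tostring(el, encoding="unicode")).encode()

def digest_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def emsa_pkcs1_v15(digest):
    """RSASSA-PKCS1-v1_5 encoding of a SHA-256 digest, as rsa-sha256 requires."""
    t = SHA256_DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def rsa_sign(digest):
    return pow(int.from_bytes(emsa_pkcs1_v15(digest), "big"), D, N).to_bytes(K, "big")

def rsa_verify(digest, signature):
    if len(signature) != K:  # PKCS#1: a signature of the wrong length is invalid
        return False
    em = pow(int.from_bytes(signature, "big"), E, N).to_bytes(K, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(digest))

def build_signed_envelope(amount):
    """Constructed sample input: a payload element plus an enveloped signature."""
    env = ET.Element("Envelope")
    doc = ET.SubElement(env, "Document", Id="data")
    ET.SubElement(doc, "Amount").text = amount
    sig = ET.SubElement(env, f"{{{DS}}}Signature")
    si = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(si, f"{{{DS}}}CanonicalizationMethod", Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315")
    ET.SubElement(si, f"{{{DS}}}SignatureMethod", Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
    ref = ET.SubElement(si, f"{{{DS}}}Reference", URI="#data")
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest_b64(c14n(doc))
    # The RSA signature covers the SHA-256 of the canonicalized SignedInfo, not the
    # payload; the payload is bound to the signature only through the Reference digest.
    signed_info_hash = hashlib.sha256(c14n(si)).digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(rsa_sign(signed_info_hash)).decode()
    return ET.tostring(env, encoding="unicode")

def verify_envelope(xml_text):
    """Check each Reference digest, then the SignatureValue over SignedInfo; every
    failure raises SignatureError with the fields for a custom reject message."""
    root = ET.fromstring(xml_text)
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        raise SignatureError("100", "no ds:Signature element in message")
    si = sig.find(f"{{{DS}}}SignedInfo")
    by_id = {el.get("Id"): el for el in root.iter() if el.get("Id")}
    for ref in si.findall(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        target = by_id.get(uri[1:]) if uri.startswith("#") else None
        if target is None:
            raise SignatureError("101", f"reference target {uri!r} not found")
        expected = ref.findtext(f"{{{DS}}}DigestValue", "").strip().encode()
        if not hmac.compare_digest(digest_b64(c14n(target)).encode(), expected):
            raise SignatureError("123", f"Hash values do not match for {uri}")
    signed_info_hash = hashlib.sha256(c14n(si)).digest()
    sig_value = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue", ""))
    if not rsa_verify(signed_info_hash, sig_value):
        raise SignatureError("124", "SignatureValue does not verify over SignedInfo")
    return True

def demo():
    """Returns (valid, error code for tampered payload, error code for tampered signature)."""
    good = build_signed_envelope("100")
    cases = (good.replace("<Amount>100</Amount>", "<Amount>900</Amount>"),
             good.replace("<ds:SignatureValue>", "<ds:SignatureValue>AAAA"))
    results = [verify_envelope(good)]
    for text in cases:
        try:
            results.append(verify_envelope(text))
        except SignatureError as err:
            results.append(err.errorcode)
    return tuple(results)
```

Calling demo() returns (True, '123', '124'): the untouched envelope verifies, a changed payload fails at the Reference digest check (the case the thread wants to turn into its own reject message, with err.errorcode, err.message and err.errortype available to format it), and a SignatureValue padded with extra leading zero bytes, which decodes to the same integer as the genuine signature, is rejected by the length check before the RSA step ever runs.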