Joseph, thank you for the answer. I looked at dp:verify(..) but:
- it requires additional extracting/matching operations
- it looks like it performs only a subset of verify.xsl capabilities
- it is not described in detail and doesn't provide full examples; for example, I can't find information on what signedInfoHash is exactly.
I have the <SignedInfo> element, but what do I pass here: a hash of the whole element (what kind of hash), the DigestValue, or something else?
I tried several ways but couldn't get it working.
<ds:SignedInfo Id="ID-6203c55b-0013-4bc5-ad09-c03c2a77d22b">
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference Id="ID-8c346cdd-ca51-4e82-9f13-8288cacd6e4c" URI="#ID-8f5eda2d-86f8-4e89-8a13-d496a5a195f2">
    <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue>srgdxlxv8HyLHFEZje+eV0BUEXANyEVoVwg4g4P15o=</ds:DigestValue>
  </ds:Reference>
  <ds:Reference Id="ID-93d7a8a8-c21e-4001-805f-079acae358f7" URI="#ID-1adaa0a0-ab45-4250-b184-f29223552a49" Type="http://uri.etsi.org/01903#SignedProperties">
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue>9OfS3XReIWaOI5rvq13JjnSkPEeK+gTvIJiaCdDT4OQ=</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>
Regards,
Michal
------------------------------
Michal Grzelak
------------------------------
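As an added illustration (not code from this thread and not DataPower's own), and on the assumption that a parameter named signedInfoHash denotes what XML-DSig actually signs, this Python computes that value from the SignedInfo above: the digest named by SignatureMethod over the canonicalized SignedInfo element itself, not any Reference's DigestValue. Assumptions: an xmlns:ds declaration is added to the excerpt so it parses stand-alone, and the standard library's canonicalize() implements C14N 2.0, which for an element like this one (no comments, processing instructions or inherited xml:* attributes) produces the same octets as the C14N 1.0 the element names.

```python
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Digest implied by the SignatureMethod URI (only the one used here).
SIGNATURE_METHOD_DIGEST = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "sha256"}

# The ds:SignedInfo from the post, with an xmlns:ds declaration added
# (assumed; the excerpt omits it) so that it parses on its own.
SIGNED_INFO = """<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="ID-6203c55b-0013-4bc5-ad09-c03c2a77d22b">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference Id="ID-8c346cdd-ca51-4e82-9f13-8288cacd6e4c" URI="#ID-8f5eda2d-86f8-4e89-8a13-d496a5a195f2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>srgdxlxv8HyLHFEZje+eV0BUEXANyEVoVwg4g4P15o=</ds:DigestValue>
</ds:Reference>
<ds:Reference Id="ID-93d7a8a8-c21e-4001-805f-079acae358f7" URI="#ID-1adaa0a0-ab45-4250-b184-f29223552a49" Type="http://uri.etsi.org/01903#SignedProperties">
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>9OfS3XReIWaOI5rvq13JjnSkPEeK+gTvIJiaCdDT4OQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>"""

# The same element with one attribute pair swapped and extra whitespace
# inside a start tag (constructed): canonicalization must erase both differences.
SIGNED_INFO_VARIANT = SIGNED_INFO.replace(
    'Id="ID-8c346cdd-ca51-4e82-9f13-8288cacd6e4c" URI="#ID-8f5eda2d-86f8-4e89-8a13-d496a5a195f2"',
    'URI="#ID-8f5eda2d-86f8-4e89-8a13-d496a5a195f2" Id="ID-8c346cdd-ca51-4e82-9f13-8288cacd6e4c"',
).replace(' Type="', '   Type="')

def canonical_signed_info(signed_info_xml):
    """Canonical octets of ds:SignedInfo, i.e. the exact bytes that were signed.
    xml.etree's canonicalize() is C14N 2.0; for this element (no comments, PIs
    or inherited xml:* attributes) its octets equal inclusive C14N 1.0.
    """
    return ET.canonicalize(signed_info_xml, with_comments=False).encode("utf-8")

def signed_info_hash(signed_info_xml):
    """(digest name, digest bytes) of the canonical SignedInfo.
    The hash is the one implied by SignatureMethod (not DigestMethod) and is
    taken over the whole canonical element, not from any Reference's DigestValue.
    """
    root = ET.fromstring(signed_info_xml)
    method = root.find(DS + "SignatureMethod").get("Algorithm")
    name = SIGNATURE_METHOD_DIGEST[method]
    return name, hashlib.new(name, canonical_signed_info(signed_info_xml)).digest()
```

A verifier compares this digest with the value recovered from SignatureValue under the signer's public key; the two Reference DigestValues are checked separately against the data they reference.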
Original Message:
Sent: Thu March 07, 2024 08:56 AM
From: Joseph Morgan
Subject: verify signature in XSLT
Is there a reason why you won't use the dp:verify(..) rather than dp:transform(...)?
The result is an error string if it fails, which you can then use for the reject.
See here: https://www.ibm.com/docs/en/datapower-gateway/10.5.0?topic=functions-dpverify
------------------------------
Joseph Morgan
Original Message:
Sent: Thu March 07, 2024 06:13 AM
From: Michal Grzelak
Subject: verify signature in XSLT
Dear Community,
I need to verify an XML signature inside an XSLT script (MPGW service with a Filter action) and catch an error to customize it in the response. The signature (XAdES) is base-64 encoded as part of the input message: it has multiple files inside a custom XML, including the base-64 of the signature.
I thought about calling store:///verify.xsl transformation:
<xsl:copy-of select="dp:transform('store:///verify.xsl', $decoded-signature)" />
and it works fine, but I can't (or don't know how to) catch the error, for example "Hash values do not match.". It goes straight to the error rule, but I need to customize it inside the XSLT script with dp:reject and separate it from other uncaught errors:
<dp:reject>{"errorcode": "123", "message": "error message: $fileName $signatureType (...)", "errortype": "signature"} </dp:reject>
Any way to do that?
Regards,
Michal
------------------------------
Michal Grzelak
------------------------------