I get a response: Hash values do not match.
I have the following code:
    public string SignSoapMessageVersion(string soapRequest, X509Certificate2 certificate)
    {
        RSA privateKey = certificate.GetRSAPrivateKey();

        // Load the SOAP request into an XML document. PreserveWhitespace keeps the text
        // nodes exactly as received, so the digests cover the bytes that are actually sent.
        XmlDocument soapEnvelope = new XmlDocument();
        soapEnvelope.PreserveWhitespace = true;
        soapEnvelope.LoadXml(soapRequest);

        KeyInfo keyInfo = AddKeyInfoPFX(certificate, soapEnvelope);

        SignedXmlWithId signedXml = new SignedXmlWithId(soapEnvelope);
        signedXml.SigningKey = privateKey;
        signedXml.KeyInfo = keyInfo;
        signedXml.SignedInfo.SignatureMethod = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;

        AddReferencesToSignedXml(signedXml);
        signedXml.ComputeSignature();

        XmlElement signatureElement = signedXml.GetXml();
        InsertSignatureIntoEnvelope(soapEnvelope, signatureElement);

        // Convert the modified XML document back to a string. XmlTextWriter defaults to
        // Formatting.None; switching on indentation here would change the signed bytes.
        using (StringWriter stringWriter = new StringWriter())
        using (XmlTextWriter xmlTextWriter = new XmlTextWriter(stringWriter))
        {
            soapEnvelope.WriteTo(xmlTextWriter);
            xmlTextWriter.Flush();
            return stringWriter.ToString();
        }
    }
After creating signedSoapRequest I send it over HTTP. Because the hash does not match, I expect a change in the XML, but I can't find one. I also checked my CanonicalizationMethod, but it is correct. I have looked for hours, but I can't see the problem.
The XML is as follows:
<soapenv:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ns="http://logius.nl/digipoort/koppelvlakservices/1.2/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing" wsu:Id="header-id">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="BST-75A5B475BDAC322DB1281E2F7F6D508A3FA01F35">{binarysecuritytoken}</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-2828">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>xfMJtd2LNORdDHd8FrWvZ3v6bKk=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#timestamp-id">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>pWpXBZk3+AoXZD9vnjQR8bVHIik=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-2830">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>Zne8qDKNG8EoX7jEb/GiGUuwrn4=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-2831">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>rhTgRqv1al0xXnIIaUiWIlYmJSk=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-2832">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>W0zDCg76HEpF5kk4uM8QrMGewJw=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-2829">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>NMDB73UNT5oviV5V8OuG/tqItSA=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>{securitytoken}</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-75A5B475BDAC322DB1281E2F7F6D508A3FA01F35">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-75A5B475BDAC322DB1281E2F7F6D508A3FA01F35">
<wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#BST-75A5B475BDAC322DB1281E2F7F6D508A3FA01F35" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="timestamp-id">
<wsu:Created>2024-03-25T19:23:31.976Z</wsu:Created>
<wsu:Expires>2024-03-25T19:28:31.976Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
<wsa:Action xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-2831"> http://logius.nl/digipoort/wus/2.0/afleverservice/1.2/AfleverService/afleverenRequest </wsa:Action>
<wsa:ReplyTo xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-2832">
<wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:MessageID xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-2830">uuid:0a528087-4b2e-4d89-ba5d-a0168b344f04</wsa:MessageID>
<wsa:To xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-2829">https://FQDNBedrijf/wus/2.0/afleverservice/1.2</wsa:To>
</soapenv:Header>
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-2828">
<ns:aanleverRequest xmlns:ns="http://logius.nl/digipoort/koppelvlakservices/1.2/">
<ns:berichtsoort>Jaarrekening</ns:berichtsoort>
<ns:aanleverkenmerk>12345678_2023-12-31</ns:aanleverkenmerk>
<ns:identiteitBelanghebbende>
<ns:nummer>12345678</ns:nummer>
<ns:type>KvK</ns:type>
</ns:identiteitBelanghebbende>
<ns:rolBelanghebbende>Intermediair</ns:rolBelanghebbende>
<ns:berichtInhoud>
<ns:mimeType>application/xml</ns:mimeType>
<ns:bestandsnaam>12345678_2023-12-31.xbrl</ns:bestandsnaam>
<ns:inhoud>{XBRL}</ns:inhoud>
</ns:berichtInhoud>
</ns:aanleverRequest>
</soapenv:Body>
</soapenv:Envelope>
SignedXML:
    public class SignedXmlWithId : SignedXml
    {
        public SignedXmlWithId(XmlDocument xml) : base(xml)
        {
        }

        public SignedXmlWithId(XmlElement xmlElement) : base(xmlElement)
        {
        }

        // SignedXml only resolves plain Id/id/ID attributes; WS-Security marks the signed
        // parts with wsu:Id, so fall back to that attribute.
        public override XmlElement GetIdElement(XmlDocument doc, string id)
        {
            // check to see if it's a standard ID reference
            XmlElement idElem = base.GetIdElement(doc, id);
            if (idElem == null)
            {
                const string WsuNs = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
                XmlNamespaceManager nsManager = new XmlNamespaceManager(doc.NameTable);
                nsManager.AddNamespace("wsu", WsuNs);

                // id comes from a Reference URI. When this class is also used to verify received
                // messages that is untrusted input, so compare it in code instead of splicing it
                // into the XPath string.
                foreach (XmlElement candidate in doc.SelectNodes("//*[@wsu:Id]", nsManager))
                {
                    if (candidate.GetAttribute("Id", WsuNs) == id)
                    {
                        idElem = candidate;
                        break;
                    }
                }
            }
            return idElem;
        }
    }
    private KeyInfo AddKeyInfoPFX(X509Certificate2 certificate, XmlDocument soapEnvelope)
    {
        const string WsseNs = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
        const string WsuNs = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

        // Create the KeyInfo object; its Id is derived from the certificate's Subject Key Identifier
        KeyInfo keyInfo = new KeyInfo();
        string subjectKeyIdentifierString = CalculateSubjectKeyIdentifierBase64(certificate);
        keyInfo.Id = $"KeyId-{subjectKeyIdentifierString}";

        // Create the SecurityTokenReference element. The wsse prefix must be bound to the
        // secext namespace (not the utility one); CreateElement emits the xmlns:wsse declaration itself.
        XmlElement securityTokenReferenceElement = soapEnvelope.CreateElement("wsse", "SecurityTokenReference", WsseNs);

        // Create the KeyIdentifier element carrying the Subject Key Identifier.
        // The ValueType for an SKI value is X509SubjectKeyIdentifier, not X509v3.
        XmlElement keyIdentifierElement = soapEnvelope.CreateElement("wsse", "KeyIdentifier", WsseNs);
        keyIdentifierElement.InnerText = subjectKeyIdentifierString;
        keyIdentifierElement.SetAttribute("ValueType", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier");
        securityTokenReferenceElement.AppendChild(keyIdentifierElement);

        // Create the Reference element. Its URI has to point at the wsu:Id of the
        // BinarySecurityToken in the Security header; the KeyInfo Id used here is not a token.
        XmlElement referenceElement = soapEnvelope.CreateElement("wsse", "Reference", WsseNs);
        referenceElement.SetAttribute("ValueType", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3");
        referenceElement.SetAttribute("URI", $"#KeyId-{subjectKeyIdentifierString}");
        securityTokenReferenceElement.AppendChild(referenceElement);

        // Set the wsu:Id attribute on the SecurityTokenReference element
        XmlAttribute wsuIdAttribute = soapEnvelope.CreateAttribute("wsu", "Id", WsuNs);
        wsuIdAttribute.Value = $"STRId-{subjectKeyIdentifierString}";
        securityTokenReferenceElement.SetAttributeNode(wsuIdAttribute);
        keyInfo.AddClause(new KeyInfoNode(securityTokenReferenceElement));

        // Also embed the certificate as X509Data in the KeyInfo
        keyInfo.AddClause(new KeyInfoX509Data(certificate));
        return keyInfo;
    }
Here is the Example XML:
<soapenv:Envelope xmlns:ns="http://logius.nl/digipoort/koppelvlakservices/1.2/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-EBA33C7F5357EA682B151438280566038">binarysecuritytoken</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-EBA33C7F5357EA682B151438280566445">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsa ns soapenv"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#TS-EBA33C7F5357EA682B151438280565037">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse wsa ns soapenv"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>5bI1/rqLbK6vCD3cPBxkHCLfhbk=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-EBA33C7F5357EA682B151438280566041">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ns"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>9X/ljiuWBBCvtlKMzYoxmoqiLAY=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-EBA33C7F5357EA682B151438280566042">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ns soapenv"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>uxv6IREYRgNPdcmoX8IFhCff8cM=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-EBA33C7F5357EA682B151438280566043">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ns soapenv"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>UDCeO2rcpBRezwcJBVTq/t/s96c=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-EBA33C7F5357EA682B151438280566044">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ns soapenv"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>lbnkNYvWlwrkyRJuZ7anSJdclMM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>e8z0pi7IkzT84Tz73aQoE6PVuFd+ht7jr9daKkhLgKh+QU01swbOLAFM2OvEyp6DIjZKYSptP5x1 comzrFRnd+Sqp/IvF/fmh2JWYlVIgaW8oXcHMlDnzop2U/sQFKND71Fke3LovmCVQoJpK+IMlhTj +DDgU24UJf03SaT1tNcZCsFHAgBhgofwWCCy8c3iuF2NW4NgyI6xsJ6FOa+0JhIIv1IlGPBpF9z2 KsXb40uONG4EKAzOClNSfWr+1Tf0nSdz3D1xTuQlIkOi6C94vP58TS/DW1luH7MHJIJtEPLgMuZ6 EnkG8aBhz00i+KB5A2d8oFpplmcx33usbNCpgQ==</ds:SignatureValue>
<ds:KeyInfo Id="KI-EBA33C7F5357EA682B151438280566039">
<wsse:SecurityTokenReference wsu:Id="STR-EBA33C7F5357EA682B151438280566040">
<wsse:Reference URI="#X509-EBA33C7F5357EA682B151438280566038" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="TS-EBA33C7F5357EA682B151438280565037">
<wsu:Created>2017-12-27T13:53:25.650Z</wsu:Created>
<wsu:Expires>2017-12-31T01:13:25.650Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
<wsa:Action xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-EBA33C7F5357EA682B151438280566044">http://logius.nl/digipoort/wus/2.0/aanleverservice/1.2/AanleverService/aanleverenRequest</wsa:Action>
<wsa:MessageID xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-EBA33C7F5357EA682B151438280566043">uuid:a923122a-3332-4711-b719-51204de8f267</wsa:MessageID>
<wsa:To xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-EBA33C7F5357EA682B151438280566042">https://cs-bedrijven.procesinfrastructuur.nl:443/cpl/aanleverservice/1.2</wsa:To>
</soapenv:Header>
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-EBA33C7F5357EA682B151438280566041">
<ns:aanleverRequest>
<ns:berichtsoort>Jaarrekening</ns:berichtsoort>
<ns:aanleverkenmerk>testjaarrekening</ns:aanleverkenmerk>
<ns:identiteitBelanghebbende>
<ns:nummer>12345678</ns:nummer>
<ns:type>KvK</ns:type>
</ns:identiteitBelanghebbende>
<ns:rolBelanghebbende>Bedrijf</ns:rolBelanghebbende>
<ns:berichtInhoud>
<ns:mimeType>application/xml</ns:mimeType>
<ns:bestandsnaam>jaarrekening.xbrl</ns:bestandsnaam>
<ns:inhoud>contentxbrl</ns:inhoud>
</ns:berichtInhoud>
</ns:aanleverRequest>
</soapenv:Body>
</soapenv:Envelope>
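"Hash values do not match" means at least one ds:Reference digest the receiver recomputes differs from the DigestValue carried in the message, and the quickest way to find which one is to redo the receiver's work yourself. The checker below is an added illustration, not code from the question or from the Digipoort service: it resolves each Reference URI by Id or wsu:Id just as SignedXmlWithId does, canonicalises the subtree, hashes it and reports per reference. It uses Python's built-in C14N 2.0 as an approximation of exc-c14n, and the envelope, ids and payload are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"}
for prefix, uri in NS.items():  # keep prefixes stable when subtrees are re-serialised
    ET.register_namespace(prefix, uri)
WSU_ID = "{%s}Id" % NS["wsu"]
DS_REF = "{%s}Reference" % NS["ds"]
def find_by_id(root, ref_id):
    """Resolve a Reference URI the way SignedXmlWithId.GetIdElement does: plain Id, then wsu:Id."""
    return next((el for el in root.iter() if ref_id in (el.get("Id"), el.get(WSU_ID))), None)

def digest_element(el):
    """Canonicalise the referenced subtree and hash it (xmldsig#sha1, as in the question)."""
    tail, el.tail = el.tail, None  # tail text belongs to the parent, not to the referenced element
    # C14N 2.0 emits only the namespaces actually used, like exc-c14n; an approximation, not bit-exact
    c14n = ET.canonicalize(ET.tostring(el, encoding="unicode"))
    el.tail = tail
    return base64.b64encode(hashlib.sha1(c14n.encode("utf-8")).digest()).decode("ascii")

def fill_digests(template):
    """Signer side: write a DigestValue into every ds:Reference (digests only, no SignatureValue)."""
    root = ET.fromstring(template)
    for ref in root.iter(DS_REF):
        ref.find("ds:DigestValue", NS).text = digest_element(find_by_id(root, ref.get("URI")[1:]))
    return ET.tostring(root, encoding="unicode")

def check_references(envelope_xml):
    """Receiver side: {URI: (DigestValue in the message, recomputed digest, match)} per ds:Reference."""
    root = ET.fromstring(envelope_xml)
    results = {}
    for ref in root.iter(DS_REF):
        uri = ref.get("URI", "")
        expected = (ref.findtext("ds:DigestValue", "", NS) or "").strip()
        target = find_by_id(root, uri[1:])
        actual = digest_element(target) if target is not None else None  # None: dangling reference
        results[uri] = (expected, actual, expected == actual)
    return results
TEMPLATE = (  # constructed envelope with the question's reference layout: signed Body and Timestamp
    '<soapenv:Envelope xmlns:soapenv="{soapenv}"><soapenv:Header>'
    '<wsse:Security xmlns:wsse="{wsse}" xmlns:wsu="{wsu}"><ds:Signature xmlns:ds="{ds}"><ds:SignedInfo>'
    '<ds:Reference URI="#id-body"><ds:DigestValue/></ds:Reference>'
    '<ds:Reference URI="#timestamp-id"><ds:DigestValue/></ds:Reference></ds:SignedInfo></ds:Signature>'
    '<wsu:Timestamp wsu:Id="timestamp-id"><wsu:Created>2024-03-25T19:23:31Z</wsu:Created></wsu:Timestamp>'
    '</wsse:Security></soapenv:Header><soapenv:Body xmlns:wsu="{wsu}" wsu:Id="id-body">'
    '<Payload>data</Payload></soapenv:Body></soapenv:Envelope>').format(**NS)
SIGNED = fill_digests(TEMPLATE)
TAMPERED = SIGNED.replace("</Payload>", "</Payload>\n  ")  # whitespace a pretty-printer adds inside Body
```

Running check_references over the bytes that actually leave the client (after InsertSignatureIntoEnvelope and the writer) shows the Body reference failing while the Timestamp still verifies, which is the pattern a re-serialisation or whitespace change produces.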
I'm still researching. The new error seems to be from the changes you made adding the method: SignedXmlWithId signedXml = new SignedXmlWithId(soapEnvelope);
I found one possible issue. The xml you posted has extra spaces in the namespaces at top of file where you have returns. Make sure you put the namespace on one line instead of two.
The last namespace (wsu:Id="soap-id") I think is part of the issue. Still researching.
Update: remove the namespace above and replace it with
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
Then change the following element
From: wsu:Id="timestamp-id" To: xsd:Id="timestamp-id"
See posting below:
'Malformed Reference Element' when adding a reference based on an Id attribute with SignedXml class
Not sure. I think the dates of the namespace may be old and the ID using a base64 string is new. It may be "XML Signature 2.0".
See https://www.w3.org/TR/xmldsig-core2/Overview-note-diff.html
Look at the sample XML in para 2.1 for ID. The namespace version is 2000/09. Then look at the algorithm, which is version 2010.
Warning 1
Warning 2
Warning 3
Warning 4 : This warning can be ignored since you do not have a body