SOAP Request - Signature PSE : SHA2 Required

YouriC
Participant

Hi,

I consume a SOAP WS via Enterprise Service Browser (SE80 - WSDL) and SOAMANAGER.
In SOAMANAGER I use the template "wsse:X509v3" and of course Signature PSE (Signing Key of transaction STRUST).
I need to use a template during logical port creation because the WSDL contains no WSSE information.

The network connection is OK and working ... BUT

Currently my requests are rejected by the provider because I use SHA1

<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

Error message:
<cod:description language="EN">Global Security Error. Hashing of signature is not correct.</cod:description>

The provider confirmed that I had to use "SHA2" instead of "SHA1".

I don't see how I can adapt this.
Can anyone help me?

Regards,
Youri

10 REPLIES

OlgenH
Participant

Hi Youri

I can't say that I have come across this issue but when SOAMANAGER doesn't provide the option to configure some aspect of the binding then the alternative is to change the WSDL manually and hope that SAP supports all the policies of the SOAP specification.

You say that WSDL doesn't contain WSSE information but where does

 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

come from as it looks like part of a security policy? Have you tried changing sha1 to sha256 in the wsdl and re-generate the binding?

I haven't come across the <ds> tag before but you can also try and use <wssp> to specify the hashing algorithm which should work in all ABAP releases. Maybe have a look at the SOAP specification on where exactly to add it depending on how your wsdl was generated.

Regards
Olgen


Hi Olgen,

Firstly, thank you for your answer.

Indeed the WSDL doesn't contain any information about the WSSE.
But the provider explained to me how to use it.
He confirmed that my request was OK except for the DigestMethod, I have to use SHA2.

The tag below comes from the trace on SRT_UTIL transaction > request analyze.

<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

If I understand you correctly, maybe I can create my own WSDL with the correct WSSE and DigestMethod, and use it on SOAMANAGER; after that my request must be correct and use SHA2 as I mentioned in my WSDL?
Currently in SOAMANAGER I have created my logical port via template "wsse:X509v3".

I'm going to look for an example of WSDL with this kind of settings.

Regards,
Youri


Hi Youri

When you create the logical port via template "wsse:X509v3", are you using the wsdl at any point, or do you simply specify the endpoint and the template defaults the other parameters, e.g. transport mechanism, authentication, keystore etc.?

I am not familiar with configuration templates in soamanager and the only reference I found is not clear: Using Configuration Templates

Are you able to share the wsdl to take a look?


I'm only using the Endpoint, and the template defaults.
I just select the right PSE during creation process.

I can't share the WSDL, sorry, but it's relatively basic.

Sandra_Rossi
Active Contributor

catinatyouri There's no reason you can't: just adapt it to remove the confidential and useless parts...

To help you, here's a minimal WSDL.

minimalwsdl.txt (minimal.wsdl)


Sorry, indeed I can.
FYI the echoService exists in 2 versions on the Provider.
I can use version 2 of the service; this one uses SHA1.
Version 3 (WSDL in attachment) uses SHA2 and I can't use it via SOAMANAGER.

As you can see the WSDL doesn't contain a lot of information.

fsb-echoservice.txt

Sandra_Rossi
Active Contributor

catinatyouri Sorry, I thought you would add manually the missing <wssp> part, as Olgen proposed. Did you try? If you don't know, could you ask the Web service provider to provide this part? If they don't, why?

Example: digital signature - How to make WCF client sign SecurityTokenReference:Reference - Stack Overflow

Also, I'm not sure if I understood correctly what you said. Did you try other configuration templates in SOAMANAGER?

Sandra_Rossi
Active Contributor

As Olgen asked, I also wonder where this <ds:digestmethod> comes from.

The latest WSSE standard I could find only mentions SHA1: Web Services Security Username Token (oasis-open.org).

You might contact the SAP support to see how they support custom-defined tokens (custom hash algorithm in your case).

If what Olgen proposed doesn't work, you can still change the hash algorithm manually.

By the way, you may generate the WSSE yourself, search this in the forum: get_protocol( IF_WSPROTOCOL=>WS_HEADER )

This may also help:

" WS-Security UsernameToken PasswordDigest:
"   Base64( HASH( nonce_bytes + created + password ) )
CLASS lcl_app DEFINITION.
  PUBLIC SECTION.
    CLASS-METHODS get_wsse_password_digest
      IMPORTING
        algorithm              TYPE string DEFAULT 'SHA1'  " e.g. 'SHA1' or 'SHA256'
        nonce                  TYPE string                 " Base64-encoded, as sent in wsse:Nonce
        created                TYPE string                 " wsu:Created timestamp as text
        password               TYPE string
      RETURNING
        VALUE(password_digest) TYPE string.                " Base64-encoded hash
ENDCLASS.
CLASS lcl_app IMPLEMENTATION.
  METHOD get_wsse_password_digest.
    DATA l_password_xstring TYPE xstring.
    DATA l_nonce_xstring TYPE xstring.
    DATA l_created_xstring TYPE xstring.
    DATA raw TYPE xstring.

    CLEAR password_digest.

    " Password and Created go in as their UTF-8 bytes
    CALL FUNCTION 'ECATT_CONV_STRING_TO_XSTRING'
      EXPORTING
        im_string   = password
        im_encoding = 'UTF-8'
      IMPORTING
        ex_xstring  = l_password_xstring.

    " The nonce is hashed as raw bytes, so decode it from Base64 first
    CALL FUNCTION 'SSFC_BASE64_DECODE'
      EXPORTING
        b64data = nonce
      IMPORTING
        bindata = l_nonce_xstring
      EXCEPTIONS
        OTHERS  = 8.

    CALL FUNCTION 'ECATT_CONV_STRING_TO_XSTRING'
      EXPORTING
        im_string   = created
        im_encoding = 'UTF-8'
      IMPORTING
        ex_xstring  = l_created_xstring.

    " Order matters: nonce, then created, then password
    CONCATENATE l_nonce_xstring l_created_xstring l_password_xstring INTO raw IN BYTE MODE.

    " Hash the concatenated bytes and return the digest Base64-encoded
    cl_abap_message_digest=>calculate_hash_for_raw(
          EXPORTING if_algorithm     = algorithm
                    if_data          = raw
          IMPORTING ef_hashb64string = password_digest ).
  ENDMETHOD.
ENDCLASS.
CLASS ltc_main DEFINITION
      FOR TESTING
      DURATION SHORT
      RISK LEVEL HARMLESS.
  PRIVATE SECTION.
    METHODS sha1 FOR TESTING.
    METHODS sha256 FOR TESTING.
    DATA nonce TYPE string VALUE '4YZ7O6YqBbsNkxzw2NGDBQ=='.
    DATA created TYPE string VALUE '2014-09-02T09:05:52.834Z'.
    DATA password TYPE string VALUE 'M335fdqs%$jm'.
    DATA password_digest TYPE string.
ENDCLASS.
CLASS ltc_main IMPLEMENTATION.
  METHOD sha1.
    password_digest = lcl_app=>get_wsse_password_digest( algorithm = 'SHA1' nonce = nonce created = created password = password ).
    cl_abap_unit_assert=>assert_equals( act = password_digest exp = 'YAdlpJqnGjc1aBmQN+e7GOIGPm8=' ).
  ENDMETHOD.
  METHOD sha256.
    password_digest = lcl_app=>get_wsse_password_digest( algorithm = 'SHA256' nonce = nonce created = created password = password ).
    cl_abap_unit_assert=>assert_equals( act = password_digest exp = 'kfGmO+omnqHntIwLRDXw9hzXSFx1zeRVpiT6RTL7xxg=' ).
  ENDMETHOD.
ENDCLASS.
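The ABAP above shows the client side of the UsernameToken PasswordDigest (Base64 of the hash over nonce bytes, Created and password). The following is an added example, not code from the thread or from SAP, written in Python so it can be run outside an ABAP system: it computes the same digest for SHA1 and SHA256, builds a constructed wsse:UsernameToken around it, and then verifies that token the way a provider would, with a freshness window on wsu:Created and a constant-time digest comparison. The username "youri", the 5-minute window and the verification function names are assumptions of this example; the nonce, Created and password values are the ones from the ABAP unit test.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace URIs from the OASIS WS-Security 1.0 / UsernameToken Profile 1.0 specifications
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")

# Same algorithm names the ABAP snippet hands to cl_abap_message_digest
HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256}

# Test inputs taken from the ABAP unit test in the reply above (nonce is Base64, as on the wire)
SAMPLE_NONCE_B64 = "4YZ7O6YqBbsNkxzw2NGDBQ=="
SAMPLE_CREATED = "2014-09-02T09:05:52.834Z"
SAMPLE_PASSWORD = "M335fdqs%$jm"


def password_digest(algorithm, nonce_b64, created, password):
    """Base64( HASH( nonce_bytes + created + password ) ): the bytes the ABAP concatenates."""
    if algorithm not in HASHES:
        raise ValueError(f"unsupported digest algorithm: {algorithm}")
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(HASHES[algorithm](raw).digest()).decode("ascii")


def build_username_token(username, password, algorithm, nonce_b64, created):
    """Constructed wsse:UsernameToken in the shape a client puts into the Security header."""
    digest = password_digest(algorithm, nonce_b64, created, password)
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{PASSWORD_DIGEST}">{digest}</wsse:Password>'
        f"<wsse:Nonce>{nonce_b64}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


def parse_created(created):
    """wsu:Created as a UTC datetime; accepts with or without fractional seconds, else None."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(created, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def verify_username_token(token_xml, passwords, algorithm, now, max_age=timedelta(minutes=5)):
    """Provider-side check of a digest token. Returns 'ok' or the reason for rejection."""
    ns = {"wsse": WSSE, "wsu": WSU}
    root = ET.fromstring(token_xml)
    username = root.findtext("wsse:Username", namespaces=ns)
    password_el = root.find("wsse:Password", ns)
    nonce_b64 = root.findtext("wsse:Nonce", namespaces=ns)
    created = root.findtext("wsu:Created", namespaces=ns)
    if password_el is None or password_el.get("Type") != PASSWORD_DIGEST:
        return "password is not a PasswordDigest"
    if not nonce_b64 or not created:
        return "nonce or created missing"
    if username not in passwords:
        return "unknown user"
    created_dt = parse_created(created)
    if created_dt is None:
        return "created timestamp unparseable"
    # Freshness window: a captured token is only replayable while Created is inside it
    # (a real provider also caches seen nonces for the length of the window)
    if not (now - max_age <= created_dt <= now + timedelta(minutes=1)):
        return "token outside freshness window"
    expected = password_digest(algorithm, nonce_b64, created, passwords[username])
    if not hmac.compare_digest(expected.encode("ascii"), (password_el.text or "").encode("utf-8")):
        return "digest mismatch"
    return "ok"


def verify_sample(algorithm, presented_password=SAMPLE_PASSWORD, now_offset_minutes=0):
    """Round trip: build a token from the sample inputs, verify it as the provider would."""
    token = build_username_token("youri", presented_password, algorithm, SAMPLE_NONCE_B64, SAMPLE_CREATED)
    now = datetime(2014, 9, 2, 9, 6, 0, tzinfo=timezone.utc) + timedelta(minutes=now_offset_minutes)
    return verify_username_token(token, {"youri": SAMPLE_PASSWORD}, algorithm, now)


if __name__ == "__main__":
    for alg in ("SHA1", "SHA256"):
        print(alg, password_digest(alg, SAMPLE_NONCE_B64, SAMPLE_CREATED, SAMPLE_PASSWORD), verify_sample(alg))
```

Running the module prints the SHA1 and SHA256 digests for the thread's inputs, which can be compared with the values in the ABAP unit test. The provider in the question rejects the token when the digest algorithm differs, which is exactly the "digest mismatch" branch here: both sides must agree on the hash before the comparison can succeed.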

Sandra_Rossi
Active Contributor

I just checked the code, either it's fully supported by SAP in SOAMANAGER or you just need to customize a little bit.

If you are willing to look at the relevant ABAP code, here are the parts:

The digital signature can be seen in the transformation SEC_DSIG_SIGNATURE and in the classes CL_ST_CRYPTO/CL_ST_CRYPTO_509, methods APPLY > SIGN > GET_ENDORSING_REFERENCE.

(high-level code starts in CL_WSSE_CONTEXT -> WRITE_SECURITY_HEADER)

The list of possible algorithms seems to be managed in the method CL_SECXML_HELPER=>translate_ssf_2_uri.

The possible values for SHA256 can be seen in the type pool WSSEC (here the values in ABAP 7.52 SP 4):

http://www.w3.org/2001/04/xmldsig-more#hmac-sha256

http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

http://www.w3.org/2009/xmldsig11#dsa-sha256

http://www.w3.org/2001/04/xmlenc#sha256

It would be good to ask what the WS publisher expects...

Sandra_Rossi
Active Contributor

Note that once the SAP Support helped me to update the configuration templates.