The signature method is HMAC-SHA1, and I already have <SignedInfo> generated. The problem is that I am not sure what to use as the key in the HMAC calculation.

I noticed that there are two <Entropy> elements, each enclosing a <BinarySecret>, one from the initial request (RST) and one from the response (RSTR). I read in WS-Trust that this indicates I could generate a proof key from these two binary values using PSHA1, as specified in the <ComputeKey> tag from the response. However, I could never get the same signature value as the one in the sample from the service provider.

Any information would help!

As an example:

  • The binary secret from RST is grrlUUfhuNwlvQzQ4bV6TT3wA8ieZPltIf4+H7nIvCE=
  • The binary secret from RSTR is YLABh3ZmZyiO5gvVLZe9J4JPd9w59KGeTFwE85XlzxE=
  • The correct signature value is nXJEN8p1nupMA/00TK03VZlADkU=
  • The signature value I generate is bEGpeRFsznafFRf86g281zKV3Ro=
  • The content of SignedInfo is as follows:
<SignedInfo>
  <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
  <Reference URI="#_0">
    <Transforms>
      <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>CwMGnFZklO7XsDfFguzl0tw7iHM=</DigestValue>
  </Reference>
</SignedInfo>
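The key derivation the question is asking about, as an added example that is not part of the original post: WS-Trust's PSHA1 ComputedKey is the TLS P_SHA1 function with the requestor entropy as the HMAC secret and the issuer entropy as the seed, truncated to the negotiated KeySize, and that key is then used for hmac-sha1 over the exclusive-C14N bytes of SignedInfo. The 256-bit default key size and the canonical SignedInfo string below are assumptions; the entropy values are the ones from the question.

```python
import base64
import hashlib
import hmac


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS P_SHA1 (RFC 2246 section 5), reused by WS-Trust ComputedKey/PSHA1.
    A(0) = seed, A(i) = HMAC(secret, A(i-1)); output blocks are HMAC(secret, A(i) + seed)."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def ws_trust_proof_key(requestor_entropy_b64: str, issuer_entropy_b64: str,
                       key_size_bits: int = 256) -> bytes:
    """key = P_SHA1(EntREQ, EntRES) truncated to KeySize: the RST entropy is the
    HMAC secret, the RSTR entropy is the seed. 256 bits is an assumed default;
    use the KeySize actually negotiated in the RST/RSTR."""
    return p_sha1(base64.b64decode(requestor_entropy_b64),
                  base64.b64decode(issuer_entropy_b64),
                  key_size_bits // 8)


def sign_signed_info(key: bytes, canonical_signed_info: bytes) -> str:
    """xmldsig#hmac-sha1 SignatureValue over the exclusive-C14N bytes of SignedInfo."""
    return base64.b64encode(hmac.new(key, canonical_signed_info, hashlib.sha1).digest()).decode()


# Entropy values copied from the question.
RST_ENTROPY = "grrlUUfhuNwlvQzQ4bV6TT3wA8ieZPltIf4+H7nIvCE="
RSTR_ENTROPY = "YLABh3ZmZyiO5gvVLZe9J4JPd9w59KGeTFwE85XlzxE="

# Constructed canonical form of the SignedInfo in the question (an assumption, not the real
# message). Exclusive C14N emits the inherited xmlns declaration, expands empty-element tags
# into start/end pairs and keeps inter-element whitespace exactly as in the source document,
# so the HMAC input must be these canonical bytes, not the pretty-printed text.
CANONICAL_SIGNED_INFO = (
    b'<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
    b'<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>'
    b'<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"></SignatureMethod>'
    b'<Reference URI="#_0"><Transforms>'
    b'<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>'
    b'</Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>'
    b'<DigestValue>CwMGnFZklO7XsDfFguzl0tw7iHM=</DigestValue></Reference></SignedInfo>'
)

if __name__ == "__main__":
    key = ws_trust_proof_key(RST_ENTROPY, RSTR_ENTROPY)
    print("proof key (b64):", base64.b64encode(key).decode())
    print("SignatureValue:", sign_signed_info(key, CANONICAL_SIGNED_INFO))
```

If the value still differs, compare the exact canonical bytes your library feeds to the HMAC (namespace prefixes, whitespace and the KeySize in the RST are the usual mismatches) rather than the derivation itself.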