@rwdaigle
Forked from mrezentes/xmldsig.md
Created September 26, 2016 17:27
XML Signature Syntax and Processing

Spreedly uses the xmldsig library to perform the signing. To sign an XML request, enclose the entire XML document to be signed in the {{#xml_dsig}} ... {{/xml_dsig}} template tags, as in the sample below. Spreedly renders the template first (filling in the security token, timestamps and any payment method fields) and then signs the rendered document, populating the empty <ds:DigestValue/> and <ds:SignatureValue/> elements of the signature template.

Nodes that should not be changed.

Do not modify the <wsse:Security> node; it must be kept exactly as given. At delivery time the server fills in the <wsse:BinarySecurityToken> content from the {{#binary_security_token}} tag and the <wsu:Timestamp> values from the {{#utc_timestamp}} tags, and the signer then populates the empty <ds:DigestValue/> and <ds:SignatureValue/> elements, so there is nothing in this node for you to edit.

Attributes that should not be changed.

Changing the wsu:Id attribute of any node will cause signature failures. Each <ds:Reference URI="#..."> in <ds:SignedInfo>, and the <wsse:Reference> in <ds:KeyInfo> that points at the certificate token, locates the element it covers by that element's wsu:Id. Renaming an Id (or reusing one on a second element) leaves the reference with no unambiguous target, so the digest for that reference cannot be computed by the signer or checked by the receiver.

Content that can be modified.

The institutionName, the appID and the body content may be modified without causing signature failures, because the digests are computed over the rendered document at delivery time, after your changes are in place. Content means the text between the XML tags, not the tags themselves or their attributes.

Sample successful doEcho request

curl https://core.spreedly.com/v1/receivers/<Receiver Token>/deliver.xml \
  -u 'Your credentials here' \
  -H 'Content-Type:application/xml' \
  -d '<delivery>
        <url>https://ws.mastercard.com/mtf/MRS/DiagnosticService</url>
        <headers><![CDATA[Content-Type: text/xml;charset=utf-8]]></headers>
        <body><![CDATA[{{#xml_dsig}}<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:ns1="http://diagnostic.ws.mcrewards.mastercard.com/"
                  xmlns:ns2="http://common.ws.mcrewards.mastercard.com/">
    <soapenv:Header>
        <com:identity xmlns:com="http://common.ws.mcrewards.mastercard.com/"
                      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                      wsu:Id="pfxe07c3068-8f69-e115-2c9c-6c5f4df49fdd">
            <com:appID>0</com:appID>
            <com:institutionName>loyaltyangels</com:institutionName>
        </com:identity>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                       soapenv:mustUnderstand="1">
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
                    <ds:Reference URI="#pfxb65d8fe8-185a-4edc-6589-3a08270deca3">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <ds:DigestValue/>
                    </ds:Reference>
                    <ds:Reference URI="#pfxbafb5d83-3a99-50af-d6b9-ceb1b8e64b5c">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <ds:DigestValue/>
                    </ds:Reference>
                    <ds:Reference URI="#pfxe07c3068-8f69-e115-2c9c-6c5f4df49fdd">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <ds:DigestValue/>
                    </ds:Reference>
                    <ds:Reference URI="#pfx1819ec29-f57f-d26e-e323-f5734617170e">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <ds:DigestValue/>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue/>
                <ds:KeyInfo>
                    <wsse:SecurityTokenReference>
                        <wsse:Reference
                                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                                URI="#pfxb65d8fe8-185a-4edc-6589-3a08270deca3"/>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
            <wsse:BinarySecurityToken
                    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                    wsu:Id="pfxb65d8fe8-185a-4edc-6589-3a08270deca3"
                    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
                {{#binary_security_token}}{{/binary_security_token}}</wsse:BinarySecurityToken>
            <wsu:Timestamp
                    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                    wsu:Id="pfxbafb5d83-3a99-50af-d6b9-ceb1b8e64b5c">
                <wsu:Created>{{#utc_timestamp}}{{/utc_timestamp}}</wsu:Created>
                <wsu:Expires>{{#utc_timestamp}}{{/utc_timestamp}}</wsu:Expires>
            </wsu:Timestamp>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                  wsu:Id="pfx1819ec29-f57f-d26e-e323-f5734617170e">
        <ns1:doEcho>{{ credit_card_number }}</ns1:doEcho>
    </soapenv:Body>
</soapenv:Envelope>{{/xml_dsig}}]]></body>
        <payment_method_token>9j3umvz8pXJSdCak58APhPm7i87</payment_method_token>
</delivery>'
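The following is an added example, not part of the original gist and not Spreedly's or MasterCard's code. It makes the three rules above concrete on the envelope from the sample request, using only the Python standard library: it resolves every ds:Reference and the KeyInfo wsse:Reference to the element carrying the matching wsu:Id, and computes a per-reference digest, so you can see that renaming a wsu:Id leaves a reference with no target (the signature failure the rules warn about) while editing institutionName changes only that element's digest, which is why content edits are harmless as long as they happen before signing. The compacted envelope, placeholder token, fixed timestamps and test card number are constructed for the example; the digest uses stdlib C14N 2.0 (ET.canonicalize) as a stand-in for the exclusive C14N the template declares, so the digest values are not the ones the real signer produces.

```python
# Added example, not Spreedly's or MasterCard's code: pre-flight checks on the
# envelope above, standard library only. Reference resolution is what every
# XML-DSig verifier does. The digests use stdlib C14N 2.0 (ET.canonicalize) as a
# stand-in for the exclusive C14N the template declares, so their bytes differ
# from the real signer's, but which edits change them is the same.
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"
WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"

# Constructed sample: the page's envelope with namespace declarations hoisted to
# the root, Transforms/DigestMethod elided, and the Spreedly template tags replaced
# by placeholders (fake token, fixed timestamps, test PAN). wsu:Ids are the page's.
ENVELOPE = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:ns1="http://diagnostic.ws.mcrewards.mastercard.com/" xmlns:com="http://common.ws.mcrewards.mastercard.com/"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soapenv:Header>
    <com:identity wsu:Id="pfxe07c3068-8f69-e115-2c9c-6c5f4df49fdd">
      <com:appID>0</com:appID><com:institutionName>loyaltyangels</com:institutionName>
    </com:identity>
    <wsse:Security soapenv:mustUnderstand="1">
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
          <ds:Reference URI="#pfxb65d8fe8-185a-4edc-6589-3a08270deca3"><ds:DigestValue/></ds:Reference>
          <ds:Reference URI="#pfxbafb5d83-3a99-50af-d6b9-ceb1b8e64b5c"><ds:DigestValue/></ds:Reference>
          <ds:Reference URI="#pfxe07c3068-8f69-e115-2c9c-6c5f4df49fdd"><ds:DigestValue/></ds:Reference>
          <ds:Reference URI="#pfx1819ec29-f57f-d26e-e323-f5734617170e"><ds:DigestValue/></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue/>
        <ds:KeyInfo><wsse:SecurityTokenReference>
          <wsse:Reference URI="#pfxb65d8fe8-185a-4edc-6589-3a08270deca3"/>
        </wsse:SecurityTokenReference></ds:KeyInfo>
      </ds:Signature>
      <wsse:BinarySecurityToken wsu:Id="pfxb65d8fe8-185a-4edc-6589-3a08270deca3">UExBQ0VIT0xERVI=</wsse:BinarySecurityToken>
      <wsu:Timestamp wsu:Id="pfxbafb5d83-3a99-50af-d6b9-ceb1b8e64b5c">
        <wsu:Created>2016-09-26T17:27:00Z</wsu:Created><wsu:Expires>2016-09-26T17:32:00Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="pfx1819ec29-f57f-d26e-e323-f5734617170e"><ns1:doEcho>4111111111111111</ns1:doEcho></soapenv:Body>
</soapenv:Envelope>"""


def _ids(root):
    """Map every wsu:Id value to the elements carrying it; a valid document has one each."""
    ids = {}
    for el in root.iter():
        wid = el.get(WSU + "Id")
        if wid is not None:
            ids.setdefault(wid, []).append(el)
    return ids


def resolve_references(envelope):
    """{URI: local name of the single element it targets, or None if dangling or
    ambiguous} for every ds:Reference and for the wsse:Reference inside ds:KeyInfo."""
    root = ET.fromstring(envelope)
    ids = _ids(root)
    out = {}
    for ref in list(root.iter(DS + "Reference")) + list(root.iter(WSSE + "Reference")):
        uri = ref.get("URI", "")
        targets = ids.get(uri[1:], []) if uri.startswith("#") else []
        out[uri] = targets[0].tag.rsplit("}", 1)[-1] if len(targets) == 1 else None
    return out


def reference_digests(envelope):
    """Base64 SHA-256 of each referenced subtree after canonicalization (stand-in C14N)."""
    root = ET.fromstring(envelope)
    ids = _ids(root)
    digests = {}
    for ref in root.iter(DS + "Reference"):
        uri = ref.get("URI")
        el = ids[uri[1:]][0]
        el.tail = None  # tail whitespace belongs to the parent, not the referenced subtree
        canon = ET.canonicalize(ET.tostring(el, encoding="unicode"), with_comments=False)
        digests[uri] = base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()
    return digests


def rename_id(envelope, old, new):
    """The forbidden edit: change a wsu:Id without touching the ds:Reference that cites it."""
    return envelope.replace(f'wsu:Id="{old}"'.encode(), f'wsu:Id="{new}"'.encode())


def set_institution(envelope, name):
    """A permitted edit: element content only, made before the digests are computed."""
    return envelope.replace(b">loyaltyangels<", b">" + name.encode() + b"<")


if __name__ == "__main__":
    for uri, target in resolve_references(ENVELOPE).items():
        print(uri, "->", target)
    broken = rename_id(ENVELOPE, "pfxe07c3068-8f69-e115-2c9c-6c5f4df49fdd", "my-own-id")
    print("dangling after wsu:Id rename:", [u for u, t in resolve_references(broken).items() if t is None])
    before, after = reference_digests(ENVELOPE), reference_digests(set_institution(ENVELOPE, "acme"))
    print("digests changed by a content edit:", [u for u in before if before[u] != after[u]])
```

Run it directly to print the resolution table and the two experiments. resolve_references returns None for an Id that occurs on two elements as well as for one that is missing: a resolver that silently takes the first match is what XML signature wrapping attacks exploit, so a pre-flight check should refuse duplicates just as it refuses dangling references.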
