SOAP encryption. should digital signature added before or after encryption?

Similar Messages

• Encryption and Digital signature in SAP

  Hi,
  We have a requirement to encrypt the payment data before it is sent to a Bank using SAP XI.We are planning to have a ABAP proxy which will do the encryption and hopefully attach a digital signature.We are working in SAPR/3 Enterprise edition.Does SAP supports doing  Encryption and digital signature in  ABAP.
  Thanks,
  Leo

  Hi Leo,
  have a look here:
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/icc/secure store and forwarddigital signatures user guide.pdf
  regards Andreas

• Encrypting a digital signature

  Hi,
  I have a problem, I'm trying to encrypt a digital signature (SHA1withRSA) using symmetric encryption (Rijndael). But when I decrypt the signature bytes and verify the signature I get the message that the signature is not ok, even though I know it is.
  Does anybody know what's the problem?

  Hi floersh
  Thanks for answering.
  I'm sending you the code which I use, the functions and the main method.
  Please, if you have the time give it a look.
  Running the code I noticed that :
  1) The message digest is 20-bytes long
  2) The signature is 128-bytes long
  3) The encrypted signature is 32-bytes long
  4) The decrypted ciphertext (signature) is 16-bytes long
  And I also noticed that the decrypted signature bytes are the same with the 16 last bytes of the original signature.
  As you can see I'm using SHA1withRSA to create and verify the signature, where the public and private keys are 1024-bits long, and the Rijdael (192-bits key)cipher, with CBC and PKCS5Padding, for symmetric encryption and decryption. I have also tried to use Rijndael with ECB and PKCS5Padding and still doesn't work, and Rijndael with ECB and NoPadding where I get a BadPadding exception.
  I look forward for your reply.
  public static void generateAndLockKeys(String publicKeyFilename,String privateKeyFilename) throws Exception{
  KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
  keyPairGenerator.initialize(1024);
  KeyPair keyPair = keyPairGenerator.genKeyPair();
  byte[] publicKeyBytes = keyPair.getPublic().getEncoded();
  FileOutputStream fos = new FileOutputStream(publicKeyFilename);
  fos.write(publicKeyBytes);
  fos.close();
  byte[] privateKeyBytes = keyPair.getPrivate().getEncoded();
  fos = new FileOutputStream(privateKeyFilename);
  fos.write(privateKeyBytes);
  fos.close();
  public static PrivateKey getPrivateKey(String privateKeyFilename, String password) throws Exception{
  FileInputStream fis = new FileInputStream(privateKeyFilename);
  ByteArrayOutputStream baos = new ByteArrayOutputStream();
  int theByte = 0;
  while ((theByte = fis.read())!= -1)
  baos.write(theByte);
  fis.close();
  byte[] keyBytes = baos.toByteArray();
  baos.close();
  PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(keyBytes);
  KeyFactory keyFactory = KeyFactory.getInstance("RSA");
  PrivateKey privateKey = keyFactory.generatePrivate(keySpec);
  return privateKey;
  public static PublicKey getPublicKey( String publicKeyFilename) throws Exception{
  FileInputStream fis = new FileInputStream(publicKeyFilename);
  ByteArrayOutputStream baos = new ByteArrayOutputStream();
  int theByte = 0;
  while ((theByte = fis.read())!= -1)
  baos.write(theByte);
  fis.close();
  byte[] keyBytes = baos.toByteArray();
  baos.close();
  X509EncodedKeySpec keySpec = new X509EncodedKeySpec(keyBytes);
  KeyFactory keyFactory = KeyFactory.getInstance("RSA");
  PublicKey publicKey = keyFactory.generatePublic(keySpec);
  return publicKey;
  public static boolean checkSignature( PublicKey publicKey, byte[] plaintext, byte[] signedtext) throws Exception{
  Signature signature = Signature.getInstance("SHA1withRSA");
  signature.initVerify(publicKey);
  signature.update(plaintext);
  boolean authorized = false;
  authorized = signature.verify(signedtext);
  return authorized;
  public static byte[] signWithSHAAndRSA(byte[] plaintext, PrivateKey privateKey) throws Exception{
  Signature signature = Signature.getInstance("SHA1withRSA");
  signature.initSign(privateKey);
  signature.update(plaintext);
  byte[] signedBytes = signature.sign();
  return signedBytes;
  public static byte[] encryptWithAES(byte[] plaintext, Key key, byte[] iv) throws Exception{
  Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
  IvParameterSpec spec = new IvParameterSpec(iv);
  cipher.init(Cipher.ENCRYPT_MODE, key,spec);
  cipher.update(plaintext);
  byte[] ciphertext = cipher.doFinal();
  return ciphertext;
  public static byte[] decryptWithAESKey (Key AESKey, byte[] ciphertext, byte[] iv) throws Exception{
  Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
  IvParameterSpec spec = new IvParameterSpec(iv);
  cipher.init(Cipher.DECRYPT_MODE,AESKey,spec);
  byte[] decryptedText = cipher.doFinal(ciphertext);
  return decryptedText;
  public static Key generateAESKey() throws Exception {
  KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
  keyGenerator.init(192);
  Key key = keyGenerator.generateKey();
  return key;
  public static byte[] initAndReturnIV(){
  SecureRandom random = new SecureRandom();
  byte[] iv = new byte[16];
  random.nextBytes(iv);
  return iv;
  public static void main(String[] args) throws Exception{
  Security.addProvider(new BouncyCastleProvider());
  try {
  generateAndLockKeys(System.getProperty("user.dir") + System.getProperty("file.separator") +
  "PublicKey",System.getProperty("user.dir")
  + System.getProperty("file.separator") +"PrivateKey");
  } catch (Exception e) {}
  Key AESKey= generateAESKey();
  byte[] iv = initAndReturnIV();
  byte[] array2 = signWithSHAAndRSA("Hello".getBytes("UTF8"),getPrivateKey(System.getProperty("user.dir")
  + System.getProperty("file.separator") +"PrivateKey"));
  byte[] he = encryptWithAES(array2,AESKey,iv);
  byte[] hd = decryptWithAESKey(AESKey,he,iv);
  boolean ok = checkSignature(getPublicKey(System.getProperty("user.dir") + System.getProperty("file.separator") +
  "PublicKey"),"Hello".getBytes("UTF8"),hd);
  }

• Outlook 2013 won't auto-save emails if encryption or digital signature is enabled.

  In Outlook 2013, I recently noticed that although I have Autosave enabled, I never get drafts autosaved. The option is located in File > Options > Mail > "Save Messages" section > "[ ] Automatically save items that have not been
  sent after this many minutes [3]."
  Experimenting with why I have lost 2 long emails after system crashes, I discovered that Outlook 2013 will
  only automatically save emails if the Encrypt and Sign buttons are turned off. By default, I enable both in our corporate environment. So I never benefit from auto-save. I've changed the Autosave location and tested various other settings to
  no avail. But Autosave always works fine if there's no digital signature or encryption enabled.
  Has anyone else encountered this? Is this a bug?

  Hi,
  I just tested on my Outlook 2013 and experienced exactly the same.
  This is pretty much by design, actually you may find you are even unable to manually save these emails as drafts if encryption or digital signature is enabled.  I can also confirm some email service providers don't allow saving Encrypted Emails
  as drafts either, so this is not a bug but how it works in Outlook.
  Regards,
  Melon Chen
  TechNet Community Support

• Should I repair permissions before or after updating to Mac OS X 10.7.2?

  Hi,
  Should I repair permissions before or after updating to Mac OS X 10.7.2? or should I fix permissions before and after the update?

  This is not a routine maintenance. Upgrades can be screwed up if the system that is upgraded is screwed up. I believe in a "better safe than sorry" approach. If you repair permissions and the hard drive prior to an upgrade then if there be a problem perhaps that problem will not propagate to the new upgraded system. If there are no problems doing the repairs is harmless.
  When it comes to the topic of permissions repairs there are many opinions but not much fact. In other words there doesn't appear to be a formal analysis of whether repairing permissions is only useful when a permissions problem arises. But there is a lot of anecdotal evidence suggesting that a repair both before and after a major system upgrade can reduce the risk of problems.
  This is my opinion on the matter. I do not generally disagree with Niel or MacJack, but as I said I prefer to be safe rather than sorry.
  Here's my general approach:
  How to Install Lion Successfully - You must have Snow Leopard 10.6.7 or 10.6.8 Installed
  A. Repair the Hard Drive and Permissions:
  Boot from your Snow Leopard Installer disc. After the installer loads select your language and click on the Continue button. Then select Disk Utility from the Utilities. After DU loads select your hard drive entry (mfgr.'s ID and drive size) from the the left side list.  In the DU status area you will see an entry for the S.M.A.R.T. status of the hard drive.  If it does not say "Verified" then the hard drive is failing or failed. (SMART status is not reported on external Firewire or USB drives.) If the drive is "Verified" then select your OS X volume from the list on the left (sub-entry below the drive entry,) click on the First Aid tab, then click on the Repair Disk button. If DU reports any errors that have been fixed, then re-run Repair Disk until no errors are reported. If no errors are reported click on the Repair Permissions button. Wait until the operation completes, then quit DU and return to the installer. Now restart normally. 
  If DU reports errors it cannot fix, then you will need Disk Warrior (4.3.) if DW cannot fix the drive, then you will need to reformat the drive and reinstall Snow Leopard.
  B. Make a Bootable Backup Using Restore Option of Disk Utility:
  Open Disk Utility from the Utilities folder.
  Select the destination volume from the left side list.
  Click on the Restore tab in the DU main window.
  Check the box labeled Erase destination.
  Select the destination volume from the left side list and drag it to the Destination entry field.
  Select the source volume from the left side list and drag it to the Source entry field.
  Double-check you got it right, then click on the Restore button.
  Destination means the backup volume. Source means the internal startup volume.
  C. Important: Please read before installing:
  If you have a FireWire hard drive connected, disconnect it before installing the update unless you will boot from this drive and install the update on it. Reconnect it and turn it back on after installation is complete and you've restarted.
  You may experience unexpected results if you have installed third-party system software modifications, or if you have modified the operating system through other means. (This does not apply to normal application software installation.)
  The installation process should not be interrupted. If a power outage or other interruption occurs during installation, use the standalone installer (see below) from Apple Downloads to update.  While the installation is in progress do not use the computer.
  D. To upgrade to Lion:
  Purchase the Lion Installer from the Mac App Store. The download will start quickly. Lion is nearly 4 GBs so a fast internet connection is essential. Download time could run upwards of 4 hours depending upon network conditions and server demands at the time.
  Boot From The Lion Installer which is located in your Applications folder.
  Follow instructions for installation.

• Is the 20% discount added before or after a reward certificate?

  Hello again. I got another question regarding the 20% discount. Is the 20% discount added before or after a reward certificate. So say for example, if I purchased a game for $60 and I had a $20 certificate, would my 20% discount activate first? Thus making the price 47.99 and then the $20 certificate reduced from that, making it 27.99 total. Or would it be the opposite and the certificate reduces off the $60 game first resulting in a grand total of 31.99?

  Hey again JRxPHANTOM,
  Good question! My Best Buy reward certificates are considered to be a form of payment, so they're applied to purchases after any applicable bundle pricing or discounts. Unlike traditional forms of payment though, they're applied before sales tax is calculated.
  Here's how it would work using the example you provided (a $60 game, 20% Gamers' Club Unlocked discount, and a $20 reward certificate):
  The base total is calculated ($60.00)
  Your GCU discount is applied ($60.00 - 20% = $48.00)
  The reward certificate is applied ($48.00 - $10.00 = $38.00)
  Sales taxes are calculated ($38.00 x local rate)
  The remaining balance due would then be collected, as with any other purchase.
  I hope this helps.
  Aaron|Social Media Specialist | Best Buy® Corporate
   Private Message

• I just purchased a bb 8330 and i want to install 5.0 os on it should i do it before or after i activate it?

  I just bought i new blackberry 8330 and i want to install 5.0 os on it. I have sprint as my carrier and i dont know if the allow 5.0 on their service. Should i install it before or after i activate it, or does it not matter?
  also how long will it take when i install it on my blackberry with no personal settings and should i back-up my blackberry before i do it even though i have nothing saved on it?

  anthonylo803 wrote:
  I just bought i new blackberry 8330 and i want to install 5.0 os on it. I have sprint as my carrier and i dont know if the allow 5.0 on their service. Should i install it before or after i activate it, or does it not matter?
  also how long will it take when i install it on my blackberry with no personal settings and should i back-up my blackberry before I do it even though I have nothing saved on it?
  Hi and welcome to the forums!
  I would activate it first and get used to the basic operation.
  The upgrade will take about an hour to be on the safe side, and yes always take a full backup before
  any upgrade. The link below will provide you with your carrier's website for downloading the Blackberry
  device OS. Do you have the Blackberry desktop manager installed? What version is it?
  Also attached is the upgrade procedure.
  Thanks,
  Bifocals
   KB03621
  How to use the application loader tool to install BlackBerry Device Software
  Carrier support page
  Click Accept as Solution for posts that have solved your issue(s)!
  Be sure to click Like! for those who have helped you.
  Install BlackBerry Protect it's a free application designed to help find your lost BlackBerry smartphone, and keep the information on it secure.

• SOAP 1.2 web service fails when SOAP header has digital signatures

  Hi,
  When we upgraded our JAX-RPC web services from SOAP 1.1 to SOAP 1.2, they started failing with the following response.
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Header>
  <env:Upgrade>
  <env:SupportedEnvelope xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"
  qname="soap12:Envelope"/>
  </env:Upgrade>
  </env:Header>
  <env:Body>
  <env:Fault xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <faultcode>env:VersionMismatch</faultcode>
  <faultstring>Version Mismatch</faultstring>
  <faultactor>http://schemas.xmlsoap.org/soap/actor/next</faultactor>
  </env:Fault>
  </env:Body>
  </env:Envelope>
  The following two errors were in log.xml
  An error occurred for port: {http://xxx.xxx.xxx/xxx/1.0/ws/TestService}TestServicePort: oracle.j2ee.ws.common.soap.fault.SOAP11VersionMismatchException: Version Mismatch.
  Unable to determine operation id from SOAP Message.
  We use web service handlers to add and verify digital signatures. The request message seems to be making it to the web service but is failing before reaching the web service handler which verifies the digital signature.
  Everything works fine when we don't add the digital signatures. The SOAP message without the digital signature doesn't have the SOAP header. I've listed the SOAP message with the digital signature below.
  <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
       xmlns:ns0="http://xxx.xxx.xxx/1.4/"
       xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
       <env:Header>
            <wsse:Security
                 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                      <ds:SignedInfo>
                           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
                           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
                           <ds:Reference URI="#Body">
                                <ds:Transforms>
                                     <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:Transform>
                                </ds:Transforms>
                                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                                <ds:DigestValue>...</ds:DigestValue>
                           </ds:Reference>
                      </ds:SignedInfo>
                      <ds:SignatureValue>
                      </ds:SignatureValue>
                      <ds:KeyInfo>
                           <ds:X509Data>
                                <ds:X509Certificate>
                                </ds:X509Certificate>
                           </ds:X509Data>
                           <ds:KeyValue>
                                <ds:RSAKeyValue>
                                     <ds:Modulus>
                                     </ds:Modulus>
                                     <ds:Exponent>AQAB</ds:Exponent>
                                </ds:RSAKeyValue>
                           </ds:KeyValue>
                      </ds:KeyInfo>
                 </ds:Signature>
            </wsse:Security>
       </env:Header>
       <env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body">
            <ns0:SearchRequestMessage
                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:gml="http://www.opengis.net/gml"
                 xmlns:xxx="http://xxx.xxx.xxxl/1.4/"
                 xmlns:ns5="http://www.w3.org/1999/xlink"
                 >
                 <xxx:SearchCriteria itemsPerPage="10" maxTimeOut="180000" startIndex="1" startPage="1" totalResults="25">
                 </xxx:SearchCriteria>
            </ns0:SearchRequestMessage>
       </env:Body>
  </env:Envelope>
  We are using Oracle AS 10.1.3.3.0, WSDL 1.1, and SOAP 1.2. Everything works fine with WSDL 1.1 and SOAP 1.1.

  Take a look 'How to Use a Custom Serializer with Oracle Application Server Web Services' [1].
  In your case, you should be looking at BeanMultiRefSerializer (org.apache.soap.encoding.soapenc), which will serialize your data using href and providing a way to deal with cycles.
  All the best,
  Eric
  [1] http://www.oracle.com/technology/tech/webservices/htdocs/samples/serialize/index.html

• Security Issues: SSL on SOAP Adapter and Digital Signature in BPM

  Hi there,
  we're developing a R/3-XI-3rd Party Application scenario, where the XI/3rd Party communication is based on a webservice (SOAP adapter with SSL). Also, the messages in the XI/3rd Party communication must be digitally signed. I've got some questions on both subjects.
  1. About the SSL. I've started to investigate what will be necessary to enable the HTTPS option under SOAP Adapter (it's not enabled now). If I'm not correct, all I need to do is:
  - check whether the SAP Java Crypto Lib is installed in the Web AS;
  - generate the certificate request in the Visual Administrator and, after acquiring the certificate, store it with the KeyStorage option.
  Is that right?
  I'm considering that I won't need to use SSL in the ABAP Web AS, only the J2EE Java Engine (since the SOAP Adapter is based on J2EE).
  2. About the digital signature. As a first solution, we had decided on accessing a webservice based on another machine running a signature application. We'd send the unsigned XML and receive a signed XML. But since that needed to be done into the BPM, I thought that using a piece of Java code in a mapping would suit it better.
  But to be able to use the hashing/encrypting/encoding algorithms, which library needs to be installed? Is it the same SAP Java Crypto Lib that was installed for the SSL enabling?
  Thanks in advance!

  Hello Henrique,
  1. You're right. For detailed instructions please have a look at the online help: http://help.sap.com/nw04 - Security - Network and Transport Layer Security - Transport Layer Security on the SAP J2EE Engine
  2. The SOAP adapter supports security profiles. Please have a look at the online docu http://help.sap.com/nw04 -Process Integration - SAP Exchange Infrastructure - Runtime - Connectivty - Adapters - SOPA Adapter - Configuring the Sender SOAP adapter and from the link under Security Parameters to the Sender Agreement. You'll find some additional information in the following document: http://service.sap.com/~sapdownload/011000358700002767992005E/HowToMLSXI30_02_final.pdf
  Rgds.,
  Andreas

• How to remove encryption in digital signature

  How to remove the encryption in the digital signatur
  I sign document and signature encrypt document hence not allowing future amendments.  How to remove encryption ??

  Thanks George for the help, I managed to create my own ID using your
  approach, Advanced > Security Settings > Digital IDs > add ID, but when I
  signed it with the PDF of my signature, it is showed as my name in Typing
  such as "XXX YY", instead of the handwritten form. I managed to use the
  same PDF of my signature (signed and converted to PDF) last week when I
  used the Pro 9, how can I attach my signature the same way in handwritten
  form instead of being convered to "XXX YY" and appears "digitally signed"
  Thanks again.

• Using a digital signature in 7.0 after it is created

  I created a digital signature in Acrobat 7.0. I'll use it once to sign a document. When I create a new document and try to sign it, it says my password is incorrect. I know it is not incorrect as I had only created it barely 5 minutes before. And I wrote it down! What is going on? Do I need to recreate a new digital signature for every document I sign? I'm not using third party verification.
  Thank you in advance for your thoughts and advice.

  Most third party signature pads require two things. 
  1.  An Acrobat plug-in
  2.  A device driver to connect the plug-in to device data being used for the signture.
  Which third party Signature Pad are you using and which software are you using in conjunction with the Signature Pad.

• Wrong Digital Signature for Add-on - After Install - When Start Add - on

  Hi there,
  I have created Addon Installer with the B1DE Installer Setup. After that also use batch file AddOnRegDataGen.bat to Generate Ard File.
  After I addon install successfully, BUT when I want to Start it , It Prompts message
  "Wrong Digital Signature for Add-on."
  I do not know more what to make, already I read all the answers of the SDN and I did not solve the problem.
  I am losing the hopes. Please Help!
  Thanks a lot!

  Hi
  Try editing the AddOnRegDataGen.bat and changing the version number to corellate to the setup executable you have created and then execute the batch file to recreate a new ard file.
  Regards
  John

• Outlook 2010 "forgets" Encryption and Digital Signature preferences

  We have several users in our enterprise environment who's Encryption and Signature preferences are not being retained in Outlook. They, seemingly randomly, lose the selected Sign and Encrypt all mail options throughout the day. We are using smart card certificates,
  Outlook 2010 and Exchange 2010...
  Has anyone seen this or do you have suggestions on what to look at?

  Hi,
  How did you use the smart card in your environment? Did you use a reader that is attached to your computer or it is inserted to the USB interface of your computer?
  Does those users who have the problem use the smart card in a different behavior comparing to those don’t have the problem?
  We should keep the smart card inserted when you want to digitally sign or encrypt your messages. When the smart card is removed, the certificate is no longer available.
  If I’ve misunderstood something, please feel free to let me know.
  Regards,
  Steve Fan
  Forum Support
  Come back and mark the replies as answers if they help and unmark them if they provide no help.
  If you have any feedback on our support, please click
  here

• GPO For Outlook Certificates Used For Encryption and Digital Signatures?

  How can we configure a group policy to distribute certificates to Outlook 2010 users so they can digitally sign and encrypt messages without requiring much effort on their end?
  The users will become confused and make mistakes if we ask them to follow instructions on how to download and import certificates into Outlook 2010 manually.  Can we automate this with Group Policy?

  Would a certificate "autoenrollment" GPO work for these types of certificates?
  Yes. Here's a good guide. The user will still need to choose to sign, or encrypt, unless you want to enforce that in some way. If you are sending signed or encrypted email outside of your AD, you will need to solve how the recipients will get your root cert,
  etc.
  http://davidmtechblog.blogspot.com.au/2013/06/exchange-2010-security-smime-part-1.html
  http://davidmtechblog.blogspot.com.au/2013/07/exchange-2010-security-smime-part-2.html
  http://davidmtechblog.blogspot.com.au/2013/07/exchange-2010-security-smime-part-3.html
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

• WSS4J with Soap and XML digital signatures

  Hi,
  I need to write a web client to access data from my friend's server
  However, I do not have access to the WSDL or the Axis part and instead need to manually generate the SOAP
  message that needs to be sent . I have been able to generate the SOAP body without the WSS4J part but I haven't been able to get it working
  with the security part. I have read through the documents on the OASIS website but haven't been able to find any sample java code to
  help me on this. Can you please give me some pointers on this ? Some sort of sample java code would be extremely helpful.
  thanks,

  gary,
        How did you configure  the subsystem. could you plz expalain me in detail. bond_chaitu at yahoo.com
  kris.