Identify Cert in Soap request - certificate

I am receiving a SOAP message that contains:
- wsse:BinarySecurityToken
- KeyInfo
etc.
The Problem is that there are multiple certs that corresponds to that in my truststore, i want to identify which Cert this SOAP REQUEST contains.
Sample Header:
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="X509-******************">
**************</wsse:BinarySecurityToken>
<ds:Signature Id="SIG-***************" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="mes soapenv touc" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-***************************">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="mes touc" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>**************=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>**************</ds:SignatureValue>
<ds:KeyInfo Id="KI-**********************">
<wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="STR-*******************" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<wsse:Reference URI="#X509-*********************" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>

Related

jmeter - WS Security for SOAP - SOAPMessage Timestamp&Token&Signature - problem with orders

I have been using this WS Security for SOAP plugin in jmeter for a long time. It works properly.
But I came across an interesting phenomenon about my current job. I would like to know if anyone has relevant experience on the subject!
The service we used to use as "asmx" has been changed to "svc". I'd like to test call this with a certificate.
A new feature has become the technology in the meantime, so that the service also requires a timestamp in the call, which is also signed.
By setting the jmeter components provided by the wss module properly, the tags in the wssecurity header are created in the following order, depending on which is higher in the hierarchy list:
Watch the timestamp!
<soapenv:Header>
<wsse:Security >
<wsu:Timestamp >
<wsu:Created></wsu:Created>
<wsu:Expires></wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken>...</wsse:BinarySecurityToken>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod >
<ec:InclusiveNamespaces />
</ds:CanonicalizationMethod>
<ds:SignatureMethod >
<ds:Reference>
<ds:Transforms>
<ds:Transform>
<ec:InclusiveNamespaces/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod/>
<ds:DigestValue>...=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>...
OR
<soapenv:Header>
<wsse:Security >
<wsse:BinarySecurityToken>...</wsse:BinarySecurityToken>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod >
<ec:InclusiveNamespaces />
</ds:CanonicalizationMethod>
<ds:SignatureMethod >
<ds:Reference>
<ds:Transforms>
<ds:Transform>
<ec:InclusiveNamespaces/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod/>
<ds:DigestValue>...=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp >
<wsu:Created></wsu:Created>
<wsu:Expires></wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soapenv:Header>...
However, neither order is appropriate for the service.
By tricking and rebuilding the request with string operations. The correct order would be:
<soapenv:Header>
<wsse:Security >
<wsse:BinarySecurityToken>...</wsse:BinarySecurityToken>
<wsu:Timestamp >
<wsu:Created></wsu:Created>
<wsu:Expires></wsu:Expires>
</wsu:Timestamp>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod >
<ec:InclusiveNamespaces />
</ds:CanonicalizationMethod>
<ds:SignatureMethod >
<ds:Reference>
<ds:Transforms>
<ds:Transform>
<ec:InclusiveNamespaces/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod/>
<ds:DigestValue>...=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>...
However, I didn't see any way to set such an order!
Does anyone have any idea how I could solve this "nicely"?

Databricks SSO authentication failed | Google IdP

I've configured Databricks SSO 2.0 to work with Google as IdP
When I try to test it I receive this error: "Single Sign-On authentication failed."
Tracking the SAML messages everything looks correct:
SAML REQUEST:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ONELOGIN_956****d-44fe-**80-654e-b9ae3c8974e1"
Version="2.0"
IssueInstant="2021-10-19T12:38:10Z"
Destination="https://accounts.google.com/o/saml2/idp?idpid=*****sha*****"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="https://dbc-***990a9-*****.cloud.databricks.com/saml/consume"
>
<saml:Issuer>https://dbc-****990a9-*****.cloud.databricks.com/saml/consume</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
AllowCreate="true"
/>
</samlp:AuthnRequest>
SAML RESPONSE:
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://dbc-*****990a9-*****.cloud.databricks.com/saml/consume"
ID="_d32****e5002e8760******d431c69"
InResponseTo="ONELOGIN_95*****2d-44fe-****-942e-b9ae3***9e1"
IssueInstant="2021-10-19T12:38:21.957Z"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=****sha*****</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_cb5ee***08cb7***********bd194"
IssueInstant="2021-10-19T12:38:21.957Z"
Version="2.0"
>
<saml2:Issuer>https://accounts.google.com/o/saml2?idpid=****sha*****</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_cb5ee92*******0652**2145*******4">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>i45E******dCx*********zXr7AC2RX38=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>PeQTj**********************E8O46BoalK+7sblRLA5hCk/xuGRADeuGyGERwdEDdeY5tJK
uDhr+W4oML75eDYMSwYW6ZcDyFXFmQucia7HLD0pI************************************************iYZr8opwuzFkzOnnwulgTwlk9
137uW2/abZFV2M***************==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName>
<ds:X509Certificate>*****************IBAgIGAVr9E/j7MA0GCSqGSIb3DQEBCwU***********************************qQIDAQABMA0GCSqGSIb3DQEBCwUA
A4IBAQBSOUJWpyF3PEpiFHednZqU9U8yJ+fakv9CZrx0tvuAKLKfD7f8cZpH4FORCVg82stN3mOd
BlZ+3PyVr/tGz4Lf1vbXULC256HvmKBFI8jc/N*******************************</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">danilo.ca*****#********.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="ONELOGIN_95*****2d-44fe-****-942e-b9ae3***9e1"
NotOnOrAfter="2021-10-19T12:43:21.957Z"
Recipient="https://dbc-*******990a9-******.cloud.databricks.com/saml/consume"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2021-10-19T12:33:21.957Z"
NotOnOrAfter="2021-10-19T12:43:21.957Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>https://dbc-*******990a9-******.cloud.databricks.com/saml/consume</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2021-10-19T12:38:21.000Z"
SessionIndex="_**ee**********7c40*****cddbbd194"
>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
All information in the SAML looks correct, my email, google ID, databricks url, still it keeps failing.
This is the doc for Google workspace SSO:
v1: https://docs.databricks.com/administration-guide/users-groups/single-sign-on/gsuite.html
v2: https://docs.databricks.com/administration-guide/users-groups/single-sign-on/gsuite20.html
Troubleshooting docs:
https://docs.databricks.com/administration-guide/users-groups/single-sign-on/index.html#troubleshooting
If you are using Google Workspace (formerly GSuite) single sign-on (SSO v2.0).
Double-check Step 7: (Required) Select Signed response.. The response also has to be signed.
The solution is to mark the signed response to the signature will come before the assertion tag
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://*************.cloud.databricks.com/saml/consume"
ID="******************d3952e02"
InResponseTo="ONELOGIN_bc2cb9***************7-bb86-0***********fc4"
IssueInstant="2021-10-28T12:48:45.663Z"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=************</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_****************46dd50562**************52e02">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>***********2kA0VqohW***************OeeTyCnKuvVlGI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>*****************************JmIrnaHPRjm87OXyqnvOhNBjKD24BfBxnodbUmx9IeWKT4mBS13huje99DBl9S9
USPnKD3zwb1htVBWbT1TxSeD6EUZbl8**********************************3ODow==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName>
<ds:X509Certificate>MIIDd**************************************UgwwH4Y/yQZx</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>

Sign SOAP message in java using wss4j and X509KeyIdentifier method

I need to sign a SOAP message in java using X.509 certificate.
I already implemented it using libraries 'com.sun.org.apache.xml.internal.security' and 'java.security'.
This is how my signed SOAP message looks like:
<soapenv:Envelope xmlns:axw="http://www.axway.com" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>/*encoded value*/</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
/*signature value*/
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
/*certificate*/
</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
/*other encoded data*/
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
</soapenv:Header>
<soapenv:Body>
/*SOAP message body*/
</soapenv:Envelope>
But I need my SOAP message to include 'wsse:SecurityTokenReference' and 'wsse:KeyIdentifier' instead of 'ds:X509Data' and 'ds:X509Certificate' tag.
Expected signed SOAP message is:
<soapenv:Envelope xmlns:axw="http://www.axway.com" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<ds:Signature Id="SIG-554C045BCDA442589F146244518693410" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="axw soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-554C045BCDA442589F14624451869339">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="axw" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>/**encoded value/</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>/*signature value*/</ds:SignatureValue>
<ds:KeyInfo Id="KI-554C045BCDA442589F14624451869337">
<wsse:SecurityTokenReference wsu:Id="STR-554C045BCDA442589F14624451869338">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
/*certificate*/</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="id-554C045BCDA442589F14624451869339" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
/*message body*/
</soapenv:Body>
</soapenv:Envelope>
I googled and found that expected signed SOAP message is signed by using wss4j api.
But I am not able to implement this api successfully and get the desired result.
Could anybody please guide how to use wss4j to sign a SOAP message?

IRS ACA 1095B BulkRequestTransmitter: Invalid WS Security Header - SOAP UI

I am trying to Invoke IRS ACA 1095 B Ws through SOAP UI. I have configured Keystore in SOAP UI which when imported says OK. I have signed the 3 elements referring the IRS Doc, ACABusinessHeader, ACATransmitterManifestReqDtl and Timestamp. I have tried with and without, Gzip/ Wsa Header/ Attachment/ MTOM still for a simple SOAP Request without any file attachment I am having :
The WS Security Header in the message is invalid. Please review the transmission instructions outlined in Section 5 of the AIR Submission Composition and Reference Guide located at https://www.irs.gov/for-Tax-Pros/Software-Developers/Information-Returns/Affordable-Care-Act-Information-Return-AIR-Program, correct any issues, and try again.
Error Code: TPE 1122.
I have attached the complete SOAP Ui Request Message.
Any sort of Help is appreciated.
--->
enter code here
POST https://la.www4.irs.gov/airp/aca/a2a/1095BC_Transmission_AATS2016 HTTP/1.1
Content-Encoding: gzip
Accept-Encoding: gzip,deflate
Content-Type: multipart/related; type="application/xop+xml"; start="<rootpart#soapui.org>"; start-info="text/xml"; boundary="----=_Part_0_1488514502.1456157000203"
SOAPAction: "BulkRequestTransmitter"
MIME-Version: 1.0
Transfer-Encoding: chunked
Host: la.www4.irs.gov
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
<soapenv:Envelope xmlns:oas1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:us:gov:treasury:irs:msg:acabusinessheader" xmlns:urn1="urn:us:gov:treasury:irs:ext:aca:air:7.0" xmlns:urn2="urn:us:gov:treasury:irs:common" xmlns:urn3="urn:us:gov:treasury:irs:msg:acasecurityheader" xmlns:urn4="urn:us:gov:treasury:irs:msg:irsacabulkrequesttransmitter" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xd="http://www.w3.org/2000/09/xmldsig#">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<ds:Signature Id="SIG-F8EA5798DFE03264EF145615675816614" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="oas1 soapenv urn urn1 urn2 urn3 urn4 wsu xd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-E9877CA7A36541AA6A1455820267635274">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="oas1 soapenv urn1 urn2 urn3 urn4 xd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>REDACTED</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-E9877CA7A36541AA6A1455820267635275">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="oas1 soapenv urn urn2 urn3 urn4 xd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>REDACTED</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-E9877CA7A36541AA6A1455820267635276">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="oas1 soapenv urn urn1 urn2 urn3 urn4 xd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>REDACTED</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>REDACTED</ds:SignatureValue>
<ds:KeyInfo Id="RE-Dacted">
<wsse:SecurityTokenReference wsu:Id="STR-abcdefghijklmnopqredacted">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">REDACTED</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
<urn3:ACASecurityHeader/>
<urn:ACABusinessHeader wsu:Id="id-E9877CA7A36541AA6A1455820267635274">
<urn1:UniqueTransmissionId>abcd-efgh:1234</urn1:UniqueTransmissionId>
<urn2:Timestamp>2016-02-17T15:17:47Z</urn2:Timestamp>
</urn:ACABusinessHeader>
<urn1:ACATransmitterManifestReqDtl wsu:Id="id-E9877CA7A36541AA6A1455820267635275">
<urn1:PriorYearDataInd>0</urn1:PriorYearDataInd>
<urn2:EIN>12-34567</urn2:EIN>
<urn1:TestFileCd>T</urn1:TestFileCd>
<urn1:TransmitterNameGrp>
<urn1:BusinessNameLine1Txt>SOME VALUE</urn1:BusinessNameLine1Txt>
</urn1:TransmitterNameGrp>
<urn1:CompanyInformationGrp>
<urn1:MailingAddressGrp>
<urn1:USAddressGrp>
<urn1:AddressLine1Txt>SOME ADRESS</urn1:AddressLine1Txt>
<urn2:CityNm>SOME CITY</urn2:CityNm>
<urn1:USStateCd>AB</urn1:USStateCd>
<urn2:USZIPCd>12345</urn2:USZIPCd>
<urn2:USZIPExtensionCd>6789</urn2:USZIPExtensionCd>
</urn1:USAddressGrp>
</urn1:MailingAddressGrp>
<urn1:ContactNameGrp>
<urn2:PersonFirstNm>First</urn2:PersonFirstNm>
<urn2:PersonLastNm>Last</urn2:PersonLastNm>
</urn1:ContactNameGrp>
<urn1:ContactPhoneNum>123-456-7890</urn1:ContactPhoneNum>
</urn1:CompanyInformationGrp>
<urn1:VendorInformationGrp>
<urn1:VendorCd>Some Vendor</urn1:VendorCd>
<urn1:ContactNameGrp>
<urn2:PersonFirstNm>First</urn2:PersonFirstNm>
<urn2:PersonLastNm>Last</urn2:PersonLastNm>
</urn1:ContactNameGrp>
<urn1:ContactPhoneNum>Phone</urn1:ContactPhoneNum>
</urn1:VendorInformationGrp>
<urn1:TotalPayeeRecordCnt>1</urn1:TotalPayeeRecordCnt>
<urn1:TotalPayerRecordCnt>1</urn1:TotalPayerRecordCnt>
<urn1:SoftwareId>A12345678</urn1:SoftwareId>
<urn1:FormTypeCd>1094-1095B</urn1:FormTypeCd>
<urn2:BinaryFormatCd>application/xml</urn2:BinaryFormatCd>
<urn2:ChecksumAugmentationNum>garbage-value</urn2:ChecksumAugmentationNum>
<urn2:AttachmentByteSizeNum>1234</urn2:AttachmentByteSizeNum>
<urn1:DocumentSystemFileNm>some</urn1:DocumentSystemFileNm>
</urn1:ACATransmitterManifestReqDtl>
<wsu:Timestamp wsu:Id="id-E9877CA7A36541AA6A1455820267635276">
<wsu:Created>2016-02-17T15:41:09.678Z</wsu:Created>
<wsu:Expires>2016-02-20T10:21:09.678Z</wsu:Expires>
</wsu:Timestamp>
<wsa:Action>BulkRequestTransmitter</wsa:Action>
</soapenv:Header>
<soapenv:Body>
<urn4:ACABulkRequestTransmitter>
<urn2:BulkExchangeFile>
</urn2:BulkExchangeFile>
</urn4:ACABulkRequestTransmitter>
</soapenv:Body>
</soapenv:Envelope>
I see the wsu:Timestamp is outside the wsse:Security, I have attached outgoing WS-Security configuration of my working SOAP UI, cross check with yours.
After applying the outgoing headers, submit the request as is and do not format the request!
My outgoing WS-Security configuration of SOAP UI
My outgoing WS-Security configuration of SOAP UI-TimeStamp
SOAP UI KeyStore using pfx file.
SOAP UI KeyStore
Request payload:
POST https://la.www4.irs.gov/airp/aca/a2a/1095BC_Transmission_AATS2016 HTTP/1.1
SOAPAction: BulkRequestTransmitter
Content-Type: multipart/related; type="application/xop+xml"; start="<rootpart#soapui.org>
"; start-info="text/xml"; boundary="----=_Part_26_1277305220.1456248891536"
Host: la.www4.irs.gov
Content-Length: 17728
Expect: 100-continue
Connection: Keep-Alive
------=_Part_26_1277305220.1456248891536
Content-Type: application/xop+xml; charset=UTF-8; type="text/xml"
Content-Transfer-Encoding: 8bit
Content-ID: <rootpart#soapui.org>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Header>
<wsse:Security s:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<ds:Signature Id="SIG-3ED4996B507C9FE4891456248845324120" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#TS-3ED4996B507C9FE4891456248845320116">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="wsse s" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>....</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-D4CA0E52B9727D4C0A14551257302705">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="s" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>....</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-1781945826">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="s" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>.....</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>.....</ds:SignatureValue>
<ds:KeyInfo Id="KI-3ED4996B507C9FE4891456248845324118">
<wsse:SecurityTokenReference wsu:Id="STR-3ED4996B507C9FE4891456248845324119">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">....</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="TS-3ED4996B507C9FE4891456248845320116">
<wsu:Created>2016-02-23T17:34:05.320Z</wsu:Created>
<wsu:Expires>2016-05-26T04:27:12.320Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
<ns0:ACABusinessHeader ns1:Id="id-1781945826" ns2:anyAttr="anyAttrContents" xmlns:ns0="urn:us:gov:treasury:irs:msg:acabusinessheader" xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:ns2="urn:us:gov:treasury:irs:msg:acabusinessheaderanyAttr">
<ns3:UniqueTransmissionId xmlns:ns3="urn:us:gov:treasury:irs:ext:aca:air:7.0">5a79b747-f622-4fe0-b5a7-4ab52226bc70:SYS12:xxxxx::T</ns3:UniqueTransmissionId>
<ns4:Timestamp xmlns:ns4="urn:us:gov:treasury:irs:common">2016-02-09T12:34:33Z</ns4:Timestamp>
</ns0:ACABusinessHeader>
<ACATransmitterManifestReqDtl d1p1:Id="id-D4CA0E52B9727D4C0A14551257302705" xsi:schemaLocation="urn:us:gov:treasury:irs:msg:form1094-1095BCtransmitterreqmessage IRS-Form1094-1095BCTransmitterReqMessage.xsd" xmlns="urn:us:gov:treasury:irs:ext:aca:air:7.0" xmlns:d1p1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:irs="urn:us:gov:treasury:irs:common" xmlns:n1="urn:us:gov:treasury:irs:msg:form1094-1095BCtransmitterreqmessage" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
</ACATransmitterManifestReqDtl>
</s:Header>
<s:Body>
<ns0:ACABulkRequestTransmitter version="1.0" xmlns:ns0="urn:us:gov:treasury:irs:msg:irsacabulkrequesttransmitter">
<ns1:BulkExchangeFile xmlns:ns1="urn:us:gov:treasury:irs:common">
<inc:Include href="cid:1094B_Request_xxxxx_20160211T170145000Z.xml" xmlns:inc="http://www.w3.org/2004/08/xop/include"/>
</ns1:BulkExchangeFile>
</ns0:ACABulkRequestTransmitter>
</s:Body>
</s:Envelope>
------=_Part_26_1277305220.1456248891536
Content-Type: text/xml; charset=Cp1252;
name=1094B_Request_xxxxx_20160211T170145000Z.xml
Content-Transfer-Encoding: quoted-printable
Content-ID: <1094B_Request_xxxxx_20160211T170145000Z.xml>
Content-Disposition: attachment;name="1094B_Request_xxxxx_20160211T170145000Z.xml";
filename="1094B_Request_xxxxx_20160211T170145000Z.xml"
< 1094 Bulk file removed>
------=_Part_26_1277305220.1456248891536--

SOAP Security Header - Cerificates?

SOAP is not one of my friends, so let me please kindly ask for some help.
I have a request to create a SOAP messages to send data to external service.
It have to be authentificated and signed by certificate.
Bellow is show how it should look like - this is a part of the header - "Security".
Let me please ask - what are all those hashes and were can I get them?
(they are "highlighted" with ** ** in code)
Many thanks for any reply, much appreciated.
Kind regards
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-536E4AA6BF962CA97613699845428011">**MIIE+TCCA+GgAwIBAgIKPs365QAAAAAASjANBgkqhkiG9w0BAQUFADBDMRIwEAYKCZImiZPyLGQBGRYCc2sxFTATBgoJkiaJk/IsZAEZFgVzZmVyYTEWMBQGA1UEAxMNU2ZlcmEgVEVTVCBDQTAeFw0xMjEwMDgwOTM3NTBaFw0xMzEwMDgwOTQ3NTBaMIGSMQswCQYDVQQGEwJTSzERMA8GA1UECBMIU2xvdmFraWExEzARBgNVBAcTCkJyYXRpc2xhdmExFTATBgNVBAoMDHNmw6lyYSwgYS5zLjEMMAoGA1UECwwDw5pWMRgwFgYDVQQDEw9TZmVyYSBURVNUIFVzZXIxHDAaBgkqhkiG9w0BCQEWDWluZm9Ac2ZlcmEuc2swgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMCMcBeOT8b3Wi3ihpThlU9i12lKAcOx3GPkrey1YN2UmT15Um1bctC1eUkDCS8NCsoenwTk5gFNgZjqX+F3+sdPQVUglNo7iU2/nMZ7gpRFgrgIDrBo/fomkx7hICMShqR5+YiX1KIz90bCbmpmus72/bd+7XKEsRzli4OIx7ztAgMBAAGjggIhMIICHTAOBgNVHQ8BAf8EBAMCBPAwRAYJKoZIhvcNAQkPBDcwNTAOBggqhkiG9w0DAgICAIAwDgYIKoZIhvcNAwQCAgCAMAcGBSsOAwIHMAoGCCqGSIb3DQMHMB0GA1UdDgQWBBSDjG5Fmw2UFu9ZqT4OzHpqnGp6dzATBgNVHSUEDDAKBggrBgEFBQcDAjAfBgNVHSMEGDAWgBTovJSLWZlneg/1zyJnGHLikgHnzTCBlAYDVR0fBIGMMIGJMIGGoIGDoIGAhj9odHRwOi8vdi0zMTAwMC1zci0yazMuc2ZlcmEuc2svQ2VydEVucm9sbC9TZmVyYSUyMFRFU1QlMjBDQS5jcmyGPWZpbGU6Ly9cXHYtMzEwMDAtc3ItMmszLnNmZXJhLnNrXENlcnRFbnJvbGxcU2ZlcmEgVEVTVCBDQS5jcmwwgdgGCCsGAQUFBwEBBIHLMIHIMGMGCCsGAQUFBzAChldodHRwOi8vdi0zMTAwMC1zci0yazMuc2ZlcmEuc2svQ2VydEVucm9sbC92LTMxMDAwLXNyLTJrMy5zZmVyYS5za19TZmVyYSUyMFRFU1QlMjBDQS5jcnQwYQYIKwYBBQUHMAKGVWZpbGU6Ly9cXHYtMzEwMDAtc3ItMmszLnNmZXJhLnNrXENlcnRFbnJvbGxcdi0zMTAwMC1zci0yazMuc2ZlcmEuc2tfU2ZlcmEgVEVTVCBDQS5jcnQwDQYJKoZIhvcNAQEFBQADggEBACjmO/Yz7ZDWmmG99m8IrtBY6mka0jl1CFcagyvawjO1ORa645/bKXHUOgsEdCsvRcuAe8VmANpGLtqnIEzki8P/IiZfwQbHndVxfkwENMHFcLULQnwxKRZA4PS7PkmSkkjy++u2d/F6SWv500ytoVaEQgRKlLfEv8Vps3XxAmJ1DL6eFaMfeC24iftwm6S/IxPbwTudyhSqQXURLIflw6qYlvyS+y+BKc/uPO0YCfTLCxzgVPUMDxKWDECKpcaN1XwucVVZvIDWvE/WQ0IipIKZYExmK+f5aUZbJUCxFtFdAsy1yQlkXPZ6vo8nhB+/ocexlQJtmo2kN8K/PdspBw0=**</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-8">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsa ns soap" />
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#id-3">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ns" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>**lFnegWV52e3LoBj3jNxW84oR5tU=**</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-4">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ns" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>**Mvnq3Ms+cExBf1pfBeqNJLM+XEk=**</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-5">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ns" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>**7ktvKkcQQqOm/Uk2cnFg30f9m/A=**</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-6">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ns" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>**D2SnlCJRWR+F95gdjoK42ZI0D98=**</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#TS-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse wsa ns soap" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>bsXg0RlneSpwynQ6czGW0nZ3tb4=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-7">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ns" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>**PjApypt2lSmahivJ0oCNKiud4p4=**</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#UsernameToken-2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsa ns soap" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>**bR63weD24Ab0ddtBIt/RVeGSt1g=**</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>**idE8pmhmkjY9c6ultBUrXSTukHfvjhiRdvEDViVIROyEgLE3lweNrtAvyLjalxrLJUGQWu63uvqM 9u4TFAi/moY7SeuLsb8Xd86hEAWWPkp061+Kpg5dV+17N8yDOfNx6wG0WQzchHzCzOKaceuqphQN aM92Qg8MVUsond9mkdI=**</ds:SignatureValue>
<ds:KeyInfo Id="KI-536E4AA6BF962CA97613699845428202">
<wsse:SecurityTokenReference wsu:Id="STR-536E4AA6BF962CA97613699845428213">
<wsse:Reference URI="#X509-536E4AA6BF962CA97613699845428011" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsse:UsernameToken wsu:Id="UsernameToken-2">
<wsse:Username>username</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
</wsse:UsernameToken>
<wsu:Timestamp wsu:Id="TS-1">
<wsu:Created>2013-05-31T07:15:42.305Z</wsu:Created>
<wsu:Expires>2013-05-31T10:02:22.305Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
Let me please ask - what are all those hashes and were can I get them?
(they are "highlighted" with ** ** in code)
Those are SHA1 digest values which you can normally compute with e.g. following method if you are using the .NET framework:
System.Security.Cryptography.SHA1CryptoServiceProvider.ComputeHash(byte[] dataBytesToHash)
But, in your case, as this are WS-Security SOAP messages you don't have to compute those digest values 'by hand', please look here where you can find all informations needed to solve the task:
WS-Security using the ASMX file in ASP.NET 3.5