@mrezentes
Last active February 14, 2017 21:56
XML Signature Syntax and Processing

Spreedly uses the xmldsig library to perform the signing. To have an XML request signed, enclose the entire request in the {{#xml_dsig}} ... {{/xml_dsig}} template tags; everything between those tags is what gets signed.

Nodes that should not be changed.

Do not modify the <wsse:Security> node. It must be formatted as given. The BinarySecurityToken and the Timestamp values inside it are generated on the server when the request is signed.

Attributes that should not be changed.

Changing the wsu:Id attribute of any node will cause signature failures: each ds:Reference URI in SignedInfo points at one of these ids (#pfx...), so a changed id leaves the reference dangling and the signature no longer covers the intended node.

Content that can be modified.

The institutionName, the appID and the body content may be modified without causing signature failures. Content means the text between the XML tags, not the tags or their attributes.

Sample successful doEcho request

curl https://core.spreedly.com/v1/receivers/<Receiver Token>/deliver.xml \
  -u 'Your credentials here' \
  -H 'Content-Type:application/xml' \
  -d '<delivery>
        <url>https://ws.mastercard.com/mtf/MRS/DiagnosticService</url>
        <headers><![CDATA[Content-Type: text/xml;charset=utf-8]]></headers>
        <body><![CDATA[{{#xml_dsig}}<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:ns1="http://diagnostic.ws.mcrewards.mastercard.com/"
                  xmlns:ns2="http://common.ws.mcrewards.mastercard.com/">
    <soapenv:Header>
        <com:identity xmlns:com="http://common.ws.mcrewards.mastercard.com/"
                      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                  wsu:Id="pfxe07c3068-8f69-e115-2c9c-6c5f4df49fdd">
            <com:appID>0</com:appID>
            <com:institutionName>ThisNameIsSpecifiedByMastercard</com:institutionName>
        </com:identity>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                       soapenv:mustUnderstand="1">
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
                    <ds:Reference URI="#pfxb65d8fe8-185a-4edc-6589-3a08270deca3">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <ds:DigestValue/>
                    </ds:Reference>
                    <ds:Reference URI="#pfxbafb5d83-3a99-50af-d6b9-ceb1b8e64b5c">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <ds:DigestValue/>
                    </ds:Reference>
                    <ds:Reference URI="#pfxe07c3068-8f69-e115-2c9c-6c5f4df49fdd">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <ds:DigestValue/>
                    </ds:Reference>
                    <ds:Reference URI="#pfx1819ec29-f57f-d26e-e323-f5734617170e">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <ds:DigestValue/>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue/>
                <ds:KeyInfo>
                    <wsse:SecurityTokenReference>
                        <wsse:Reference
                                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                                URI="#pfxb65d8fe8-185a-4edc-6589-3a08270deca3"/>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
            <wsse:BinarySecurityToken
                    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                    wsu:Id="pfxb65d8fe8-185a-4edc-6589-3a08270deca3"
                    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
                {{#binary_security_token}}{{/binary_security_token}}</wsse:BinarySecurityToken>
            <wsu:Timestamp
                    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                    wsu:Id="pfxbafb5d83-3a99-50af-d6b9-ceb1b8e64b5c">
                <wsu:Created>{{#utc_timestamp}}{{/utc_timestamp}}</wsu:Created>
                <wsu:Expires>{{#utc_timestamp}}{{/utc_timestamp}}</wsu:Expires>
            </wsu:Timestamp>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                  wsu:Id="pfx1819ec29-f57f-d26e-e323-f5734617170e">
        <ns1:doEcho>{{ credit_card_number }}</ns1:doEcho>
    </soapenv:Body>
</soapenv:Envelope>{{/xml_dsig}}]]></body>
        <payment_method_token>9j3umvz8pXJSdCak58APhPm7i87</payment_method_token>
</delivery>'
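The wsu:Id rule above comes down to a simple invariant: every ds:Reference URI in SignedInfo must resolve to exactly one element carrying that wsu:Id. The checker below, an added example that is not part of this gist or of Spreedly's code, strips the {{#xml_dsig}} wrapper, resolves each Reference, and confirms that the SOAP Body and the WS-Security Timestamp are among the signed parts; the SAMPLE envelope is a constructed, shortened version of the doEcho request (ids ts1/body1 are made up). Digest and signature verification are not attempted, since those need exclusive C14N, which the standard library does not provide.

```python
import re
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"


def strip_template_tags(template: str) -> str:
    """Drop {{#xml_dsig}}/{{/xml_dsig}} so the XML declaration comes first; other tags are text."""
    return re.sub(r"\{\{[#/]xml_dsig\}\}", "", template).strip()


def signed_elements(xml: str) -> dict:
    """Map each ds:Reference URI to the local name of the element it covers.
    Raises ValueError if a URI does not resolve to exactly one wsu:Id."""
    root = ET.fromstring(xml)
    ids = {}
    for el in root.iter():
        wid = el.get("{%s}Id" % WSU)
        if wid is None:
            continue
        if wid in ids:
            raise ValueError("duplicate wsu:Id %r" % wid)
        ids[wid] = el
    covered = {}
    for ref in root.iter("{%s}Reference" % DS):
        uri = ref.get("URI", "")
        if not uri.startswith("#") or uri[1:] not in ids:
            raise ValueError("Reference %r does not resolve to a wsu:Id" % uri)
        covered[uri] = ids[uri[1:]].tag.split("}")[1]
    return covered


def body_and_timestamp_signed(xml: str) -> bool:
    """True when the SOAP Body and the WS-Security Timestamp are both signed."""
    return {"Body", "Timestamp"} <= set(signed_elements(xml).values())


# Constructed, shortened template in the same shape as the gist's doEcho request.
SAMPLE = """{{#xml_dsig}}<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <soapenv:Header><ds:Signature><ds:SignedInfo>
   <ds:Reference URI="#ts1"><ds:DigestValue/></ds:Reference>
   <ds:Reference URI="#body1"><ds:DigestValue/></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue/></ds:Signature>
  <wsu:Timestamp wsu:Id="ts1"><wsu:Created>{{#utc_timestamp}}{{/utc_timestamp}}</wsu:Created></wsu:Timestamp>
 </soapenv:Header>
 <soapenv:Body wsu:Id="body1"><doEcho>{{ credit_card_number }}</doEcho></soapenv:Body>
</soapenv:Envelope>{{/xml_dsig}}"""
```

Renaming wsu:Id="body1" in SAMPLE reproduces the failure the gist warns about: the #body1 Reference no longer resolves and signed_elements raises.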

jknipp commented Feb 14, 2017

The following are prerequisites for using this script and must be performed against https://core.spreedly.com, the test environment.

  1. Create a Mastercard MTF Receiver
  2. Create a Payment Method, using a test card
  3. You may need to update the institutionName and/or the appID

You should receive a transaction response body similar to the one below, which lets us know that the request succeeded - "Hello [FILTERED]" should be in the XML response.

<body>
<![CDATA[
<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header xmlns:kd4="http://www.ibm.com/KD4Soap" xmlns:dat="http://mastercard.com/eis/bnb/servicev1_1/datatypes" xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><kd4:KD4SoapHeaderV2>PRODESB4_STL|591328829|170214190731183</kd4:KD4SoapHeaderV2><dat:bridgeUniqId>PRODESB4_STL|591328829|170214190731183</dat:bridgeUniqId></soapenv:Header><env:Body><ns1:doEchoResponse xmlns:ns1="http://diagnostic.ws.mcrewards.mastercard.com/">Hello [FILTERED]</ns1:doEchoResponse></env:Body></env:Envelope>]]>
</body>
