XML Signature Syntax and Processing

xmldsig.md

Spreedly uses the xmldsig library to perform the signing. To properly sign an xml request, enclose the entire xml request to be signed in xml_dsig template tags.

Nodes that should not be changed.

Do not modify the <wsse:Security> node. It must be formatted as given. This binary security token node will be generated on the server along with the timestamp.

Attributes that should not be changed.

Changes to the wsu:Id attribute of any node will cause signature failures.

Content that can be modified.

The institutionName, the appID or the body content may be modified without causing signature failures. Content means the text between the xml tags.

Sample successful doEcho request

curl https://core.spreedly.com/v1/receivers/<Receiver Token>/deliver.xml \
  -u 'Your credentials here' \
  -H 'Content-Type:application/xml' \
  -d '<delivery>
        <url>https://ws.mastercard.com/mtf/MRS/DiagnosticService</url>
        <headers><![CDATA[Content-Type: text/xml;charset=utf-8]]></headers>
        <body><![CDATA[{{#xml_dsig}}<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:ns1="http://diagnostic.ws.mcrewards.mastercard.com/"
                  xmlns:ns2="http://common.ws.mcrewards.mastercard.com/">
    <soapenv:Header>
        <com:identity xmlns:com="http://common.ws.mcrewards.mastercard.com/"
                      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                  wsu:Id="pfxe07c3068-8f69-e115-2c9c-6c5f4df49fdd">
            <com:appID>0</com:appID>
            <com:institutionName>loyaltyangels</com:institutionName>
        </com:identity>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                       soapenv:mustUnderstand="1">
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
                    <ds:Reference URI="#pfxb65d8fe8-185a-4edc-6589-3a08270deca3">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <ds:DigestValue/>
                    </ds:Reference>
                    <ds:Reference URI="#pfxbafb5d83-3a99-50af-d6b9-ceb1b8e64b5c">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <ds:DigestValue/>
                    </ds:Reference>
                    <ds:Reference URI="#pfxe07c3068-8f69-e115-2c9c-6c5f4df49fdd">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <ds:DigestValue/>
                    </ds:Reference>
                    <ds:Reference URI="#pfx1819ec29-f57f-d26e-e323-f5734617170e">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <ds:DigestValue/>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue/>
                <ds:KeyInfo>
                    <wsse:SecurityTokenReference>
                        <wsse:Reference
                                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                                URI="#pfxb65d8fe8-185a-4edc-6589-3a08270deca3"/>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
            <wsse:BinarySecurityToken
                    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                    wsu:Id="pfxb65d8fe8-185a-4edc-6589-3a08270deca3"
                    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
                {{#binary_security_token}}{{/binary_security_token}}</wsse:BinarySecurityToken>
            <wsu:Timestamp
                    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                    wsu:Id="pfxbafb5d83-3a99-50af-d6b9-ceb1b8e64b5c">
                <wsu:Created>{{#utc_timestamp}}{{/utc_timestamp}}</wsu:Created>
                <wsu:Expires>{{#utc_timestamp}}{{/utc_timestamp}}</wsu:Expires>
            </wsu:Timestamp>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                  wsu:Id="pfx1819ec29-f57f-d26e-e323-f5734617170e">
        <ns1:doEcho>{{ credit_card_number }}</ns1:doEcho>
    </soapenv:Body>
</soapenv:Envelope>{{/xml_dsig}}]]></body>
        <payment_method_token>9j3umvz8pXJSdCak58APhPm7i87</payment_method_token>
</delivery>'