alabastor95

Reputation: 5

XML signature reference digest value is different than it is supposed to be (probably not doing exc-c14n correctly)

I have to create a request for getting a SAML ticket and I am stuck with the digest values. As far as I understand I have to use exclusive c14n, then SHA-256, then base64, but I'm receiving a different value than the example code I received. As far as I know, this should be deterministic, so I'm quite alarmed that I receive different results; my guess is that I am not doing c14n correctly.

Please help me find a way to get a matching digest value!

Please help me find why TS-b71cc963-f3dc-4331-8cd7-7220251036a1's digest value is 6Xvvo93TJJKX5Ux++DwrZ/NyTHfUl0qWY03kQD1DAbk= and not UP/MwNj717XaghK9JgAhzTE3R85HPmc3t2ysOf2dLTY=, which is what I receive.

My received example (that I must follow):

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:v1="http://eeszt.gov.hu/ns/sts/api/ws/v1">
   <soap:Header>
      <wsse:Security soap:mustUnderstand="true" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
         <ds:Signature Id="SIG-c5c27aaa-6ac4-4d1e-a644-794ea2acba2b" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <ec:InclusiveNamespaces PrefixList="soap v1" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               </ds:CanonicalizationMethod>
               <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
               <ds:Reference URI="#X509-f1cc51a9-03ee-41a7-8523-5006514a3461">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="soap v1" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                     </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                  <ds:DigestValue>JKQ3D5UTcWxbReDXRscOJBkz37gekL5OpvrE2ud4698=</ds:DigestValue>
               </ds:Reference>
               <ds:Reference URI="#TS-b71cc963-f3dc-4331-8cd7-7220251036a1">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="wsse soap v1" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                     </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                  <ds:DigestValue>6Xvvo93TJJKX5Ux++DwrZ/NyTHfUl0qWY03kQD1DAbk=</ds:DigestValue>
               </ds:Reference>
               <ds:Reference URI="#id-b30d9fe6-914f-4e68-ab40-68edb076ec31">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="v1" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                     </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                  <ds:DigestValue>9tjjUJrCf7WhU6AenFw4ukiDLI4Lj8i53ysi1LKYNMo=</ds:DigestValue>
               </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>here_is_signature</ds:SignatureValue>
            <ds:KeyInfo Id="KI-32f1e4d0-b7a7-45d0-9aaf-9fc08c1a6084">
               <wsse:SecurityTokenReference wsu:Id="STR-caf0012d-8a9f-4aa4-8b54-cc3af04114db">
                  <wsse:Reference URI="#X509-f1cc51a9-03ee-41a7-8523-5006514a3461" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
               </wsse:SecurityTokenReference>
            </ds:KeyInfo>
         </ds:Signature>
         <wsu:Timestamp wsu:Id="TS-b71cc963-f3dc-4331-8cd7-7220251036a1">
            <wsu:Created>2024-11-21T15:10:09.510Z</wsu:Created>
            <wsu:Expires>2024-11-21T15:15:09.510Z</wsu:Expires>
         </wsu:Timestamp>
         <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-f1cc51a9-03ee-41a7-8523-5006514a3461">here_is_the_509</wsse:BinarySecurityToken>
      </wsse:Security>
   </soap:Header>
   <soap:Body wsu:Id="id-b30d9fe6-914f-4e68-ab40-68edb076ec31" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <v1:X509SamlRequest>
         <v1:userId>here_will_be_id</v1:userId>
      </v1:X509SamlRequest>
   </soap:Body>
</soap:Envelope>

I calculate with

<wsu:Timestamp wsu:Id="TS-b71cc963-f3dc-4331-8cd7-7220251036a1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsu:Created>2024-11-21T15:10:09.510Z</wsu:Created><wsu:Expires>2024-11-21T15:15:09.510Z</wsu:Expires></wsu:Timestamp>

as the canonicalization value and use https://emn178.github.io/online-tools/sha256.html for the conversion before implementing it by hand.

Any help would be appreciated!

Upvotes: 0

Views: 55

Answers (1)

alabastor95

Reputation: 5

PHP
// $timestamp is the <wsu:Timestamp> DOMElement taken from the DOMDocument the request was built in
$canonicalized_time = $timestamp->C14N();
// hash() returns hex; pack("H*") turns it into the raw 32 digest bytes before base64-encoding
$digest_time = base64_encode(pack("H*", hash("sha256", $canonicalized_time)));

This gives back the correct result. I am still not sure why they use simple C14N instead of exc-C14N.

The lesson should be: if it does not work out, make sure that:

  1. The hex is converted to binary before base64
  2. You try multiple C14N variants, because they sometimes lie to you

Please correct me if I said anything wrong.

Upvotes: 0
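The following is an added example, not code from the asker or from the service they are talking to. It reproduces the three canonicalizations that matter for the TS reference in the question: exclusive C14N with the `InclusiveNamespaces PrefixList="wsse soap v1"` that the Reference's Transform declares, plain inclusive C14N (what the answer ended up calling), and exclusive C14N without the prefix list (which yields exactly the one-line string the question hashed, with only `xmlns:wsu` declared). The envelope is a constructed, whitespace-free copy of the one in the question with the signature and token parts left out; the function and constant names are assumptions, and the digest bytes are computed rather than asserted against the posted values, since they depend on the exact bytes of the real message.

```php
<?php
// Added example (not the asker's code). Compares the canonical forms of the
// wsu:Timestamp element under the three C14N variants discussed in the thread
// and derives the ds:DigestValue the way the Reference demands.

const WSU_NS = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd';

// Constructed, whitespace-free copy of the envelope in the question
// (Signature and BinarySecurityToken omitted; they are siblings, not ancestors, of the Timestamp).
$envelope = '<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:v1="http://eeszt.gov.hu/ns/sts/api/ws/v1">'
  . '<soap:Header>'
  . '<wsse:Security soap:mustUnderstand="true"'
  . ' xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"'
  . ' xmlns:wsu="' . WSU_NS . '">'
  . '<wsu:Timestamp wsu:Id="TS-b71cc963-f3dc-4331-8cd7-7220251036a1">'
  . '<wsu:Created>2024-11-21T15:10:09.510Z</wsu:Created>'
  . '<wsu:Expires>2024-11-21T15:15:09.510Z</wsu:Expires>'
  . '</wsu:Timestamp>'
  . '</wsse:Security>'
  . '</soap:Header>'
  . '<soap:Body wsu:Id="id-b30d9fe6-914f-4e68-ab40-68edb076ec31" xmlns:wsu="' . WSU_NS . '">'
  . '<v1:X509SamlRequest><v1:userId>here_will_be_id</v1:userId></v1:X509SamlRequest>'
  . '</soap:Body>'
  . '</soap:Envelope>';

// Locate the element a ds:Reference URI="#..." points at by its wsu:Id (assumed helper name).
function findByWsuId(DOMDocument $doc, string $id): DOMElement
{
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('wsu', WSU_NS);
    $nodes = $xp->query(sprintf('//*[@wsu:Id="%s"]', $id));
    if ($nodes->length !== 1) {
        throw new RuntimeException("expected exactly one element with wsu:Id=$id, got {$nodes->length}");
    }
    return $nodes->item(0);
}

// ds:DigestValue = base64(SHA-256(canonical bytes)). The third argument makes hash()
// return raw bytes, so no pack("H*") detour is needed (assumed helper name).
function digestValue(string $canonical): string
{
    return base64_encode(hash('sha256', $canonical, true));
}

$doc = new DOMDocument();
$doc->preserveWhiteSpace = false; // indentation text nodes would be signed too; the wire message has none
$doc->loadXML($envelope);

$ts = findByWsuId($doc, 'TS-b71cc963-f3dc-4331-8cd7-7220251036a1');

// 1. What the Reference's Transform actually specifies: exc-c14n plus the InclusiveNamespaces list.
$excWithPrefixList = $ts->C14N(true, false, null, ['wsse', 'soap', 'v1']);
// 2. Plain inclusive C14N: renders every in-scope namespace of the subtree.
$inclusive = $ts->C14N();
// 3. exc-c14n with no prefix list: renders only the visibly used prefix (wsu).
$excBare = $ts->C14N(true);

// Here 1 and 2 coincide: the namespaces in scope at the Timestamp are exactly
// wsu (visibly used) plus soap, v1 and wsse (all on the PrefixList).
printf("exc+PrefixList == inclusive : %s\n", var_export($excWithPrefixList === $inclusive, true));
// 3 differs: it is the one-line form hashed in the question, missing three xmlns declarations.
printf("exc bare       == inclusive : %s\n", var_export($excBare === $inclusive, true));

echo "canonical (Reference transform):\n", $excWithPrefixList, "\n";
echo "canonical (bare exc-c14n):\n", $excBare, "\n";
echo "DigestValue: ", digestValue($excWithPrefixList), "\n";
```

The coincidence in step 1 versus 2 is why `$timestamp->C14N()` happened to produce the expected value: the PrefixList names every ancestor-declared prefix, so inclusive and exclusive canonicalization render the same namespace declarations. That is not true in general (if, for instance, `ds` were in scope, inclusive C14N would emit it and exclusive C14N would not), so a verifier or signer should always apply the transform the Reference declares, with its prefix list, rather than relying on the two agreeing. When a digest mismatches, print the canonical bytes on both sides and diff them before touching the hashing code; the missing `xmlns:` declarations are visible immediately, whereas a wrong digest is opaque.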
