verify digital signature produced by SAP Content Server HTTP 4.5 Interface

Former Member
0 Kudos

I am trying to verify a ‘digital signature’ sent by the SAP Content Server HTTP 4.5 Interface.

In the Java code I am using the class SsfDataPKCS7 - verify method, and it always returns 'false'.

Within the SAP system, using, say, ABAP function SCMS_HTTP_DELETE; I can see the Input data for signing is –

O112300123DCN%3DMNDT,OU%3DDEV,O%3DMANDANT,C%3DGB20070928133751

length = 62

-

The ‘signed data’ created by SAP, passed as secKey, is like –

MIIBIwYJKoZIhvcNAQcCoIIBFDCCARACAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGB8DCB7QIBATBBMDwxCzAJBgNVBAYTAkdCMRAwDgYDVQQKEwdNQU5EQU5UMQwwCgYDVQQLEwNERVYxDTALBgNVBAMTBE1ORFQCAQAwCQYFKw4DAhoFAKBdMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTA3MTAwNDA3NDk0MVowIwYJKoZIhvcNAQkEMRYEFGh5aRofeHPzk%2BjFbBsCsuEtX5J8MAkGByqGSM44BAMEMDAuAhUAizCHFWp1ZZ7hB8fumtocONiSa84CFQCcb2YG7hyDJ8J9oIZbZAXDlRqgEw%3D%3D

(We then decode %2B back to ‘+’, %2F back to ‘/’, %3D back to ‘=’.)

The Java code is -

boolean res = false; // fail closed: stays false unless verify() succeeds

// Load the certificate.
InputStream inStream = new FileInputStream("Mandant_Certificate.crt");
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) cf.generateCertificate(inStream);
inStream.close();

// This is the secKey as received from R/3, with URL-encoded characters decoded.

String base64SecKey = "MIIBIgYJKoZIhvcNAQcCoIIBEzCCAQ8CAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGB7zCB7AIBATBBMDwxCzAJBgNVBAYTAkdCMRAwDgYDVQQKEwdNQU5EQU5UMQwwCgYDVQQLEwNERVYxDTALBgNVBAMTBE1ORFQCAQAwCQYFKw4DAhoFAKBdMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTA3MDkyNzA4NTQxNFowIwYJKoZIhvcNAQkEMRYEFB1ATpscjBqU/2HDYcJudhZ53Z6CMAkGByqGSM44BAMELzAtAhRetJmrmyFY25zNrcr2WFBRJMucAIVAKIhF5dTEsIiXuIoaspohWnR86T";

// Decode the secKey from base64.
byte[] secKey = Base64.decode(base64SecKey);

// Load the secKey into an SsfDataPKCS7.
SsfDataPKCS7 secKeyData = new SsfDataPKCS7(new ByteArrayInputStream(secKey));

// Build an address book with our certificate in it.
ISsfPab pab = new SsfPabBasicImpl(new X509Certificate[] { cert });

// Build the message. These are the parameter values from the same URL
// that secKey came from.
String message = "O11200120DESCRDCN%3DMNDT,OU%3DDEV,O%3DMANDANT,C%3DGB20070927105414";
ISsfData messageData = new SsfDataPKCS7(new ByteArrayInputStream(message.getBytes()));

// Verify the signature. This prints "false".
SsfSigRcpList signer = new SsfSigRcpList();
try {
    res = secKeyData.verify(pab, signer, messageData, cert);
} catch (SsfInvalidDataException e) {
    System.out.println("Error while verifying data " + e);
}

Has anyone already had this problem and solved it?

Can anyone help me?

Thank you in advance,

Andy

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Solution -

The TU Graz library has a different idea of what an X509Certificate object is, which is not compatible with Sun's idea.

So -

import iaik.x509.X509Certificate;

and then

// Load the certificate.
InputStream inStream = new FileInputStream("Certificate.crt");
X509Certificate cert = new X509Certificate(inStream);

then it works.
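
A library-independent check for a verify() that returns false, added here as an example and not taken from either post: the secKey in the question is a PKCS#7 blob carrying a 20-byte SHA-1 messageDigest signed attribute, so comparing that stored digest with SHA-1 of the message string tells you whether the bytes being verified are the bytes that were signed, before any certificate is involved. The class and method names are hypothetical, the sample blob is constructed at run time rather than copied from the thread, and the ISO-8859-1 encoding of the message is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;

public class SecKeyDigestCheck {
    // DER for OID 1.2.840.113549.1.9.4 (messageDigest), then the SET (31 16)
    // and OCTET STRING (04 14) headers that precede a 20-byte SHA-1 value.
    static final byte[] PREFIX = {0x06, 0x09, 0x2A, (byte) 0x86, 0x48, (byte) 0x86,
            (byte) 0xF7, 0x0D, 0x01, 0x09, 0x04, 0x31, 0x16, 0x04, 0x14};

    // Undo only the three escapes listed in the question, then Base64-decode.
    static byte[] decodeSecKey(String secKey) {
        String b64 = secKey.replace("%2B", "+").replace("%2F", "/").replace("%3D", "=");
        return Base64.getDecoder().decode(b64);
    }

    // Return the digest stored in the blob, or null if the attribute is not found.
    static byte[] embeddedDigest(byte[] der) {
        for (int i = 0; i + PREFIX.length + 20 <= der.length; i++) {
            if (Arrays.equals(Arrays.copyOfRange(der, i, i + PREFIX.length), PREFIX)) {
                return Arrays.copyOfRange(der, i + PREFIX.length, i + PREFIX.length + 20);
            }
        }
        return null;
    }

    // True only if SHA-1(message) equals the digest the signer put in the blob.
    static boolean digestMatches(String secKey, String message) throws Exception {
        byte[] stored = embeddedDigest(decodeSecKey(secKey));
        byte[] actual = MessageDigest.getInstance("SHA-1")
                .digest(message.getBytes(StandardCharsets.ISO_8859_1)); // assumed charset
        return stored != null && MessageDigest.isEqual(stored, actual);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a bare messageDigest attribute, not a full PKCS#7 structure.
        String msg = "O112300123DCN%3DMNDT,OU%3DDEV,O%3DMANDANT,C%3DGB20070928133751";
        byte[] sha1 = MessageDigest.getInstance("SHA-1")
                .digest(msg.getBytes(StandardCharsets.ISO_8859_1));
        byte[] attr = Arrays.copyOf(PREFIX, PREFIX.length + 20);
        System.arraycopy(sha1, 0, attr, PREFIX.length, 20);
        String secKey = Base64.getEncoder().encodeToString(attr)
                .replace("+", "%2B").replace("/", "%2F").replace("=", "%3D");
        System.out.println("same message:    " + digestMatches(secKey, msg));
        System.out.println("altered message: " + digestMatches(secKey, msg + "x"));
    }
}
```

If the digests differ, the message string or its encoding is wrong; if they match and verify() still fails, look at the certificate and signature handling instead.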