
Generating SignatureValue using HMAC-SHA1 in XML

The signature method is HMAC-SHA1, and I already have <SignedInfo> generated. The problem is that I am not sure what to use as the key in the HMAC calculation.

I noticed that there are two <Entropy> elements with enclosing <BinarySecret> from the initial request (RST) and response (RSTR). I read from WS-Trust that this indicates that I could generate a proof key using these two binary values from the <BinarySecret> and PSHA1 as specified in the <ComputeKey> tag from the response. However, I could never get the same signature value as the one in the sample from the service provider.

Any information would help!

As an example:

  • The binary secret from RST is grrlUUfhuNwlvQzQ4bV6TT3wA8ieZPltIf4+H7nIvCE=
  • The binary secret from RSTR is YLABh3ZmZyiO5gvVLZe9J4JPd9w59KGeTFwE85XlzxE=
  • The correct signature value is nXJEN8p1nupMA/00TK03VZlADkU=
  • The signature value I generate is bEGpeRFsznafFRf86g281zKV3Ro=
  • The content of SignedInfo is as follows:
<SignedInfo>
   <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
   <Reference URI="#_0">
    <Transforms>
     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>CwMGnFZklO7XsDfFguzl0tw7iHM=</DigestValue>
   </Reference>
  </SignedInfo>


Did you remember to base64 decode the values before hashing/verifying? You can hash with sha256 without a key by using hash() by the way.
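The key derivation the question describes, as an added example that is not part of the original post or answer: WS-Trust's PSHA1 computed-key algorithm defines the proof key as P_SHA1(client entropy, server entropy), with P_SHA1 taken from TLS 1.0, and that key is then the HMAC-SHA1 key. The 256-bit default key size and the SAMPLE_SIGNED_INFO bytes are assumptions; the real values are the key size the RSTR states and the exclusive-c14n octets of the actual <SignedInfo>.

```python
import base64
import hashlib
import hmac

# Entropy values quoted in the question, base64 text as posted.
CLIENT_ENTROPY_B64 = "grrlUUfhuNwlvQzQ4bV6TT3wA8ieZPltIf4+H7nIvCE="  # RST
SERVER_ENTROPY_B64 = "YLABh3ZmZyiO5gvVLZe9J4JPd9w59KGeTFwE85XlzxE="  # RSTR

# Constructed sample, NOT the service's real bytes. It only shows the shape
# of canonical output: xmlns rendered, empty elements as start/end pairs.
SAMPLE_SIGNED_INFO = (
    b'<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
    b'<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">'
    b'</SignatureMethod></SignedInfo>'
)


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 from TLS 1.0 (RFC 2246, section 5), truncated to `length`."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def compute_proof_key(client_b64: str, server_b64: str, key_size_bits: int = 256) -> bytes:
    """key = P_SHA1(Ent_REQ, Ent_RES); both inputs are decoded to raw bytes first."""
    secret = base64.b64decode(client_b64, validate=True)  # requestor entropy
    seed = base64.b64decode(server_b64, validate=True)    # issuer entropy
    return p_sha1(secret, seed, key_size_bits // 8)       # 256 bits is an assumption


def signature_value(proof_key: bytes, canonical_signed_info: bytes) -> str:
    """Base64 HMAC-SHA1 over the canonicalized <SignedInfo> octets."""
    mac = hmac.new(proof_key, canonical_signed_info, hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_signature(proof_key: bytes, canonical_signed_info: bytes, expected_b64: str) -> bool:
    """Constant-time comparison against a received <SignatureValue>."""
    expected = base64.b64decode(expected_b64, validate=True)
    actual = hmac.new(proof_key, canonical_signed_info, hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)
```

The output matches a service's value only when the HMAC input is byte-for-byte the canonical form of its <SignedInfo>, including whitespace between elements.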
