Posted to users@cxf.apache.org by cxf newbie <ca...@gmail.com> on 2014/02/01 11:51:49 UTC
WebSphere 8, wss4j and cxf signature validation
Hi everybody,
I am using WebSphere 8.0.0.7 and CXF in a Java project (client) and a web
project (service).
Used jars are:
- cxf-2.7.5
- wss4j-1.6.10
- xmlsec-1.5.4
Databinding is JiBX.
First I made the service.
To avoid the well-known bug "org.apache.ws.security.WSSecurityException: General
security error (Unable to load class
org.apache.ws.security.processor.SignatureProcessor)", I reworked the
SignatureProcessor and WSSecSignature classes:
public SignatureProcessor() {
    // Try to install the Santuario Provider - fall back to the JDK provider if this does
    // not work
    // try {
    signatureFactory = XMLSignatureFactory.getInstance("DOM", new XMLDSigRI());
    // } catch (NoSuchProviderException ex) {
    //     signatureFactory = XMLSignatureFactory.getInstance("DOM");
    // }
    // try {
    keyInfoFactory = KeyInfoFactory.getInstance("DOM", new XMLDSigRI());
    // } catch (NoSuchProviderException ex) {
    //     keyInfoFactory = KeyInfoFactory.getInstance("DOM");
    // }
}
Yes, I also tried the recommended solution:
"WSSConfig.setAddJceProviders(false);" in "contextInitialized(final
ServletContextEvent pEvent)", but it did not work.
With this fix, when I test the service in soapUI everything is OK.
Then I made the client.
My client config is:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:cxf="http://cxf.apache.org/core"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:sec="http://cxf.apache.org/configuration/security"
xmlns:http="http://cxf.apache.org/transports/http/configuration"
xmlns:p="http://cxf.apache.org/policy"
xmlns:jaxws="http://cxf.apache.org/jaxws"
xsi:schemaLocation="http://cxf.apache.org/core
http://cxf.apache.org/schemas/core.xsd
http://cxf.apache.org/configuration/security
http://cxf.apache.org/schemas/configuration/security.xsd
http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
http://cxf.apache.org/transports/http/configuration
http://cxf.apache.org/schemas/configuration/http-conf.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd">
<cxf:bus>
<cxf:features>
<p:policies />
</cxf:features>
</cxf:bus>
<jaxws:client name="{http://fina.hr/ebox/ws/v0.1}B2CFinaDocumentPortType"
createdFromAPI="true">
<jaxws:properties>
<entry key="ws-security.callback-handler"
value="hr.ws.callbacks.UTPasswordCallback" />
<entry key="ws-security.signature.username" value="client" />
<entry key="ws-security.signature.properties"
value="client-crypto.properties" />
</jaxws:properties>
<jaxws:dataBinding>
<bean class="org.apache.cxf.jibx.JibxDataBinding" />
</jaxws:dataBinding>
<jaxws:inInterceptors>
<bean class="org.apache.cxf.interceptor.LoggingInInterceptor" />
</jaxws:inInterceptors>
<jaxws:outInterceptors>
<bean class="org.apache.cxf.interceptor.LoggingOutInterceptor" />
</jaxws:outInterceptors>
</jaxws:client>
</beans>
The policy on the server and client side is the same:
<wsp:Policy wsu:Id="SignMessage"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token11/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToInitiator">
<wsp:Policy>
<sp:WssX509V3Token11/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
<sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:SignedParts
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:Body />
<sp:XPath xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
/soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp
</sp:XPath>
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
Without the above-mentioned change, on the source line in SignatureProcessor which
says:
"boolean signatureOk = xmlSignature.validate(context);"
the debugger runs into "com.ibm.xml.crypto.dsig.dom.XMLSignatureImpl"; otherwise it
runs into "org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature".
After the "validate(context)" method, my reworked class returns null when this
code is executed:
((DOMReference) (xmlSignature.getSignedInfo().getReferences().get(1))).getCalculatedDigestValue()
At index 0 is the timestamp signature and at index 1 is the body signature.
Next, when the debugger comes into the DOMSignatureMethod.verify() method:
Provider p = (Provider) context.getProperty("org.jcp.xml.dsig.internal.dom.SignatureProvider");
signature = (p == null)
    ? Signature.getInstance(getJCAAlgorithm())
    : Signature.getInstance(getJCAAlgorithm(), p);
these are the debugger values:
algorithm field: SHA1withRSA
service field: com.ibm.crypto.provider.SHA1withRSA
returnedService field:
Provider IBMJCE Service Signature.SHA1withRSA
com.ibm.crypto.provider.SHA1withRSA
Aliases [SHA-1withRSA, SHAwithRSA, SHA-1/RSA, SHA1/RSA, SHA/RSA, RSA,
OID.1.3.14.3.2.26, 1.3.14.3.2.26, OID.1.2.840.113549.1.1.5,
1.2.840.113549.1.1.5]
provider = IBMJCE version 1.2
algorithm = SHA1withRSA
provider field: IBMJCE version 1.2
java.security.Signature (runtime implementation is
java.security.Signature$SignatureImpl) on the line "return
signature.verify(sig);" in the DOMSignatureMethod class returns false.
When I remove the WebSphere Application Server v8.0 JRE and compile and run the
client with Java JRE 1.6.0_33-b03, the error is still present.
And finally the log:
INFO: Inbound Message
----------------------------
ID: 1
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml; charset=UTF-8
Headers: {Content-Language=[hr-HR], content-type=[text/xml; charset=UTF-8],
Date=[Sat, 01 Feb 2014 09:03:34 GMT], transfer-encoding=[chunked],
X-Powered-By=[Servlet/3.0]}
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Header
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="1"><wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="X509-E8FF036ABD555867E813912454151257">...</wsse:BinarySecurityToken><wsu:Timestamp
wsu:Id="TS-5"><wsu:Created>2014-02-01T09:03:35.125Z</wsu:Created><wsu:Expires>2014-02-01T09:08:35.125Z</wsu:Expires></wsu:Timestamp><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Id="SIG-6"><ds:SignedInfo><ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap soapenc
xsd xsi"/></ds:CanonicalizationMethod><ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
URI="#TS-5"><ds:Transforms><ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList=""/></ds:Transform></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>mYk9GPohcGytkSRdVCyZ7jKOLl8=</ds:DigestValue></ds:Reference><ds:Reference
URI="#Id--877976895"><ds:Transforms><ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenc xsd
xsi"/></ds:Transform></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>U5zFVvHX3MOdxgwzHVXRNwSUcpk=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>NzQQJi+4wPFMXt2ThTRMcwA/rdoVlScpVVbxEUV59hQfbsGzUs6B/xxBpLKdr4vR09YhI0MJxlg9
JBglPNIEtOwsJGMauUnsyUlzsEUr+jhrjh36Yy1kCmSvEaXvrdTOCx8wufATI11c5Doy/folKmqH
r0+K6aHTUbQEclBRgyY=</ds:SignatureValue><ds:KeyInfo
Id="KI-E8FF036ABD555867E813912454151258"><wsse:SecurityTokenReference
wsu:Id="STR-E8FF036ABD555867E813912454151259"><wsse:Reference
URI="#X509-E8FF036ABD555867E813912454151257"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soapenv:Header><soap:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id--877976895"><sad:SendAccountingDocumentAckMsg
xmlns:sad="http://fina.hr/ebox/ws/SendAccountingDocument/v0.1"><bwsc:MessageAck
xmlns:bwsc="http://fina.hr/eracun/boxwebservicecomponents"><bwsc:MessageID>2d3d0bb3-c560-4fa8-abba-9912aced32b1</bwsc:MessageID><bwsc:MessageAckID>1</bwsc:MessageAckID><bwsc:MessageType>12</bwsc:MessageType><bwsc:AckStatus>ACCEPTED</bwsc:AckStatus><bwsc:AckStatusCode>1</bwsc:AckStatusCode><bwsc:AckStatusText>Poruka
zaprimljena.</bwsc:AckStatusText></bwsc:MessageAck></sad:SendAccountingDocumentAckMsg></soap:Body></soap:Envelope>
--------------------------------------
01.02.2014. 10:03:36 org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
handleMessage
WARNING:
Throwable occurred: org.apache.ws.security.WSSecurityException: The
signature or decryption was invalid
at
org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:450)
at
org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:231)
at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:277)
at
org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:120)
at
org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:105)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:800)
at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1592)
at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1490)
at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1309)
at
org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:50)
at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:223)
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:622)
at
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319)
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:133)
at $Proxy22.sendAccountingDocument(Unknown Source)
at test.TestClient.main(TestClient.java:113)
01.02.2014. 10:03:36 org.apache.cxf.phase.PhaseInterceptorChain
doDefaultLogging
WARNING: Interceptor for
{http://fina.hr/ebox/ws/v0.1}B2CDocumentWebService#{http://fina.hr/ebox/ws/v0.1}sendAccountingDocument
has thrown exception, unwinding now
Throwable occurred: org.apache.cxf.binding.soap.SoapFault: The signature or
decryption was invalid
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:784)
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:334)
at
org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:120)
at
org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:105)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:800)
at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1592)
at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1490)
at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1309)
at
org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:50)
at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:223)
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:622)
at
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319)
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:133)
at $Proxy22.sendAccountingDocument(Unknown Source)
at test.TestClient.main(TestClient.java:113)
Caused by: org.apache.ws.security.WSSecurityException: The signature or
decryption was invalid
at
org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:450)
at
org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:231)
at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:277)
... 21 more
javax.xml.ws.soap.SOAPFaultException: The signature or decryption was
invalid
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:155)
at $Proxy22.sendAccountingDocument(Unknown Source)
at test.TestClient.main(TestClient.java:113)
Caused by: org.apache.ws.security.WSSecurityException: The signature or
decryption was invalid
at
org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:450)
at
org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:231)
at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:277)
at
org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:120)
at
org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:105)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:800)
at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1592)
at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1490)
at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1309)
at
org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:50)
at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:223)
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:622)
at
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319)
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:133)
... 2 more
Understandably, when the policy is removed from the response message there is no
error.
What do I need to do to fix this problem?
Thanks to everyone!
--
View this message in context: http://cxf.547215.n5.nabble.com/WebSphere-8-wss4j-and-cxf-signature-validation-tp5739363.html
Sent from the cxf-user mailing list archive at Nabble.com.
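The post above reads two things out of the debugger: which JSR 105 provider handled the signature (the IBM XMLSignatureImpl versus Santuario's DOMXMLSignature) and which JCA provider backed Signature.verify(), and it finds getCalculatedDigestValue() returning null after validate(). The stand-alone diagnostic below, an added example that is neither the poster's code nor part of WSS4J or CXF, reproduces that investigation outside the WSS4J stack: it signs a wsu:Id-referenced Body with an explicitly chosen XMLDSig provider, prints the providers in use, and then validates in the order the Oracle XML DSig tutorial recommends (core validation, then the SignatureValue, then each Reference on its own). Run against three inputs (correct key, wrong key, body modified after signing), it separates the two failure modes: when the SignatureValue check fails, core validation stops there and the references are never digested, so getCalculatedDigestValue() is null until Reference.validate() is called explicitly; when a signed part was altered, the SignatureValue still verifies and the reference digest mismatch is what fails. Assumptions: the xmlsec 1.5.x jar from the post is on the classpath (for org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI), Java 8 or later (java.util.Base64, and the rsa-sha256 URI is spelled out because Java 8 has no SignatureMethod.RSA_SHA256 constant), and the class, method names and the sample envelope are constructed for this example.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI;   // Santuario (xmlsec 1.5.x) JSR 105 provider
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/** Hypothetical diagnostic (not WSS4J/CXF code): sign a wsu:Id-referenced Body with an explicitly
 *  chosen XMLDSig provider, then validate step by step so the failing stage is visible. */
public class DsigProviderCheck {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String XMLNS = "http://www.w3.org/2000/xmlns/";
    // Java 8 has no SignatureMethod.RSA_SHA256 constant, so the algorithm URI is spelled out.
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** Constructed sample: <soap:Envelope><soap:Header/><soap:Body wsu:Id="Id-1"><ex:Payload>hello</ex:Payload></soap:Body></soap:Envelope> */
    static Document buildEnvelope() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element env = doc.createElementNS(SOAP, "soap:Envelope");
        env.setAttributeNS(XMLNS, "xmlns:soap", SOAP);
        Element body = doc.createElementNS(SOAP, "soap:Body");
        body.setAttributeNS(XMLNS, "xmlns:wsu", WSU);
        body.setAttributeNS(WSU, "wsu:Id", "Id-1");
        body.setIdAttributeNS(WSU, "Id", true);   // type wsu:Id as an XML ID so the URI "#Id-1" dereferences
        Element payload = doc.createElementNS("urn:example", "ex:Payload");
        payload.setAttributeNS(XMLNS, "xmlns:ex", "urn:example");
        payload.setTextContent("hello");
        body.appendChild(payload);
        env.appendChild(doc.createElementNS(SOAP, "soap:Header"));
        env.appendChild(body);
        doc.appendChild(env);
        return doc;
    }

    /** Detached signature over the Body, placed in the Header the way a WS-Security header does. */
    static void sign(XMLSignatureFactory fac, Document doc, KeyPair kp) throws Exception {
        Reference ref = fac.newReference("#Id-1", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        Element header = (Element) doc.getElementsByTagNameNS(SOAP, "Header").item(0);
        fac.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), header));
    }

    /** Core validation first, then the SignatureValue and each Reference on their own. */
    static boolean validate(XMLSignatureFactory fac, Document doc, PublicKey key) throws Exception {
        Element sigEl = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext vc = new DOMValidateContext(key, sigEl);
        // To pin the JCA provider that DOMSignatureMethod hands to Signature.getInstance(...), set
        // vc.setProperty("org.jcp.xml.dsig.internal.dom.SignatureProvider", Security.getProvider("<name>"));
        XMLSignature sig = fac.unmarshalXMLSignature(vc);
        boolean core = sig.validate(vc);
        System.out.println("core validation: " + core);
        if (!core) {
            System.out.println("  SignatureValue valid: " + sig.getSignatureValue().validate(vc));
            int i = 0;
            for (Object o : sig.getSignedInfo().getReferences()) {
                Reference r = (Reference) o;
                // false here means core validation stopped at the SignatureValue check and never digested the references
                boolean digested = r.getCalculatedDigestValue() != null;
                boolean rv = r.validate(vc);   // computes the digest now; this step does not depend on the key
                System.out.println("  ref[" + i++ + "] " + r.getURI() + " digested by core validation: " + digested
                    + ", valid: " + rv + ", expected " + b64(r.getDigestValue())
                    + ", calculated " + b64(r.getCalculatedDigestValue()));
            }
        }
        return core;
    }

    static String b64(byte[] b) { return b == null ? "null" : Base64.getEncoder().encodeToString(b); }

    public static void main(String[] args) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM", new XMLDSigRI());
        // The two facts read out of the debugger in the post: which JSR 105 provider and which JCA provider are in use.
        System.out.println("XMLDSig provider: " + fac.getProvider().getName() + ", JCA provider for SHA256withRSA: "
            + Signature.getInstance("SHA256withRSA").getProvider().getName());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Document doc = buildEnvelope();
        sign(fac, doc, kp);
        validate(fac, doc, kp.getPublic());                      // 1: correct verification key
        validate(fac, doc, kpg.generateKeyPair().getPublic());   // 2: wrong verification key
        ((Element) doc.getElementsByTagNameNS("urn:example", "Payload").item(0)).setTextContent("tampered");
        validate(fac, doc, kp.getPublic());                      // 3: signed Body modified after signing
    }
}
```

Each validate() call unmarshals a fresh XMLSignature, because the JSR 105 API caches the result of the first validate() on a given object. On a WebSphere JVM the provider line is expected to name IBMJCE for the JCA part even when the XMLDSig part is Santuario's, which matches the debugger values in the post; if the first scenario already fails there while it passes on an Oracle/OpenJDK JRE, the provider combination, not the WS-SecurityPolicy configuration, is the place to look.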