Posted to users@cxf.apache.org by cxf newbie <ca...@gmail.com> on 2014/03/12 09:32:48 UTC

Timestamp valid only with double timestamp reference

Hi,

I have this policy on client and server side:


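	<!--
	  WS-SecurityPolicy "SignMessage": an asymmetric binding in which the initiator
	  and the recipient each sign with their own X.509 v3 certificate. Every
	  assertion, attribute and namespace below is exactly as posted; only the
	  formatting (consistent tab indentation, attributes kept with their element
	  instead of wrapped to column 0) and the explanatory comments were added.
	-->
	<wsp:Policy wsu:Id="SignMessage"
		xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
		xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
		<wsp:ExactlyOne>
			<wsp:All>
				<sp:AsymmetricBinding
					xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
					<wsp:Policy>
						<!-- The initiator signs with its X.509 v3 token and always sends the
						     token to the recipient (it shows up as the BinarySecurityToken
						     referenced from KeyInfo in the sample message). -->
						<sp:InitiatorToken>
							<wsp:Policy>
								<sp:X509Token
									sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
									<wsp:Policy>
										<sp:WssX509V3Token10/>
									</wsp:Policy>
								</sp:X509Token>
							</wsp:Policy>
						</sp:InitiatorToken>
						<!-- The recipient signs with its own X.509 v3 token, always sent
						     back to the initiator. -->
						<sp:RecipientToken>
							<wsp:Policy>
								<sp:X509Token
									sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToInitiator">
									<wsp:Policy>
										<sp:WssX509V3Token10/>
									</wsp:Policy>
								</sp:X509Token>
							</wsp:Policy>
						</sp:RecipientToken>
						<!-- Basic128: the sample message built from this policy carries an
						     rsa-sha1 SignatureMethod and sha1 DigestMethods. SHA-1 is
						     deprecated for signatures; Basic128Sha256 is the stronger
						     equivalent if both ends support it. -->
						<sp:AlgorithmSuite>
							<wsp:Policy>
								<sp:Basic128/>
							</wsp:Policy>
						</sp:AlgorithmSuite>
						<!-- Strict ordering of the security header contents. -->
						<sp:Layout>
							<wsp:Policy>
								<sp:Strict />
							</wsp:Policy>
						</sp:Layout>
						<!-- A wsu:Timestamp is added to the header and, under this binding,
						     signed automatically (see the reply further down the thread).
						     The receiving side should enforce its Expires value; the sample
						     message uses a five-minute window. -->
						<sp:IncludeTimestamp />
						<sp:OnlySignEntireHeadersAndBody />
					</wsp:Policy>
				</sp:AsymmetricBinding>
				<!-- NOTE(review): this assertion is in the older WS-SecurityPolicy 1.1
				     namespace (schemas.xmlsoap.org/ws/2005/07/securitypolicy) while every
				     other sp: assertion in this policy uses the 200702 namespace. Kept
				     exactly as posted; confirm the mix is intended before aligning it. -->
				<sp:Wss10
					xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
					<wsp:Policy>
						<sp:MustSupportRefKeyIdentifier/>
					</wsp:Policy>
				</sp:Wss10>
				<!-- Redundant with IncludeTimestamp: the binding already signs the
				     Timestamp, so this XPath yields the second ds:Reference to the same
				     Timestamp Id seen in the sample message. Prefixes bound here are
				     matched by namespace URI, which is why the message's soapenv:Header
				     still matches the soap: prefix used in the expression. -->
				<sp:SignedElements
					xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
					<sp:XPath xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
						xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
						xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
						/soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp
					</sp:XPath>
				</sp:SignedElements>
				<!-- The SOAP Body is always signed. -->
				<sp:SignedParts
					xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
					<sp:Body />
				</sp:SignedParts>
			</wsp:All>
		</wsp:ExactlyOne>
	</wsp:Policy>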

When I uncomment <SignedElements>, the Timestamp reference is doubled but the
message is VALID.
But when <SignedElements> is commented out, there is only one Timestamp reference
but the message is INVALID.

Valid message:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <soapenv:Header
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <wsse:Security soap:mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
         <!-- The "valid" request produced by the SignMessage policy with
              SignedElements enabled. Only the Timestamp and the Body are signed;
              the review comments in this listing sit outside those two elements
              or inside SignedInfo (canonicalized with exc-c14n, which omits
              comments), so they do not alter any digest. -->
         <!-- Initiator certificate (content elided). KeyInfo below points at it,
              but no ds:Reference covers the token itself, so its bytes are not
              part of what the signature protects. -->
         <wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="X509-B1B71365459EB8BA9113946113597143">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</wsse:BinarySecurityToken>
         <!-- Signed Timestamp with a five-minute window (08:02:39Z to 08:07:39Z);
              the receiving side should reject a message whose Expires has passed. -->
         <wsu:Timestamp wsu:Id="TS-B1B71365459EB8BA9113946113596981">
            <wsu:Created>2014-03-12T08:02:39.698Z</wsu:Created>
            <wsu:Expires>2014-03-12T08:07:39.698Z</wsu:Expires>
         </wsu:Timestamp>
         <!-- Three references follow: Timestamp, Body, and the Timestamp again. -->
         <ds:Signature Id="SIG-B1B71365459EB8BA9113946113597146"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
               <ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <!-- rsa-sha1 plus sha1 digests is what the Basic128 suite selects;
                    SHA-1 is deprecated for signatures. -->
               <ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
               <!-- Timestamp reference added automatically by the asymmetric
                    binding because of IncludeTimestamp. -->
               <ds:Reference URI="#TS-B1B71365459EB8BA9113946113596981">
                  <ds:Transforms>
                     <ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </ds:Transforms>
                  <ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                 
<ds:DigestValue>Q2jek5hQtEJMmmPUMYZUdk6BO/k=</ds:DigestValue>
               </ds:Reference>
               <!-- Body reference from SignedParts/Body. -->
               <ds:Reference URI="#_B1B71365459EB8BA9113946113596982">
                  <ds:Transforms>
                     <ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </ds:Transforms>
                  <ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                 
<ds:DigestValue>8sujJKvSraZMQBV7ptRxzR89J4Y=</ds:DigestValue>
               </ds:Reference>
               <!-- Second reference to the same Timestamp Id, produced by the
                    SignedElements XPath. Its digest equals the first one, so it
                    is redundant rather than invalid. -->
               <ds:Reference URI="#TS-B1B71365459EB8BA9113946113596981">
                  <ds:Transforms>
                     <ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </ds:Transforms>
                  <ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                 
<ds:DigestValue>Q2jek5hQtEJMmmPUMYZUdk6BO/k=</ds:DigestValue>
               </ds:Reference>
            </ds:SignedInfo>
           
<ds:SignatureValue>ZLoYk9F55lQdrUMTaG4+4A1WgdICUeofLAusaTTD46SXsi/F+gFTo+LfL0RW/QYDsM48Qo1RRXh7AJ4oZskpnfxdsYzw1BLg9O38whNoLQ6XGLIA5OFARFodnYOex5D3ytSjsRhcCEQqPgdjc/q7uGfYpTpybBvgFSmR6dWLMCEP6vPeFhtwHNJtMM0AhphbtbSeCNqF0Y871cXBt8ckFuxFazQnI1ywER8uD4z1XGNuTo4iO8EzpyAobFnzN0gb5j4wymyo6RhOmuILT9WASQ4UWD27GJegS2PKXEVpSRWCV/rOSyEfqBBl5DrzgCB4eV9OX4clB92mO2EtDYbXDg==</ds:SignatureValue>
            <!-- Direct reference to the BinarySecurityToken above. -->
            <ds:KeyInfo Id="KI-B1B71365459EB8BA9113946113597144">
               <wsse:SecurityTokenReference
wsu:Id="STR-B1B71365459EB8BA9113946113597145">
                  <wsse:Reference
URI="#X509-B1B71365459EB8BA9113946113597143"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
               </wsse:SecurityTokenReference>
            </ds:KeyInfo>
         </ds:Signature>
      </wsse:Security>
   </soapenv:Header>
   <!-- Signed Body: its wsu:Id is the target of the middle ds:Reference. -->
   <soap:Body wsu:Id="_B1B71365459EB8BA9113946113596982"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <sad:SendAccountingDocumentAckMsg
xmlns:sad="http://fina.hr/ebox/ws/SendAccountingDocument/v0.1">
         <bwsc:MessageAck
xmlns:bwsc="http://fina.hr/eracun/boxwebservicecomponents">
           
<bwsc:MessageID>9fd6f1e6-75f9-475c-bd1b-5cf583218579</bwsc:MessageID>
            <bwsc:MessageAckID>1</bwsc:MessageAckID>
            <bwsc:MessageType>12</bwsc:MessageType>
            <bwsc:AckStatus>ACCEPTED</bwsc:AckStatus>
            <bwsc:AckStatusCode>1</bwsc:AckStatusCode>
            <bwsc:AckStatusText>Poruka_zaprimljena</bwsc:AckStatusText>
         </bwsc:MessageAck>
      </sad:SendAccountingDocumentAckMsg>
   </soap:Body>
</soap:Envelope>

Is the doubled reference really the problem?
Should the other side be able to validate this message even with the doubled
reference?
How can I fix this problem?

Thanks.



--
View this message in context: http://cxf.547215.n5.nabble.com/Timestamp-valid-only-with-double-timestamp-reference-tp5741140.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Timestamp valid only with double timestamp reference

Posted by cxf newbie <ca...@gmail.com>.
Yes, without "IncludeTimestamp" signature verification passes.

Maybe I am looking in the wrong direction, but the <Signature> element in
*DOMXMLSignature.DOMSignatureValue.sigValueElem* has different namespaces
than the <Signature> element in *DOMXMLSignature.ownerDoc*.

If this is not useful I will try again...



--
View this message in context: http://cxf.547215.n5.nabble.com/Timestamp-valid-only-with-double-timestamp-reference-tp5741140p5741731.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Timestamp valid only with double timestamp reference

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi,

I'm not familiar with Websphere and so there's no point in sending me a
project for it. Using WSS4J on Websphere appears to be problematic....

If you remove the "IncludeTimestamp" policy does signature verification
pass? Could you debug + try to figure out where this extra namespace is
coming from?

Colm.


On Wed, Mar 19, 2014 at 12:39 PM, cxf newbie <ca...@gmail.com> wrote:

> Web service project is inside enterprise archive.
> EAR is composed of dynamic web project (web service) and utility project
> (java project).
> It is deployed on WebSphere 8.0, locally (also runtime is WebSphere JRE 8.0
> -> Java 6).
>
> Version on the service side is 2.7.11-SNAPSHOT (the same on the client
> side).
>
> Used jars are:
> spring-beans-3.2.4.RELEASE.jar
> spring-context-3.2.4.RELEASE.jar
> spring-jdbc-3.2.4.RELEASE.jar
> spring-web-3.2.4.RELEASE.jar
> org.springframework.transaction-3.0.2.RELEASE.jar
> spring-core-3.2.4.RELEASE.jar
> spring-binding-1.0.6.jar
> jibx-run.jar
> spring-expression-3.2.4.RELEASE.jar
> spring-aop-3.2.4.RELEASE.jar
> commons-lang3-3.1.jar
> jibx-extras.jar
> *wss4j-1.6.14.jar*
> xmlschema-core-2.1.0.jar
> *xmlsec-1.5.6.jar*
> log4j-1.2.17.jar
> slf4j-api-1.7.5.jar
> slf4j-log4j12-1.7.5.jar
> *cxf-2.7.11-SNAPSHOT.jar*
> *cxf-rt-ws-policy-2.7.11-20140313.064705-27.jar*
> *cxf-rt-ws-security-2.7.11-20140313.065101-27.jar*
> *neethi-3.0.3.jar*
>
> I can send you web service ear but I need some time to clean up some files.
> It is a bit commercial.
>
> Will it be useful for you if I deploy web service to presentation
> environment and send you url ?
> Or soapUI project will be more useful ?
>
> On service side I put this in log4j.properties:
>
> log4j.logger.org.apache=DEBUG
> log4j.logger.hr=DEBUG
> log4j.logger.javax.xml=DEBUG
> log4j.logger.org.bouncycastle=DEBUG
>
> Is there any option which will be more suitable ?
>
>
> Thanks.
>
>
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Timestamp-valid-only-with-double-timestamp-reference-tp5741140p5741516.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Timestamp valid only with double timestamp reference

Posted by cxf newbie <ca...@gmail.com>.
Web service project is inside enterprise archive.
EAR is composed of dynamic web project (web service) and utility project
(java project).
It is deployed locally on WebSphere 8.0 (the runtime is also WebSphere JRE 8.0
-> Java 6).

Version on the service side is 2.7.11-SNAPSHOT (the same on the client
side).

Used jars are:
spring-beans-3.2.4.RELEASE.jar 
spring-context-3.2.4.RELEASE.jar 
spring-jdbc-3.2.4.RELEASE.jar 
spring-web-3.2.4.RELEASE.jar 
org.springframework.transaction-3.0.2.RELEASE.jar 
spring-core-3.2.4.RELEASE.jar 
spring-binding-1.0.6.jar 
jibx-run.jar 
spring-expression-3.2.4.RELEASE.jar 
spring-aop-3.2.4.RELEASE.jar 
commons-lang3-3.1.jar 
jibx-extras.jar 
*wss4j-1.6.14.jar* 
xmlschema-core-2.1.0.jar 
*xmlsec-1.5.6.jar* 
log4j-1.2.17.jar 
slf4j-api-1.7.5.jar 
slf4j-log4j12-1.7.5.jar 
*cxf-2.7.11-SNAPSHOT.jar*
*cxf-rt-ws-policy-2.7.11-20140313.064705-27.jar*
*cxf-rt-ws-security-2.7.11-20140313.065101-27.jar*
*neethi-3.0.3.jar*

I can send you web service ear but I need some time to clean up some files.
It is a bit commercial.

Would it be useful if I deploy the web service to a presentation environment
and send you the URL?
Or would a soapUI project be more useful?

On service side I put this in log4j.properties:

log4j.logger.org.apache=DEBUG
log4j.logger.hr=DEBUG
log4j.logger.javax.xml=DEBUG
log4j.logger.org.bouncycastle=DEBUG

Is there any option that would be more suitable?


Thanks.
 




--
View this message in context: http://cxf.547215.n5.nabble.com/Timestamp-valid-only-with-double-timestamp-reference-tp5741140p5741516.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Timestamp valid only with double timestamp reference

Posted by Colm O hEigeartaigh <co...@apache.org>.
The test-case doesn't work for me - there are no instructions as to how to
run it. In any case, the problem appears to be on the service side. What
version of CXF is on the service side  + how is it deployed? Also, in the
logs you sent, there is only detailed debugging information given for the
client, not the service.

Colm.


On Wed, Mar 19, 2014 at 10:04 AM, cxf newbie <ca...@gmail.com> wrote:

> Hi,
>
> I am sending you test client as jar:
>
> Test-java.jar <http://cxf.547215.n5.nabble.com/file/n5741507/Test-java.jar
> >
>
> There is jibx 1.2.5 inside with build script.
> JKS has self signed certificate for testing purposes.
>
> If you will need any additional informations please let me know.
>
>
> Thanks.
>
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Timestamp-valid-only-with-double-timestamp-reference-tp5741140p5741507.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Timestamp valid only with double timestamp reference

Posted by cxf newbie <ca...@gmail.com>.
Hi,

I am sending you test client as jar:

Test-java.jar <http://cxf.547215.n5.nabble.com/file/n5741507/Test-java.jar>  

There is jibx 1.2.5 inside with a build script.
The JKS has a self-signed certificate for testing purposes.

If you need any additional information, please let me know.


Thanks.




--
View this message in context: http://cxf.547215.n5.nabble.com/Timestamp-valid-only-with-double-timestamp-reference-tp5741140p5741507.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Timestamp valid only with double timestamp reference

Posted by Colm O hEigeartaigh <co...@apache.org>.
Could you create a test-case that shows the problem + I will take a look?

Colm.


On Sat, Mar 15, 2014 at 10:04 AM, cxf newbie <ca...@gmail.com> wrote:

> Sorry,
>
> In my previous message I put the wrong list of web service jars.
> This one is the correct:
>
> server_jars.txt
> <http://cxf.547215.n5.nabble.com/file/n5741360/server_jars.txt>
>
>
> Thanks.
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Timestamp-valid-only-with-double-timestamp-reference-tp5741140p5741360.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Timestamp valid only with double timestamp reference

Posted by cxf newbie <ca...@gmail.com>.
Sorry,

In my previous message I put the wrong list of web service jars.
This one is correct:

server_jars.txt
<http://cxf.547215.n5.nabble.com/file/n5741360/server_jars.txt>  


Thanks.



--
View this message in context: http://cxf.547215.n5.nabble.com/Timestamp-valid-only-with-double-timestamp-reference-tp5741140p5741360.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Timestamp valid only with double timestamp reference

Posted by cxf newbie <ca...@gmail.com>.
Hi Colm,

I was using 2.7.10.
I upgraded to CXF 2.7.11-SNAPSHOT but still get the same error.

Logs and used jars:

wss4j_client.log
<http://cxf.547215.n5.nabble.com/file/n5741357/wss4j_client.log>  
wss4j_server.log
<http://cxf.547215.n5.nabble.com/file/n5741357/wss4j_server.log>  
client_jars.txt
<http://cxf.547215.n5.nabble.com/file/n5741357/client_jars.txt>  
server_jars.txt
<http://cxf.547215.n5.nabble.com/file/n5741357/server_jars.txt>  


Thanks.



--
View this message in context: http://cxf.547215.n5.nabble.com/Timestamp-valid-only-with-double-timestamp-reference-tp5741140p5741357.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Timestamp valid only with double timestamp reference

Posted by Colm O hEigeartaigh <co...@apache.org>.
The logs don't tell me much beyond that either the signature is not
verifying, or that one of the signed references is not valid. First off,
what version of CXF are you using? I've tried your original policy without
the SignedElements part with the current CXF 2.7.11-SNAPSHOT code and it
works fine. If you are not using a modern version of CXF then you should
upgrade...if you are then enable DEBUG logging and send this to the list.

Colm.


On Wed, Mar 12, 2014 at 1:00 PM, cxf newbie <ca...@gmail.com> wrote:

> Hi Colm,
>
> Thanks for your response.
>
> I am sending you logs (without SignedElements policy):
>
> client.log <http://cxf.547215.n5.nabble.com/file/n5741153/client.log>
> tcp_ip_monitor.txt
> <http://cxf.547215.n5.nabble.com/file/n5741153/tcp_ip_monitor.txt>
>
>
> Thanks.
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Timestamp-valid-only-with-double-timestamp-reference-tp5741140p5741153.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Timestamp valid only with double timestamp reference

Posted by cxf newbie <ca...@gmail.com>.
Hi Colm,

Thanks for your response.

I am sending you logs (without SignedElements policy):

client.log <http://cxf.547215.n5.nabble.com/file/n5741153/client.log>  
tcp_ip_monitor.txt
<http://cxf.547215.n5.nabble.com/file/n5741153/tcp_ip_monitor.txt>  


Thanks.



--
View this message in context: http://cxf.547215.n5.nabble.com/Timestamp-valid-only-with-double-timestamp-reference-tp5741140p5741153.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Timestamp valid only with double timestamp reference

Posted by Colm O hEigeartaigh <co...@apache.org>.
The Timestamp is automatically signed when using the Symmetric or
Asymmetric Bindings. Therefore you don't have to add the SignedElements
XPath expression for the Timestamp (this explains why you see two
references to the Timestamp in the Signature). I'm not sure why it's
failing without the SignedElements policy. Can you attach the request +
error message/stacktrace on the receiving side?

Colm.


On Wed, Mar 12, 2014 at 8:32 AM, cxf newbie <ca...@gmail.com> wrote:

> Hi,
>
> I have this policy on client and server side:
>
>
>         <wsp:Policy wsu:Id="SignMessage"
>
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> "
>                 xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>
>                 <wsp:ExactlyOne>
>                         <wsp:All>
>                                 <sp:AsymmetricBinding
>                                         xmlns:sp="
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>                                         <wsp:Policy>
>                                                 <sp:InitiatorToken>
>                                                         <wsp:Policy>
>
> <sp:X509Token
>
> sp:IncludeToken="
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient
> ">
>
> <wsp:Policy>
>
>       <sp:WssX509V3Token10/>
>
> </wsp:Policy>
>
> </sp:X509Token>
>                                                         </wsp:Policy>
>                                                 </sp:InitiatorToken>
>                                                 <sp:RecipientToken>
>                                                         <wsp:Policy>
>
> <sp:X509Token
>
> sp:IncludeToken="
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToInitiator
> ">
>
> <wsp:Policy>
>
>       <sp:WssX509V3Token10/>
>
> </wsp:Policy>
>
> </sp:X509Token>
>                                                         </wsp:Policy>
>                                                 </sp:RecipientToken>
>                                                 <sp:AlgorithmSuite>
>                                                         <wsp:Policy>
>
> <sp:Basic128/>
>                                                         </wsp:Policy>
>                                                 </sp:AlgorithmSuite>
>                                                 <sp:Layout>
>                                                         <wsp:Policy>
>                                                                 <sp:Strict
> />
>                                                         </wsp:Policy>
>                                                 </sp:Layout>
>                                                 <sp:IncludeTimestamp />
>
> <sp:OnlySignEntireHeadersAndBody />
>                                         </wsp:Policy>
>                                 </sp:AsymmetricBinding>
>                                 <sp:Wss10
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                        <wsp:Policy>
>                           <sp:MustSupportRefKeyIdentifier/>
>                        </wsp:Policy>
>                 </sp:Wss10>
>                                 <sp:SignedElements
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>                                         <sp:XPath xmlns:soap="
> http://schemas.xmlsoap.org/soap/envelope/"
>
> xmlns:wsse="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
> "
>
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> ">
>
> /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp
>                         </sp:XPath>
>                 </sp:SignedElements>
>                                 <sp:SignedParts
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>                                         <sp:Body />
>                                 </sp:SignedParts>
>                         </wsp:All>
>                 </wsp:ExactlyOne>
>         </wsp:Policy>
>
> When I uncomment <SignedElements> then Timestamp reference is doubled but
> messsage is VALID.
> But when <SignedElements> is commented there is only one timestamp
> reference
> but message is INVALID.
>
> Valid message:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
> xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>    <soapenv:Header
> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
>       <wsse:Security soap:mustUnderstand="1"
> xmlns:wsse="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
> "
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> ">
>          <wsse:BinarySecurityToken
> EncodingType="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
> "
> ValueType="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
> "
>
> wsu:Id="X509-B1B71365459EB8BA9113946113597143">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</wsse:BinarySecurityToken>
>          <wsu:Timestamp wsu:Id="TS-B1B71365459EB8BA9113946113596981">
>             <wsu:Created>2014-03-12T08:02:39.698Z</wsu:Created>
>             <wsu:Expires>2014-03-12T08:07:39.698Z</wsu:Expires>
>          </wsu:Timestamp>
>          <ds:Signature Id="SIG-B1B71365459EB8BA9113946113597146"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>             <ds:SignedInfo>
>                <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>                <ds:Reference URI="#TS-B1B71365459EB8BA9113946113596981">
>                   <ds:Transforms>
>                      <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                   </ds:Transforms>
>                   <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>
> <ds:DigestValue>Q2jek5hQtEJMmmPUMYZUdk6BO/k=</ds:DigestValue>
>                </ds:Reference>
>                <ds:Reference URI="#_B1B71365459EB8BA9113946113596982">
>                   <ds:Transforms>
>                      <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                   </ds:Transforms>
>                   <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>
> <ds:DigestValue>8sujJKvSraZMQBV7ptRxzR89J4Y=</ds:DigestValue>
>                </ds:Reference>
>                <ds:Reference URI="#TS-B1B71365459EB8BA9113946113596981">
>                   <ds:Transforms>
>                      <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                   </ds:Transforms>
>                   <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>
> <ds:DigestValue>Q2jek5hQtEJMmmPUMYZUdk6BO/k=</ds:DigestValue>
>                </ds:Reference>
>             </ds:SignedInfo>
>
>
> <ds:SignatureValue>ZLoYk9F55lQdrUMTaG4+4A1WgdICUeofLAusaTTD46SXsi/F+gFTo+LfL0RW/QYDsM48Qo1RRXh7AJ4oZskpnfxdsYzw1BLg9O38whNoLQ6XGLIA5OFARFodnYOex5D3ytSjsRhcCEQqPgdjc/q7uGfYpTpybBvgFSmR6dWLMCEP6vPeFhtwHNJtMM0AhphbtbSeCNqF0Y871cXBt8ckFuxFazQnI1ywER8uD4z1XGNuTo4iO8EzpyAobFnzN0gb5j4wymyo6RhOmuILT9WASQ4UWD27GJegS2PKXEVpSRWCV/rOSyEfqBBl5DrzgCB4eV9OX4clB92mO2EtDYbXDg==</ds:SignatureValue>
>             <ds:KeyInfo Id="KI-B1B71365459EB8BA9113946113597144">
>                <wsse:SecurityTokenReference
> wsu:Id="STR-B1B71365459EB8BA9113946113597145">
>                   <wsse:Reference
> URI="#X509-B1B71365459EB8BA9113946113597143"
> ValueType="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
> "/>
>                </wsse:SecurityTokenReference>
>             </ds:KeyInfo>
>          </ds:Signature>
>       </wsse:Security>
>    </soapenv:Header>
>    <soap:Body wsu:Id="_B1B71365459EB8BA9113946113596982"
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> ">
>       <sad:SendAccountingDocumentAckMsg
> xmlns:sad="http://fina.hr/ebox/ws/SendAccountingDocument/v0.1">
>          <bwsc:MessageAck
> xmlns:bwsc="http://fina.hr/eracun/boxwebservicecomponents">
>
> <bwsc:MessageID>9fd6f1e6-75f9-475c-bd1b-5cf583218579</bwsc:MessageID>
>             <bwsc:MessageAckID>1</bwsc:MessageAckID>
>             <bwsc:MessageType>12</bwsc:MessageType>
>             <bwsc:AckStatus>ACCEPTED</bwsc:AckStatus>
>             <bwsc:AckStatusCode>1</bwsc:AckStatusCode>
>             <bwsc:AckStatusText>Poruka_zaprimljena</bwsc:AckStatusText>
>          </bwsc:MessageAck>
>       </sad:SendAccountingDocumentAckMsg>
>    </soap:Body>
> </soap:Envelope>
>
> Is doubled reference really the problem ?
> Shall another side be capable to valid this message even with doubled
> reference ?
> How can I fix this problem ?
>
> Thanks.
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Timestamp-valid-only-with-double-timestamp-reference-tp5741140.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com