Posted to fx-dev@ws.apache.org by Ted Toth <te...@potomacfusion.com> on 2004/12/01 15:42:54 UTC

.Net WSE incompatibility

I am trying to call a Java based web service which uses WSS4J for
WS-Security. This service includes a SAML assertion which gets signed. When
my .Net client using WSE 2.0 sp1 receives the response and processes the
<security> element it throws the following exception:

Unhandled Exception: Microsoft.Web.Services2.Security.SecurityFault: An
error was discovered processing the <Security> header --->
System.Security.Cryptography.CryptographicException: WSE502: The target
element referenced by the following id can not be found in the message:
id-16345030.  Make sure that the element is present at the time when the
signing or encryption operation is performed.
   at Microsoft.Web.Services2.Security.SignatureReference.CalculateHashValue(XmlDocument document, CanonicalXmlNodeList refList)
   at Microsoft.Web.Services2.Security.MessageSignature.CheckDigestedReferences()
   at Microsoft.Web.Services2.Security.MessageSignature.CheckAsymmetricSignature(AsymmetricKeyAlgorithm key)
   at Microsoft.Web.Services2.Security.MessageSignature.CheckSignature()

The pertinent portion of the response soap is as follows:
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    <ds:Reference URI="#id-16345030">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <ds:DigestValue>LPPNukHTArY+4PSLz1m4t1CYGSo=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>
PZzNqIRPAestEElchfbOGiHFbFLZygJGnJ28PGRDC+98/kmwCjgKAXMiA4f9mNMOzBN7jP8k
PZzNqIRPAestEElchfbOGiHFbFLZygJGnJ28PGRDC+qfTz
sVc0sY3pQXkIt2kjS7dV49AwfhqKfz2WP2exi09+Ha0bh6yFdB1f0v+qyJPBFeToCTtlCa+y
sVc0sY3pQXkIt2kjS7dV49AwfhqKfz2WP2exi09+Ha0bh6yFdB1f0v+qyJPBFeToCTtlCa+W
sVc0sY3pQXkIt2kjS7dV49AwfhqKfz2WP2exi09+Ha0bh6yFdB1f0v+qyJPBFeToCTtlCa+t
sVc0sY3pQXkIt2kjS7dV49AwfhqKfz2WP2exi09+Ha0bh6yFdB1f0v+qyJPBFeToCTtlCa+D
sVc0sY3pQXkIt2kjS7dV49AwfhqKfz2WP2exi09+Ha0bh6yFdB1f0v+qyJPBFeToCTtlCa+y
VA3h8ifU8NxNUWBsTt4=
  </ds:SignatureValue>
  <ds:KeyInfo Id="KeyId-33467534">
    <wsse:SecurityTokenReference
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="STRId-15917128">
      <wsse:Reference URI="#CertId-14357639" />
    </wsse:SecurityTokenReference>
  </ds:KeyInfo>
</ds:Signature>

<wsu:Timestamp
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    wsu:Id="id-23243768">
  <wsu:Created>2004-11-30T02:53:31Z</wsu:Created>
</wsu:Timestamp>

<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    AssertionID="c9e58c959da9006badfc085a3a526f75"
    IssueInstant="2004-11-30T02:53:31.160Z"
    Issuer="CN=service-consumer, OU=Other, OU=PKI, OU=DoD, O=U.S. Government, C=US"
    MajorVersion="1" MinorVersion="1"
    wsu:Id="id-16345030">

From
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobspec/html/ws-security-xml-tokens.asp

3.3. Identifying and Referencing Security Tokens

The WS-Security
<http://msdn.microsoft.com/library/en-us/dnglobspec/html/ws-security-xml-tokens.asp?frame=true#ws-security-xml-tokens_wssec#ws-security-xml-tokens_wssec>
specification defines the wsu:Id attribute as the common mechanism for
referencing security tokens by "Id" (the specification describes the reasons
for this). Since the SAML specification does not allow attribute
extensibility on the <saml:Assertion> element, this specification allows the
<saml:AssertionIDReference> element to be placed inside of a
<wsse:SecurityTokenReference> element. When this element is encountered
within a reference, the recipient, if it supports SAML assertion tokens,
MUST know to de-reference the SAML Assertion ID reference to identify the
correct SAML assertion to use as the security token.

So it seems to me that the SignedInfo Reference for the signed SAML assertion
should be its AssertionID and not the wsu:Id, which probably shouldn't have
been added to the Assertion element in the first place.

Ted

cell: 512.415.3128
tedx@potomacfusion.com
YahooIM: txtoth
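As an added illustration of the referencing problem described in the post above (example code written for this page; it is not WSS4J, WSE or the poster's code, and it does not model WSE 2.0's internals), the following Python resolver dereferences ds:Reference URIs and wsse:SecurityTokenReference elements the way a schema-strict, SAML-aware recipient would. It assumes, following the quoted profile text, that a conformant recipient ignores a wsu:Id placed on saml:Assertion (SAML 1.x allows no foreign attributes there) and locates the assertion only by its AssertionID, either directly or via saml:AssertionIDReference. The sample message is constructed from the ids in the post; the body, the certificate token and the signature bytes are omitted, and an AssertionIDReference-style STR is added to show the profile's alternative. The function and constant names are this example's own.

```python
"""Dereference WS-Security references the way a schema-strict, SAML-aware
recipient would.  Added example; not WSS4J, WSE or the poster's code."""
import xml.etree.ElementTree as ET

WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"

WSU_ID = "{%s}Id" % WSU
ASSERTION = "{%s}Assertion" % SAML
TIMESTAMP = "{%s}Timestamp" % WSU

# Constructed sample modelled on the response in the post: same ids and
# reference URI, but the body, BinarySecurityToken and signature bytes are
# left out, and an AssertionIDReference-style STR is added to show the
# profile's alternative.  Not a real captured message.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s"
                   xmlns:ds="%(ds)s" xmlns:saml="%(saml)s">
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#id-16345030"/>
        </ds:SignedInfo>
      </ds:Signature>
      <wsu:Timestamp wsu:Id="id-23243768">
        <wsu:Created>2004-11-30T02:53:31Z</wsu:Created>
      </wsu:Timestamp>
      <saml:Assertion AssertionID="c9e58c959da9006badfc085a3a526f75"
                      MajorVersion="1" MinorVersion="1" wsu:Id="id-16345030"/>
      <wsse:SecurityTokenReference wsu:Id="STR-constructed">
        <saml:AssertionIDReference>c9e58c959da9006badfc085a3a526f75</saml:AssertionIDReference>
      </wsse:SecurityTokenReference>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>
""" % {"wsse": WSSE, "wsu": WSU, "ds": DS, "saml": SAML}


def load_sample():
    return ET.fromstring(SAMPLE)


def _ids_of(elem, saml_aware):
    """Identifiers by which `elem` may legitimately be referenced."""
    if elem.tag == ASSERTION:
        # SAML 1.x allows no foreign attributes on saml:Assertion, so a
        # schema-strict recipient never indexes a wsu:Id found there; the
        # only usable handle is AssertionID, and only if the recipient
        # understands SAML tokens at all.  (Assumption of this example.)
        if saml_aware and "AssertionID" in elem.attrib:
            yield elem.attrib["AssertionID"]
        return
    if WSU_ID in elem.attrib:
        yield elem.attrib[WSU_ID]


def resolve_reference(root, uri, saml_aware=True):
    """Dereference a same-document URI such as "#id-16345030".

    Returns the element, or None when no element carries that id.  Two
    elements answering to one id are refused outright: a verifier that
    hashes one while the application reads the other is the setup for
    XML signature wrapping.
    """
    if not uri.startswith("#"):
        raise ValueError("only same-document references handled: %r" % uri)
    wanted = uri[1:]
    hits = [e for e in root.iter() if wanted in _ids_of(e, saml_aware)]
    if len(hits) > 1:
        raise ValueError("id %r is ambiguous (%d elements)" % (wanted, len(hits)))
    return hits[0] if hits else None


def check_signed_references(root, saml_aware=True):
    """Resolve every ds:Reference in the message; the value is the target's
    tag, or None for the WSE502-style failure (element not found)."""
    out = {}
    for ref in root.iter("{%s}Reference" % DS):
        uri = ref.attrib.get("URI", "")
        target = resolve_reference(root, uri, saml_aware)
        out[uri] = None if target is None else target.tag
    return out


def foreign_attributes(assertion):
    """Namespace-qualified attributes on a saml:Assertion.  SAML's own
    attributes are unqualified, so anything returned here (e.g. wsu:Id)
    lies outside the SAML schema."""
    return sorted(a for a in assertion.attrib if a.startswith("{"))


def resolve_str(root, str_elem):
    """Dereference a wsse:SecurityTokenReference: by AssertionIDReference
    for SAML tokens, by wsse:Reference/@URI for everything else."""
    idref = str_elem.find("{%s}AssertionIDReference" % SAML)
    if idref is not None and idref.text:
        return resolve_reference(root, "#" + idref.text.strip(), saml_aware=True)
    ref = str_elem.find("{%s}Reference" % WSSE)
    if ref is not None:
        return resolve_reference(root, ref.attrib["URI"])
    return None


if __name__ == "__main__":
    root = load_sample()
    print(check_signed_references(root))   # the post's failure case
    print(foreign_attributes(root.find(".//" + ASSERTION)))
    print(resolve_str(root, root.find(".//{%s}SecurityTokenReference" % WSSE)).tag)
```

Run as a script, the first line shows the ds:Reference to `#id-16345030` resolving to nothing, because the only element carrying that id is the Assertion and the id is a wsu:Id the resolver refuses to honour there; the second line lists that wsu:Id as the one attribute outside the SAML schema; the third shows the same assertion being found through the AssertionIDReference STR. The duplicate-id refusal in `resolve_reference` is the check a verifier should keep regardless of which identifier scheme it ends up supporting.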