Posted to fx-dev@ws.apache.org by Brian Nielsen <br...@sweetxml.org> on 2005/07/04 21:49:53 UTC

RE: Problem checking signatures (from WSE 2.0 to wss4j)

Werner,

Thanks for clearing that up, so okay, the problem is the
certificate/signature. I've tried to create a small program to do my own
verification, based on the xml-sec samples with some luck, but it has not
helped me much. I took the response I got from WSE 2.0 and tried to reproduce
the signature, but I can't even get the digest right. I've looked at some
of the code inside wss4j, but it's "steeeeep" uphill for me. I've attached
the result I get as an XML file, with both the wss-stuff and my "own"
signature element in the header. And my program sample is inserted below.

Has anyone had the same problem?

Does anyone have a clue as to what could be wrong or something I should try
out?

Thanks in advance - any ideas will be much appreciated since I've already
spent quite some time on this, and have no intention of giving up :-)

Also, I've tried switching between JDK 1.4.2 and 5.0, with some weird
problems. Should I stick with 1.4.2, or should there be no problems with
either?

Best regards
Brian


import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.message.EnvelopeIdResolver;
import org.apache.xml.security.Init;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.XMLUtils;
import org.apache.xml.security.utils.resolver.ResourceResolverSpi;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class ResignResponse {

	// Output file for the re-signed document. The name is assumed here; the
	// sample as posted referenced an AXIS_SIGNATURE_FILENAME constant defined elsewhere.
	private static final String AXIS_SIGNATURE_FILENAME = "resigned-response.xml";

	public static void main(String[] args) throws Exception {
		Init.init();

		String keystoreType = "PKCS12";
		String keystoreFile = "cpr.p12";
		String keystorePass = "cpr";
		String privateKeyAlias = "cpr server certificate";
		String privateKeyPass = "cpr";
		String certificateAlias = "cpr server certificate";
		File signatureFile = new File(AXIS_SIGNATURE_FILENAME);

		KeyStore ks = KeyStore.getInstance(keystoreType);
		FileInputStream fis = new FileInputStream(keystoreFile);
		ks.load(fis, keystorePass.toCharArray());
		fis.close();

		PrivateKey privateKey = (PrivateKey) ks.getKey(privateKeyAlias,
				privateKeyPass.toCharArray());

		// Namespace awareness is required, otherwise the wsu:Id lookup and
		// exclusive C14N do not see prefixes and namespaces correctly.
		DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
		dbf.setNamespaceAware(true);
		DocumentBuilder db = dbf.newDocumentBuilder();

		File soapFile = new File("dotNet-response.xml");
		Document soapDocument = db.parse(soapFile);

		Element headerElement = (Element) soapDocument.getElementsByTagNameNS(
				"http://schemas.xmlsoap.org/soap/envelope/", "Header").item(0);

		String baseURI = soapFile.toURI().toURL().toString();
		// Same SignatureMethod and CanonicalizationMethod as the WSE response.
		XMLSignature sig = new XMLSignature(soapDocument, baseURI,
				XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
				Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
		headerElement.appendChild(sig.getElement());

		// wss4j's resolver lets xml-security dereference "#<wsu:Id>" URIs.
		WSSConfig wssConf = WSSConfig.getDefaultWSConfig();
		ResourceResolverSpi eir = EnvelopeIdResolver.getInstance(wssConf);
		sig.addResourceResolver(eir);

		// The Reference in the WSE response carries an exc-c14n Transform, and the
		// digest is computed over the transformed octets. Declaring the same
		// Transform here is necessary for the DigestValue to be reproducible;
		// addDocument(uri) alone would digest the inclusive-C14N node set instead.
		Transforms transforms = new Transforms(soapDocument);
		transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
		sig.addDocument("#Id-eb849637-bd22-465e-891c-3b713e222c15", transforms,
				Constants.ALGO_ID_DIGEST_SHA1);

		X509Certificate cert = (X509Certificate) ks.getCertificate(certificateAlias);
		sig.addKeyInfo(cert);
		// sig.addKeyInfo(cert.getPublicKey());
		sig.sign(privateKey);

		FileOutputStream f = new FileOutputStream(signatureFile);
		XMLUtils.outputDOMc14nWithComments(soapDocument, f);
		f.close();
		System.out.println("Wrote signature to " + signatureFile);

		// Dump the exact octets each Reference was digested over, for
		// comparison against what the .NET side produced.
		for (int i = 0; i < sig.getSignedInfo().getSignedContentLength(); i++) {
			System.out.println("--- Signed Content follows ---");
			System.out.println(new String(sig.getSignedInfo()
					.getSignedContentItem(i), "UTF-8"));
		}
	}
}

-----Original Message-----
From: Dittmann, Werner [mailto:werner.dittmann@siemens.com] 
Sent: 29 June 2005 16:30
To: Brian Nielsen; fx-dev@ws.apache.org
Subject: AW: Problem checking signatures

Brian,

the message "Verification successful for URI" means that the computed digest
value over the referenced part of the message is ok.

The SignatureValue is then computed over the part that is enclosed by
"<SignedInfo>" tags. If somehow this part of the message is modified then
the computation of the hash for this part fails. Even inserting a blank or
an additional linefeed causes failure - so _no_ modification after
Signature.

AFAIK the SignatureValue is the hash over the SignedInfo encrypted with the
private key of the signer; to check the signature, decrypt with the public key,
compute the hash over SignedInfo (after checking the enclosed DigestValues) and
compare the results.

Regards,
Werner

> -----Original Message-----
> From: Brian Nielsen [mailto:brian@sweetxml.org]
> Sent: Wednesday, 29 June 2005 14:30
> To: fx-dev@ws.apache.org
> Subject: Problem checking signatures
> 
> 
> My scenario is signature/encrypt request/response from wss4j to 
> WSE2.0SP3.
> The request sign/encrypt goes fine, and for the response the decryption 
> is also okay, but the signature fails. The strange thing is that I get 
> the following on the console:
> 
> Verification successful for URI
> "#Id-e1f13ac7-1af6-4f79-a76c-2489d05e3816"
> 
> I can see that this message comes from the call to 
> "sig.checkSignatureValue(certs[0]);" in WSSecurityEngine and that the 
> return value is "false". [1] is a pretty print of the response, that 
> I've confined to just signing to focus on the problem.
> 
> Has anyone got an idea of what's happening and a solution? I know that 
> there could be more information necessary, so please write back if 
> you've got any clues.
> 
> Best regards
> Brian Nielsen
> 
> 
> [1]
> <?xml version="1.0" encoding="utf-8"?>
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>     xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
>     xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>   <soap:Header>
>     <wsa:Action>http://www.oio.dk/arkitektur/webservice/security/atedResponse</wsa:Action>
>     <wsa:MessageID>uuid:d7a59b71-f5c8-4789-b9a9-5e27b08dbdad</wsa:MessageID>
>     <wsa:RelatesTo>uuid:3de201e3-1b79-48c7-b195-0207ea3bad58</wsa:RelatesTo>
>     <wsa:To>http://schemas.xmlsoap.org/ws/2004/03/addressing/role/anonymous</wsa:To>
>     <wsse:Security soap:mustUnderstand="1">
>       <wsu:Timestamp wsu:Id="Timestamp-8ba94dc8-5688-4fb9-9d05-31ccb1ec9f94">
>         <wsu:Created>2005-06-29T11:31:55Z</wsu:Created>
>         <wsu:Expires>2005-06-29T11:36:55Z</wsu:Expires>
>       </wsu:Timestamp>
>       <wsse:BinarySecurityToken
>           ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>           EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>           wsu:Id="SecurityToken-0170d0e7-53ad-4bf4-8176-5598acd0a7ae">[base64 X.509v3 certificate omitted]</wsse:BinarySecurityToken>
>       <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>         <SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
>           <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>           <Reference URI="#Id-4130cb51-eb27-4f46-aa92-c7db3e906e4c">
>             <Transforms>
>               <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>             </Transforms>
>             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>             <DigestValue>iDgY5vodA7dsKqrWWXJT0ynFJzI=</DigestValue>
>           </Reference>
>         </SignedInfo>
>         <SignatureValue>TQ1okwAi9CQS5vNCSxR2p2vaRKjbYF2YYx3XtOA/lhm9ykwxCQpNlOwio4U0eE3ko1IwRmG8/ATqkTEZ8AKQVsg6w3xRqTcKjs2jQPj3Q8epOsXeie6OEuYeD1wSbsPYoaP0jBACWbdd1TR2OMiqjEENvIPGAw9jaTz0Ldp4uSU=</SignatureValue>
>         <KeyInfo>
>           <wsse:SecurityTokenReference>
>             <wsse:Reference URI="#SecurityToken-0170d0e7-53ad-4bf4-8176-5598acd0a7ae"
>                 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
>           </wsse:SecurityTokenReference>
>         </KeyInfo>
>       </Signature>
>     </wsse:Security>
>   </soap:Header>
>   <soap:Body wsu:Id="Id-4130cb51-eb27-4f46-aa92-c7db3e906e4c">
>     <PersonalCPRDataStructure xmlns="http://rep.oio.dk/xkom.dk/xml/schemas/2004/08/01/">
>       <PersonName>
>         <PersonGivenName xmlns="http://rep.oio.dk/ebxml/xml/schemas/dkcc/2003/02/13/">Fornavn</PersonGivenName>
>         <PersonMiddleName xmlns="http://rep.oio.dk/ebxml/xml/schemas/dkcc/2003/02/13/">Mellemnavn</PersonMiddleName>
>         <PersonSurnameName xmlns="http://rep.oio.dk/ebxml/xml/schemas/dkcc/2003/02/13/">Efternavn</PersonSurnameName>
>       </PersonName>
>     </PersonalCPRDataStructure>
>   </soap:Body>
> </soap:Envelope>
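Werner's explanation separates two checks that a single checkSignatureValue() call runs together: the Reference digests (the step that prints "Verification successful for URI ...") and the RSA-SHA1 value over the exclusive-C14N form of SignedInfo. The following is an added diagnostic, not code from this thread or from wss4j, that runs the two checks one after the other against a saved response such as [1] and prints the canonicalized SignedInfo octets, so a whitespace or namespace difference introduced after signing can be seen directly. It assumes the xml-security and wss4j APIs already used in Brian's sample, and takes the verification certificate from the BinarySecurityToken in the message rather than from a keystore.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.message.EnvelopeIdResolver;
import org.apache.xml.security.Init;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Base64;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Added diagnostic (not part of the thread): verifies digests and SignatureValue separately.
public class SplitVerify {
	static final String WSSE_NS =
		"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

	public static void main(String[] args) throws Exception {
		Init.init();
		DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
		dbf.setNamespaceAware(true);
		File soapFile = new File(args[0]); // path to the saved SOAP response, e.g. [1]
		Document doc = dbf.newDocumentBuilder().parse(soapFile);

		Element sigEl = (Element) doc.getElementsByTagNameNS(
			Constants.SignatureSpecNS, Constants._TAG_SIGNATURE).item(0);
		XMLSignature sig = new XMLSignature(sigEl, soapFile.toURI().toURL().toString());
		// wss4j's resolver is what makes "#<wsu:Id>" references dereferenceable.
		sig.addResourceResolver(EnvelopeIdResolver.getInstance(WSSConfig.getDefaultWSConfig()));

		// Check 1: Reference digests only. This is the step that logs
		// "Verification successful for URI ..."; it never looks at SignatureValue.
		SignedInfo si = sig.getSignedInfo();
		System.out.println("reference digests ok: " + si.verifyReferences());

		// The octets the RSA-SHA1 check actually covers: exclusive C14N of SignedInfo.
		// Any byte changed after signing (whitespace, an added namespace declaration)
		// shows up here and makes check 2 fail even though check 1 passed.
		byte[] c14n = si.getCanonicalizedOctetStream();
		System.out.println("--- canonicalized SignedInfo ---");
		System.out.println(new String(c14n, "UTF-8"));

		// Check 2: SignatureValue against the X509v3 certificate carried base64-encoded
		// in the BinarySecurityToken, i.e. the key the .NET side says it signed with.
		Element bst = (Element) doc.getElementsByTagNameNS(WSSE_NS, "BinarySecurityToken").item(0);
		byte[] der = Base64.decode(bst.getFirstChild().getNodeValue());
		X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
			.generateCertificate(new ByteArrayInputStream(der));
		System.out.println("signature value ok: " + sig.checkSignatureValue(cert));
	}
}
```

If check 1 passes and check 2 fails, compare the printed SignedInfo octets with the ones the signer produced; if check 1 already fails, the Reference (its Transform list or the wsu:Id resolution) is the place to look.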