Posted to fx-dev@ws.apache.org by Chris Nappin <C....@ABM-UK.COM> on 2005/09/02 11:49:48 UTC

RE: signature verification failures

Thanks for confirming my setup is correct. Unfortunately that then means
I have a more difficult problem to resolve ;-(

I've attached the client code and the various configuration files; the
service doesn't have any security-specific code in it (yet).

The SOAP request has been copied, pasted and reformatted from a few
emails so ignore the line breaks. It looked like valid XML in tcpmon.

Any ideas where the double "--" in the cert identifier comes from?

Yes, I've read the package documentation many times. This document
contains a few odd contradictions you might be able to clear up? In the
"Combine UsernameToken and Encryption" section, it has the following
setting:

<parameter name="encryptionUser" 
      value="16c73ab6-b892-458f-abf5-2f875f74882e" />

The description for this setting is as follows:

encryptionUser - the name or identifier of the user who owns the public
key to encrypt the data. Usually this is the name or alias name of the
owner's certificate in a keystore.

Is the name/alias for the public key really the long hex number
mentioned in the parameter?
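An added example (Python, not part of this thread): a small DER walker over the intact leading bytes of the BinarySecurityToken in the quoted request, showing where the two parts of an IssuerSerial identifier come from. The serial is the certificate's own serialNumber INTEGER, which keytool prints in hex (43175c89) and which ds:X509IssuerSerial carries in decimal; the issuer is the certificate's issuer DN (CN=clientkey). Only the leading base64 chunk of the quoted token is used; the rest of that blob was mangled by mail reflow.

```python
import base64
from datetime import datetime, timezone
# Intact leading 148 base64 chars of the BinarySecurityToken from the quoted
# request; mail reflow mangled the rest, but this covers the TBSCertificate up to the key.
CERT_PREFIX_B64 = (
    "MIIBmjCCAQMCBEMXXIkwDQYJKoZIhvcNAQEEBQAwFDESMBAGA1UEAxMJY2xpZW50a2V5MB4XDT"
    "A1MDkwMTE5NTQ0OVoXDTA1MTEzMDE5NTQ0OVowFDESMBAGA1UEAxMJY2xpZW50a2V5MIGfMA0G"
)

def read_tlv(buf, pos):
    """One DER tag-length-value at pos; value is clipped if buf is truncated."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = min(pos + length, len(buf))         # outer SEQUENCEs here run past our prefix
    return tag, buf[pos:end], end

def decode_oid(value):                        # DER OBJECT IDENTIFIER -> dotted decimal
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_issuer_serial(b64):
    """Return (issuer CN, serial as int, signature OID, notBefore) from a cert prefix."""
    der = base64.b64decode(b64)
    _, cert, _ = read_tlv(der, 0)             # Certificate ::= SEQUENCE (clipped)
    _, tbs, _ = read_tlv(cert, 0)             # tbsCertificate (clipped)
    tag, serial, pos = read_tlv(tbs, 0)       # v1 cert: no [0] version, serialNumber first
    assert tag == 0x02, "expected INTEGER serialNumber"
    _, sigalg, pos = read_tlv(tbs, pos)       # AlgorithmIdentifier
    _, issuer, pos = read_tlv(tbs, pos)       # Name ::= SEQUENCE OF SET OF type+value
    _, validity, _ = read_tlv(tbs, pos)
    atv = read_tlv(read_tlv(issuer, 0)[1], 0)[1]
    _, attr_type, p = read_tlv(atv, 0)
    _, attr_val, _ = read_tlv(atv, p)
    cn = attr_val.decode() if decode_oid(attr_type) == "2.5.4.3" else None
    not_before = read_tlv(validity, 0)[1].decode()
    nb = datetime.strptime(not_before, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return cn, int.from_bytes(serial, "big", signed=True), decode_oid(read_tlv(sigalg, 0)[1]), nb

def issuer_serial_element(cn, serial):
    """ds:X509IssuerSerial carries the serial as xs:integer (decimal): keytool's hex 43175c89 reads 1125604489."""
    return (f"<ds:X509IssuerSerial><ds:X509IssuerName>CN={cn}</ds:X509IssuerName>"
            f"<ds:X509SerialNumber>{serial}</ds:X509SerialNumber></ds:X509IssuerSerial>")
```

One check worth noticing: here the serial equals notBefore in epoch seconds (1125604489 = 2005-09-01 19:54:49 UTC, the "Valid from" time keytool prints in BST), which is how keytool of that era seeded the serial of a self-signed certificate.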


-----Original Message-----
From: Werner Dittmann [mailto:Werner.Dittmann@t-online.de] 
Sent: 02 September 2005 09:53
To: Chris Nappin
Cc: wss4j-dev@ws.apache.org
Subject: Re: signature verification failures

Chris,

your setup seems to be correct. Looking at the
error message it tells us that the verification
for the SOAP Body failed. The computed digest value
does not match the stored digest value in the reference.

Looking at the request you included in the mail I see very
strange linebreaks in the middle of words. Because other lines
are longer I don't think it is part of the e-mail formatting.
Another strange thing is the double "--" in the cert identifier.

Is there any chance that the SOAP request was modified during
the transfer? At least this would explain the failure.

btw, did you look at package.html in **/security/axis? Even if
it's outdated it gives you some hints on how to do Signature etc.

Regards,
Werner


Chris Nappin wrote:
> Hi,
> 
>   I've been trying for some time now to get a simple working example
> of wss4j using signatures, but am struggling with the current sparse
> level of documentation. I can get UsernameToken working fine, but with
> Signatures I've only got as far as sending what I think is a valid SOAP
> request with a signature on it, but the server rejects it as it thinks
> the signature is invalid.
> 
> I'll outline what I'm doing; I assume it's something simple I am doing
> wrong?
> 
> - I'm using Sun JDK 1.5.0-03, WSS4J 1.0, Axis 1.2.1, JBoss 4.0.2,
> Windows XP
> 
> - I created a client key using keytool (i.e. a self-signed X509 v1
> certificate using RSA), exported it as a certificate and imported it
> into the server's keystore
> 
> - My client code uses the WSS4JHandler, with the following settings:
>     - action = Signature
>     - signaturePropFile = client-signature.properties (which
> references client.keystore)
>     - user = clientkey
>     - signatureKeyIdentifier = DirectReference
> 
> - My server-config.wsdd uses the WSDoAllReceiver handler, with the
> following settings:
>     - action = Signature
>     - signaturePropFile = server-signature.properties (which
> references server.keystore)
> 
> 
> (I would use signatureKeyIdentifier = IssuerSerial, as this is what
> most of the examples I've seen use, but I'm unsure where the long hex
> serial number comes from?)
> 
> keytool -printcert on my client certificate gives:
> 
> Owner: CN=clientkey
> Issuer: CN=clientkey
> Serial number: 43175c89
> Valid from: Thu Sep 01 20:54:49 BST 2005 until: Wed Nov 30 19:54:49 GMT 2005
> Certificate fingerprints:
>          MD5:  AC:C7:EA:41:B4:FB:6A:C2:30:A4:6B:A6:02:0A:AC:2E
>          SHA1: 9D:23:FF:F9:87:AE:28:0E:31:98:2C:53:4F:B0:F9:29:15:C0:5F:BE
> 
> The SOAP request is:
> 
> POST /sidWS/services/SecureService HTTP/1.0
> Content-Type: text/xml; charset=utf-8
> Accept: application/soap+xml, application/dime, multipart/related, text/*
> User-Agent: Axis/1.2.1
> Host: localhost:9080
> Cache-Control: no-cache
> Pragma: no-cache
> SOAPAction: "http://localhost:8080/sidWS/services/SecureService"
> Content-Length: 2885
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> <soapenv:Header>
> <wsse:Security
>
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsse
curi
> ty-secext-1.0.xsd"
soapenv:mustUnderstand="1"><wsse:BinarySecurityToken
>
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssec
urity-utility-1.0.xsd"
>
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-so
ap-m
> essage-security-1.0#Base64Binary"
>
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-
toke
> n-profile-1.0#X509v3"
>
wsu:Id="CertId--34480">MIIBmjCCAQMCBEMXXIkwDQYJKoZIhvcNAQEEBQAwFDESMBAGA
1UEA
> xMJY2xpZW50a2V5MB4XDTA1
>
MDkwMTE5NTQ0OVoXDTA1MTEzMDE5NTQ0OVowFDESMBAGA1UEAxMJY2xpZW50a2V5MIGfMA0G
CSqG
>
SIb3DQEBAQUAA4GNADCBiQKBgQCWO2CV7m7gU4/usE+2+1I5cnBNl4zwZkx1Xw8x9B/KINGR
86XK
>
x/SGU2fKOrEZ+Nz4ULbIFJE9CjCBt3LCbkOCCAVal7VBVR2hkuJkdAIhl99D8cWAohw9D2sf
cuvk
>
Piaz+tuOIowNLavi9hi9xYtVZRzvk7TB5ijZm8028w38TwIDAQABMA0GCSqGSIb3DQEBBAUA
Piaz+A4GB
>
AHBm+yKgqZ6pn2viUUQcQa/yVLF3HD0D1+hfhipAco0ZEJudw109+KUsujehlyKyiV3drKrs
AHBm+whEn
>
EXlUVktIwS8KSDtIFN7bh7GNK6ufYIhTQjVbBt3ghvCNiRL4nLuCCzzs89I5XPlNQAtg/rVF
dcBj
> jDdgZgMvjYXlJfJjMw9J</wsse:BinarySecurityToken><ds:Signature
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
>
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Canonicalizatio
nMethod>
> <ds:SignatureMethod
>
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMet
hod>
> <ds:Reference URI="#id-20214052">
> <ds:Transforms>
> <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> <ds:DigestValue>yndU9pRNx8a7Elqop4bXh1oAv6M=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>
>
Rckm6JJXXGcBmTawi6X5RTMRr3xNXGmoBEbiwq3m9UFsLtwWsIVspUaLE8DUp/sEpoKDKBya
RvZZ
>
a177PyIX7yzw2ExiynVFqlOOmf8KF4D1KRcyWC6n2c8wvggNghSWRd2BwwsxGSACwupJORys
JC9Kco3ttafBUlytRhVe7Ac=
> </ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-15308417">
> <wsse:SecurityTokenReference
>
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssec
urit
> y-utility-1.0.xsd" wsu:Id="STRId-21357269"><wsse:Reference
URI="#CertId--34480"
>
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-
toke
> n-profile-1.0#X509v3"></wsse:Reference></wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature></wsse:Security></soapenv:Header><soapenv:Body
>
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssec
urit
> y-utility-1.0.xsd" wsu:Id="id-20214052"><ns1:Nominal
xmlns="http://www.test.com/Test" xmlns:ns1="http://www.test.com/Test">
> <ns1:name>Bert</ns1:name>
>
<ns1:number>1234</ns1:number></ns1:Nominal></soapenv:Body></soapenv:Enve
lope>
> 
> The server stack trace is:
> 
> Verification failed for URI "#id-20214052"
> org.apache.ws.security.WSSecurityException: The signature verification failed
> at org.apache.ws.security.WSSecurityEngine.verifyXMLSignature(WSSecurityEngine.java:644)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:334)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:259)
> at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:183)
> at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
> at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
> at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
> at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
> at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
> at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39)
> at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:153)
> at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
> at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
> at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
> at java.lang.Thread.run(Thread.java:595)
> 
> 
> Chris Nappin
> Technical Architect
>  
> ABM United Kingdom Limited