Posted to fx-dev@ws.apache.org by Chris Nappin <C....@ABM-UK.COM> on 2005/09/02 10:15:43 UTC

signature verification failures

Hi,

  I've been trying for some time now to get a simple working example of wss4j using signatures, but am struggling with the current sparse level of documentation. I can get UsernameToken working fine, but with Signatures I've only got as far as sending what I think is a valid SOAP request with a signature on it, but the server rejects it as it thinks the signature is invalid.

I'll outline what I'm doing; I assume it's something simple I am doing wrong?

- I'm using Sun JDK 1.5.0-03, WSS4J 1.0, Axis 1.2.1, JBoss 4.0.2, Windows XP

- I created a client key using keytool (i.e. a self-signed X509 v1 certificate using RSA), exported it as a certificate and imported it into the server's keystore

- My client code uses the WSS4JHandler, with the following settings:
    - action = Signature
    - signaturePropFile = client-signature.properties (which references client.keystore)
    - user = clientkey
    - signatureKeyIdentifier = DirectReference

- My server-config.wsdd uses the WSDoAllReceiver handler, with the following settings:
    - action = Signature
    - signaturePropFile = server-signature.properties (which references server.keystore)


(I would use signatureKeyIdentifier = IssuerSerial, as this is what most of the examples I've seen use, but I'm unsure where the long hex serial number comes from?)

keytool -printcert on my client certificate gives:

Owner: CN=clientkey
Issuer: CN=clientkey
Serial number: 43175c89
Valid from: Thu Sep 01 20:54:49 BST 2005 until: Wed Nov 30 19:54:49 GMT 2005
Certificate fingerprints:
         MD5:  AC:C7:EA:41:B4:FB:6A:C2:30:A4:6B:A6:02:0A:AC:2E
         SHA1: 9D:23:FF:F9:87:AE:28:0E:31:98:2C:53:4F:B0:F9:29:15:C0:5F:BE

The SOAP request is:

POST /sidWS/services/SecureService HTTP/1.0
Content-Type: text/xml; charset=utf-8
Accept: application/soap+xml, application/dime, multipart/related, text/*
User-Agent: Axis/1.2.1
Host: localhost:9080
Cache-Control: no-cache
Pragma: no-cache
SOAPAction: "http://localhost:8080/sidWS/services/SecureService"
Content-Length: 2885

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecuri
ty-secext-1.0.xsd" soapenv:mustUnderstand="1"><wsse:BinarySecurityToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-m
essage-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-toke
n-profile-1.0#X509v3"
wsu:Id="CertId--34480">MIIBmjCCAQMCBEMXXIkwDQYJKoZIhvcNAQEEBQAwFDESMBAGA1UEA
xMJY2xpZW50a2V5MB4XDTA1
MDkwMTE5NTQ0OVoXDTA1MTEzMDE5NTQ0OVowFDESMBAGA1UEAxMJY2xpZW50a2V5MIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQCWO2CV7m7gU4/usE+2+1I5cnBNl4zwZkx1Xw8x9B/KINGR86XK
x/SGU2fKOrEZ+Nz4ULbIFJE9CjCBt3LCbkOCCAVal7VBVR2hkuJkdAIhl99D8cWAohw9D2sfcuvk
Piaz+tuOIowNLavi9hi9xYtVZRzvk7TB5ijZm8028w38TwIDAQABMA0GCSqGSIb3DQEBBAUAPiaz+A4GB
AHBm+yKgqZ6pn2viUUQcQa/yVLF3HD0D1+hfhipAco0ZEJudw109+KUsujehlyKyiV3drKrsAHBm+whEn
EXlUVktIwS8KSDtIFN7bh7GNK6ufYIhTQjVbBt3ghvCNiRL4nLuCCzzs89I5XPlNQAtg/rVFdcBj
jDdgZgMvjYXlJfJjMw9J</wsse:BinarySecurityToken><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#id-20214052">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>yndU9pRNx8a7Elqop4bXh1oAv6M=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
Rckm6JJXXGcBmTawi6X5RTMRr3xNXGmoBEbiwq3m9UFsLtwWsIVspUaLE8DUp/sEpoKDKByaRvZZ
a177PyIX7yzw2ExiynVFqlOOmf8KF4D1KRcyWC6n2c8wvggNghSWRd2BwwsxGSACwupJORysJC9Kco3ttafBUlytRhVe7Ac=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-15308417">
<wsse:SecurityTokenReference
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurit
y-utility-1.0.xsd" wsu:Id="STRId-21357269"><wsse:Reference URI="#CertId--34480"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-toke
n-profile-1.0#X509v3"></wsse:Reference></wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature></wsse:Security></soapenv:Header><soapenv:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurit
y-utility-1.0.xsd" wsu:Id="id-20214052"><ns1:Nominal xmlns="http://www.test.com/Test" xmlns:ns1="http://www.test.com/Test">
<ns1:name>Bert</ns1:name>
<ns1:number>1234</ns1:number></ns1:Nominal></soapenv:Body></soapenv:Envelope>

The server stack trace is:

Verification failed for URI "#id-20214052"
org.apache.ws.security.WSSecurityException: The signature verification failed
at org.apache.ws.security.WSSecurityEngine.verifyXMLSignature(WSSecurityEngine.java:644)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:334)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:259)
at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:183)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:153)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
at java.lang.Thread.run(Thread.java:595)


Chris Nappin
Technical Architect
 
ABM United Kingdom Limited
Telephone: +44 (0) 115 977 6999
Facsimile: +44 (0) 115 977 6850
Web: http://www.abm-uk.com

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


Re: signature verification failures

Posted by Werner Dittmann <We...@t-online.de>.
Chris,

your setup seems to be correct. Looking at the
error message it tells us that the verification
for the SOAP Body failed. The computed digest value
does not match the stored digest value in the reference.

Looking at the request you included in the mail I see very
strange linebreaks in the middle of words. Because other lines
are longer I don't think it is part of the e-mail formatting.
Another strange thing is the double "--" in the cert identifier.

Is there any chance that the SOAP request was modified during
the transfer? At least this would explain the failure.

btw, did you look at package.html in **/security/axis? Even if
it's outdated it gives you some hints how to do Signature etc.

Regards,
Werner


Chris Nappin wrote:
> Hi,
> 
>   I've been trying for some time now to get a simple working example of wss4j using signatures, but am struggling with the current sparse level of documentation. I can get UsernameToken working fine, but with Signatures I've only got as far as sending what I think is a valid SOAP request with a signature on it, but the server rejects it as it thinks the signature is invalid.
> 
> I'll outline what I'm doing; I assume it's something simple I am doing wrong?
> 
> - I'm using Sun JDK 1.5.0-03, WSS4J 1.0, Axis 1.2.1, JBoss 4.0.2, Windows XP
> 
> - I created a client key using keytool (i.e. a self-signed X509 v1 certificate using RSA), exported it as a certificate and imported it into the server's keystore
> 
> - My client code uses the WSS4JHandler, with the following settings:
>     - action = Signature
>     - signaturePropFile = client-signature.properties (which references client.keystore)
>     - user = clientkey
>     - signatureKeyIdentifier = DirectReference
> 
> - My server-config.wsdd uses the WSDoAllReceiver handler, with the following settings:
>     - action = Signature
>     - signaturePropFile = server-signature.properties (which references server.keystore)
> 
> 
> (I would use signatureKeyIdentifier = IssuerSerial, as this is what most of the examples I've seen use, but I'm unsure where the long hex serial number comes from?)
> 
> keytool -printcert on my client certificate gives:
> 
> Owner: CN=clientkey
> Issuer: CN=clientkey
> Serial number: 43175c89
> Valid from: Thu Sep 01 20:54:49 BST 2005 until: Wed Nov 30 19:54:49 GMT 2005
> Certificate fingerprints:
>          MD5:  AC:C7:EA:41:B4:FB:6A:C2:30:A4:6B:A6:02:0A:AC:2E
>          SHA1: 9D:23:FF:F9:87:AE:28:0E:31:98:2C:53:4F:B0:F9:29:15:C0:5F:BE
> 
> The SOAP request is:
> 
> POST /sidWS/services/SecureService HTTP/1.0
> Content-Type: text/xml; charset=utf-8
> Accept: application/soap+xml, application/dime, multipart/related, text/*
> User-Agent: Axis/1.2.1
> Host: localhost:9080
> Cache-Control: no-cache
> Pragma: no-cache
> SOAPAction: "http://localhost:8080/sidWS/services/SecureService"
> Content-Length: 2885
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> <soapenv:Header>
> <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecuri
> ty-secext-1.0.xsd" soapenv:mustUnderstand="1"><wsse:BinarySecurityToken
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-m
> essage-security-1.0#Base64Binary"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-toke
> n-profile-1.0#X509v3"
> wsu:Id="CertId--34480">MIIBmjCCAQMCBEMXXIkwDQYJKoZIhvcNAQEEBQAwFDESMBAGA1UEA
> xMJY2xpZW50a2V5MB4XDTA1
> MDkwMTE5NTQ0OVoXDTA1MTEzMDE5NTQ0OVowFDESMBAGA1UEAxMJY2xpZW50a2V5MIGfMA0GCSqG
> SIb3DQEBAQUAA4GNADCBiQKBgQCWO2CV7m7gU4/usE+2+1I5cnBNl4zwZkx1Xw8x9B/KINGR86XK
> x/SGU2fKOrEZ+Nz4ULbIFJE9CjCBt3LCbkOCCAVal7VBVR2hkuJkdAIhl99D8cWAohw9D2sfcuvk
> Piaz+tuOIowNLavi9hi9xYtVZRzvk7TB5ijZm8028w38TwIDAQABMA0GCSqGSIb3DQEBBAUAPiaz+A4GB
> AHBm+yKgqZ6pn2viUUQcQa/yVLF3HD0D1+hfhipAco0ZEJudw109+KUsujehlyKyiV3drKrsAHBm+whEn
> EXlUVktIwS8KSDtIFN7bh7GNK6ufYIhTQjVbBt3ghvCNiRL4nLuCCzzs89I5XPlNQAtg/rVFdcBj
> jDdgZgMvjYXlJfJjMw9J</wsse:BinarySecurityToken><ds:Signature
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
> <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
> <ds:Reference URI="#id-20214052">
> <ds:Transforms>
> <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> <ds:DigestValue>yndU9pRNx8a7Elqop4bXh1oAv6M=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>
> Rckm6JJXXGcBmTawi6X5RTMRr3xNXGmoBEbiwq3m9UFsLtwWsIVspUaLE8DUp/sEpoKDKByaRvZZ
> a177PyIX7yzw2ExiynVFqlOOmf8KF4D1KRcyWC6n2c8wvggNghSWRd2BwwsxGSACwupJORysJC9Kco3ttafBUlytRhVe7Ac=
> </ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-15308417">
> <wsse:SecurityTokenReference
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurit
> y-utility-1.0.xsd" wsu:Id="STRId-21357269"><wsse:Reference URI="#CertId--34480"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-toke
> n-profile-1.0#X509v3"></wsse:Reference></wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature></wsse:Security></soapenv:Header><soapenv:Body
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurit
> y-utility-1.0.xsd" wsu:Id="id-20214052"><ns1:Nominal xmlns="http://www.test.com/Test" xmlns:ns1="http://www.test.com/Test">
> <ns1:name>Bert</ns1:name>
> <ns1:number>1234</ns1:number></ns1:Nominal></soapenv:Body></soapenv:Envelope>
> 
> The server stack trace is:
> 
> Verification failed for URI "#id-20214052"
> org.apache.ws.security.WSSecurityException: The signature verification failed
> at org.apache.ws.security.WSSecurityEngine.verifyXMLSignature(WSSecurityEngine.java:644)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:334)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:259)
> at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:183)
> at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
> at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
> at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
> at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
> at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
> at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39)
> at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:153)
> at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
> at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
> at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
> at java.lang.Thread.run(Thread.java:595)
> 

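Werner's diagnosis is that the digest stored in the ds:Reference no longer matches the digest recomputed over the Body, which is exactly what "Verification failed for URI "#id-20214052"" in the trace reports. The script below is an added example, not code from the thread or from WSS4J: it recomputes that Body digest over a constructed envelope modelled on Chris's request and shows that a line break inserted mid-word into the Body's xmlns:wsu URI (as in the captured request) breaks the digest, while a line break between attributes does not. It assumes Python 3.8+ and uses the stdlib C14N 2.0 canonicalizer as a stand-in for WSS4J's exclusive C14N 1.0; both emit only visibly used namespace declarations, but WSS4J's exact output bytes are not guaranteed to match.

```python
"""Recompute the ds:Reference digest over a WS-Security signed SOAP Body.
Added example, not code from the thread or from WSS4J. The stdlib C14N 2.0
canonicalizer stands in for WSS4J's exclusive C14N 1.0 (both emit only
visibly used namespace declarations; WSS4J's exact bytes may still differ)."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
_ENV_RE = re.compile(r"<(\w+):Envelope\b([^>]*)>")
_BODY_RE = re.compile(r"<(\w+):Body\b([^>]*)>(.*?)</\1:Body>", re.S)
_XMLNS_RE = re.compile(r'(xmlns(?::\w+)?)="([^"]*)"')


def _standalone_body(envelope: str) -> str:
    """Cut the Body out of the envelope text and re-declare on it the prefixes
    inherited from the Envelope start tag so the fragment parses alone. The
    canonicalizer drops declarations that are not visibly used, so this does
    not alter the canonical form."""
    env, body = _ENV_RE.search(envelope), _BODY_RE.search(envelope)
    if not env or not body:
        raise ValueError("no Envelope/Body element found")
    prefix, attrs, inner = body.groups()
    declared = {name for name, _ in _XMLNS_RE.findall(attrs)}
    inherited = "".join(f' {name}="{uri}"'
                        for name, uri in _XMLNS_RE.findall(env.group(2))
                        if name not in declared)
    return f"<{prefix}:Body{attrs}{inherited}>{inner}</{prefix}:Body>"


def body_digest(envelope: str) -> str:
    """Base64(SHA-1(C14N(Body))), the value a signer stores in ds:DigestValue
    (the request above uses the sha1 DigestMethod)."""
    canonical = ET.canonicalize(_standalone_body(envelope), with_comments=False)
    return base64.b64encode(hashlib.sha1(canonical.encode()).digest()).decode()


def check_body_reference(envelope: str) -> dict:
    """Compare the recomputed Body digest with the stored ds:DigestValue of the
    ds:Reference whose URI points at the Body's wsu:Id. A mismatch here is the
    'Verification failed for URI' case; the RSA SignatureValue is not checked."""
    root = ET.fromstring(envelope.encode())
    attrs = _BODY_RE.search(envelope).group(2)
    uri = "#" + re.search(r'\bwsu:Id="([^"]*)"', attrs).group(1)
    for ref in root.iter(f"{{{DS}}}Reference"):
        if ref.get("URI") == uri:
            stored = ref.findtext(f"{{{DS}}}DigestValue", "").strip()
            break
    else:
        raise ValueError(f"no ds:Reference for {uri}")
    computed = body_digest(envelope)
    return {"uri": uri, "stored": stored, "computed": computed,
            "ok": stored == computed}


def _envelope(digest: str) -> str:
    """Constructed envelope modelled on the captured request (not its bytes):
    one Reference to the Body; BinarySecurityToken and SignatureValue omitted."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/'
        'wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">'
        f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
        '<ds:Reference URI="#id-20214052">'
        f'<ds:DigestValue>{digest}</ds:DigestValue></ds:Reference>'
        '</ds:SignedInfo></ds:Signature></wsse:Security></soapenv:Header>'
        f'<soapenv:Body xmlns:wsu="{WSU}" wsu:Id="id-20214052">'
        '<ns1:Nominal xmlns:ns1="http://www.test.com/Test">'
        '<ns1:name>Bert</ns1:name><ns1:number>1234</ns1:number>'
        '</ns1:Nominal></soapenv:Body></soapenv:Envelope>'
    )


# Intact sample: DigestValue computed over its own Body (the digest does not
# depend on the placeholder sitting in the header).
GOOD = _envelope(body_digest(_envelope("placeholder")))
# Line break inside the Body's xmlns:wsu URI, as in the captured request: the
# parser normalizes it to a space, the namespace URI changes, the digest changes.
TAMPERED = GOOD.replace("wss-wssecurity-utility", "wss-wssecurit\ny-utility", 1)
# Line break between attributes only: not part of the canonical form, so the
# stored digest still matches.
REWRAPPED = GOOD.replace("<soapenv:Body xmlns:wsu=", "<soapenv:Body\nxmlns:wsu=", 1)

if __name__ == "__main__":
    for label, env in (("good", GOOD), ("tampered", TAMPERED), ("rewrapped", REWRAPPED)):
        r = check_body_reference(env)
        print(f"{label:9} ok={r['ok']} stored={r['stored']} computed={r['computed']}")
```

Run against a captured request instead of the constructed sample, a mismatch reported by check_body_reference while the signature is otherwise well formed points at the message having been altered between signer and verifier, which is the in-transit modification Werner suspects.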