Posted to dev@santuario.apache.org by Nicholas G Harlow <nh...@us.ibm.com> on 2005/12/21 21:57:45 UTC

Signature Verification Problem

Hi,

I am trying to sign and verify a fragment from the body of a SOAP envelope 
and keep the signature in a Security header of the SOAP Header. 

I enabled DEBUG tracing and get the following output when I try to verify 
the signature.  Is there anything in this output that jumps out as being 
incorrect?  I appreciate any help you can give me.  Thanks.

Nick

_______________________________________
Signed Doc: <soapenv:Envelope 
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" 
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" 
xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Header><Security><ds:Signature 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod 
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
<ds:SignatureMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#utID">
<ds:Transforms>
<ds:Transform 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>OtSRcbvLU/hP54Q9Qz0zT1cD5sY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>kTZIMauji4YL87DtzkTfjjCmVRM2qf2Djr61P8jODqaXGmMhg0my3g==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:DSAKeyValue>
<ds:P>
/X9TgR11EilS30qcLuzk5/YRt1I870QAwx4/gLZRJmlFXUAiUftZPY1Y+r/F9bow9subVWzXgTuA
HTRv8mZgt2uZUKWkn5/oBHsQIsJPu6nX/rfGG/g7V+fGqKYVDwT7g/bTxR7DAjVUE1oWkTL2dfOu
K2HXKu/yIgMZndFIAcc=
</ds:P>
<ds:Q>l2BQjxUjC8yykrmCouuEC/BYHPU=</ds:Q>
<ds:G>
9+GghdabPd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6EwoFhO3
zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkImog9/hWuWfBpKL
Zl6Ae1UlZAFMO/7PSSo=
</ds:G>
<ds:Y>
Eln5/htZP51p7Y/Y1+zZOSSmoi2fQS0deniScan3990xy33RrPfF5odqEVmVYfTzFfKEz94aUXEY
qY2VGVRCKrAZThk1SwoOB+UyfNSVjoqa4fppIQpTalK/JeR7uxQUr0Aeop68nr2u49GijYiLyvL3
x04lGaZ8jUYZL3gZTNI=
</ds:Y>
</ds:DSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature></Security></soapenv:Header><soapenv:Body><wss:UsernameToken 
xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
ID="utID"><wss:Username>joe</wss:Username><wss:Password>foobar</wss:Password><wsu:Created 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2005-12-21T20:52:21Z</wsu:Created></wss:UsernameToken></soapenv:Body></soapenv:Envelope>
2314 [main] DEBUG org.apache.xml.security.utils.ElementProxy  - 
setElement("ds:Signature", "utID")
2314 [main] DEBUG org.apache.xml.security.utils.ElementProxy  - 
setElement("ds:SignedInfo", "utID")
2314 [main] DEBUG org.apache.xml.security.utils.ElementProxy  - 
setElement("ds:SignatureMethod", "utID")
2314 [main] DEBUG org.apache.xml.security.algorithms.SignatureAlgorithm  - 
Create URI "http://www.w3.org/2000/09/xmldsig#dsa-sha1" class 
"org.apache.xml.security.algorithms.implementations.SignatureDSA"
2314 [main] DEBUG org.apache.xml.security.algorithms.JCEMapper  - Request 
for URI http://www.w3.org/2000/09/xmldsig#dsa-sha1
2314 [main] DEBUG 
org.apache.xml.security.algorithms.implementations.SignatureDSA  - Created 
SignatureDSA using SHA1withDSA
2314 [main] DEBUG org.apache.xml.security.utils.ElementProxy  - 
setElement("ds:KeyInfo", "utID")
2314 [main] DEBUG org.apache.xml.security.keys.KeyInfo  - Start 
getX509CertificateFromInternalResolvers() with 0 resolvers
2314 [main] DEBUG org.apache.xml.security.keys.KeyInfo  - I couldn't find 
a X509Certificate using the per-KeyInfo key resolvers
2314 [main] DEBUG org.apache.xml.security.keys.KeyInfo  - Start 
getX509CertificateFromStaticResolvers() with 7 resolvers
2324 [main] DEBUG 
org.apache.xml.security.keys.keyresolver.implementations.RSAKeyValueResolver 
 - Can I resolve ds:X509Data
2324 [main] DEBUG 
org.apache.xml.security.keys.keyresolver.implementations.RSAKeyValueResolver 
 - Can I resolve ds:KeyValue
2324 [main] DEBUG 
org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver 
 - Can I resolve ds:X509Data?
2324 [main] DEBUG 
org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver 
 - Yes Sir, I can
2334 [main] DEBUG org.apache.xml.security.utils.ElementProxy  - 
setElement("ds:X509Certificate", "utID")
2334 [main] DEBUG org.apache.xml.security.keys.KeyInfo  - I could find a 
X509Certificate using the system-wide key resolvers
2334 [main] DEBUG org.apache.xml.security.signature.Manifest  - verify 1 
References
2334 [main] DEBUG org.apache.xml.security.signature.Manifest  - I am not 
requested to follow nested Manifests
2334 [main] DEBUG org.apache.xml.security.utils.ElementProxy  - 
setElement("ds:Reference", "utID")
2334 [main] DEBUG org.apache.xml.security.algorithms.JCEMapper  - Request 
for URI http://www.w3.org/2000/09/xmldsig#sha1
2334 [main] DEBUG org.apache.xml.security.utils.resolver.ResourceResolver 
- I was asked to create a ResourceResolver and got 0
2334 [main] DEBUG org.apache.xml.security.utils.resolver.ResourceResolver 
-  extra resolvers to my existing 4 system-wide resolvers
2334 [main] DEBUG org.apache.xml.security.utils.resolver.ResourceResolver 
- check resolvability by class 
org.apache.xml.security.utils.resolver.implementations.ResolverDirectHTTP
2334 [main] DEBUG 
org.apache.xml.security.utils.resolver.implementations.ResolverDirectHTTP 
- quick fail for empty URIs and local ones
2334 [main] DEBUG org.apache.xml.security.utils.resolver.ResourceResolver 
- check resolvability by class 
org.apache.xml.security.utils.resolver.implementations.ResolverLocalFilesystem
2344 [main] DEBUG org.apache.xml.security.utils.resolver.ResourceResolver 
- check resolvability by class 
org.apache.xml.security.utils.resolver.implementations.ResolverFragment
2344 [main] DEBUG 
org.apache.xml.security.utils.resolver.implementations.ResolverFragment  - 
State I can resolve reference: "#utID"
2344 [main] DEBUG org.apache.xml.security.utils.IdResolver  - 
getElementByIdType() Search for ID utID
2344 [main] DEBUG org.apache.xml.security.utils.IdResolver  - 
getElementByIdUsingDOM() Search for ID utID
2344 [main] DEBUG org.apache.xml.security.utils.IdResolver  - 
getElementByIdInDSNamespace() Search for ID utID
2354 [main] DEBUG org.apache.xml.security.utils.IdResolver  - 
getElementByIdInXENCNamespace() Search for ID utID
2354 [main] DEBUG org.apache.xml.security.utils.IdResolver  - 
getElementByIdInSOAPSignatureNamespace() Search for ID utID
2354 [main] DEBUG org.apache.xml.security.utils.IdResolver  - 
getElementByIdInXKMSNamespace() Search for ID utID
2354 [main] DEBUG org.apache.xml.security.utils.IdResolver  - 
getElementByIdUnsafeMatchByIdName() Search for ID utID
2364 [main] WARN  org.apache.xml.security.utils.IdResolver  - Found an 
Element using an insecure Id/ID/id search method: wss:UsernameToken
2364 [main] DEBUG 
org.apache.xml.security.utils.resolver.implementations.ResolverFragment  - 
Try to catch an Element with ID utID and Element was [wss:UsernameToken: 
null]
2374 [main] DEBUG org.apache.xml.security.utils.ElementProxy  - 
setElement("ds:Transforms", "utID")
2374 [main] DEBUG org.apache.xml.security.utils.ElementProxy  - 
setElement("ds:Transform", "utID")
2374 [main] DEBUG org.apache.xml.security.transforms.Transforms  - Preform 
the (0)th http://www.w3.org/2001/10/xml-exc-c14n# transform
2374 [main] INFO  org.apache.xml.security.signature.Reference  - 
Verification successful for URI "#utID"
2374 [main] DEBUG org.apache.xml.security.signature.Manifest  - The 
Reference has Type 
Signed info verify: true
2374 [main] DEBUG org.apache.xml.security.signature.Manifest  - verify 1 
References
2374 [main] DEBUG org.apache.xml.security.signature.Manifest  - I am not 
requested to follow nested Manifests
2374 [main] DEBUG org.apache.xml.security.utils.ElementProxy  - 
setElement("ds:Reference", "utID")
2374 [main] DEBUG org.apache.xml.security.algorithms.JCEMapper  - Request 
for URI http://www.w3.org/2000/09/xmldsig#sha1
2374 [main] DEBUG org.apache.xml.security.utils.resolver.ResourceResolver 
- I was asked to create a ResourceResolver and got 0
2374 [main] DEBUG org.apache.xml.security.utils.resolver.ResourceResolver 
-  extra resolvers to my existing 4 system-wide resolvers
2374 [main] DEBUG org.apache.xml.security.utils.resolver.ResourceResolver 
- check resolvability by class 
org.apache.xml.security.utils.resolver.implementations.ResolverDirectHTTP
2374 [main] DEBUG 
org.apache.xml.security.utils.resolver.implementations.ResolverDirectHTTP 
- quick fail for empty URIs and local ones
2374 [main] DEBUG org.apache.xml.security.utils.resolver.ResourceResolver 
- check resolvability by class 
org.apache.xml.security.utils.resolver.implementations.ResolverLocalFilesystem
2374 [main] DEBUG org.apache.xml.security.utils.resolver.ResourceResolver 
- check resolvability by class 
org.apache.xml.security.utils.resolver.implementations.ResolverFragment
2374 [main] DEBUG 
org.apache.xml.security.utils.resolver.implementations.ResolverFragment  - 
State I can resolve reference: "#utID"
2374 [main] DEBUG org.apache.xml.security.utils.IdResolver  - 
getElementByIdType() Search for ID utID
2374 [main] DEBUG org.apache.xml.security.utils.IdResolver  - 
getElementByIdUsingDOM() Search for ID utID
2374 [main] DEBUG org.apache.xml.security.utils.IdResolver  - 
getElementByIdInDSNamespace() Search for ID utID
2384 [main] DEBUG org.apache.xml.security.utils.IdResolver  - 
getElementByIdInXENCNamespace() Search for ID utID
2384 [main] DEBUG org.apache.xml.security.utils.IdResolver  - 
getElementByIdInSOAPSignatureNamespace() Search for ID utID
2394 [main] DEBUG org.apache.xml.security.utils.IdResolver  - 
getElementByIdInXKMSNamespace() Search for ID utID
2394 [main] DEBUG org.apache.xml.security.utils.IdResolver  - 
getElementByIdUnsafeMatchByIdName() Search for ID utID
2404 [main] WARN  org.apache.xml.security.utils.IdResolver  - Found an 
Element using an insecure Id/ID/id search method: wss:UsernameToken
2404 [main] DEBUG 
org.apache.xml.security.utils.resolver.implementations.ResolverFragment  - 
Try to catch an Element with ID utID and Element was [wss:UsernameToken: 
null]
2404 [main] DEBUG org.apache.xml.security.utils.ElementProxy  - 
setElement("ds:Transforms", "utID")
2404 [main] DEBUG org.apache.xml.security.utils.ElementProxy  - 
setElement("ds:Transform", "utID")
2404 [main] DEBUG org.apache.xml.security.transforms.Transforms  - Preform 
the (0)th http://www.w3.org/2001/10/xml-exc-c14n# transform
2404 [main] INFO  org.apache.xml.security.signature.Reference  - 
Verification successful for URI "#utID"
2404 [main] DEBUG org.apache.xml.security.signature.Manifest  - The 
Reference has Type 
2404 [main] DEBUG org.apache.xml.security.utils.ElementProxy  - 
setElement("ds:SignatureMethod", "utID")
2404 [main] DEBUG org.apache.xml.security.algorithms.SignatureAlgorithm  - 
Create URI "http://www.w3.org/2000/09/xmldsig#dsa-sha1" class 
"org.apache.xml.security.algorithms.implementations.SignatureDSA"
2404 [main] DEBUG org.apache.xml.security.algorithms.JCEMapper  - Request 
for URI http://www.w3.org/2000/09/xmldsig#dsa-sha1
2404 [main] DEBUG 
org.apache.xml.security.algorithms.implementations.SignatureDSA  - Created 
SignatureDSA using SHA1withDSA
2404 [main] DEBUG org.apache.xml.security.signature.XMLSignature  - 
SignatureMethodURI = http://www.w3.org/2000/09/xmldsig#dsa-sha1
2404 [main] DEBUG org.apache.xml.security.signature.XMLSignature  - 
jceSigAlgorithm    = SHA1withDSA
2404 [main] DEBUG org.apache.xml.security.signature.XMLSignature  - 
jceSigProvider     = IBMJCE
2404 [main] DEBUG org.apache.xml.security.signature.XMLSignature  - 
PublicKey = IBMJCE DSA Public Key:
12886841067839813273229729343448941547402130651238504956298507596951842591373799406716000245914419308496558997860763803644145147755099588766652859960863903534074924873890663522390762628764582901738872199079978665713501510144337715696575772727821032472620712380151494860900719264202522092163141889976390208722

2404 [main] DEBUG org.apache.xml.security.signature.XMLSignature  - 
SignatureValue = 91 36 48 31 AB A3 8B 86 0B F3 B0 ED CE 44 DF 8E 30 A6 55 
13 36 A9 FD 83 8E BE B5 3F C8 CE 0E A6 97 1A 63 21 83 49 B2 DE
2404 [main] DEBUG 
org.apache.xml.security.algorithms.implementations.SignatureDSA  - Called 
DSA.verify() on kTZIMauji4YL87DtzkTfjjCmVRM2qf2Djr61P8jODqaXGmMhg0my3g==
Made it here, sig is valid: false


Signature is valid: false
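The line in the trace worth a second look is the WARN from IdResolver: the reference `#utID` was only resolved through the fallback that matches any attribute spelled Id/ID/id, because the token carries a plain `ID="utID"` rather than an attribute the verifier is entitled to treat as an identifier (the document has no DTD or schema that declares one). A verifier that accepts such a match has no guarantee the element it digests is the one the application later reads, which is the root of signature-wrapping problems. The following Python script is an added example, not code from the post or from Apache Santuario; it takes a trimmed, constructed copy of the posted envelope and shows the difference between a strict lookup (only `xml:id` and `wsu:Id`, an assumed allow-list for this illustration), the by-name fallback, and the fix of carrying the identifier as `wsu:Id`. It also checks that a strict resolver refuses a document in which two elements claim the same ID.

```python
import xml.etree.ElementTree as ET

WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSS_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
XML_NS = "http://www.w3.org/XML/1998/namespace"
for prefix, ns in (("soapenv", SOAP_NS), ("wss", WSS_NS), ("wsu", WSU_NS)):
    ET.register_namespace(prefix, ns)

# Assumed allow-list: attributes a verifier may treat as element identifiers
# without a schema or DTD (xml:id, and wsu:Id for WS-Security messages).
REGISTERED_ID_ATTRS = (f"{{{XML_NS}}}id", f"{{{WSU_NS}}}Id")

# Constructed, trimmed copy of the envelope in the post: the Signature element is
# omitted, and the token keeps its bare ID="utID" attribute exactly as posted.
ENVELOPE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">
<soapenv:Header><Security/></soapenv:Header>
<soapenv:Body><wss:UsernameToken xmlns:wss="{WSS_NS}" ID="utID">
<wss:Username>joe</wss:Username></wss:UsernameToken></soapenv:Body></soapenv:Envelope>"""

# Constructed: the same token plus a second header element that also claims
# wsu:Id="utID". A strict resolver must refuse to pick one of them.
DUPLICATE_ID_ENVELOPE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:wsu="{WSU_NS}">
<soapenv:Header><Security><Decoy wsu:Id="utID"/></Security></soapenv:Header>
<soapenv:Body><wss:UsernameToken xmlns:wss="{WSS_NS}" wsu:Id="utID">
<wss:Username>joe</wss:Username></wss:UsernameToken></soapenv:Body></soapenv:Envelope>"""


def fragment(uri):
    """Strip the leading '#' of a same-document reference such as '#utID'."""
    if not uri.startswith("#"):
        raise ValueError("only same-document references are handled here")
    return uri[1:]


def find_by_registered_id(root, uri):
    """Strict lookup: only attributes on the allow-list count as identifiers."""
    wanted = fragment(uri)
    return [el for el in root.iter()
            if any(el.get(attr) == wanted for attr in REGISTERED_ID_ATTRS)]


def find_by_attribute_name(root, uri):
    """The fallback the trace warns about: any attribute literally spelled
    Id/ID/id matches, whatever namespace (or none) it belongs to."""
    wanted = fragment(uri)
    return [el for el in root.iter()
            if any(el.get(name) == wanted for name in ("Id", "ID", "id"))]


def classify_reference(xml, uri):
    """'ok' when exactly one registered ID matches, 'ambiguous' for more than
    one, 'unresolved' when only a by-name guess (or nothing) would find it."""
    root = ET.fromstring(xml)
    hits = find_by_registered_id(root, uri)
    if len(hits) == 1:
        return "ok"
    return "ambiguous" if hits else "unresolved"


def local_names_by_name_match(xml, uri):
    """Local names of the elements the by-name fallback would accept."""
    root = ET.fromstring(xml)
    return [el.tag.split("}")[-1] for el in find_by_attribute_name(root, uri)]


def register_ids(xml):
    """Fix for the posted message: carry the identifier as wsu:Id instead of a
    bare ID attribute, so the strict lookup finds it and no fallback is needed."""
    root = ET.fromstring(xml)
    for el in root.iter():
        if "ID" in el.attrib:
            el.set(f"{{{WSU_NS}}}Id", el.attrib.pop("ID"))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(classify_reference(ENVELOPE, "#utID"),
          local_names_by_name_match(ENVELOPE, "#utID"))
    print(classify_reference(register_ids(ENVELOPE), "#utID"))
    print(classify_reference(DUPLICATE_ID_ENVELOPE, "#utID"))
```

Run as posted, the original envelope classifies as `unresolved` while the by-name fallback happily returns the UsernameToken; after `register_ids` the strict lookup succeeds and the fallback has nothing left to guess at; the duplicate-ID document is rejected as `ambiguous`. Whatever causes the final `DSA.verify()` result of false in the trace, the WARN is a separate finding a verifier should treat as an error rather than a debug curiosity.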