Posted to users@ws.apache.org by Mike O'Connell <mc...@gmail.com> on 2011/12/05 10:59:06 UTC

Signature verification failure with loose ds:Reference in payload.

Hi All

I'm having some signature verification issues when receiving a signed message (using the AS4 specification).

In AS4 the spec allows for a receipt to contain the ds:Reference (URI AS4-1340D972B85-751B2@000000000_1) element of the message previously received for verification purposes. However I suspect that the signature validation process picks this reference up and fails when attempting to verify the ds:Reference (URI id-5) in the ds:Signature element. 

Can someone confirm that it's either omitting the ds:Reference (URI AS4-1340D972B85-751B2@000000000_1) from the check and thus failing the verification, or that it's attempting to verify that ds:Reference (URI AS4-1340D972B85-751B2@000000000_1).

I've tried digging through the source, but can't find where the reference list is built or where the DOMXMLSignatureFactory.unmarshalXMLSignature implementation is, as per:

XMLSignature xmlSignature = signatureFactory.unmarshalXMLSignature(context);

Please see logs (and message) below...

Thanks,

Mike





<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" env:mustUnderstand="true">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-1">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>HnREEHPpyGEBGy/AHduJbNLdfc38B7nnGmb0uUIYBE9luH81uhFbX00tbjL5/+KDkUVi5MfUtDYW
5bOs4dA1i04f8jKsubjw46O1DNPAblAM1aEy1PRGDQsg4S7E4n7JGfSZdn6KcOppWAWE2xsanxC7
izdd/BjfOThcmNXyU0k=</ds:SignatureValue>
        <ds:KeyInfo Id="KI-6C1B8765799420834813230790910795">
          <wsse:SecurityTokenReference wsu:Id="STR-6C1B8765799420834813230790910796">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
                <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
    <eb:Messaging xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-1">
      <eb:SignalMessage>
        <eb:MessageInfo>
          <eb:Timestamp>2011-12-05T09:58:11.056Z</eb:Timestamp>
          <eb:MessageId>FMS-A-20111205-115809.534-0.9578405727393108@999999999</eb:MessageId>
          <eb:RefToMessageId>AS4-1340DA8B82E-C7F0C@000000000</eb:RefToMessageId>
        </eb:MessageInfo>
        <eb:Receipt>
          <ebbpsig:NonRepudiationInformation xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
            <ebbpsig:MessagePartNRInformation>
              <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#" URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds ebbpsig env wsu"/>
                  </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
              </ds:Reference>
            </ebbpsig:MessagePartNRInformation>
          </ebbpsig:NonRepudiationInformation>
        </eb:Receipt>
      </eb:SignalMessage>
    </eb:Messaging>
  </env:Header>
  <env:Body/>
</env:Envelope>

 Performing Security header verification
[DEBUG] WSSecurityEngine - enter processSecurityHeader()
[DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
[DEBUG] SignatureProcessor - Found signature element
[DEBUG] SignatureTrustValidator - Transmitted certificate has subject C=ZA,CN=localhost
[DEBUG] SignatureTrustValidator - Transmitted certificate has issuer C=ZA,CN=localhost (serial 1305901688879)
[DEBUG] SignatureTrustValidator - Direct trust for certificate with C=ZA,CN=localhost
[DEBUG] SignatureProcessor - Verify XML Signature
[DEBUG] SignatureProcessor - XML Signature verification has failed
[DEBUG] SignatureProcessor - Signature Validation check: true
[DEBUG] SignatureProcessor - Reference #id-1 check: false
Security Error: : The signature or decryption was invalid

Re: Signature verification failure with loose ds:Reference in payload.

Posted by Mike O'Connell <mc...@gmail.com>.
Hi Colm,

I found the problem: I was importing the ds:Reference node using the following Java code:

newNode.getOwnerDocument().adoptNode(oldNode.cloneNode(true));

However, this doesn't create an appropriate copy (?) and it is not included correctly in the SOAP envelope document, so it is then not included in the signed message.

By creating a new node including the cloned children, the signature then works and is verified correctly.

Thanks and apologies,

Mike

On 05 Dec 2011, at 2:20 PM, Colm O hEigeartaigh wrote:

> Hi Mike,
> 
> Could you supply a test-case that I could take a look at?
> 
> Colm.
> 
> On Mon, Dec 5, 2011 at 11:32 AM, Mike O'Connell <mc...@gmail.com> wrote:
>> Hi Colm,
>> 
>> In AS4 the spec allows for a receipt to contain the ds:Reference
>> (URI AS4-1340DA8B82E-C7F0C@000000000_1) element of the message previously
>> received for verification purposes. However I suspect that the signature
>> validation process picks this reference up and fails when attempting to
>> verify the ds:Reference (URI id-1) in the ds:Signature element.
>> 
>> The reference in the signature points to "#id-1", which is the Id of
>> the "Messaging" element. Why would the Reference with id
>> "AS4-1340DA8B82E-C7F0C@000000000_1" in the Messaging element be
>> interfering with signature validation, as it's a different URI?
>> 
>> When I remove the URI attribute for "#AS4-1340DA8B82E-C7F0C@000000000_1" or
>> omit the ds:Reference element surrounding it the signature verification
>> works perfectly. See another request below with the ds:Reference URI
>> attribute removed from the receipt element.
>> 
>> Thanks,
>> 
>> Mike
>> 
>> Performing Security header verification
>> [DEBUG] WSSecurityEngine - enter processSecurityHeader()
>> [DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
>> [DEBUG] SignatureProcessor - Found signature element
>> [DEBUG] SignatureTrustValidator - Transmitted certificate has subject
>> C=ZA,CN=localhost
>> [DEBUG] SignatureTrustValidator - Transmitted certificate has issuer
>> C=ZA,CN=localhost (serial 1305901688879)
>> [DEBUG] SignatureTrustValidator - Direct trust for certificate with
>> C=ZA,CN=localhost
>> [DEBUG] SignatureProcessor - Verify XML Signature
>> WSSResult - id: SIG-2
>> WSSResult - canonicalization-method: http://www.w3.org/2001/10/xml-exc-c14n#
>> WSSResult - signature-value: [B@3c0b655a
>> WSSResult - principal: C=ZA, CN=localhost
>> WSSResult - x509-certificate: <?xml version="1.0" encoding="UTF-8"
>> standalone="no"?>
>> <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
>>   <env:Header>
>>     <wsse:Security
>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> env:mustUnderstand="true">
>>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>> Id="SIG-2">
>>         <ds:SignedInfo>
>>           <ds:CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>             <ec:InclusiveNamespaces
>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>>           </ds:CanonicalizationMethod>
>>           <ds:SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>           <ds:Reference URI="#id-1">
>>             <ds:Transforms>
>>               <ds:Transform
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>                 <ec:InclusiveNamespaces
>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>>               </ds:Transform>
>>             </ds:Transforms>
>>             <ds:DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>             <ds:DigestValue>tkPqcPetqaCAJRI3nH5BDF3h3ag=</ds:DigestValue>
>>           </ds:Reference>
>>         </ds:SignedInfo>
>> 
>> <ds:SignatureValue>qCCsNZnQct+nh1w5DzQ3XjqgmEB/eIjqUqsK+0V1M5sieu7vBJT3Hlhovdb6cO1cDWLM5xr7Vgyh
>> KwNVOM6iboaiD6cDRYcN1waHtffdXkUYKfZghs5DuHFp/L09pSKDCbsi+2htioP4ujhofqycDAp3
>> Uxjl/hcbGj+v4nKsxa0=</ds:SignatureValue>
>>         <ds:KeyInfo Id="KI-827486330BFAA824D313230845533145">
>>           <wsse:SecurityTokenReference
>> wsu:Id="STR-827486330BFAA824D313230845533146">
>>             <ds:X509Data>
>>               <ds:X509IssuerSerial>
>>                 <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
>>                 <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
>>               </ds:X509IssuerSerial>
>>             </ds:X509Data>
>>           </wsse:SecurityTokenReference>
>>         </ds:KeyInfo>
>>       </ds:Signature>
>>     </wsse:Security>
>>     <eb:Messaging
>> xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> wsu:Id="id-1">
>>       <eb:SignalMessage>
>>         <eb:MessageInfo>
>>           <eb:Timestamp>2011-12-05T11:29:13.294Z</eb:Timestamp>
>> 
>> <eb:MessageId>FMS-A-20111205-132911.950-0.3235415620241763@999999999</eb:MessageId>
>> 
>> <eb:RefToMessageId>AS4-1340DFC1273-756C9@000000000</eb:RefToMessageId>
>>         </eb:MessageInfo>
>>         <eb:Receipt>
>>           <ebbpsig:NonRepudiationInformation
>> xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
>>             <ebbpsig:MessagePartNRInformation>
>>               <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>                 <ds:Transforms>
>>                   <ds:Transform
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>                     <ec:InclusiveNamespaces
>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds ebbpsig
>> env wsu"/>
>>                   </ds:Transform>
>>                 </ds:Transforms>
>> 
>> <ds:DigestValue>NbGFEDwnGokrW4/PHQ8fOkPYf2c=</ds:DigestValue>
>>               </ds:Reference>
>>             </ebbpsig:MessagePartNRInformation>
>>           </ebbpsig:NonRepudiationInformation>
>>         </eb:Receipt>
>>       </eb:SignalMessage>
>>     </eb:Messaging>
>>   </env:Header>
>>   <env:Body/>
>> </env:Envelope>
>> 
>> On Mon, Dec 5, 2011 at 10:53 AM, Mike O'Connell <mc...@gmail.com> wrote:
>> 
>> Hi Colm,
>> 
>> Wss4j - 1.6.3
>> Metro - 2.1.1
>> bcprov - jre6 145
>> 
>> Apologies, Copy&Paste error:
>> 
>> In AS4 the spec allows for a receipt to contain the ds:Reference
>> (URI AS4-1340DA8B82E-C7F0C@000000000_1) element of the message previously
>> received for verification purposes. However I suspect that the signature
>> validation process picks this reference up and fails when attempting to
>> verify the ds:Reference (URI id-1) in the ds:Signature element.
>> 
>> Can someone confirm that it's either omitting the ds:Reference
>> (URI AS4-1340DA8B82E-C7F0C@000000000_1) from the check and thus failing the
>> verification, or that it's attempting to verify that ds:Reference
>> (URI AS4-1340DA8B82E-C7F0C@000000000_1).
>> 
>> On 05 Dec 2011, at 12:33 PM, Colm O hEigeartaigh wrote:
>> 
>> Hi Mike,
>> 
>> Firstly, what version of WSS4J are you using?
>> 
>> Secondly, I don't understand your explanation, e.g. where is "id-5" in
>> the message you posted? Is the signature referring to another message
>> that was previously received?
>> 
>> Colm.
>> 
>> On Mon, Dec 5, 2011 at 9:59 AM, Mike O'Connell <mc...@gmail.com> wrote:
>> 
>> --
>> Colm O hEigeartaigh
>> 
>> Talend Community Coder
>> http://coders.talend.com
>> 
>> 
>> --
>> Colm O hEigeartaigh
>> 
>> Talend Community Coder
>> http://coders.talend.com
>> 
> 
> 
> 
> -- 
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com
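
The thread opens with a question about which references the verifier actually checks and where DOMXMLSignatureFactory.unmarshalXMLSignature lives, and closes with the cause: a ds:Reference copied into the envelope with adoptNode(cloneNode(true)) that never ended up in the tree that was signed. The Java program below is an added example, not code from the thread or from WSS4J. It is written against the JSR 105 API (javax.xml.crypto.dsig), whose DOM provider ships with the JDK and with Apache Santuario; WSS4J's SignatureProcessor calls that provider rather than implementing unmarshalXMLSignature itself, which is why the implementation is not in the WSS4J source. The program shows the detached node that adoptNode() leaves behind next to the importNode() + appendChild() form, signs a constructed envelope whose eb:Messaging carries wsu:Id="id-1" (the same layout as the messages above, but with SHA-256 and RSA-SHA256 because recent JDKs reject SHA-1 XML signatures by default), and then verifies it twice: once intact and once after the imported ds:Reference has been removed from the signed subtree. Every element name, Id, digest value and message identifier is a constructed sample apart from the namespace URIs, and the RSA key pair is generated on the fly.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

/** Added example (not from the thread or WSS4J): node-import pitfall and two-stage verification. */
public class ReferenceImportCheck {
    static final String ENV = "http://www.w3.org/2003/05/soap-envelope";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String EB = "http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Constructed sample of the ds:Reference carried over from a previously received user message.
    static final String RECEIVED_REFERENCE =
        "<ds:Reference xmlns:ds=\"" + DS + "\" URI=\"#EXAMPLE-MSG-ID_1\">"
        + "<ds:DigestMethod Algorithm=\"" + DigestMethod.SHA256 + "\"/>"
        + "<ds:DigestValue>c2FtcGxlLWRpZ2VzdC12YWx1ZQ==</ds:DigestValue></ds:Reference>";

    // Constructed receipt envelope; eb:Messaging carries wsu:Id="id-1" like the messages in the thread.
    static final String ENVELOPE =
        "<env:Envelope xmlns:env=\"" + ENV + "\"><env:Header>"
        + "<eb:Messaging xmlns:eb=\"" + EB + "\" xmlns:wsu=\"" + WSU + "\" wsu:Id=\"id-1\">"
        + "<eb:SignalMessage><eb:Receipt/></eb:SignalMessage></eb:Messaging>"
        + "</env:Header><env:Body/></env:Envelope>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/entity tricks
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static Element first(Document doc, String ns, String local) {
        return (Element) doc.getElementsByTagNameNS(ns, local).item(0);
    }

    /** adoptNode() only re-homes the clone (and may return null); it never attaches it to the tree. */
    static boolean attachedByAdopt(Document target, Node foreign) {
        Node adopted = target.adoptNode(foreign.cloneNode(true));
        return adopted != null && adopted.getParentNode() != null;
    }

    /** The form that works: copy into the target document, then hang the copy under its parent. */
    static Node importInto(Element parent, Node foreign) {
        Node copy = parent.getOwnerDocument().importNode(foreign, true);
        return parent.appendChild(copy);
    }

    /** Signs the element with the given Id reference and appends ds:Signature as the last child of parent. */
    static Element sign(Element parent, String referenceUri, KeyPair kp) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference(referenceUri, fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        DOMSignContext ctx = new DOMSignContext(kp.getPrivate(), parent);
        ctx.setDefaultNamespacePrefix("ds");
        fac.newXMLSignature(si, null).sign(ctx);
        return first(parent.getOwnerDocument(), DS, "Signature");
    }

    /** Returns {core result, SignatureValue check, all-References check}: the split WSS4J logs. */
    static boolean[] verify(Element sigElement, PublicKey key) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(key, sigElement);
        XMLSignature sig = fac.unmarshalXMLSignature(ctx); // reads ds:SignedInfo only; other ds:Reference elements are just data
        boolean core = sig.validate(ctx);
        boolean sigValue = sig.getSignatureValue().validate(ctx);
        boolean refs = true;
        for (Object o : sig.getSignedInfo().getReferences()) {
            refs &= ((Reference) o).validate(ctx); // re-digests the dereferenced #id-1 subtree
        }
        return new boolean[] { core, sigValue, refs };
    }

    public static void main(String[] args) throws Exception {
        Document envelope = parse(ENVELOPE);
        Document received = parse(RECEIVED_REFERENCE);
        Element header = first(envelope, ENV, "Header");
        Element messaging = first(envelope, EB, "Messaging");
        Element receipt = first(envelope, EB, "Receipt");
        messaging.setIdAttributeNS(WSU, "Id", true); // lets the dsig provider resolve URI="#id-1"

        System.out.println("attached by adoptNode(cloneNode(true)): "
            + attachedByAdopt(envelope, received.getDocumentElement()));
        Node imported = importInto(receipt, received.getDocumentElement());
        System.out.println("attached by importNode()+appendChild(): " + (imported.getParentNode() == receipt));

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Element sigElement = sign(header, "#id-1", kp);

        boolean[] intact = verify(sigElement, kp.getPublic());
        System.out.printf("intact: core=%b signatureValue=%b references=%b%n", intact[0], intact[1], intact[2]);

        // Stand-in for a node that was digested at signing time but is absent from the envelope as sent.
        receipt.removeChild(imported);
        boolean[] damaged = verify(sigElement, kp.getPublic());
        System.out.printf("reference removed: core=%b signatureValue=%b references=%b%n",
            damaged[0], damaged[1], damaged[2]);
    }
}
```

Compile and run with a Java 8 or later JDK; no extra dependencies are needed. The two checks are reported separately because that is what makes the log above diagnosable: a failing SignatureValue means the key or ds:SignedInfo is wrong, while a passing SignatureValue with a failing reference means the bytes under the referenced Id changed between digesting and verification, which is exactly what a node that was digested but never made it into the serialised envelope produces. The second run therefore shows the same pattern as the WSS4J log, signature value valid and reference invalid. The loose ds:Reference inside eb:Receipt is never dereferenced by the verifier: only the ds:Reference elements listed in ds:SignedInfo are validated, and the one in the receipt is simply part of the content covered by "#id-1".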


Re: Signature verification failure with loose ds:Reference in payload.

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Mike,

Could you supply a test-case that I could take a look at?

Colm.

On Mon, Dec 5, 2011 at 11:32 AM, Mike O'Connell <mc...@gmail.com> wrote:
> Hi Colm,
>
> In AS4 the spec allows for a receipt to contain the ds:Reference
>
> (URI AS4-1340DA8B82E-C7F0C@000000000_1) element of the message previously
>
> received for verification purposes. However I suspect that the signature
>
> validation process picks this reference up and fails when attempting to
>
> verify the ds:Reference (URI id-1) in the ds:Signature element.
>
>
> The reference in the signature points to "#id-1", which is the Id of
> the "Messaging" element. Why would the Reference with id
> "AS4-1340DA8B82E-C7F0C@000000000_1" in the Messaging element be
> interfering with signature validation, as it's a different URI?
>
>
> When I remove the URI attribute for "#AS4-1340DA8B82E-C7F0C@000000000_1" or
> omit the ds:Reference element surrounding it the signature verification
> works perfectly. See another request below with the ds:Reference URI
> attribute removed from the receipt element.
>
> Thanks,
>
> Mike
>
>
>
>
>
>
> Performing Security header verification
> [DEBUG] WSSecurityEngine - enter processSecurityHeader()
> [DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
> [DEBUG] SignatureProcessor - Found signature element
> [DEBUG] SignatureTrustValidator - Transmitted certificate has subject
> C=ZA,CN=localhost
> [DEBUG] SignatureTrustValidator - Transmitted certificate has issuer
> C=ZA,CN=localhost (serial 1305901688879)
> [DEBUG] SignatureTrustValidator - Direct trust for certificate with
> C=ZA,CN=localhost
> [DEBUG] SignatureProcessor - Verify XML Signature
> WSSResult - id: SIG-2
> WSSResult - canonicalization-method: http://www.w3.org/2001/10/xml-exc-c14n#
> WSSResult - signature-value: [B@3c0b655a
> WSSResult - principal: C=ZA, CN=localhost
> WSSResult - x509-certificate: <?xml version="1.0" encoding="UTF-8"
> standalone="no"?>
> <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
>   <env:Header>
>     <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> env:mustUnderstand="true">
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> Id="SIG-2">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>             <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>           </ds:CanonicalizationMethod>
>           <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>           <ds:Reference URI="#id-1">
>             <ds:Transforms>
>               <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>tkPqcPetqaCAJRI3nH5BDF3h3ag=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>
> <ds:SignatureValue>qCCsNZnQct+nh1w5DzQ3XjqgmEB/eIjqUqsK+0V1M5sieu7vBJT3Hlhovdb6cO1cDWLM5xr7Vgyh
> KwNVOM6iboaiD6cDRYcN1waHtffdXkUYKfZghs5DuHFp/L09pSKDCbsi+2htioP4ujhofqycDAp3
> Uxjl/hcbGj+v4nKsxa0=</ds:SignatureValue>
>         <ds:KeyInfo Id="KI-827486330BFAA824D313230845533145">
>           <wsse:SecurityTokenReference
> wsu:Id="STR-827486330BFAA824D313230845533146">
>             <ds:X509Data>
>               <ds:X509IssuerSerial>
>                 <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
>                 <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
>               </ds:X509IssuerSerial>
>             </ds:X509Data>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>     <eb:Messaging
> xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="id-1">
>       <eb:SignalMessage>
>         <eb:MessageInfo>
>           <eb:Timestamp>2011-12-05T11:29:13.294Z</eb:Timestamp>
>
> <eb:MessageId>FMS-A-20111205-132911.950-0.3235415620241763@999999999</eb:MessageId>
>
> <eb:RefToMessageId>AS4-1340DFC1273-756C9@000000000</eb:RefToMessageId>
>         </eb:MessageInfo>
>         <eb:Receipt>
>           <ebbpsig:NonRepudiationInformation
> xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
>             <ebbpsig:MessagePartNRInformation>
>               <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>                 <ds:Transforms>
>                   <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                     <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds ebbpsig
> env wsu"/>
>                   </ds:Transform>
>                 </ds:Transforms>
>
> <ds:DigestValue>NbGFEDwnGokrW4/PHQ8fOkPYf2c=</ds:DigestValue>
>               </ds:Reference>
>             </ebbpsig:MessagePartNRInformation>
>           </ebbpsig:NonRepudiationInformation>
>         </eb:Receipt>
>       </eb:SignalMessage>
>     </eb:Messaging>
>   </env:Header>
>   <env:Body/>
> </env:Envelope>
>
>
> On Mon, Dec 5, 2011 at 10:53 AM, Mike O'Connell <mc...@gmail.com> wrote:
>
> Hi Colm,
>
> Wss4j - 1.6.3
> Metro - 2.1.1
> bcprov - jre6 145
>
> Apologies, Copy&Paste error:
>
> In AS4 the spec allows for a receipt to contain the ds:Reference
> (URI AS4-1340DA8B82E-C7F0C@000000000_1) element of the message previously
> received for verification purposes. However I suspect that the signature
> validation process picks this reference up and fails when attempting to
> verify the ds:Reference (URI id-1) in the ds:Signature element.
>
> Can someone confirm that it's either omitting the ds:Reference
> (URI AS4-1340DA8B82E-C7F0C@000000000_1) from the check and thus failing the
> verification or that it's attempting to verify that ds:Reference
> (URI AS4-1340DA8B82E-C7F0C@000000000_1).
>
> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
> <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
>   <env:Header>
>     <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> env:mustUnderstand="true">
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> Id="SIG-2">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>             <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>           </ds:CanonicalizationMethod>
>           <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>           <ds:Reference URI="#id-1">
>             <ds:Transforms>
>               <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>
> <ds:SignatureValue>HnREEHPpyGEBGy/AHduJbNLdfc38B7nnGmb0uUIYBE9luH81uhFbX00tbjL5/+KDkUVi5MfUtDYW
> 5bOs4dA1i04f8jKsubjw46O1DNPAblAM1aEy1PRGDQsg4S7E4n7JGfSZdn6KcOppWAWE2xsanxC7
> izdd/BjfOThcmNXyU0k=</ds:SignatureValue>
>         <ds:KeyInfo Id="KI-6C1B8765799420834813230790910795">
>           <wsse:SecurityTokenReference
> wsu:Id="STR-6C1B8765799420834813230790910796">
>             <ds:X509Data>
>               <ds:X509IssuerSerial>
>                 <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
>                 <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
>               </ds:X509IssuerSerial>
>             </ds:X509Data>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>     <eb:Messaging
> xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="id-1">
>       <eb:SignalMessage>
>         <eb:MessageInfo>
>           <eb:Timestamp>2011-12-05T09:58:11.056Z</eb:Timestamp>
>
> <eb:MessageId>FMS-A-20111205-115809.534-0.9578405727393108@999999999</eb:MessageId>
>
> <eb:RefToMessageId>AS4-1340DA8B82E-C7F0C@000000000</eb:RefToMessageId>
>         </eb:MessageInfo>
>         <eb:Receipt>
>           <ebbpsig:NonRepudiationInformation
> xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
>             <ebbpsig:MessagePartNRInformation>
>               <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
>                 <ds:Transforms>
>                   <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                     <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds ebbpsig
> env wsu"/>
>                   </ds:Transform>
>                 </ds:Transforms>
>                 <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>
> <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
>               </ds:Reference>
>             </ebbpsig:MessagePartNRInformation>
>           </ebbpsig:NonRepudiationInformation>
>         </eb:Receipt>
>       </eb:SignalMessage>
>     </eb:Messaging>
>   </env:Header>
>   <env:Body/>
> </env:Envelope>
> [DEBUG] WSSecurityEngine - enter processSecurityHeader()
> [DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
> [DEBUG] SignatureProcessor - Found signature element
> [DEBUG] SignatureTrustValidator - Transmitted certificate has subject
> C=ZA,CN=localhost
> [DEBUG] SignatureTrustValidator - Transmitted certificate has issuer
> C=ZA,CN=localhost (serial 1305901688879)
> [DEBUG] SignatureTrustValidator - Direct trust for certificate with
> C=ZA,CN=localhost
> [DEBUG] SignatureProcessor - Verify XML Signature
> [DEBUG] SignatureProcessor - XML Signature verification has failed
> [DEBUG] SignatureProcessor - Signature Validation check: true
> [DEBUG] SignatureProcessor - Reference #id-1 check: false
> Security Error: : The signature or decryption was invalid
>
> On 05 Dec 2011, at 12:33 PM, Colm O hEigeartaigh wrote:
>
> Hi Mike,
>
> Firstly, what version of WSS4J are you using?
>
> Secondly, I don't understand your explanation, e.g. where is "id-5" in
> the message you posted? Is the signature referring to another message
> that was previously received?
>
> Colm.
>
> On Mon, Dec 5, 2011 at 9:59 AM, Mike O'Connell <mc...@gmail.com> wrote:
>
> Hi All
>
> I'm having some signature verification issues when receiving a signed
> message (using the AS4 specification).
>
> In AS4 the spec allows for a receipt to contain the ds:Reference
> (URI AS4-1340D972B85-751B2@000000000_1) element of the message previously
> received for verification purposes. However I suspect that the signature
> validation process picks this reference up and fails when attempting to
> verify the ds:Reference (URI id-5) in the ds:Signature element.
>
> Can someone confirm that it's either omitting the ds:Reference
> (URI AS4-1340D972B85-751B2@000000000_1) from the check and thus failing the
> verification or that it's attempting to verify that ds:Reference
> (URI AS4-1340D972B85-751B2@000000000_1).
>
> I've tried digging through the source, but can't find where the reference
> list is built or where the DOMXMLSignatureFactory.unmarshalXMLSignature
> implementation is as per:
>
> XMLSignature xmlSignature = signatureFactory.unmarshalXMLSignature(context);
>
> Please see logs (and message) below...
>
> Thanks,
>
> Mike
>
> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
> <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
>   <env:Header>
>     <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> env:mustUnderstand="true">
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> Id="SIG-2">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>             <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>           </ds:CanonicalizationMethod>
>           <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>           <ds:Reference URI="#id-1">
>             <ds:Transforms>
>               <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>
> <ds:SignatureValue>HnREEHPpyGEBGy/AHduJbNLdfc38B7nnGmb0uUIYBE9luH81uhFbX00tbjL5/+KDkUVi5MfUtDYW
> 5bOs4dA1i04f8jKsubjw46O1DNPAblAM1aEy1PRGDQsg4S7E4n7JGfSZdn6KcOppWAWE2xsanxC7
> izdd/BjfOThcmNXyU0k=</ds:SignatureValue>
>         <ds:KeyInfo Id="KI-6C1B8765799420834813230790910795">
>           <wsse:SecurityTokenReference
> wsu:Id="STR-6C1B8765799420834813230790910796">
>             <ds:X509Data>
>               <ds:X509IssuerSerial>
>                 <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
>                 <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
>               </ds:X509IssuerSerial>
>             </ds:X509Data>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>     <eb:Messaging
> xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="id-1">
>       <eb:SignalMessage>
>         <eb:MessageInfo>
>           <eb:Timestamp>2011-12-05T09:58:11.056Z</eb:Timestamp>
>
> <eb:MessageId>FMS-A-20111205-115809.534-0.9578405727393108@999999999</eb:MessageId>
>
> <eb:RefToMessageId>AS4-1340DA8B82E-C7F0C@000000000</eb:RefToMessageId>
>         </eb:MessageInfo>
>         <eb:Receipt>
>           <ebbpsig:NonRepudiationInformation
> xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
>             <ebbpsig:MessagePartNRInformation>
>               <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
>                 <ds:Transforms>
>                   <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                     <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds ebbpsig
> env wsu"/>
>                   </ds:Transform>
>                 </ds:Transforms>
>                 <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>
> <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
>               </ds:Reference>
>             </ebbpsig:MessagePartNRInformation>
>           </ebbpsig:NonRepudiationInformation>
>         </eb:Receipt>
>       </eb:SignalMessage>
>     </eb:Messaging>
>   </env:Header>
>   <env:Body/>
> </env:Envelope>
>
> Performing Security header verification
> [DEBUG] WSSecurityEngine - enter processSecurityHeader()
> [DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
> [DEBUG] SignatureProcessor - Found signature element
> [DEBUG] SignatureTrustValidator - Transmitted certificate has subject
> C=ZA,CN=localhost
> [DEBUG] SignatureTrustValidator - Transmitted certificate has issuer
> C=ZA,CN=localhost (serial 1305901688879)
> [DEBUG] SignatureTrustValidator - Direct trust for certificate with
> C=ZA,CN=localhost
> [DEBUG] SignatureProcessor - Verify XML Signature
> [DEBUG] SignatureProcessor - XML Signature verification has failed
> [DEBUG] SignatureProcessor - Signature Validation check: true
> [DEBUG] SignatureProcessor - Reference #id-1 check: false
> Security Error: : The signature or decryption was invalid
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Signature verification failure with loose ds:Reference in payload.

Posted by Mike O'Connell <mc...@gmail.com>.
Hi Colm,

>> In AS4 the spec allows for a receipt to contain the ds:Reference
>> (URI AS4-1340DA8B82E-C7F0C@000000000_1) element of the message previously
>> received for verification purposes. However I suspect that the signature
>> validation process picks this reference up and fails when attempting to
>> verify the ds:Reference (URI id-1) in the ds:Signature element.
> 
> The reference in the signature points to "#id-1", which is the Id of
> the "Messaging" element. Why would the Reference with id
> "AS4-1340DA8B82E-C7F0C@000000000_1" in the Messaging element be
> interfering with signature validation, as it's a different URI?

When I remove the URI attribute for "#AS4-1340DA8B82E-C7F0C@000000000_1" or omit the ds:Reference element surrounding it the signature verification works perfectly. See another request below with the ds:Reference URI attribute removed from the receipt element.

Thanks,

Mike






Performing Security header verification
[DEBUG] WSSecurityEngine - enter processSecurityHeader()
[DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
[DEBUG] SignatureProcessor - Found signature element
[DEBUG] SignatureTrustValidator - Transmitted certificate has subject C=ZA,CN=localhost
[DEBUG] SignatureTrustValidator - Transmitted certificate has issuer C=ZA,CN=localhost (serial 1305901688879)
[DEBUG] SignatureTrustValidator - Direct trust for certificate with C=ZA,CN=localhost
[DEBUG] SignatureProcessor - Verify XML Signature
WSSResult - id: SIG-2
WSSResult - canonicalization-method: http://www.w3.org/2001/10/xml-exc-c14n#
WSSResult - signature-value: [B@3c0b655a
WSSResult - principal: C=ZA, CN=localhost
WSSResult - x509-certificate: <?xml version="1.0" encoding="UTF-8" standalone="no"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" env:mustUnderstand="true">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-1">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>tkPqcPetqaCAJRI3nH5BDF3h3ag=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>qCCsNZnQct+nh1w5DzQ3XjqgmEB/eIjqUqsK+0V1M5sieu7vBJT3Hlhovdb6cO1cDWLM5xr7Vgyh
KwNVOM6iboaiD6cDRYcN1waHtffdXkUYKfZghs5DuHFp/L09pSKDCbsi+2htioP4ujhofqycDAp3
Uxjl/hcbGj+v4nKsxa0=</ds:SignatureValue>
        <ds:KeyInfo Id="KI-827486330BFAA824D313230845533145">
          <wsse:SecurityTokenReference wsu:Id="STR-827486330BFAA824D313230845533146">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
                <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
    <eb:Messaging xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-1">
      <eb:SignalMessage>
        <eb:MessageInfo>
          <eb:Timestamp>2011-12-05T11:29:13.294Z</eb:Timestamp>
          <eb:MessageId>FMS-A-20111205-132911.950-0.3235415620241763@999999999</eb:MessageId>
          <eb:RefToMessageId>AS4-1340DFC1273-756C9@000000000</eb:RefToMessageId>
        </eb:MessageInfo>
        <eb:Receipt>
          <ebbpsig:NonRepudiationInformation xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
            <ebbpsig:MessagePartNRInformation>
              <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds ebbpsig env wsu"/>
                  </ds:Transform>
                </ds:Transforms>
                <ds:DigestValue>NbGFEDwnGokrW4/PHQ8fOkPYf2c=</ds:DigestValue>
              </ds:Reference>
            </ebbpsig:MessagePartNRInformation>
          </ebbpsig:NonRepudiationInformation>
        </eb:Receipt>
      </eb:SignalMessage>
    </eb:Messaging>
  </env:Header>
  <env:Body/>
</env:Envelope>







> On Mon, Dec 5, 2011 at 10:53 AM, Mike O'Connell <mc...@gmail.com> wrote:
>> Hi Colm,
>> 
>> Wss4j - 1.6.3
>> Metro - 2.1.1
>> bcprov - jre6 145
>> 
>> Apologies, Copy&Paste error:
>> 
>> In AS4 the spec allows for a receipt to contain the ds:Reference
>> (URI AS4-1340DA8B82E-C7F0C@000000000_1) element of the message previously
>> received for verification purposes. However I suspect that the signature
>> validation process picks this reference up and fails when attempting to
>> verify the ds:Reference (URI id-1) in the ds:Signature element.
>> 
>> Can someone confirm that it's either omitting the ds:Reference
>> (URI AS4-1340DA8B82E-C7F0C@000000000_1) from the check and thus failing the
>> verification or that it's attempting to verify that ds:Reference
>> (URI AS4-1340DA8B82E-C7F0C@000000000_1).
>> 
>> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
>> <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
>>   <env:Header>
>>     <wsse:Security
>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> env:mustUnderstand="true">
>>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>> Id="SIG-2">
>>         <ds:SignedInfo>
>>           <ds:CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>             <ec:InclusiveNamespaces
>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>>           </ds:CanonicalizationMethod>
>>           <ds:SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>           <ds:Reference URI="#id-1">
>>             <ds:Transforms>
>>               <ds:Transform
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>                 <ec:InclusiveNamespaces
>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>>               </ds:Transform>
>>             </ds:Transforms>
>>             <ds:DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>             <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
>>           </ds:Reference>
>>         </ds:SignedInfo>
>> 
>> <ds:SignatureValue>HnREEHPpyGEBGy/AHduJbNLdfc38B7nnGmb0uUIYBE9luH81uhFbX00tbjL5/+KDkUVi5MfUtDYW
>> 5bOs4dA1i04f8jKsubjw46O1DNPAblAM1aEy1PRGDQsg4S7E4n7JGfSZdn6KcOppWAWE2xsanxC7
>> izdd/BjfOThcmNXyU0k=</ds:SignatureValue>
>>         <ds:KeyInfo Id="KI-6C1B8765799420834813230790910795">
>>           <wsse:SecurityTokenReference
>> wsu:Id="STR-6C1B8765799420834813230790910796">
>>             <ds:X509Data>
>>               <ds:X509IssuerSerial>
>>                 <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
>>                 <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
>>               </ds:X509IssuerSerial>
>>             </ds:X509Data>
>>           </wsse:SecurityTokenReference>
>>         </ds:KeyInfo>
>>       </ds:Signature>
>>     </wsse:Security>
>>     <eb:Messaging
>> xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> wsu:Id="id-1">
>>       <eb:SignalMessage>
>>         <eb:MessageInfo>
>>           <eb:Timestamp>2011-12-05T09:58:11.056Z</eb:Timestamp>
>> 
>> <eb:MessageId>FMS-A-20111205-115809.534-0.9578405727393108@999999999</eb:MessageId>
>> 
>> <eb:RefToMessageId>AS4-1340DA8B82E-C7F0C@000000000</eb:RefToMessageId>
>>         </eb:MessageInfo>
>>         <eb:Receipt>
>>           <ebbpsig:NonRepudiationInformation
>> xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
>>             <ebbpsig:MessagePartNRInformation>
>>               <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>> URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
>>                 <ds:Transforms>
>>                   <ds:Transform
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>                     <ec:InclusiveNamespaces
>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds ebbpsig
>> env wsu"/>
>>                   </ds:Transform>
>>                 </ds:Transforms>
>>                 <ds:DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> 
>> <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
>>               </ds:Reference>
>>             </ebbpsig:MessagePartNRInformation>
>>           </ebbpsig:NonRepudiationInformation>
>>         </eb:Receipt>
>>       </eb:SignalMessage>
>>     </eb:Messaging>
>>   </env:Header>
>>   <env:Body/>
>> </env:Envelope>
>> [DEBUG] WSSecurityEngine - enter processSecurityHeader()
>> [DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
>> [DEBUG] SignatureProcessor - Found signature element
>> [DEBUG] SignatureTrustValidator - Transmitted certificate has subject
>> C=ZA,CN=localhost
>> [DEBUG] SignatureTrustValidator - Transmitted certificate has issuer
>> C=ZA,CN=localhost (serial 1305901688879)
>> [DEBUG] SignatureTrustValidator - Direct trust for certificate with
>> C=ZA,CN=localhost
>> [DEBUG] SignatureProcessor - Verify XML Signature
>> [DEBUG] SignatureProcessor - XML Signature verification has failed
>> [DEBUG] SignatureProcessor - Signature Validation check: true
>> [DEBUG] SignatureProcessor - Reference #id-1 check: false
>> Security Error: : The signature or decryption was invalid
>> 
>> 
>> On 05 Dec 2011, at 12:33 PM, Colm O hEigeartaigh wrote:
>> 
>> Hi Mike,
>> 
>> Firstly, what version of WSS4J are you using?
>> 
>> Secondly, I don't understand your explanation, e.g. where is "id-5" in
>> the message you posted? Is the signature referring to another message
>> that was previously received?
>> 
>> Colm.
>> 
>> On Mon, Dec 5, 2011 at 9:59 AM, Mike O'Connell <mc...@gmail.com> wrote:
>>
>> Hi All
>>
>> I'm having some signature verification issues when receiving a signed
>> message (using the AS4 specification).
>>
>> In AS4 the spec allows for a receipt to contain the ds:Reference
>> (URI AS4-1340D972B85-751B2@000000000_1) element of the message previously
>> received for verification purposes. However I suspect that the signature
>> validation process picks this reference up and fails when attempting to
>> verify the ds:Reference (URI id-5) in the ds:Signature element.
>>
>> Can someone confirm that it's either omitting the ds:Reference
>> (URI AS4-1340D972B85-751B2@000000000_1) from the check and thus failing the
>> verification or that it's attempting to verify that ds:Reference
>> (URI AS4-1340D972B85-751B2@000000000_1).
>>
>> I've tried digging through the source, but can't find where the reference
>> list is built or where the DOMXMLSignatureFactory.unmarshalXMLSignature
>> implementation is as per:
>>
>> XMLSignature xmlSignature = signatureFactory.unmarshalXMLSignature(context);
>>
>> Please see logs (and message) below...
>>
>> Thanks,
>>
>> Mike
>>
>> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
>> <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
>>   <env:Header>
>>     <wsse:Security
>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> env:mustUnderstand="true">
>>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>> Id="SIG-2">
>>         <ds:SignedInfo>
>>           <ds:CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>             <ec:InclusiveNamespaces
>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>>           </ds:CanonicalizationMethod>
>>           <ds:SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>           <ds:Reference URI="#id-1">
>>             <ds:Transforms>
>>               <ds:Transform
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>                 <ec:InclusiveNamespaces
>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>>               </ds:Transform>
>>             </ds:Transforms>
>>             <ds:DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>             <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
>>           </ds:Reference>
>>         </ds:SignedInfo>
>>
>> <ds:SignatureValue>HnREEHPpyGEBGy/AHduJbNLdfc38B7nnGmb0uUIYBE9luH81uhFbX00tbjL5/+KDkUVi5MfUtDYW
>> 5bOs4dA1i04f8jKsubjw46O1DNPAblAM1aEy1PRGDQsg4S7E4n7JGfSZdn6KcOppWAWE2xsanxC7
>> izdd/BjfOThcmNXyU0k=</ds:SignatureValue>
>>         <ds:KeyInfo Id="KI-6C1B8765799420834813230790910795">
>>           <wsse:SecurityTokenReference
>> wsu:Id="STR-6C1B8765799420834813230790910796">
>>             <ds:X509Data>
>>               <ds:X509IssuerSerial>
>>                 <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
>>                 <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
>>               </ds:X509IssuerSerial>
>>             </ds:X509Data>
>>           </wsse:SecurityTokenReference>
>>         </ds:KeyInfo>
>>       </ds:Signature>
>>     </wsse:Security>
>>     <eb:Messaging
>> xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> wsu:Id="id-1">
>>       <eb:SignalMessage>
>>         <eb:MessageInfo>
>>           <eb:Timestamp>2011-12-05T09:58:11.056Z</eb:Timestamp>
>>
>> <eb:MessageId>FMS-A-20111205-115809.534-0.9578405727393108@999999999</eb:MessageId>
>>
>> <eb:RefToMessageId>AS4-1340DA8B82E-C7F0C@000000000</eb:RefToMessageId>
>>         </eb:MessageInfo>
>>         <eb:Receipt>
>>           <ebbpsig:NonRepudiationInformation
>> xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
>>             <ebbpsig:MessagePartNRInformation>
>>               <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>> URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
>>                 <ds:Transforms>
>>                   <ds:Transform
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>                     <ec:InclusiveNamespaces
>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds ebbpsig
>> env wsu"/>
>>                   </ds:Transform>
>>                 </ds:Transforms>
>>                 <ds:DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>
>> <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
>>               </ds:Reference>
>>             </ebbpsig:MessagePartNRInformation>
>>           </ebbpsig:NonRepudiationInformation>
>>         </eb:Receipt>
>>       </eb:SignalMessage>
>>     </eb:Messaging>
>>   </env:Header>
>>   <env:Body/>
>> </env:Envelope>
>>
>> Performing Security header verification
>> [DEBUG] WSSecurityEngine - enter processSecurityHeader()
>> [DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
>> [DEBUG] SignatureProcessor - Found signature element
>> [DEBUG] SignatureTrustValidator - Transmitted certificate has subject
>> C=ZA,CN=localhost
>> [DEBUG] SignatureTrustValidator - Transmitted certificate has issuer
>> C=ZA,CN=localhost (serial 1305901688879)
>> [DEBUG] SignatureTrustValidator - Direct trust for certificate with
>> C=ZA,CN=localhost
>> [DEBUG] SignatureProcessor - Verify XML Signature
>> [DEBUG] SignatureProcessor - XML Signature verification has failed
>> [DEBUG] SignatureProcessor - Signature Validation check: true
>> [DEBUG] SignatureProcessor - Reference #id-1 check: false
>> Security Error: : The signature or decryption was invalid
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>
> 
> 
> 
> -- 
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com


Re: Signature verification failure with loose ds:Reference in payload.

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Mike,

> In AS4 the spec allows for a receipt to contain the ds:Reference
> (URI AS4-1340DA8B82E-C7F0C@000000000_1) element of the message previously
> received for verification purposes. However I suspect that the signature
> validation process picks this reference up and fails when attempting to
> verify the ds:Reference (URI id-1) in the ds:Signature element.

The reference in the signature points to "#id-1", which is the Id of
the "Messaging" element. Why would the Reference with id
"AS4-1340DA8B82E-C7F0C@000000000_1" in the Messaging element be
interfering with signature validation, as it's a different URI?

You can get more information about what's going on if you use Java
Util Logging, and set the logging level to FINEST. You should see what
is being digested.

Colm.

On Mon, Dec 5, 2011 at 10:53 AM, Mike O'Connell <mc...@gmail.com> wrote:
> Hi Colm,
>
> Wss4j - 1.6.3
> Metro - 2.1.1
> bcprov - jre6 145
>
> Apologies, Copy&Paste error:
>
> In AS4 the spec allows for a receipt to contain the ds:Reference
> (URI AS4-1340DA8B82E-C7F0C@000000000_1) element of the message previously
> received for verification purposes. However I suspect that the signature
> validation process picks this reference up and fails when attempting to
> verify the ds:Reference (URI id-1) in the ds:Signature element.
>
> Can someone confirm that it's either omitting the ds:Reference
> (URI AS4-1340DA8B82E-C7F0C@000000000_1) from the check and thus failing the
> verification or that it's attempting to verify that ds:Reference
> (URI AS4-1340DA8B82E-C7F0C@000000000_1).
>
> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
> <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
>   <env:Header>
>     <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> env:mustUnderstand="true">
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> Id="SIG-2">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>             <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>           </ds:CanonicalizationMethod>
>           <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>           <ds:Reference URI="#id-1">
>             <ds:Transforms>
>               <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>
> <ds:SignatureValue>HnREEHPpyGEBGy/AHduJbNLdfc38B7nnGmb0uUIYBE9luH81uhFbX00tbjL5/+KDkUVi5MfUtDYW
> 5bOs4dA1i04f8jKsubjw46O1DNPAblAM1aEy1PRGDQsg4S7E4n7JGfSZdn6KcOppWAWE2xsanxC7
> izdd/BjfOThcmNXyU0k=</ds:SignatureValue>
>         <ds:KeyInfo Id="KI-6C1B8765799420834813230790910795">
>           <wsse:SecurityTokenReference
> wsu:Id="STR-6C1B8765799420834813230790910796">
>             <ds:X509Data>
>               <ds:X509IssuerSerial>
>                 <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
>                 <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
>               </ds:X509IssuerSerial>
>             </ds:X509Data>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>     <eb:Messaging
> xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="id-1">
>       <eb:SignalMessage>
>         <eb:MessageInfo>
>           <eb:Timestamp>2011-12-05T09:58:11.056Z</eb:Timestamp>
>
> <eb:MessageId>FMS-A-20111205-115809.534-0.9578405727393108@999999999</eb:MessageId>
>
> <eb:RefToMessageId>AS4-1340DA8B82E-C7F0C@000000000</eb:RefToMessageId>
>         </eb:MessageInfo>
>         <eb:Receipt>
>           <ebbpsig:NonRepudiationInformation
> xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
>             <ebbpsig:MessagePartNRInformation>
>               <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
>                 <ds:Transforms>
>                   <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                     <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds ebbpsig
> env wsu"/>
>                   </ds:Transform>
>                 </ds:Transforms>
>                 <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>
> <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
>               </ds:Reference>
>             </ebbpsig:MessagePartNRInformation>
>           </ebbpsig:NonRepudiationInformation>
>         </eb:Receipt>
>       </eb:SignalMessage>
>     </eb:Messaging>
>   </env:Header>
>   <env:Body/>
> </env:Envelope>
> [DEBUG] WSSecurityEngine - enter processSecurityHeader()
> [DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
> [DEBUG] SignatureProcessor - Found signature element
> [DEBUG] SignatureTrustValidator - Transmitted certificate has subject
> C=ZA,CN=localhost
> [DEBUG] SignatureTrustValidator - Transmitted certificate has issuer
> C=ZA,CN=localhost (serial 1305901688879)
> [DEBUG] SignatureTrustValidator - Direct trust for certificate with
> C=ZA,CN=localhost
> [DEBUG] SignatureProcessor - Verify XML Signature
> [DEBUG] SignatureProcessor - XML Signature verification has failed
> [DEBUG] SignatureProcessor - Signature Validation check: true
> [DEBUG] SignatureProcessor - Reference #id-1 check: false
> Security Error: : The signature or decryption was invalid
>
>
> On 05 Dec 2011, at 12:33 PM, Colm O hEigeartaigh wrote:
>
> Hi Mike,
>
> Firstly, what version of WSS4J are you using?
>
> Secondly, I don't understand your explanation, e.g. where is "id-5" in
> the message you posted? Is the signature referring to another message
> that was previously received?
>
> Colm.
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Signature verification failure with loose ds:Reference in payload.

Posted by Mike O'Connell <mc...@gmail.com>.
Hi Colm, 

WSS4J - 1.6.3
Metro - 2.1.1 
bcprov - jre6 145

Apologies, copy-and-paste error:

In AS4 the spec allows for a receipt to contain the ds:Reference (URI AS4-1340DA8B82E-C7F0C@000000000_1) element of the message previously received for verification purposes. However I suspect that the signature validation process picks this reference up and fails when attempting to verify the ds:Reference (URI id-1) in the ds:Signature element.

Can someone confirm that it's either omitting the ds:Reference (URI AS4-1340DA8B82E-C7F0C@000000000_1) from the check and thus failing the verification, or that it's attempting to verify that ds:Reference (URI AS4-1340DA8B82E-C7F0C@000000000_1)?

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" env:mustUnderstand="true">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-1">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>HnREEHPpyGEBGy/AHduJbNLdfc38B7nnGmb0uUIYBE9luH81uhFbX00tbjL5/+KDkUVi5MfUtDYW
5bOs4dA1i04f8jKsubjw46O1DNPAblAM1aEy1PRGDQsg4S7E4n7JGfSZdn6KcOppWAWE2xsanxC7
izdd/BjfOThcmNXyU0k=</ds:SignatureValue>
        <ds:KeyInfo Id="KI-6C1B8765799420834813230790910795">
          <wsse:SecurityTokenReference wsu:Id="STR-6C1B8765799420834813230790910796">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
                <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
    <eb:Messaging xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-1">
      <eb:SignalMessage>
        <eb:MessageInfo>
          <eb:Timestamp>2011-12-05T09:58:11.056Z</eb:Timestamp>
          <eb:MessageId>FMS-A-20111205-115809.534-0.9578405727393108@999999999</eb:MessageId>
          <eb:RefToMessageId>AS4-1340DA8B82E-C7F0C@000000000</eb:RefToMessageId>
        </eb:MessageInfo>
        <eb:Receipt>
          <ebbpsig:NonRepudiationInformation xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
            <ebbpsig:MessagePartNRInformation>
              <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#" URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds ebbpsig env wsu"/>
                  </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
              </ds:Reference>
            </ebbpsig:MessagePartNRInformation>
          </ebbpsig:NonRepudiationInformation>
        </eb:Receipt>
      </eb:SignalMessage>
    </eb:Messaging>
  </env:Header>
  <env:Body/>
</env:Envelope>
[DEBUG] WSSecurityEngine - enter processSecurityHeader()
[DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
[DEBUG] SignatureProcessor - Found signature element
[DEBUG] SignatureTrustValidator - Transmitted certificate has subject C=ZA,CN=localhost
[DEBUG] SignatureTrustValidator - Transmitted certificate has issuer C=ZA,CN=localhost (serial 1305901688879)
[DEBUG] SignatureTrustValidator - Direct trust for certificate with C=ZA,CN=localhost
[DEBUG] SignatureProcessor - Verify XML Signature
[DEBUG] SignatureProcessor - XML Signature verification has failed
[DEBUG] SignatureProcessor - Signature Validation check: true
[DEBUG] SignatureProcessor - Reference #id-1 check: false
Security Error: : The signature or decryption was invalid


On 05 Dec 2011, at 12:33 PM, Colm O hEigeartaigh wrote:

> Hi Mike,
> 
> Firstly, what version of WSS4J are you using?
> 
> Secondly, I don't understand your explanation, e.g. where is "id-5" in
> the message you posted? Is the signature referring to another message
> that was previously received?
> 
> Colm.
> 
> -- 
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com
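
A small triage script, added here as an example (it is neither WSS4J code nor anything from the thread), that parses a trimmed copy of the envelope above and separates the ds:Reference elements that ds:SignedInfo actually covers from ds:Reference elements sitting elsewhere, resolving each URI against the wsu:Id / Id attributes present in the document. The embedded envelope is a constructed input (SignatureValue and KeyInfo shortened, both references and digests kept as posted) and the function names are the example's own. Under XML Signature core validation only the SignedInfo references are digest-checked, so the receipt's reference to a part of the earlier message is expected to be neither verified nor resolvable in this envelope; the failing check in the log is on #id-1, which does resolve here.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")

# Constructed input: a trimmed copy of the envelope posted in the thread.
# SignatureValue and KeyInfo are shortened; both ds:Reference elements,
# their URIs and their digests are kept as posted.
ENVELOPE = """\
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
        <ds:SignedInfo>
          <ds:Reference URI="#id-1">
            <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>[shortened]</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
    <eb:Messaging xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="id-1">
      <eb:SignalMessage>
        <eb:Receipt>
          <ebbpsig:NonRepudiationInformation xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
            <ebbpsig:MessagePartNRInformation>
              <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
                <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
              </ds:Reference>
            </ebbpsig:MessagePartNRInformation>
          </ebbpsig:NonRepudiationInformation>
        </eb:Receipt>
      </eb:SignalMessage>
    </eb:Messaging>
  </env:Header>
  <env:Body/>
</env:Envelope>
"""


def id_index(root):
    """Map each wsu:Id / Id value to the elements carrying it.

    A value mapping to more than one element makes the URI ambiguous,
    which is itself a reason for a reference check to fail.
    """
    index = {}
    for el in root.iter():
        for attr in (f"{{{WSU}}}Id", "Id"):
            val = el.get(attr)
            if val is not None:
                index.setdefault(val, []).append(el)
    return index


def triage_references(xml_text):
    """Classify every ds:Reference in the document.

    Only references under ds:SignedInfo are digest-checked by XML Signature
    core validation; any other ds:Reference (such as the one inside the AS4
    receipt) is plain payload as far as the signature is concerned.
    """
    root = ET.fromstring(xml_text)
    ids = id_index(root)
    covered = set()  # Element objects hash by identity
    for signed_info in root.iter(f"{{{DS}}}SignedInfo"):
        covered.update(signed_info.iter(f"{{{DS}}}Reference"))
    report = []
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        target = uri[1:] if uri.startswith("#") else None
        hits = ids.get(target, []) if target else []
        report.append({
            "uri": uri,
            "in_signed_info": ref in covered,
            "resolves": len(hits) == 1,  # exactly one element with that Id
        })
    return report


if __name__ == "__main__":
    for entry in triage_references(ENVELOPE):
        print(entry)
```

Run against the real message, the output tells you which reference WSS4J is actually obliged to verify and whether its Id is unique; a failed digest on a reference that does resolve points at canonicalization of that element (for example the PrefixList or a namespace rewritten in transit), not at the loose reference.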


Re: Signature verification failure with loose ds:Reference in payload.

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Mike,

Firstly, what version of WSS4J are you using?

Secondly, I don't understand your explanation, e.g. where is "id-5" in
the message you posted? Is the signature referring to another message
that was previously received?

Colm.

On Mon, Dec 5, 2011 at 9:59 AM, Mike O'Connell <mc...@gmail.com> wrote:
> Hi All
>
> I'm having some signature verification issues when receiving a signed
> message (using the AS4 specification).
>
> In AS4 the spec allows for a receipt to contain the ds:Reference
> (URI AS4-1340D972B85-751B2@000000000_1) element of the message previously
> received for verification purposes. However I suspect that the signature
> validation process picks this reference up and fails when attempting to
> verify the ds:Reference (URI id-5) in the ds:Signature element.
>
> Can someone confirm that it's either omitting the ds:Reference
> (URI AS4-1340D972B85-751B2@000000000_1) from the check and thus failing the
> verification, or that it's attempting to verify that ds:Reference
> (URI AS4-1340D972B85-751B2@000000000_1)?
>
> I've tried digging through the source, but can't find where the reference
> list is built or where the DOMXMLSignatureFactory.unmarshalXMLSignature
> implementation is as per:
>
> XMLSignature xmlSignature = signatureFactory.unmarshalXMLSignature(context);
>
> Please see logs (and message) below...
>
> Thanks,
>
> Mike
>
>
>
>
>
> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
> <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
>   <env:Header>
>     <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> env:mustUnderstand="true">
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> Id="SIG-2">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>             <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>           </ds:CanonicalizationMethod>
>           <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>           <ds:Reference URI="#id-1">
>             <ds:Transforms>
>               <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>
> <ds:SignatureValue>HnREEHPpyGEBGy/AHduJbNLdfc38B7nnGmb0uUIYBE9luH81uhFbX00tbjL5/+KDkUVi5MfUtDYW
> 5bOs4dA1i04f8jKsubjw46O1DNPAblAM1aEy1PRGDQsg4S7E4n7JGfSZdn6KcOppWAWE2xsanxC7
> izdd/BjfOThcmNXyU0k=</ds:SignatureValue>
>         <ds:KeyInfo Id="KI-6C1B8765799420834813230790910795">
>           <wsse:SecurityTokenReference
> wsu:Id="STR-6C1B8765799420834813230790910796">
>             <ds:X509Data>
>               <ds:X509IssuerSerial>
>                 <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
>                 <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
>               </ds:X509IssuerSerial>
>             </ds:X509Data>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>     <eb:Messaging
> xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="id-1">
>       <eb:SignalMessage>
>         <eb:MessageInfo>
>           <eb:Timestamp>2011-12-05T09:58:11.056Z</eb:Timestamp>
>
> <eb:MessageId>FMS-A-20111205-115809.534-0.9578405727393108@999999999</eb:MessageId>
>
> <eb:RefToMessageId>AS4-1340DA8B82E-C7F0C@000000000</eb:RefToMessageId>
>         </eb:MessageInfo>
>         <eb:Receipt>
>           <ebbpsig:NonRepudiationInformation
> xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
>             <ebbpsig:MessagePartNRInformation>
>               <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
>                 <ds:Transforms>
>                   <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                     <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds ebbpsig
> env wsu"/>
>                   </ds:Transform>
>                 </ds:Transforms>
>                 <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>
> <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
>               </ds:Reference>
>             </ebbpsig:MessagePartNRInformation>
>           </ebbpsig:NonRepudiationInformation>
>         </eb:Receipt>
>       </eb:SignalMessage>
>     </eb:Messaging>
>   </env:Header>
>   <env:Body/>
> </env:Envelope>
>
>  Performing Security header verification
> [DEBUG] WSSecurityEngine - enter processSecurityHeader()
> [DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
> [DEBUG] SignatureProcessor - Found signature element
> [DEBUG] SignatureTrustValidator - Transmitted certificate has subject
> C=ZA,CN=localhost
> [DEBUG] SignatureTrustValidator - Transmitted certificate has issuer
> C=ZA,CN=localhost (serial 1305901688879)
> [DEBUG] SignatureTrustValidator - Direct trust for certificate with
> C=ZA,CN=localhost
> [DEBUG] SignatureProcessor - Verify XML Signature
> [DEBUG] SignatureProcessor - XML Signature verification has failed
> [DEBUG] SignatureProcessor - Signature Validation check: true
> [DEBUG] SignatureProcessor - Reference #id-1 check: false
> Security Error: : The signature or decryption was invalid



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com