Posted to wss4j-dev@ws.apache.org by Olve Hansen <ol...@gmail.com> on 2008/11/29 16:50:58 UTC

Signature validation not querying in truststore/cacerts for certificate alias

I am currently investigating a "bug" and I have patched the AbstractCrypto
class as described in my previous post
(http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200811.mbox/%3C20739755.post@talk.nabble.com%3E). 
I can see during debugging that the patch works, as I find the alias of my
added key, and thus it must come from my own (non-default) keystore. This
led me one step further in the process, but I am now stopped again... 

During the signature processing of a message I find that the signature
validation doesn't even try to check in the truststore for the certificate
(getAliasForX509Cert only checks in the keystore), as the following
threaddump shows:
	  at org.apache.ws.security.components.crypto.CryptoBase.getAliasForX509Cert(CryptoBase.java:214)
	  at org.apache.ws.security.components.crypto.CryptoBase.getAliasForX509Cert(CryptoBase.java:194)
	  at org.apache.ws.security.message.token.SecurityTokenReference.getX509IssuerSerialAlias(SecurityTokenReference.java:520)
	  at org.apache.ws.security.message.token.SecurityTokenReference.getX509IssuerSerial(SecurityTokenReference.java:498)
	  at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:280)
	  at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:85)
	  at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:311)
	  at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:228)
	  at org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor.validateMessage(Wss4jSecurityInterceptor.java:498)
	  at org.springframework.ws.soap.security.AbstractWsSecurityInterceptor.handleRequest(AbstractWsSecurityInterceptor.java:104)
[snip]

I am of the opinion that public certificates of trusted parties should go
into the truststore, and not in the key-store, but WSS4J is unable to
support this organisation of stores.  

I see that checking both stores is already done in getAliasForDN(..) via
getAlias(..). Are there any reasons why the X509 alias lookup methods
don't query the truststore/cacerts? 

I propose checking first in the keystore for the getAliasForX509Cert(..) methods
as well. 


All of the getAliasForX509Cert(..) methods check for the alias only in the
keystore, not in the truststore (aka cacerts). I guess this should be done
symmetrically for all those methods, if it should be done at all, that is.


I have tried this approach for the
org.apache.ws.security.components.crypto.CryptoBase#getAliasForX509Cert and
it works fine...

Anyone who has any thoughts about this?

BTW, this is done in WSS4J version 1.5.4, using Spring-WS version 1.5.5.


Regards, 
Olve Hansen
-- 
View this message in context: http://www.nabble.com/Signature-validation-not-querying-in-truststore-cacerts-for-certificate-alias-tp20748366p20748366.html
Sent from the WSS4J mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


RE: Signature validation not querying in truststore/cacerts for certificate alias

Posted by Olve Hansen <ol...@gmail.com>.
Ok, thanks. I have just started meddling with wssecurity, so I get easily
confused. 

I will tweak settings and find our preferred setup. We use 1.5.4, what were
the specifics of the issue you fixed since then? We haven't signed any of
our client-certs though, just put them in a keystore, and it works. The
verifyTrust method hasn't warned of anything wrong so far.

-- 
Olve


Colm O hEigeartaigh wrote:
> 
> 
>> We want to set up a keystore holding only our service priv/pub key pair,
>> and a truststore for all client-keys.
> 
> The truststore should contain the CA-cert that signed the client certs,
> not the actual client certs.
> 
> So essentially you're getting an error in the signature processor
> because it can't find the client cert in the keystore. One way around
> this is to sign using direct reference rather than issuer-serial, and
> thus include the X.509 cert in the SOAP request.
> 
>> So this actually means that verifyTrust is broken, since it requires that
>> the cert is in keystore for validation of the signature, but when it comes
>> to trustVerification it always checks the keystore first.
> 
> No I don't think so. Are you looking at the latest version on trunk? I
> fixed a bug in this method since 1.5.4 was released.
> 
> The logic is as follows:
>  - Search the keystore/truststore for the transmitted certificate
> (direct trust)
>  - Else look for the CA that issued the cert in either the keystore or
> truststore
>  - Check the trust path of the issuer
> 
> So this should work fine if the CA of the cert is in the truststore but
> not in the keystore. Having said that, some work definitely needs to be
> done on separation of concerns for the next release.
> 
> Colm.
> 


-----
-- 
 Olve Hansen 
-- 
View this message in context: http://www.nabble.com/Signature-validation-not-querying-in-truststore-cacerts-for-certificate-alias-tp20748366p20811471.html
Sent from the WSS4J mailing list archive at Nabble.com.




RE: Signature validation not querying in truststore/cacerts for certificate alias

Posted by Colm O hEigeartaigh <co...@progress.com>.
> We want to set up a keystore holding only our service priv/pub key pair,
> and a truststore for all client-keys.

The truststore should contain the CA-cert that signed the client certs,
not the actual client certs.

So essentially you're getting an error in the signature processor
because it can't find the client cert in the keystore. One way around
this is to sign using direct reference rather than issuer-serial, and
thus include the X.509 cert in the SOAP request.

> So this actually means that verifyTrust is broken, since it requires that
> the cert is in keystore for validation of the signature, but when it comes
> to trustVerification it always checks the keystore first.

No I don't think so. Are you looking at the latest version on trunk? I
fixed a bug in this method since 1.5.4 was released.

The logic is as follows:
 - Search the keystore/truststore for the transmitted certificate
(direct trust)
 - Else look for the CA that issued the cert in either the keystore or
truststore
 - Check the trust path of the issuer

So this should work fine if the CA of the cert is in the truststore but
not in the keystore. Having said that, some work definitely needs to be
done on separation of concerns for the next release.

Colm.

-----Original Message-----
From: Olve Hansen [mailto:olvesh@gmail.com] 
Sent: 02 December 2008 13:22
To: wss4j-dev@ws.apache.org
Subject: RE: Signature validation not querying in truststore/cacerts for
certificate alias




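The two-stage trust check Colm outlines above (direct trust of the transmitted certificate in either store, otherwise look up its issuer in either store and check the trust path), as an added example that is not WSS4J's or Spring-WS's own code. It is a stand-alone Java class written against plain java.security, which is what WSS4J's Merlin Crypto wraps: the keystore and truststore are ordinary JKS/PKCS12 files loaded through KeyStore, the signing certificate has already been resolved and its XML signature verified before this runs, and revocation checking is out of scope. The class name TrustCheck, the helper names and the command-line layout are assumptions of mine. Because a bare JDK cannot mint test certificates, main takes the two stores and the signer's PEM file from the command line instead of embedding sample input.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

/**
 * Trust verification only. Signature verification is deliberately not in here:
 * the XML signature has already been checked, and this class decides whether
 * the key that produced a valid signature is one we trust.
 *
 *   stage 1 (direct trust): the exact signing certificate is an entry in the
 *                           keystore or the truststore
 *   stage 2 (chain trust):  the issuer of the signing certificate is an entry
 *                           in either store, and PKIX path validation from that
 *                           issuer to the signing certificate succeeds
 */
public class TrustCheck {

    /** Loads a JKS/PKCS12 store from disk; type null means the JDK default type. */
    static KeyStore load(String path, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type == null ? KeyStore.getDefaultType() : type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Alias of the exact certificate in ks, or null. Matches encoded bytes, not the DN. */
    static String directAlias(KeyStore ks, X509Certificate cert) throws Exception {
        return ks == null ? null : ks.getCertificateAlias(cert);
    }

    /** Every certificate in ks whose subject DN equals issuer, whatever the entry type. */
    static Set<TrustAnchor> issuerAnchors(KeyStore ks, X500Principal issuer) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        if (ks == null) {
            return anchors;
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            Certificate c = ks.getCertificate(e.nextElement());
            if (c instanceof X509Certificate
                    && ((X509Certificate) c).getSubjectX500Principal().equals(issuer)) {
                anchors.add(new TrustAnchor((X509Certificate) c, null));
            }
        }
        return anchors;
    }

    /**
     * Returns a description of why signer is trusted, or throws
     * CertPathValidatorException if it is not. Either store may be null.
     */
    static String verifyTrust(KeyStore keystore, KeyStore truststore, X509Certificate signer)
            throws Exception {
        // Stage 1: direct trust, keystore first, then truststore.
        for (KeyStore ks : new KeyStore[] { keystore, truststore }) {
            String alias = directAlias(ks, signer);
            if (alias != null) {
                return "direct trust, alias '" + alias + "'";
            }
        }

        // Stage 2: find candidate issuers by DN in either store ...
        X500Principal issuer = signer.getIssuerX500Principal();
        Set<TrustAnchor> anchors = issuerAnchors(keystore, issuer);
        anchors.addAll(issuerAnchors(truststore, issuer));
        if (anchors.isEmpty()) {
            throw new CertPathValidatorException(
                    "neither the certificate nor its issuer " + issuer + " is in any store");
        }

        // ... and let PKIX prove the path (issuer signature over signer, validity
        // period, basic constraints). A DN match alone proves nothing, because
        // anyone can mint a certificate that carries our CA's subject name.
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // assumption: no CRL/OCSP in this sketch
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPathValidator.getInstance("PKIX")
                .validate(cf.generateCertPath(Collections.singletonList(signer)), params);
        return "chain trust, issuer " + issuer;
    }

    /** Usage: java TrustCheck keystore.jks kspass truststore.jks tspass signer.pem */
    public static void main(String[] args) throws Exception {
        KeyStore keystore = load(args[0], args[1].toCharArray(), null);
        KeyStore truststore = load(args[2], args[3].toCharArray(), null);
        X509Certificate signer;
        try (InputStream in = new FileInputStream(args[4])) {
            signer = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println(verifyTrust(keystore, truststore, signer));
    }
}
```

With the layout Colm recommends (service key pair in the keystore, only the CA certificate in the truststore, client certificates signed by that CA), a client's signing certificate is never found in stage 1 and is accepted in stage 2 through the CA; a certificate that merely copies the CA's subject DN fails PKIX validation. Note the order of operations in the thread: this check runs after the signature has been verified, and with IssuerSerial references the signature processor must first resolve the signing certificate from the store it was given, which is the lookup in Olve's stack trace; a DirectReference carries the certificate inside the message, so only this trust step remains.
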
RE: Signature validation not querying in truststore/cacerts for certificate alias

Posted by Olve Hansen <ol...@gmail.com>.

Colm O hEigeartaigh wrote:
> 
> Hi Olve,
> 
> IMO the behaviour you describe is not a bug. 
> 

I agree, I have read the javadocs on the getAliasForX509Cert method more
carefully, and I understand a bit more. But then I don't understand the best
way to do what I want to do.



Colm O hEigeartaigh wrote:
> 
>> During the signature processing of a message I find that the signature
>> validation doesn't even try to check in the truststore for the certificate
>> (getAliasForX509Cert only checks in the keystore)
> 
> There is a separation of concerns in WSS4J between signature
> verification and trust verification. The SignatureProcessor only cares
> about validating the signature, it doesn't care about if the certificate
> is trusted or not, and that's why it doesn't search the truststore.
> 
> The trust verification takes place at a later stage, line 516:
> 
> https://fisheye.springframework.org/browse/spring-ws/trunk/security/src/main/java/org/springframework/ws/soap/security/wss4j/Wss4jSecurityInterceptor.java?r=1351
> 
> I agree though that some work is needed in this area in terms of clarity
> and consistency...something to look at for the next release I guess.
> 
> Colm.
> 

Thanks for the pointer, I have now been digging a bit in the spring-ws and
wss4j code and found the following.

First, let me give some context about the case at hand. We are developing a
service that receives encrypted orders from many clients, and we get
encrypted and signed messages at the endpoint. The replies are also
encrypted and signed.

We want to set up a keystore holding only our service priv/pub key pair, and
a truststore for all client-keys. 

Using the current version of WSS4J I then get the following error when
separating this way, also after I have the patched version from my other
recent mail, allowing me to specify what truststore to use.

DEBUG org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor [] - Validating message [AxiomSoapMessage {http://www.w3.org/2001/04/xmlenc#}EncryptedData] with actions [Encrypt Signature] (Wss4jSecurityInterceptor.java:485)
WARN org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor [] - Could not validate request: The signature or decryption was invalid; nested exception is org.apache.ws.security.WSSecurityException: The signature or decryption was invalid (AbstractWsSecurityInterceptor.java:256)
DEBUG org.springframework.ws.server.MessageTracing.sent [] - Sent response [AxiomSoapMessage {http://schemas.xmlsoap.org/soap/envelope/}Fault] for request [AxiomSoapMessage {http://www.w3.org/2001/04/xmlenc#}EncryptedData] (MessageDispatcher.java:179)


If I change getAliasForX509Cert to also look for certificates in the
truststore, this works. I see from the javadoc on that method, that this
might not be the ideal way to do it. 

What I want to accomplish is an easy way for the people maintaining this
service after I have left (yes I am a consultant) so that we can use the
keystore defined in WebSphere. Also I want the public keys of the
client-services to be only one place. 

I can of course point to the cacerts/truststore for the
validationSignatureCrypto property in spring-ws, using the truststore as
keystore... 

As it is now, if we separate trust and keystore totally, a signature has to
be in the keystore to be verified as a valid signature.

Next the verifyCertificateTrust method in Wss4jSecurityInterceptor.java
ultimately calls org.apache.ws.security.handler.WSHandler#verifyTrust, and
that method checks first for the cert in the keystore
(getAliasForX509Cert:997) and then in both key and truststore, but first in
the keystore (getCertificates:1005). 

So this actually means that verifyTrust is broken, since it requires that
the cert is in keystore for validation of the signature, but when it comes
to trustVerification it always checks the keystore first.

Hmm, this became a long email - does this make sense?

--
Olve

-----
-- 
 Olve Hansen 
-- 
View this message in context: http://www.nabble.com/Signature-validation-not-querying-in-truststore-cacerts-for-certificate-alias-tp20748366p20791998.html
Sent from the WSS4J mailing list archive at Nabble.com.




RE: Signature validation not querying in truststore/cacerts for certificate alias

Posted by Colm O hEigeartaigh <co...@progress.com>.
Hi Olve,

IMO the behaviour you describe is not a bug. 

> During the signature processing of a message I find that the signature
> validation doesn't even try to check in the truststore for the certificate
> (getAliasForX509Cert only checks in the keystore)

There is a separation of concerns in WSS4J between signature
verification and trust verification. The SignatureProcessor only cares
about validating the signature, it doesn't care about if the certificate
is trusted or not, and that's why it doesn't search the truststore.

The trust verification takes place at a later stage, line 516:

https://fisheye.springframework.org/browse/spring-ws/trunk/security/src/main/java/org/springframework/ws/soap/security/wss4j/Wss4jSecurityInterceptor.java?r=1351

I agree though that some work is needed in this area in terms of clarity
and consistency...something to look at for the next release I guess.

Colm.

-----Original Message-----
From: Olve Hansen [mailto:olvesh@gmail.com] 
Sent: 29 November 2008 15:51
To: wss4j-dev@ws.apache.org
Subject: Signature validation not querying in truststore/cacerts for
certificate alias

