Posted to users@cxf.apache.org by Raffaele Sgarro <ra...@gmail.com> on 2020/08/03 19:31:56 UTC

[Error] WSSecurityException: The signature or decryption was invalid

I'm programming a client for a SOAP service that is configured through a
policy in the WSDL
<https://gist.github.com/RaffaeleSgarro/60791b4ffdacae692d53c449de6d0ffb>.
The service responds with a message that would be perfectly fine to work
with, but has a signature that makes CXF throw an error and hence halts
the execution of the program. From the XML of the response I can't tell if
there's something wrong with CXF or the response itself, mainly because the
piece:

<ds:KeyInfo>
  <wsse:SecurityTokenReference>
    <wsse:KeyIdentifier
            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
            EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
            KTK582+s/nxWsbkIeNRTRDH+ju0=
    </wsse:KeyIdentifier>
  </wsse:SecurityTokenReference></ds:KeyInfo>

is not enough for me to understand where the certificate to verify the
signature is supposed to be found.

The full (and syntax highlighted) XML of the response is here
<https://stackoverflow.com/questions/63234657/is-the-signature-in-the-following-soap-response-valid-can-it-be-validated-altog>.
Can CXF tell if the message is valid using only the message itself and the
given policy? Or do I need some other piece of information? If that's the
case, how can I pass it?


Thanks,
Raffaele

Re: [Error] WSSecurityException: The signature or decryption was invalid

Posted by Raffaele Sgarro <ra...@gmail.com>.
Thanks, Colm.

In fact the exception is thrown because my Crypto implementation (a PKCS11
hardware security token) used by my client to sign the SOAP request does
not contain the certificate used by the server to sign its SOAP response.

The hack I used to make the certificate available is subclassing
MerlinDevice. The code is simple but feels very dirty.

I wonder if a better way exists or can be added to WSS4J.

On Tue, 11 Aug 2020 at 11:33, Colm O hEigeartaigh <
coheigea@apache.org> wrote:

> Yes, it's a valid response. CXF/WSS4J handles the SubjectKeyIdentifier case
> as follows:
>
>
> https://github.com/apache/ws-wss4j/blob/420947d684383aeed40a2e41717da6197fb1d9dd/ws-security-common/src/main/java/org/apache/wss4j/common/token/SecurityTokenReference.java#L373
>
> This extracts the SKI bytes from the message and asks the Crypto
> implementation to match it to a Certificate stored in the keystore:
>
>
> https://github.com/apache/ws-wss4j/blob/7707ffa5bcb1d903eb8e21cbd059dc94649cd5a5/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java#L1144
>
> So the corresponding certificate should be stored in your local signature
> keystore and it should work.
>
> Colm.

Re: [Error] WSSecurityException: The signature or decryption was invalid

Posted by Colm O hEigeartaigh <co...@apache.org>.
Yes, it's a valid response. CXF/WSS4J handles the SubjectKeyIdentifier case
as follows:

https://github.com/apache/ws-wss4j/blob/420947d684383aeed40a2e41717da6197fb1d9dd/ws-security-common/src/main/java/org/apache/wss4j/common/token/SecurityTokenReference.java#L373

This extracts the SKI bytes from the message and asks the Crypto
implementation to match it to a Certificate stored in the keystore:

https://github.com/apache/ws-wss4j/blob/7707ffa5bcb1d903eb8e21cbd059dc94649cd5a5/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java#L1144

So the corresponding certificate should be stored in your local signature
keystore and it should work.

Colm.

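An added example, not WSS4J's own code, of the lookup Colm describes: it base64-decodes the X509SubjectKeyIdentifier value from the message and searches a local JKS/PKCS12 keystore for a certificate whose SubjectKeyIdentifier extension carries the same bytes, so a missing certificate can be diagnosed before CXF throws. The keystore path, password and SKI value are assumed command-line arguments; certificates without the extension are reported rather than handled.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Enumeration;

public class SkiLookup {
    private static final String SKI_OID = "2.5.29.14"; // SubjectKeyIdentifier extension

    /** Raw SKI bytes from the certificate's extension, or null if it has none. */
    static byte[] skiFromCert(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue(SKI_OID);
        if (ext == null) {
            return null; // no extension: Merlin derives a value from the public key instead
        }
        int pos = skipOctetStringHeader(ext, 0);   // outer OCTET STRING (extnValue)
        pos = skipOctetStringHeader(ext, pos);     // inner OCTET STRING (KeyIdentifier)
        return Arrays.copyOfRange(ext, pos, ext.length);
    }

    /** Returns the offset just past a DER OCTET STRING tag and length (short or long form). */
    private static int skipOctetStringHeader(byte[] der, int pos) {
        if (der[pos] != 0x04) {
            throw new IllegalArgumentException("expected OCTET STRING at offset " + pos);
        }
        int len = der[pos + 1] & 0xff;
        return len < 0x80 ? pos + 2 : pos + 2 + (len & 0x7f); // long form skips length-of-length bytes
    }

    /** Alias of the first certificate whose SKI equals the base64 value from the message, or null. */
    static String findAliasBySki(KeyStore ks, String base64Ski) throws Exception {
        byte[] wanted = Base64.getDecoder().decode(base64Ski);
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate && Arrays.equals(wanted, skiFromCert((X509Certificate) c))) {
                return alias;
            }
        }
        return null;
    }

    // Assumed usage: java SkiLookup client.jks changeit KTK582+s/nxWsbkIeNRTRDH+ju0=
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        String alias = findAliasBySki(ks, args[2]);
        System.out.println(alias == null ? "no certificate with that SKI in the keystore" : "matched alias: " + alias);
    }
}
```

If the lookup prints no match, the server's signing certificate has to be imported into the keystore (or truststore) that the client's signature Crypto is configured with, which is the situation Raffaele hit with a PKCS11 token.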