Posted to fx-dev@ws.apache.org by Brian Nielsen <br...@sweetxml.org> on 2005/07/08 23:45:05 UTC
RE: Problem checking signatures (from WSE 2.0 to wss4j) - found workaround
David gave me the key to a workaround:
<globalConfiguration>
<parameter name="enableNamespacePrefixOptimization" value="false"/>
...
Thank you for that.
I have not had time to grasp what exactly goes wrong, but my first thought
is that it's an error and not a feature to be enabled/disabled in
wsdd-files. Naturally that depends on what the spec says and the need for
interop ;-).
/Brian
-----Original Message-----
From: David Del Vecchio [mailto:ddelvecc@virginia.edu]
Sent: 5 July 2005 05:55
To: Brian Nielsen
Subject: Re: Problem checking signatures (from WSE 2.0 to wss4j)
So there is an issue with Axis modifying the message XML somewhat before
WSS4J ever gets to process the signature
(http://issues.apache.org/jira/browse/AXIS-1624). This frequently causes
problems with WSE<->WSS4J interop. Anyway, you should be able to disable the
Axis behavior that causes this problem by adding the following to your
server-config.wsdd or client-config.wsdd.
<globalConfiguration>
<parameter name="enableNamespacePrefixOptimization" value="false"/>
...
Of course the problem you're seeing could also be caused by something else.
David
Brian Nielsen wrote:
>Werner,
>
>Thanks for clearing that up, so okay, the problem is the
>certificate/signature. I've tried to create a small program to do my
>own verification, based on the xml-sec samples with some luck, but it
>has not helped me much. I took the response I got from WSE 2.0 and tried
>to reproduce the signature, but that can't even get the digest right.
>I've looked at some of the code inside wss4j, but it's "steeeeep" uphill
>for me. I've attached the result I get as an XML file, with both the
>wss-stuff and my "own" signature element in the header. And my program
>sample is inserted below.
>
>Has anyone had the same problem?
>
>Does anyone have a clue to what could be wrong or something I should
>try out?
>
>Thanks in advance - any ideas will be much appreciated since I've
>already spent quite some time on this, and have no intention of giving
>up :-)
>
>Also, I've tried switching between JDK 1.4.2 and 5.0, with some weird
>problems; should I stick with 1.4.2 or should there be no problems with
>either?
>
>Best regards
>Brian
>
>
>    // Initialise the Apache XML Security library before using it.
>    org.apache.xml.security.Init.init();
>
>    String keystoreType = "PKCS12";
>    String keystoreFile = "cpr.p12";
>    String keystorePass = "cpr";
>    String privateKeyAlias = "cpr server certificate";
>    String privateKeyPass = "cpr";
>    String certificateAlias = "cpr server certificate";
>    File signatureFile = new File(AXIS_SIGNATURE_FILENAME);
>
>    // Load the signing key from the PKCS#12 keystore.
>    KeyStore ks = KeyStore.getInstance(keystoreType);
>    FileInputStream fis = new FileInputStream(keystoreFile);
>    ks.load(fis, keystorePass.toCharArray());
>    fis.close();
>
>    PrivateKey privateKey = (PrivateKey) ks.getKey(privateKeyAlias,
>            privateKeyPass.toCharArray());
>
>    // Parse the saved WSE 2.0 response with namespace awareness.
>    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
>    dbf.setNamespaceAware(true);
>    DocumentBuilder db = dbf.newDocumentBuilder();
>
>    File soapFile = new File("dotNet-response.xml");
>    Document soapDocument = db.parse(soapFile);
>
>    Element bodyElement = (Element) soapDocument.getElementsByTagNameNS(
>            "http://schemas.xmlsoap.org/soap/envelope/", "Body").item(0);
>    Element headerElement = (Element) soapDocument.getElementsByTagNameNS(
>            "http://schemas.xmlsoap.org/soap/envelope/", "Header").item(0);
>    // org.w3c.dom.Document doc = db.newDocument();
>
>    // New RSA-SHA1 signature whose SignedInfo uses exclusive C14N.
>    String BaseURI = soapFile.toURL().toString();
>    XMLSignature sig = new XMLSignature(soapDocument, BaseURI,
>            XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
>            Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
>
>    headerElement.appendChild(sig.getElement());
>
>    // Resolve the "#Id-..." reference with WSS4J's EnvelopeIdResolver.
>    org.apache.ws.security.WSSConfig wssConf =
>            org.apache.ws.security.WSSConfig.getDefaultWSConfig();
>    ResourceResolverSpi eir = EnvelopeIdResolver.getInstance(wssConf);
>
>    sig.addResourceResolver(eir);
>    // addDocument(uri) adds the reference without any Transforms.
>    sig.addDocument("#Id-eb849637-bd22-465e-891c-3b713e222c15");
>
>    X509Certificate cert = (X509Certificate) ks
>            .getCertificate(certificateAlias);
>
>    sig.addKeyInfo(cert);
>    // sig.addKeyInfo(cert.getPublicKey());
>    sig.sign(privateKey);
>
>    // Write the signed document out in canonical form.
>    FileOutputStream f = new FileOutputStream(signatureFile);
>    XMLUtils.outputDOMc14nWithComments(soapDocument, f);
>    f.close();
>    System.out.println("Wrote signature to " + signatureFile);
>
>    // Dump the octets that were digested for each reference.
>    for (int i = 0; i < sig.getSignedInfo().getSignedContentLength(); i++) {
>        System.out.println("--- Signed Content follows ---");
>        System.out.println(new String(sig.getSignedInfo()
>                .getSignedContentItem(i)));
>    }
> }
>
>
>
>
>-----Original Message-----
>From: Dittmann, Werner [mailto:werner.dittmann@siemens.com]
>Sent: 29 June 2005 16:30
>To: Brian Nielsen; fx-dev@ws.apache.org
>Subject: AW: Problem checking signatures
>
>Brian,
>
>the message "Verification successful for URI" means that the computed
>digest value over the referenced part of the message is ok.
>
>The SignatureValue is then computed over the part that is enclosed by
>"<SignedInfo>" tags. If somehow this part of the message is modified
>then the computation of the hash for this part fails. Even inserting a
>blank or an additional linefeed causes failure - so _no_ modification
>after Signature.
>
>AFAIK the SignatureValue is the hash over the SignedInfo encrypted with
>the private key of the Signer; to check the signature, decrypt with the
>public key, compute the hash over SignedInfo (after checking the enclosed
>DigestValues) and compare the results.
>
>Regards,
>Werner
>
>
>
>>-----Original Message-----
>>From: Brian Nielsen [mailto:brian@sweetxml.org]
>>Sent: Wednesday, 29 June 2005 14:30
>>To: fx-dev@ws.apache.org
>>Subject: Problem checking signatures
>>
>>
>>
>>My scenario is signature/encrypt request/response from wss4j to
>>WSE2.0SP3.
>>The request sign/encrypt goes fine, and for the response the decryption
>>is also okay, but the signature fails. The strange thing is that I get
>>the following on the console:
>>
>>Verification successful for URI
>>"#Id-e1f13ac7-1af6-4f79-a76c-2489d05e3816"
>>
>>I can see that this message comes from the call to
>>"sig.checkSignatureValue(certs[0]);" in WSSecurityEngine and that the
>>return value is "false". [1] is a pretty print of the response, that
>>I've confined to just signing to focus on the problem.
>>
>>Has anyone got an idea of what's happening and a solution? I know that
>>there could be more information necessary, so please write back if
>>you've got any clues.
>>
>>Best regards
>>Brian Nielsen
>>
>>
>>[1]
>><?xml version="1.0" encoding="utf-8"?>
>> <soap:Envelope
>>xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
>>xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>>xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
>>xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-20040
>>1-wss-wssecuri
>>ty-secext-1.0.xsd"
>>xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
>>-wss-wssecurit
>>y-utility-1.0.xsd">
>> <soap:Header>
>>
>><wsa:Action>http://www.oio.dk/arkitektur/webservice/security/a
>>tedResponse</w
>>sa:Action>
>>
>><wsa:MessageID>uuid:d7a59b71-f5c8-4789-b9a9-5e27b08dbdad</wsa:
>>MessageID>
>>
>><wsa:RelatesTo>uuid:3de201e3-1b79-48c7-b195-0207ea3bad58</wsa:
>>RelatesTo>
>>
>><wsa:To>http://schemas.xmlsoap.org/ws/2004/03/addressing/role/
>>anonymous</wsa
>>:To>
>> <wsse:Security soap:mustUnderstand="1">
>> <wsu:Timestamp
>>wsu:Id="Timestamp-8ba94dc8-5688-4fb9-9d05-31ccb1ec9f94">
>> <wsu:Created>2005-06-29T11:31:55Z</wsu:Created>
>> <wsu:Expires>2005-06-29T11:36:55Z</wsu:Expires>
>> </wsu:Timestamp>
>> <wsse:BinarySecurityToken
>>ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401
>>-wss-x509-toke
>>n-profile-1.0#X509v3"
>>EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200
>>401-wss-soap-m
>>essage-security-1.0#Base64Binary"
>>xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
>>-wss-wssecurit
>>y-utility-1.0.xsd"
>>wsu:Id="SecurityToken-0170d0e7-53ad-4bf4-8176-5598acd0a7ae">...</wsse:BinarySecurityToken>
>> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>> <SignedInfo>
>> <ds:CanonicalizationMethod
>>Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
>>xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
>> <SignatureMethod
>>Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>> <Reference
>>URI="#Id-4130cb51-eb27-4f46-aa92-c7db3e906e4c">
>> <Transforms>
>> <Transform
>>Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>> </Transforms>
>> <DigestMethod
>>Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>
>><DigestValue>iDgY5vodA7dsKqrWWXJT0ynFJzI=</DigestValue>
>> </Reference>
>> </SignedInfo>
>>
>><SignatureValue>TQ1okwAi9CQS5vNCSxR2p2vaRKjbYF2YYx3XtOA/lhm9yk
>>wxCQpNlOwio4U0
>>eE3ko1IwRmG8/ATqkTEZ8AKQVsg6w3xRqTcKjs2jQPj3Q8epOsXeie6OEuYeD1
>>wSbsPYoaP0jBAC
>>Wbdd1TR2OMiqjEENvIPGAw9jaTz0Ldp4uSU=</SignatureValue>
>> <KeyInfo>
>> <wsse:SecurityTokenReference>
>> <wsse:Reference
>>URI="#SecurityToken-0170d0e7-53ad-4bf4-8176-5598acd0a7ae"
>>ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401
>>-wss-x509-toke
>>n-profile-1.0#X509v3" />
>> </wsse:SecurityTokenReference>
>> </KeyInfo>
>> </Signature>
>> </wsse:Security>
>> </soap:Header>
>> <soap:Body wsu:Id="Id-4130cb51-eb27-4f46-aa92-c7db3e906e4c">
>> <PersonalCPRDataStructure
>>xmlns="http://rep.oio.dk/xkom.dk/xml/schemas/2004/08/01/">
>> <PersonName>
>> <PersonGivenName
>>xmlns="http://rep.oio.dk/ebxml/xml/schemas/dkcc/2003/02/13/">F
>>ornavn</Person
>>GivenName>
>> <PersonMiddleName
>>xmlns="http://rep.oio.dk/ebxml/xml/schemas/dkcc/2003/02/13/">M
>>ellemnavn</Per
>>sonMiddleName>
>> <PersonSurnameName
>>xmlns="http://rep.oio.dk/ebxml/xml/schemas/dkcc/2003/02/13/">E
>>fternavn</Pers
>>onSurnameName>
>> </PersonName>
>> </PersonalCPRDataStructure>
>> </soap:Body>
>> </soap:Envelope>
>>
>>
>>
>>
>>
>>----------------------------------------------------------------------
>>--
>>
>><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
>>xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
>>xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-ws
>>security-secext-1.0.xsd"
>>xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wss
>>ecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>>xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soap:Header><ws
>>a:Action>http://www.oio.dk/arkitektur/webservice/security/atedResponse
>></wsa:Action><wsa:MessageID>uuid:d8e8ba0d-e52e-4b0c-865a-dbd50628b548<
>>/wsa:MessageID><wsa:RelatesTo>uuid:90ac9dbc-3036-4679-8738-fafd6408a82
>>3</wsa:RelatesTo><wsa:To>http://schemas.xmlsoap.org/ws/2004/03/address
>>ing/role/anonymous</wsa:To><wsse:Security
>>soap:mustUnderstand="1"><wsu:Timestamp
>>wsu:Id="Timestamp-641538e6-f411-4611-a772-966ea5d546b9"><wsu:Created>2
>>005-07-02T12:56:02Z</wsu:Created><wsu:Expires>2005-07-02T13:01:02Z</ws
>>u:Expires></wsu:Timestamp><wsse:BinarySecurityToken
>>EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-
>>soap-message-security-1.0#Base64Binary"
>>ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x50
>>9-token-profile-1.0#X509v3"
>>wsu:Id="SecurityToken-70385b85-b296-4f89-81a9-dd289df11e52">...</wsse:BinarySecurityToken><Signature
>>xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><ds:Canonicaliz
>>ationMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>>Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Canonicalizat
>>ionMethod><SignatureMethod
>>Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMeth
>>od><Reference
>>URI="#Id-eb849637-bd22-465e-891c-3b713e222c15"><Transforms><Transform
>>Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform></Tran
>>sforms><DigestMethod
>>Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><Dig
>>estValue>c9AQwWWvja1uazcmo1IHKVjTckY=</DigestValue></Reference></Signe
>>dInfo><SignatureValue>cS+9rwDkOV7WxyFqGffRaajQ8qibO+mgotVMNbEWZGPHFNQ2
>>oHnrz3fx6wcnDx/+0rvwaA31x9m6lFgR/Up1jiUZtipoyhgE6Ucs6VayjvS1YtaQ6fvWq8
>>o6TDPCYfQVofam1wJbZn51H/6R4GX2a/MnAp1U0z4BC9XUyMBu1Us=</SignatureValue
>>><KeyInfo><wsse:SecurityTokenReference><wsse:Reference
>>URI="#SecurityToken-70385b85-b296-4f89-81a9-dd289df11e52"
>>ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x50
>>9-token-profile-1.0#X509v3"></wsse:Reference></wsse:SecurityTokenRefer
>>ence></KeyInfo></Signature></wsse:Security><ds:Signature
>>xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>><ds:SignedInfo>
>><ds:CanonicalizationMethod
>>Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Canonicalizat
>>ionMethod> <ds:SignatureMethod
>>Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureM
>>ethod> <ds:Reference URI="#Id-eb849637-bd22-465e-891c-3b713e222c15">
>><ds:DigestMethod
>>Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
>><ds:DigestValue>zQG8m5qaGb0PLNarfq47qlQXwUk=</ds:DigestValue>
>></ds:Reference>
>></ds:SignedInfo>
>><ds:SignatureValue>
>>i+tlVaNNEyQI3v6ErjMWz8g/nsdFkwSM/aVprtsYPL6jwhmSH78LuQ0/63Ql7rkdMD/i2p
>>i+YUkqFy
>>SPmVAbDxfZ6DnAEPNlWf9xOPtOgjMWa02l86HpTHHKQgRTUs/POO/f1O1nxVS1HlyvTAmW
>>CkqkQC
>>gKPWEhrOX+8uva32SoM=
>></ds:SignatureValue>
>><ds:KeyInfo>
>><ds:X509Data>
>><ds:X509Certificate>
>>...
>></ds:X509Certificate>
>></ds:X509Data>
>></ds:KeyInfo>
>></ds:Signature></soap:Header><soap:Body
>>wsu:Id="Id-eb849637-bd22-465e-891c-3b713e222c15"><PersonalCPRDataStruc
>>ture
>>xmlns="http://rep.oio.dk/xkom.dk/xml/schemas/2004/08/01/"><PersonName>
>><PersonGivenName
>>xmlns="http://rep.oio.dk/ebxml/xml/schemas/dkcc/2003/02/13/">Fornavn</
>>PersonGivenName><PersonMiddleName
>>xmlns="http://rep.oio.dk/ebxml/xml/schemas/dkcc/2003/02/13/">Mellemnav
>>n</PersonMiddleName><PersonSurnameName
>>xmlns="http://rep.oio.dk/ebxml/xml/schemas/dkcc/2003/02/13/">Efternavn
>></PersonSurnameName></PersonName></PersonalCPRDataStructure></soap:Bod
>>y></soap:Envelope>
>>
Re: Problem checking signatures (from WSE 2.0 to wss4j) - found workaround
Posted by Davanum Srinivas <da...@gmail.com>.
thanks, am making this the default in the axis's wsdd.
-- dims
> >>ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x50
> >>9-token-profile-1.0#X509v3"></wsse:Reference></wsse:SecurityTokenRefer
> >>ence></KeyInfo></Signature></wsse:Security><ds:Signature
> >>xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >><ds:SignedInfo>
> >><ds:CanonicalizationMethod
> >>Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Canonicalizat
> >>ionMethod> <ds:SignatureMethod
> >>Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureM
> >>ethod> <ds:Reference URI="#Id-eb849637-bd22-465e-891c-3b713e222c15">
> >><ds:DigestMethod
> >>Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> >><ds:DigestValue>zQG8m5qaGb0PLNarfq47qlQXwUk=</ds:DigestValue>
> >></ds:Reference>
> >></ds:SignedInfo>
> >><ds:SignatureValue>
> >>i+tlVaNNEyQI3v6ErjMWz8g/nsdFkwSM/aVprtsYPL6jwhmSH78LuQ0/63Ql7rkdMD/i2p
> >>i+YUkqFy
> >>SPmVAbDxfZ6DnAEPNlWf9xOPtOgjMWa02l86HpTHHKQgRTUs/POO/f1O1nxVS1HlyvTAmW
> >>CkqkQC
> >>gKPWEhrOX+8uva32SoM=
> >></ds:SignatureValue>
> >><ds:KeyInfo>
> >><ds:X509Data>
> >><ds:X509Certificate>
> >></ds:X509Certificate>
> >></ds:X509Data>
> >></ds:KeyInfo>
> >></ds:Signature></soap:Header><soap:Body
> >>wsu:Id="Id-eb849637-bd22-465e-891c-3b713e222c15"><PersonalCPRDataStruc
> >>ture
> >>xmlns="http://rep.oio.dk/xkom.dk/xml/schemas/2004/08/01/"><PersonName>
> >><PersonGivenName
> >>xmlns="http://rep.oio.dk/ebxml/xml/schemas/dkcc/2003/02/13/">Fornavn</
> >>PersonGivenName><PersonMiddleName
> >>xmlns="http://rep.oio.dk/ebxml/xml/schemas/dkcc/2003/02/13/">Mellemnav
> >>n</PersonMiddleName><PersonSurnameName
> >>xmlns="http://rep.oio.dk/ebxml/xml/schemas/dkcc/2003/02/13/">Efternavn
> >></PersonSurnameName></PersonName></PersonalCPRDataStructure></soap:Bod
> >>y></soap:Envelope>
> >>
>
>
>
>
--
Davanum Srinivas -http://blogs.cocoondev.org/dims/
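
The quoted response carries two signatures over the same soap:Body: the WSE one, whose Reference names the exc-c14n Transform, and the hand-built ds:Signature, whose Reference names no Transform, so XML-DSig's default (inclusive Canonical XML) applies to it. As an added example (not code from this thread, WSS4J or xml-sec), the simplified canonicalizer below shows how the two forms render different namespace declarations on the Body and therefore digest differently; the envelope is constructed, the names in_scope, esc, c14n and body_reference are hypothetical, and only elements, attributes and text are handled.

```python
import base64, hashlib
from xml.dom import minidom

# Constructed envelope shaped like the quoted response; not the original bytes.
ENVELOPE = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"'
    ' xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing" xmlns:wsu="http://'
    'docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">'
    '<soap:Body wsu:Id="Id-1"><Data xmlns="urn:example:data">x</Data></soap:Body>'
    '</soap:Envelope>')

def in_scope(el):
    """Map prefix -> URI for each namespace declaration in scope at el."""
    scope = in_scope(el.parentNode) if el.parentNode.nodeType == el.ELEMENT_NODE else {}
    for a in el.attributes.values():
        if a.name == "xmlns" or a.name.startswith("xmlns:"):
            scope[a.name[6:]] = a.value      # key "" is the default namespace
    return scope

def esc(s, attr=False):
    s = s.replace("&", "&amp;").replace("<", "&lt;")
    return s.replace('"', "&quot;") if attr else s.replace(">", "&gt;")

def c14n(el, exclusive, rendered=None):
    """Simplified canonical form of el's subtree: elements, attributes, text."""
    rendered, scope = rendered or {}, in_scope(el)
    attrs = [a for a in el.attributes.values() if not a.name.startswith("xmlns")]
    wanted = scope    # inclusive C14N: every declaration in scope, ancestors' too
    if exclusive:     # exc-c14n: only prefixes this element or its attributes use
        used = {el.tagName.rpartition(":")[0]}
        used |= {a.name.rpartition(":")[0] for a in attrs if ":" in a.name}
        wanted = {p: scope[p] for p in used if p in scope}
    new = {p: u for p, u in wanted.items() if rendered.get(p) != u}
    out = "<" + el.tagName
    for p in sorted(new):                    # namespace declarations, by prefix
        out += ' xmlns%s="%s"' % (":" + p if p else "", esc(new[p], True))
    for a in sorted(attrs, key=lambda a: (a.namespaceURI or "", a.localName)):
        out += ' %s="%s"' % (a.name, esc(a.value, True))
    out += ">"
    for c in el.childNodes:
        if c.nodeType == c.ELEMENT_NODE:
            out += c14n(c, exclusive, {**rendered, **new})
        elif c.nodeType == c.TEXT_NODE:
            out += esc(c.data)
    return out + "</%s>" % el.tagName

def body_reference(exclusive):   # -> (canonical text, base64 SHA-1 DigestValue)
    body = minidom.parseString(ENVELOPE).getElementsByTagName("soap:Body")[0]
    text = c14n(body, exclusive)
    return text, base64.b64encode(hashlib.sha1(text.encode("utf-8")).digest()).decode()
```

Only the inclusive form pulls the unused xmlns:wsa declaration from the Envelope into the digested octets, so a verifier must canonicalize each Reference exactly as that Reference declares.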