You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "AKROUR (JIRA)" <ji...@apache.org> on 2015/03/20 16:09:38 UTC

[jira] [Created] (CXF-6310) Signature validation of body request fails but it works fine for other request elements

AKROUR created CXF-6310:
---------------------------

             Summary: Signature validation of body request fails but it works fine for other request elements
                 Key: CXF-6310
                 URL: https://issues.apache.org/jira/browse/CXF-6310
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.7.14
         Environment: WS server running on Windows x64
WS client on SAP NetWeaver
            Reporter: AKROUR


When I connect my client (SAP NW) to WS service (CXF 2.7.14) I get the following fault:
{noformat}
<faultcode xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:FailedCheck</faultcode>
<faultstring>The signature or decryption was invalid</faultstring>
{noformat}
The WS service authenticate the user via an SAML Token that must have at least a Signed Timestamp and a Signed Body request.
When I enable the debug logs, we can see that the signature of the Timestamp element is successfully validated by CXF 2.7.14 but the signature of the Body request fails (see following logs):
{noformat}
 ....
 Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
 isNodeSet() = true
 Canonicalized SignedInfo:
 <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#part-Body-21"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>KDEnVjgujcy0Y7xa54n3BYDn79s=</ds:DigestValue></ds:Reference><ds:Reference URI="#ts-FA163ECA11051EE4B3E19DFDCA3B3C3E"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>R249Zrff/b1ddHU58u2cZtD7pOI=</ds:DigestValue></ds:Reference><ds:Reference URI="#str-FA163ECA11051EE4B3E19DFDCA3B7C3E"><ds:Transforms><ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"><wsse:TransformationParameters xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod></wsse:TransformationParameters></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>2fitoKp3/MKG2MMXzV7rNkkTMes=</ds:DigestValue></ds:Reference></ds:SignedInfo>
 Data to be signed/verified:PGRzOlNpZ25lZEluZm8geG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIj48L2RzOkNhbm9uaWNhbGl6YXRpb25NZXRob2Q+PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSI+PC9kczpTaWduYXR1cmVNZXRob2Q+PGRzOlJlZmVyZW5jZSBVUkk9IiNwYXJ0LUJvZHktMjEiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjwvZHM6VHJhbnNmb3JtPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiPjwvZHM6RGlnZXN0TWV0aG9kPjxkczpEaWdlc3RWYWx1ZT5LREVuVmpndWpjeTBZN3hhNTRuM0JZRG43OXM9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48ZHM6UmVmZXJlbmNlIFVSST0iI3RzLUZBMTYzRUNBMTEwNTFFRTRCM0UxOURGRENBM0IzQzNFIj48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIj48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIj48L2RzOkRpZ2VzdE1ldGhvZD48ZHM6RGlnZXN0VmFsdWU+UjI0OVpyZmYvYjFkZEhVNTh1MmNadEQ3cE9JPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PGRzOlJlZmVyZW5jZSBVUkk9IiNzdHItRkExNjNFQ0ExMTA1MUVFNEIzRTE5REZEQ0EzQjdDM0UiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vZG9jcy5vYXNpcy1vcGVuLm9yZy93c3MvMjAwNC8wMS9vYXNpcy0yMDA0MDEtd3NzLXNvYXAtbWVzc2FnZS1zZWN1cml0eS0xLjAjU1RSLVRyYW5zZm9ybSI+PHdzc2U6VHJhbnNmb3JtYXRpb25QYXJhbWV0ZXJzIHhtbG5zOndzc2U9Imh0dHA6Ly9kb2NzLm9hc2lzLW9wZW4ub3JnL3dzcy8yMDA0LzAxL29hc2lzLTIwMDQwMS13c3Mtd3NzZWN1cml0eS1zZWNleHQtMS4wLnhzZCI+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjwvZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZD48L3dzc2U6VHJhbnNmb3JtYXRpb25QYXJhbWV0ZXJzPjwvZHM6VHJhbnNmb3JtPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiPjwvZHM6RGlnZXN0TWV0aG9kPjxkczpEaWdlc3RWYWx1ZT4yZml0b0twMy9NS0cyTU1YelY3ck5ra1RNZXM9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8+
 URIDereferencer class name: org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer
 Data class name: org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData
 Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
 ApacheData = true
 Pre-digested input:
 <soap-env:Body xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="part-Body-21"><n1:echoRequest xmlns:n1="http://schema.echo.ws.highdeal.com/">String 1</n1:echoRequest></soap-env:Body>
 Expected digest: KDEnVjgujcy0Y7xa54n3BYDn79s=
 Actual digest: y4TKcp+2RCjVy/+c8j+NJERECDw=
 Reference[#part-Body-21] is valid: false
 Couldn't validate the References
 XML Signature verification has failed
 Signature Validation check: true
 Reference #part-Body-21 check: false
 URIDereferencer class name: org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer
 Data class name: org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData
 Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
 ApacheData = true
 Pre-digested input:
 <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="ts-FA163ECA11051EE4B3E19DFDCA3B3C3E"><wsu:Created>2015-03-20T14:25:19Z</wsu:Created><wsu:Expires>2015-03-20T14:26:49Z</wsu:Expires></wsu:Timestamp>
 Expected digest: R249Zrff/b1ddHU58u2cZtD7pOI=
 Actual digest: R249Zrff/b1ddHU58u2cZtD7pOI=
 Reference #ts-FA163ECA11051EE4B3E19DFDCA3B3C3E check: true
 URIDereferencer class name: org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer
 Data class name: org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData
 STR: KeyIdentifier
 Token reference uri: saml-FA163ECA11051EE4B3E19DFDCA3B1C3E
 Token reference ValueType: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
 after c14n: <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="saml-FA163ECA11051EE4B3E19DFDCA3B1C3E" IssueInstant="2015-03-20T14:25:19Z" Issuer="10.66.140.170" MajorVersion="1" MinorVersion="1"><saml:Conditions NotBefore="2015-03-20T14:25:19Z" NotOnOrAfter="2015-03-20T14:30:19Z"></saml:Conditions><saml:AuthenticationStatement AuthenticationInstant="2015-03-20T14:25:19Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="">AKROUR</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>
 last result: 
 <saml:Assertion xmlns="" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="saml-FA163ECA11051EE4B3E19DFDCA3B1C3E" IssueInstant="2015-03-20T14:25:19Z" Issuer="10.66.140.170" MajorVersion="1" MinorVersion="1"><saml:Conditions NotBefore="2015-03-20T14:25:19Z" NotOnOrAfter="2015-03-20T14:30:19Z"></saml:Conditions><saml:AuthenticationStatement AuthenticationInstant="2015-03-20T14:25:19Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="">AKROUR</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>
 Pre-digested input:
 <saml:Assertion xmlns="" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="saml-FA163ECA11051EE4B3E19DFDCA3B1C3E" IssueInstant="2015-03-20T14:25:19Z" Issuer="10.66.140.170" MajorVersion="1" MinorVersion="1"><saml:Conditions NotBefore="2015-03-20T14:25:19Z" NotOnOrAfter="2015-03-20T14:30:19Z"></saml:Conditions><saml:AuthenticationStatement AuthenticationInstant="2015-03-20T14:25:19Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="">AKROUR</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>
 Expected digest: 2fitoKp3/MKG2MMXzV7rNkkTMes=
 Actual digest: 2fitoKp3/MKG2MMXzV7rNkkTMes=
 Reference #str-FA163ECA11051EE4B3E19DFDCA3B7C3E check: true

org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
	at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:455)
	at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:230)
	at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:402)
{noformat}

Note: The request has a namespace 
{noformat}xmlns:prx="urn:sap.com:proxy:EMI:/1SAI/TAS36028FAD870EA3A21C56:740"  
{noformat} 
The namespace is removed by the canonicalization of the XML. The received request is:
{noformat}
<soap-env:Body wsu:Id="part-Body-21" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><n1:echoRequest xmlns:n1="http://schema.echo.ws.highdeal.com/" xmlns:prx="urn:sap.com:proxy:EMI:/1SAI/TAS36028FAD870EA3A21C56:740">String 1</n1:echoRequest></soap-env:Body>
{noformat}

Unfortunately I cannot provide test cases but I can easily reproduce the issue with CXF 2.7.15.

Do you have any idea of what could happen here?

Thank and Best Regards,
K.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)