Posted to issues@cxf.apache.org by "Tor Ranfelt (Jira)" <ji...@apache.org> on 2021/08/25 17:05:00 UTC
[jira] [Created] (CXF-8586) Signatures created with CXF are sometimes rejected by third party system
Tor Ranfelt created CXF-8586:
--------------------------------
Summary: Signatures created with CXF are sometimes rejected by third party system
Key: CXF-8586
URL: https://issues.apache.org/jira/browse/CXF-8586
Project: CXF
Issue Type: Bug
Components: WS-* Components
Affects Versions: 3.4.4
Reporter: Tor Ranfelt
I make SOAP requests to a system which will sometimes reject my requests due to "The signature verification failed". When this happens it goes on for a long while (maybe a whole day), and then suddenly it will work again. The cause is probably in the other system, but just maybe there is something about CXF 3.4.4 that could cause this.
So between it working and not working the certificates haven't changed, and the only thing that has changed about the body being signed is "<TransaktionTid>2021-08-11T11:09:05.083+02:00</TransaktionTid>" ("TransaktionTid" means "transaction-time").
Before the issue appeared I was running with CXF 3.3.7 on Java 1.8 (version 1.8.0.282) with the following CXF dependencies:
org.apache.cxf:cxf-rt-frontend-jaxws:3.3.7
org.apache.cxf:cxf-rt-ws-security:3.3.7
org.apache.cxf:cxf-rt-transports-http:3.3.7
org.apache.cxf:cxf-rt-features-logging:3.3.7
When the issue appeared I was running with CXF 3.4.4 on Java 11 (version 11.0.11.0.9) with the following CXF dependencies:
org.apache.cxf:cxf-rt-frontend-jaxws:3.4.4
org.apache.cxf:cxf-rt-ws-security:3.4.4
org.apache.cxf:cxf-rt-transports-http:3.4.4
org.apache.cxf:cxf-rt-features-logging:3.4.4
In order to run CXF on Java 11 I also needed the following dependencies (because they are no longer part of the JRE):
javax.xml.ws:jaxws-api:2.3.1
javax.jws:javax.jws-api:1.1
com.sun.xml.messaging.saaj:saaj-impl:1.5.3
An example of a rejected request and the response informing me of the rejection (some information has been replaced with "MANUALLY-REMOVED"):
Request:
Address: MANUALLY-REMOVED
HttpMethod: POST
Content-Type: text/xml
ExchangeId: 8a6f38de-b8e4-421c-94e1-f286ff04414f
ServiceName: PersonKontrolOplysningHentService
PortName: PersonKontrolOplysningHentService
PortTypeName: PersonKontrolOplysningHentServicePortType
Headers: {SOAPAction="", Accept=*/*}
Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="TS-3642f69d-0b13-4f1d-a370-5bc536bebbed">
<wsu:Created>2021-08-11T09:09:05.094Z</wsu:Created>
<wsu:Expires>2021-08-11T09:14:05.094Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-9eafd6ed-9e44-49f5-a1b4-ebb94936a3b6">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</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-13997ab7-df26-43f3-98e4-7adcc915e0fc">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-d0003083-cd39-4c1b-9001-418996754365">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>6yqRKqb6yP0uGTAJ0VyCVigFWxM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>e5fdYtRHcNSG1A92GDXTWbUeYz7mo3CWU07uhBOTgPo+nVThkYHu2zD0FIVwG+nGML8LESr2CTsHupoFlMiH9vCfpW8LiprAufj7S7Ks6Use7VQZ1H57ERzfABmi41eUTejl8c6XD6vUK39KPqbuL8cJ6TWAsO7er4iJG4Ww01+Hd7fyqxFnw7dzN6/WT97NWJToDNt/GMFcaAWsZMMNEfW2M6GEhDgbggeWbPjGx6Fcq2ifaxtJWwX9KH2ENeJmXXvII/vj3YKch0MLRwjR5nckPcRKwzHrJhMh0RnzD/bF24E4w1DuKD99UKRd+p3isJgZVhSKG114TexBcQJUDg==</ds:SignatureValue>
<ds:KeyInfo Id="KI-f2a30b8e-eaaa-4bb9-8294-f46c9d168a90">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STR-7f863928-c2a6-485e-a466-d09b6b497082">
<wsse:Reference URI="#X509-9eafd6ed-9e44-49f5-a1b4-ebb94936a3b6" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soap:Header>
<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-d0003083-cd39-4c1b-9001-418996754365">
<ns4:PersonKontrolOplysningHent_I xmlns="http://rep.oio.dk/skat.dk/basis/kontekst/xml/schemas/2006/09/01/" xmlns:ns10="http://rep.oio.dk/skat.dk/eindkomst/class/alternativadresse/xml/schemas/20071202/" xmlns:ns11="http://rep.oio.dk/ebxml/xml/schemas/dkcc/2003/02/13/" xmlns:ns12="http://rep.oio.dk/cvr.dk/xml/schemas/2005/03/22/" xmlns:ns13="http://rep.oio.dk/cpr.dk/xml/schemas/core/2002/06/28/" xmlns:ns14="http://rep.oio.dk/skat.dk/TSE/angivelse/xml/schemas/2006/09/01/" xmlns:ns15="urn:oio:oib:oekonomiskat:1.1.0" xmlns:ns16="http://rep.oio.dk/xkom.dk/xml/schemas/2006/09/01/" xmlns:ns17="http://rep.oio.dk/xkom.dk/xml/schemas/2007/04/15/" xmlns:ns18="http://rep.oio.dk/xkom.dk/xml/schemas/2007/09/01/" xmlns:ns19="http://rep.oio.dk/cpr.dk/xml/schemas/core/2005/05/19/" xmlns:ns2="http://rep.oio.dk/cpr.dk/xml/schemas/core/2005/03/18/" xmlns:ns3="http://rep.oio.dk/oib/dato.tid.maal/xml.schema/" xmlns:ns4="urn:oio:skat:personskat:ws:1.0.0" xmlns:ns5="http://rep.oio.dk/skat.dk/eindkomst/class/adgangformaaltype/xml/schemas/20071202/" xmlns:ns6="http://rep.oio.dk/skat.dk/motor/class/virksomhed/xml/schemas/20080401/" xmlns:ns7="http://rep.oio.dk/itst.dk/xml/schemas/2006/01/17/" xmlns:ns8="urn:oio:skat:personskat:1.0.0" xmlns:ns9="http://rep.oio.dk/ebxml/xml/schemas/dkcc/2005/05/19/">
<HovedOplysninger>
<TransaktionIdentifikator>7d68917e-a3a0-4016-adb7-ad67aa28d052</TransaktionIdentifikator>
<TransaktionTid>2021-08-11T11:09:05.083+02:00</TransaktionTid>
</HovedOplysninger>
<ns4:PersonAar>
<ns2:PersonCivilRegistrationIdentifier>MANUALLY-REMOVED</ns2:PersonCivilRegistrationIdentifier>
<ns3:AarIdentifikator>2020</ns3:AarIdentifikator>
</ns4:PersonAar>
</ns4:PersonKontrolOplysningHent_I>
</soap:Body>
</soap:Envelope>
Response:
<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Fault xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><faultcode xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">soapenv:Server.generalException</faultcode><faultstring>WSDoAllReceiver: security processing failed; nested exception is:
org.apache.ws.security.WSSecurityException: The signature verification failed</faultstring><detail><ns1:hostname xmlns:ns1="http://xml.apache.org/axis/">SKATVerifikationOCES_sktpcws01app02.csc.dk</ns1:hostname></detail></SOAP-ENV:Fault>
Any thoughts about what might be the cause?