Hi,

Could you try putting a breakpoint in the DOMCallbackLookup here:

https://github.com/apache/wss4j/blob/eb907a956bb604d89bb56e5c960c7b9f6abd4e27/ws-security-dom/src/main/java/org/apache/wss4j/dom/callback/DOMCallbackLookup.java#L96

Firstly, check that doc.getDocumentElement() contains all of the WS-Addressing headers. Then, if it does, check to see why XMLUtils.findElementById doesn't find the correct Element.

Colm.

On Tue, Aug 21, 2018 at 11:01 AM, Elric Morgenstern <elric...@gmail.com> wrote:
> Hi guys,
>
> first of all, thanks for the great frameworks CXF and WSS4J!
>
> I have set up a web service with signature validation that I'm calling from
> SoapUI, and when validating the signatures, WSS4J cannot resolve the
> <Reference>'d elements in the signatures, with an exception:
>
> javax.xml.crypto.dsig.XMLSignatureException:
> javax.xml.crypto.URIReferenceException:
> org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot
> resolve element with ID id-132
>
> What is being signed are all WS-Addressing headers and the message body.
> What is weird is that by debugging the code it seems that WSS4J always
> manages to resolve only the "RelatesTo" and the message body, but not any
> of the other WS-Addressing headers.
>
> I have set a breakpoint in the class
> org.apache.wss4j.dom.processor.SignatureProcessor:372:
>
> Code:
>
>     // Test for replay attacks
>     testMessageReplay(elem, xmlSignature.getSignatureValue().getValue(), key, data, wsDocInfo);
>
>     setElementsOnContext(xmlSignature, (DOMValidateContext)context, data, wsDocInfo);
>     boolean signatureOk = xmlSignature.validate(context);
>     if (signatureOk) {
>         return xmlSignature;
>     }
>
> After calling "setElementsOnContext", the "context" object of type
> "DOMValidateContext" always only contains the "RelatesTo" and "Body"
> elements in the "idMap" HashMap:
>
> Contents of "idMap" in DOMValidateContext:
>
> {id-137=[wsa:RelatesTo: null], id-139=[soap:Body: null]}
>
> It's a complete mystery to me why WSS4J is not able to find the other
> referenced elements. All the elements are referenced in the same way, using
> an id:
>
> <ds:Reference URI="#id-133">
>
> I'm using CXF version 3.2.4
> Tomcat 9.0.10
> And I'm calling the web service using SoapUI 5.3.0
>
> Below is a simplified version of the SOAP message.
> Any help on what could be going wrong is greatly appreciated.
>
> <soap:Envelope xmlns:ns="http://blabla.test" xmlns:ns1="http://blabla.xxx"
>     xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
>   <soap:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
>     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>       <wsse:BinarySecurityToken>...</wsse:BinarySecurityToken>
>       <ds:Signature Id="SIG-140" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>             <ec:InclusiveNamespaces PrefixList="wsa ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>           </ds:CanonicalizationMethod>
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>           <ds:Reference URI="#id-132">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>             <ds:DigestValue>igHah0Fsph3yT1AfqBPAQFwZoe21h7Xaw5/XN/EI/TM=</ds:DigestValue>
>           </ds:Reference>
>           <ds:Reference URI="#id-133">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>             <ds:DigestValue>BvwYUy3zLMTN6UHkNhuZG2iLlv8jT/zTuMDXaaj39uk=</ds:DigestValue>
>           </ds:Reference>
>           <ds:Reference URI="#id-134">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>             <ds:DigestValue>ds9Kq8RNZFb8O1Liud1TxxlEm4aMeoLpm3pO10Efw8A=</ds:DigestValue>
>           </ds:Reference>
>           <ds:Reference URI="#id-135">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>             <ds:DigestValue>OQW8p1GB6BlIr5sKp/vRRyZrwMTIK7tbTKU64JxkiM4=</ds:DigestValue>
>           </ds:Reference>
>           <ds:Reference URI="#id-136">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>             <ds:DigestValue>UdwSWsTRFhFH3qgeCESL1RPy+5B/RpWkZXzHANiBBeA=</ds:DigestValue>
>           </ds:Reference>
>           <ds:Reference URI="#id-137">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>             <ds:DigestValue>QQgyhzpWNnFn97J2NpJcYAeoDtgFxVeHtCsgbu4UiZg=</ds:DigestValue>
>           </ds:Reference>
>           <ds:Reference URI="#id-138">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>             <ds:DigestValue>5xuElno+hnvrP9kEEydeqnOr31CnwwaibbGULWt45oo=</ds:DigestValue>
>           </ds:Reference>
>           <ds:Reference URI="#id-139">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces PrefixList="ns ns1" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>             <ds:DigestValue>LyjD1agKv+vE6BJHvRfQaVMwkUscqFFOhTgeljsdVxA=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>....</ds:SignatureValue>
>         <ds:KeyInfo Id="...">
>           <wsse:SecurityTokenReference wsu:Id="STR-7FFC76A4DC1B36D2C1153484111729556">
>             <wsse:Reference URI="#X509-7FFC76A4DC1B36D2C1153484111729554"
>                 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>       <xenc:EncryptedKey Id="..." xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
>         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>           <wsse:SecurityTokenReference>
>             <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>                 ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">.....</wsse:KeyIdentifier>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>         <xenc:CipherData>
>           <xenc:CipherValue>....</xenc:CipherValue>
>         </xenc:CipherData>
>         <xenc:ReferenceList>
>           <xenc:DataReference URI="#ED-131"/>
>         </xenc:ReferenceList>
>       </xenc:EncryptedKey>
>     </wsse:Security>
>     <wsa:RelatesTo wsu:Id="id-137" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">relatesToBlablaTest</wsa:RelatesTo>
>     <wsa:Action wsu:Id="id-132" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">http://test.action</wsa:Action>
>     <wsa:ReplyTo wsu:Id="id-135" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>       <wsa:Address>https://localhost:8008/ReplyTo</wsa:Address>
>     </wsa:ReplyTo>
>     <wsa:From wsu:Id="id-133" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>       <wsa:Address>https://localhost:8008/From</wsa:Address>
>     </wsa:From>
>     <wsa:FaultTo wsu:Id="id-134" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>       <wsa:Address>https://localhost:8008/FaultTo</wsa:Address>
>     </wsa:FaultTo>
>     <wsa:MessageID wsu:Id="id-136" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">uuid:72fb1403-c8af-4d17-bd80-6a9a594c2980</wsa:MessageID>
>     <wsa:To wsu:Id="id-138" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">https://localhost:8008/to</wsa:To>
>   </soap:Header>
>   <soap:Body wsu:Id="id-139" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>     <xenc:EncryptedData Id="ED-131" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"
>             xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>             xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
>           <wsse:Reference URI="#EK-7FFC76A4DC1B36D2C1153484111728653"/>
>         </wsse:SecurityTokenReference>
>       </ds:KeyInfo>
>       <xenc:CipherData>
>         <xenc:CipherValue>.........</xenc:CipherValue>
>       </xenc:CipherData>
>     </xenc:EncryptedData>
>   </soap:Body>
> </soap:Envelope>

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
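The check Colm asks for, done outside the debugger, as an added example that is not code from WSS4J or from either mail: it parses a constructed, trimmed version of the envelope above and, for every ds:Reference, performs the same wsu:Id lookup below doc.getDocumentElement() that DOMCallbackLookup depends on, reporting each reference as resolved, unresolved, or ambiguous (duplicate Id). The class and method names ReferenceCheck, findById and checkReferences are introduced here; one reference (id-133) is deliberately left without a matching header so the failure case is visible.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
// Added diagnostic (not WSS4J code): resolves each ds:Reference URI the way DOMCallbackLookup does,
// by searching for a matching wsu:Id below doc.getDocumentElement(), and reports the outcome.
public class ReferenceCheck {
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    // Constructed, trimmed envelope modelled on the thread's; id-133 is referenced but has no header, so it fails.
    static final String ENVELOPE =
        "<soap:Envelope xmlns:soap='http://www.w3.org/2003/05/soap-envelope' xmlns:wsu='" + WSU + "'>"
        + "<soap:Header xmlns:wsa='http://www.w3.org/2005/08/addressing'>"
        + "<wsse:Security xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'>"
        + "<ds:Signature xmlns:ds='" + DS + "'><ds:SignedInfo>"
        + "<ds:Reference URI='#id-132'/><ds:Reference URI='#id-133'/>"
        + "<ds:Reference URI='#id-137'/><ds:Reference URI='#id-139'/>"
        + "</ds:SignedInfo></ds:Signature></wsse:Security>"
        + "<wsa:RelatesTo wsu:Id='id-137'>relatesToBlablaTest</wsa:RelatesTo>"
        + "<wsa:Action wsu:Id='id-132'>http://test.action</wsa:Action>"
        + "</soap:Header><soap:Body wsu:Id='id-139'/></soap:Envelope>";
    // Depth-first search collecting every element whose wsu:Id (or unqualified Id) equals value.
    static void findById(Element e, String value, List<Element> hits) {
        if (value.equals(e.getAttributeNS(WSU, "Id")) || value.equals(e.getAttribute("Id"))) hits.add(e);
        for (Node c = e.getFirstChild(); c != null; c = c.getNextSibling())
            if (c instanceof Element) findById((Element) c, value, hits);
    }
    // Reference URI -> qualified name of the resolved element, "UNRESOLVED", or "AMBIGUOUS(n)" for duplicate Ids.
    static Map<String, String> checkReferences(Document doc) {
        Map<String, String> result = new LinkedHashMap<>();
        NodeList refs = doc.getElementsByTagNameNS(DS, "Reference");
        for (int i = 0; i < refs.getLength(); i++) {
            String uri = ((Element) refs.item(i)).getAttribute("URI");
            List<Element> hits = new ArrayList<>();
            findById(doc.getDocumentElement(), uri.startsWith("#") ? uri.substring(1) : uri, hits);
            result.put(uri, hits.isEmpty() ? "UNRESOLVED"
                : hits.size() > 1 ? "AMBIGUOUS(" + hits.size() + ")" : hits.get(0).getNodeName());
        }
        return result;
    }
    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // without this getAttributeNS never matches wsu:Id
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD processing
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(ENVELOPE.getBytes(StandardCharsets.UTF_8)));
        checkReferences(doc).forEach((uri, hit) -> System.out.println(uri + " -> " + hit));
    }
}
```

To run it against a real request, replace ENVELOPE with the XML captured at the point where SignatureProcessor runs; a header that shows up as UNRESOLVED there, but is present in the wire message, indicates that it is not under the document element WSS4J is searching at validation time.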