Hi Colm,

thanks for your blazingly fast response.

Thanks to your pointers on where to look, I think I have found the
immediate cause of the problem. getDocumentElement() contains all WS-Addressing
headers, but all the elements except the "RelatesTo" don't contain the "id"
attribute for some reason:
"RelatesTo" attributes: [wsu:Id="id-137", xmlns:wsa="http://www.w3.org/2005/08/addressing", xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"]
"Action" attributes: [xmlns:wsa="http://www.w3.org/2005/08/addressing"]
"From" attributes: [xmlns:wsa="http://www.w3.org/2005/08/addressing"]
etc.

This explains why the elements can not be resolved. This of course begs the
next question, why all the WS-Addressing headers except "RelatesTo" are
gobbling up the "wsu:Id" attribute. The "RelatesTo" is also the only
element that contains the "wsu" namespace as attribute.
Incidentally, the "RelatesTo" header is the only WS-Addressing element I
added to the message manually, because SoapUI wouldn't add it automatically.

I wonder if it's related to this blog post describing a problem with custom
id tags when the id already has a meaning in the schema:
https://blogs.msdn.microsoft.com/shawnfa/2004/04/05/searching-for-custom-id-tags-with-signed-xml/

But I'm not aware of any id attribute in WS-Addressing headers.


On Tue, Aug 21, 2018 at 12:23 PM Colm O hEigeartaigh <cohei...@apache.org>
wrote:

> Hi,
>
> Could you try putting a breakpoint in the DOMCallbackLookup here:
>
>
> https://github.com/apache/wss4j/blob/eb907a956bb604d89bb56e5c960c7b9f6abd4e27/ws-security-dom/src/main/java/org/apache/wss4j/dom/callback/DOMCallbackLookup.java#L96
>
> Firstly check that doc.getDocumentElement() contains all of the
> WS-Addressing headers. Then if it does check to see why
> XMLUtils.findElementById
> doesn't find the correct Element.
>
> Colm.
>
> On Tue, Aug 21, 2018 at 11:01 AM, Elric Morgenstern <elric...@gmail.com>
> wrote:
>
> > Hi guys,
> >
> > first of all, thanks for the great frameworks CXF and WSS4J!
> >
> > I have set up a web service with signature validation that I'm calling
> from
> > SoapUI, and when validating the signatures, WSS4J cannot resolve the
> > <Reference>'d elements in the signatures, with an exception:
> >
> > javax.xml.crypto.dsig.XMLSignatureException:
> > javax.xml.crypto.URIReferenceException:
> > org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot
> > resolve element with ID id-132
> >
> > What is being signed are all WS-Addressing headers and the message body.
> > What is weird is that by debugging the code it seems that WSS4J always
> > manages to resolve only the "RelatesTo" and the message body, but not any
> > of the other WS-Addressing headers.
> >
> > I have set a breakpoint in the class
> > org.apache.wss4j.dom.processor.SignatureProcessor:372:
> > Code:
> >             // Test for replay attacks
> >             testMessageReplay(elem,
> > xmlSignature.getSignatureValue().getValue(), key, data, wsDocInfo);
> >
> >             setElementsOnContext(xmlSignature,
> > (DOMValidateContext)context,
> > data, wsDocInfo);
> >             boolean signatureOk = xmlSignature.validate(context);
> >             if (signatureOk) {
> >                 return xmlSignature;
> >             }
> >
> > After calling "setElementsOnContext", the "context" object of type
> > "DOMValidateContext" always only contains the "RelatesTo" and "Body"
> > elements in the "idMap" HashMap:
> > Contents of "idMap" in DOMValidateContext:
> >
> > {id-137=[wsa:RelatesTo: null], id-139=[soap:Body: null]}
> >
> >
> > It's a complete mystery to me why WSS4J is not able to find the other
> > referenced elements. All the elements are referenced in the same way,
> using
> > an id:
> > <ds:Reference URI="#id-133">
> >
> > I'm using CXF version 3.2.4
> > Tomcat 9.0.10
> > And I'm calling the web service using Soap UI 5.3.0
> >
> > Below is a simplified version of the Soap message.
> > Any help on what could be going wrong is greatly appreciated.
> >
> > <soap:Envelope xmlns:ns="http://blabla.test" xmlns:ns1="http://blabla.xxx"
> >                xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
> >    <soap:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
> >       <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >                      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> >          <wsse:BinarySecurityToken>...</wsse:BinarySecurityToken>
> >          <ds:Signature Id="SIG-140" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >             <ds:SignedInfo>
> >                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> >                   <ec:InclusiveNamespaces PrefixList="wsa ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >                </ds:CanonicalizationMethod>
> >                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> >                <ds:Reference URI="#id-132">
> >                   <ds:Transforms>
> >                      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> >                         <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >                      </ds:Transform>
> >                   </ds:Transforms>
> >                   <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
> >                   <ds:DigestValue>igHah0Fsph3yT1AfqBPAQFwZoe21h7Xaw5/XN/EI/TM=</ds:DigestValue>
> >                </ds:Reference>
> >                <ds:Reference URI="#id-133">
> >                   <ds:Transforms>
> >                      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> >                         <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >                      </ds:Transform>
> >                   </ds:Transforms>
> >                   <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
> >                   <ds:DigestValue>BvwYUy3zLMTN6UHkNhuZG2iLlv8jT/zTuMDXaaj39uk=</ds:DigestValue>
> >                </ds:Reference>
> >                <ds:Reference URI="#id-134">
> >                   <ds:Transforms>
> >                      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> >                         <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >                      </ds:Transform>
> >                   </ds:Transforms>
> >                   <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
> >                   <ds:DigestValue>ds9Kq8RNZFb8O1Liud1TxxlEm4aMeoLpm3pO10Efw8A=</ds:DigestValue>
> >                </ds:Reference>
> >                <ds:Reference URI="#id-135">
> >                   <ds:Transforms>
> >                      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> >                         <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >                      </ds:Transform>
> >                   </ds:Transforms>
> >                   <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
> >                   <ds:DigestValue>OQW8p1GB6BlIr5sKp/vRRyZrwMTIK7tbTKU64JxkiM4=</ds:DigestValue>
> >                </ds:Reference>
> >                <ds:Reference URI="#id-136">
> >                   <ds:Transforms>
> >                      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> >                         <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >                      </ds:Transform>
> >                   </ds:Transforms>
> >                   <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
> >                   <ds:DigestValue>UdwSWsTRFhFH3qgeCESL1RPy+5B/RpWkZXzHANiBBeA=</ds:DigestValue>
> >                </ds:Reference>
> >                <ds:Reference URI="#id-137">
> >                   <ds:Transforms>
> >                      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> >                         <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >                      </ds:Transform>
> >                   </ds:Transforms>
> >                   <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
> >                   <ds:DigestValue>QQgyhzpWNnFn97J2NpJcYAeoDtgFxVeHtCsgbu4UiZg=</ds:DigestValue>
> >                </ds:Reference>
> >                <ds:Reference URI="#id-138">
> >                   <ds:Transforms>
> >                      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> >                         <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >                      </ds:Transform>
> >                   </ds:Transforms>
> >                   <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
> >                   <ds:DigestValue>5xuElno+hnvrP9kEEydeqnOr31CnwwaibbGULWt45oo=</ds:DigestValue>
> >                </ds:Reference>
> >                <ds:Reference URI="#id-139">
> >                   <ds:Transforms>
> >                      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> >                         <ec:InclusiveNamespaces PrefixList="ns ns1" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >                      </ds:Transform>
> >                   </ds:Transforms>
> >                   <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
> >                   <ds:DigestValue>LyjD1agKv+vE6BJHvRfQaVMwkUscqFFOhTgeljsdVxA=</ds:DigestValue>
> >                </ds:Reference>
> >             </ds:SignedInfo>
> >             <ds:SignatureValue>....</ds:SignatureValue>
> >             <ds:KeyInfo Id="...">
> >                <wsse:SecurityTokenReference wsu:Id="STR-7FFC76A4DC1B36D2C1153484111729556">
> >                   <wsse:Reference URI="#X509-7FFC76A4DC1B36D2C1153484111729554"
> >                                   ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> >                </wsse:SecurityTokenReference>
> >             </ds:KeyInfo>
> >          </ds:Signature>
> >          <xenc:EncryptedKey Id="..." xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
> >             <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
> >             <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >                <wsse:SecurityTokenReference>
> >                   <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> >                                       ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">.....</wsse:KeyIdentifier>
> >                </wsse:SecurityTokenReference>
> >             </ds:KeyInfo>
> >             <xenc:CipherData>
> >                <xenc:CipherValue>....</xenc:CipherValue>
> >             </xenc:CipherData>
> >             <xenc:ReferenceList>
> >                <xenc:DataReference URI="#ED-131"/>
> >             </xenc:ReferenceList>
> >          </xenc:EncryptedKey>
> >       </wsse:Security>
> >       <wsa:RelatesTo wsu:Id="id-137" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">relatesToBlablaTest</wsa:RelatesTo>
> >       <wsa:Action wsu:Id="id-132" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">http://test.action</wsa:Action>
> >       <wsa:ReplyTo wsu:Id="id-135" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> >          <wsa:Address>https://localhost:8008/ReplyTo</wsa:Address>
> >       </wsa:ReplyTo>
> >       <wsa:From wsu:Id="id-133" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> >          <wsa:Address>https://localhost:8008/From</wsa:Address>
> >       </wsa:From>
> >       <wsa:FaultTo wsu:Id="id-134" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> >          <wsa:Address>https://localhost:8008/FaultTo</wsa:Address>
> >       </wsa:FaultTo>
> >       <wsa:MessageID wsu:Id="id-136" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">uuid:72fb1403-c8af-4d17-bd80-6a9a594c2980</wsa:MessageID>
> >       <wsa:To wsu:Id="id-138" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">https://localhost:8008/to</wsa:To>
> >    </soap:Header>
> >    <soap:Body wsu:Id="id-139" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> >       <xenc:EncryptedData Id="ED-131" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
> >          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
> >          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >             <wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"
> >                                          xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >                                          xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
> >                <wsse:Reference URI="#EK-7FFC76A4DC1B36D2C1153484111728653"/>
> >             </wsse:SecurityTokenReference>
> >          </ds:KeyInfo>
> >          <xenc:CipherData>
> >             <xenc:CipherValue>.........</xenc:CipherValue>
> >          </xenc:CipherData>
> >       </xenc:EncryptedData>
> >    </soap:Body>
> > </soap:Envelope>
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>

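A standalone check for the symptom discussed in this thread, added here as an example and not code from WSS4J, CXF or either poster: it parses a constructed, trimmed-down copy of the message (the Action header deliberately lacks its wsu:Id, as observed above), indexes every wsu:Id / Id attribute, and reports which ds:Reference URIs have no matching element, plus any id value used more than once, since validation depends on each reference resolving to exactly one element.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed, trimmed-down message: wsa:Action carries no wsu:Id, so "#id-132" cannot resolve.
SAMPLE = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
  xmlns:wsa="http://www.w3.org/2005/08/addressing"
  xmlns:wsu="{wsu}" xmlns:ds="{ds}">
  <soap:Header>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="#id-132"/>
        <ds:Reference URI="#id-137"/>
        <ds:Reference URI="#id-139"/>
      </ds:SignedInfo>
    </ds:Signature>
    <wsa:RelatesTo wsu:Id="id-137">relatesToTest</wsa:RelatesTo>
    <wsa:Action>http://test.action</wsa:Action>
  </soap:Header>
  <soap:Body wsu:Id="id-139"/>
</soap:Envelope>""".format(wsu=WSU, ds=DS)


def index_ids(root):
    """Map each wsu:Id or plain Id value to the tags carrying it (a list, so duplicates show)."""
    ids = {}
    for el in root.iter():
        for attr in ("{%s}Id" % WSU, "Id"):
            value = el.get(attr)
            if value is not None:
                ids.setdefault(value, []).append(el.tag)
    return ids


def check_references(xml_text):
    """Return (unresolved_uris, duplicate_ids) for every ds:Reference in the document."""
    root = ET.fromstring(xml_text)
    ids = index_ids(root)
    unresolved = []
    for ref in root.iter("{%s}Reference" % DS):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):  # only same-document fragment references are checked
            continue
        if uri[1:] not in ids:
            unresolved.append(uri)
    duplicates = sorted(k for k, v in ids.items() if len(v) > 1)
    return unresolved, duplicates
```

Run `check_references` on the real message (with the `...` placeholders filled) to see the same list of unresolved ids the WSS4J exception reports one at a time.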