This works perfectly, thanks very much!

Cheers,
Jamie

> -----Original Message-----
> From: Kaushalye Kapuruge [mailto:[EMAIL PROTECTED]
> Sent: 01 August 2007 06:30
> To: Apache AXIS C Developers List
> Subject: Re: [Rampart/C] Generating incorrect digests?
>
> Hi Jamie,
> It appears to me that the tcp log and the server log don't tally.
> The tcp-log shows attribute in Timestamp as u:Id whilst the server-log
> shows wsu:Id.
> May be the server expects attribute to be with wsu: prefix.
> Could you please try this...
> 1. Open RAMPART/src/util/rampart_signature.c
> 2. Change line(273) to
> oxs_axiom_add_attribute(env, node_to_sign, RAMPART_WSU,
> RAMPART_WSU_XMLNS,OXS_ATTR_ID, id);
> See that I've changed prefix, from "u:" to "wsu:"
> Let me know if this works with Axis1. If not we might have to dig
> further into the problem :).
> Cheers,
> Kaushalye
>
> Jamie Lyon wrote:
> > Replies inline:
> >
> >>> I've successfully got Rampart/C set up, and have the client signing
> >>> messages, however the digests are failing to verify for all items
> >>> apart from the Body.
> >>>
> >> You mean the digest of the body is verified but not for other parts?
> >>
> >
> > It appears to be that way, yes. At least, the Axis1/Java isn't throwing
> > any verification failed errors for the Body.
> >
> >>> It might also be of interest that even with just <sp:Body/> in the
> >>> SignedParts, the timestamp is still signed, so I can't test to see if
> >>> the message is accepted when only the Body is signed (is there a way
> >>> to turn this off?). There is also the message "No Signed parts
> >>> specified. Using the body." when only the body is specified.
> >>>
> >> The behavior is, if a Timestamp is present Rampart/C signs it as per the
> >> WS-Security Policy Specification(Section 7.2).
> >> So if signing is enabled, and there is a Timestamp, Rampart/C signs it.
> >
> > Okay, this is fine, I would want to sign it eventually anyway, I was
> > just curious as to whether there was a way to disable it for testing
> > purposes.
> >
> >>> An error that might be significant is: "OXS ERROR [x509.c:385 in
> >>> openssl_x509_get_subject_key_identifier] oxs defualt error , The
> >>> extenension index of NID_subject_key_identifier is not valid"
> >>> (spelling mistakes in original error message).
> >>>
> >> Did you get this error in the client side? (Since you are using
> >> Rampart/C client against WSS4J )
> >>
> >
> > Yes, that's from the client with Axis2/C|Rampart/C, it can be seen in
> > the debug.log I included with the last message, just above the first
> > c14n debug output, but it's also printed to the screen when running.
> >
> >> The reference belongs to the Timestamp element, in which the digest
> >> verification fails. But the problem is how the Body signature was
> >> verified? (please confirm this).
> >> Have you tried to use Rampart/C for the verification of a message signed
> >> by WSS4J?
> >> BTW, Rampart/C interop with Rampart/Java, which uses WSS4J. :)
> >>
> >
> > I've attached the Axis logs for messages with and without a timestamp.
> > It appears to me as though the one without the timestamp is being
> > verified correctly, although it then of course returns to me a
> > 'timestamp missing' error.
> >
> > Could the problem be that the c14n transforms are not working correctly?
> > I'm currently trying to get axis/java to output the xml that it is
> > producing a digest on, to make sure that they match.
> >
> > Thanks,
> > Jamie
> >
>
> --
> http://kaushalye.blogspot.com/
> http://wso2.org/

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
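
Added example (not part of the thread and not Rampart/C or WSS4J code): canonical XML keeps namespace prefixes as written, so a Timestamp carrying u:Id digests differently from one carrying wsu:Id even when both prefixes are bound to the same namespace, which is why the prefix mismatch between the two logs matters. The serializer is a simplified exclusive-c14n-style subset (prefixed elements, attributes and text only); the sample Timestamp, the TS-1 id and SHA-1 as the digest algorithm are assumptions.

```python
import base64
import hashlib
from xml.dom import minidom

XMLNS_NS = "http://www.w3.org/2000/xmlns/"
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")

# Constructed sample: the same Timestamp, differing only in the prefix on Id.
TEMPLATE = ('<wsu:Timestamp xmlns:wsu="{ns}" xmlns:u="{ns}" {prefix}:Id="TS-1">'
            '<wsu:Created>2007-08-01T06:30:00Z</wsu:Created></wsu:Timestamp>')
AS_SENT = TEMPLATE.format(ns=WSU_NS, prefix="u")        # prefix in the tcp log
AS_EXPECTED = TEMPLATE.format(ns=WSU_NS, prefix="wsu")  # prefix in the server log


def esc(text, quote=False):
    text = text.replace("&", "&amp;").replace("<", "&lt;")
    return text.replace('"', "&quot;") if quote else text.replace(">", "&gt;")


def c14n(node, rendered=None):
    """Simplified exclusive-c14n-style output: prefixed elements, attributes, text."""
    if node.nodeType == node.TEXT_NODE:
        return esc(node.data)
    rendered = dict(rendered or {})
    attrs = [a for a in node.attributes.values() if a.namespaceURI != XMLNS_NS]
    used = {n.prefix: n.namespaceURI for n in [node, *attrs] if n.prefix}
    out = "<" + node.tagName
    # Declare only prefixes visibly used here; prefixes are never rewritten.
    for prefix in sorted(used):
        if rendered.get(prefix) != used[prefix]:
            out += f' xmlns:{prefix}="{esc(used[prefix], True)}"'
            rendered[prefix] = used[prefix]
    for a in sorted(attrs, key=lambda a: (a.namespaceURI or "", a.localName)):
        out += f' {a.name}="{esc(a.value, True)}"'
    children = "".join(c14n(c, rendered) for c in node.childNodes)
    return f"{out}>{children}</{node.tagName}>"


def canonical(xml):
    return c14n(minidom.parseString(xml).documentElement)


def digest(xml):
    # SHA-1 is an assumption; the thread does not name the digest algorithm.
    return base64.b64encode(hashlib.sha1(canonical(xml).encode()).digest()).decode()


if __name__ == "__main__":
    print(digest(AS_SENT), digest(AS_EXPECTED), sep="\n")
```

Comparing canonical(AS_SENT) with canonical(AS_EXPECTED) shows the exact bytes each digest covers, which is the comparison Jamie describes wanting from the axis/java side.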
