[ https://issues.apache.org/jira/browse/WSS-609?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Harris updated WSS-609:
------------------------------
Description:
I have a SOAP WebService I need to call to get a SAML token. I am using javax.xml.soap.SOAPMessage to construct the message and WSS4J to sign it. The WebService requires that I sign the envelope using Exclusive Canonicalization Omitting Comments (http://www.w3.org/2001/10/xml-exc-c14n#).

This side of things is fine and I've got the message constructed, but when I send it I get the message "An error occurred when verifying security for the message.", which the service provider says is because it can't verify the signature.

The problem, I think, is that it wants Canonicalization done including namespace prefixes. So I have set setAddInclusivePrefixes(true), but the PrefixList is missing some of the namespaces. Is this likely an issue? If not, any ideas what the issue could be?
Here is my code:
{code:java}
// Imports for WSS4J 2.1.x (the reported version); getCrypto() and Utils are the reporter's own helpers
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;

import org.apache.wss4j.common.WSEncryptionPart;
import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.message.WSSecHeader;
import org.apache.wss4j.dom.message.WSSecSignature;
import org.apache.wss4j.dom.message.WSSecTimestamp;
import org.w3c.dom.Document;

static void signSoapMessage(SOAPMessage soapMessage, PrivateKey privateKey,
        String password, byte[] salt, X509Certificate[] certChain) {
    try {
        WSSConfig.init();
        //setSecurityHeader(soapMessage);
        Merlin crypto = getCrypto(privateKey, password, salt, certChain);

        Document unsignedDocument =
            soapMessage.getSOAPPart().getEnvelope().getOwnerDocument();
        WSSecHeader secHeader = new WSSecHeader(unsignedDocument);
        secHeader.insertSecurityHeader();

        // Timestamp with a 600 second lifetime; it is signed below as the first part
        WSSecTimestamp timestamp = new WSSecTimestamp();
        timestamp.setPrecisionInMilliSeconds(false);
        timestamp.setTimeToLive(600);
        timestamp.build(unsignedDocument, secHeader);

        // Setup the signer
        WSSecSignature signer = new WSSecSignature();
        signer.setUserInfo("signingCert", password);
        signer.setSignatureAlgorithm(WSConstants.RSA_SHA1);
        signer.setDigestAlgo(WSConstants.SHA1);
        signer.setSigCanonicalization(WSConstants.C14N_EXCL_OMIT_COMMENTS);
        signer.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
        signer.setAddInclusivePrefixes(true);

        // Parts to sign: the Timestamp and the WS-Addressing To header (wsu:Id="_5002")
        signer.getParts().add(new WSEncryptionPart(timestamp.getId()));
        signer.getParts().add(new WSEncryptionPart("_5002"));

        Logger.getLogger(Logger.GLOBAL_LOGGER_NAME).log(Level.INFO, "Before Signing....");
        signer.build(unsignedDocument, crypto, secHeader);
        Utils.printDocument(unsignedDocument);
        Logger.getLogger(Logger.GLOBAL_LOGGER_NAME).log(Level.INFO, "After Signing....");
    } catch (WSSecurityException | SOAPException ex) {
        Logger.getGlobal().log(Level.SEVERE, null, ex);
    }
}
{code}
This is what I am generating which doesn't work:
{noformat}
<env:Envelope
    xmlns:env="http://www.w3.org/2003/05/soap-envelope"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <env:Header>
    <To xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5002">https://host/service.svc</To>
    <Action xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action>
    <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
      <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
    </ReplyTo>
    <MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:61acc133-863e-4fd5-bc06-55dbae17beed</MessageID>
    <wsse:Security env:mustUnderstand="true">
      <wsse:BinarySecurityToken
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
          wsu:Id="X509-d2431cd8-4b02-4d6d-b802-00e9338f78c8">*** Content Removed ***</wsse:BinarySecurityToken>
      <ds:Signature Id="SIG-68adfb61-c715-4925-9778-9e4b07350ec3">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="env"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#TS-6429ca59-aec2-4639-a37c-0f38e3012ab8">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="wsse env"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>4FOsUd2SzIwL+9Yz8QoYT/dChBg=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_5002">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="env"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>LiNgJUCK0GyrUZ3BpbdlRbVKnfo=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>AY02PPr8QfqgG/HVfsBlCjBrYXkn21SdOT5NYWnHDFYigft0GTPJA1UTUr5s501CPTyc6rr6PLiC/NJI7Sn3kYPeJ860aYYlcCueZ6mBQeTWhC1F3WN6ullh1jCrLVk3y4YyL/aENjyiCJtyIRN4SCBhSsA4wMK9ZXqGMdORxQo=</ds:SignatureValue>
        <ds:KeyInfo Id="KI-3911029c-0313-44d8-8967-ee401575f848">
          <wsse:SecurityTokenReference wsu:Id="STR-811d3ff8-ebb2-4539-96b2-0cf76bb49b5e">
            <wsse:Reference URI="#X509-d2431cd8-4b02-4d6d-b802-00e9338f78c8"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsu:Timestamp wsu:Id="TS-6429ca59-aec2-4639-a37c-0f38e3012ab8">
        <wsu:Created>2017-07-02T22:25:27Z</wsu:Created>
        <wsu:Expires>2017-07-02T22:35:27Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </env:Header>
  <env:Body>
    <RequestSecurityToken xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">*** Content Removed ***</RequestSecurityToken>
  </env:Body>
</env:Envelope>
{noformat}
This is an envelope that works:
{noformat}
<S:Envelope
    xmlns:S="http://www.w3.org/2003/05/soap-envelope"
    xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#">
  <S:Header>
    <To xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5002">https://host/service.svc</To>
    <Action xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action>
    <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
      <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
    </ReplyTo>
    <MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:c3b514af-d630-48aa-861e-77902a4ab16a</MessageID>
    <wsse:Security S:mustUnderstand="true">
      <wsu:Timestamp
          xmlns:ns18="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
          xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
          xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/"
          wsu:Id="_1">
        <wsu:Created>2017-06-29T21:34:33Z</wsu:Created>
        <wsu:Expires>2017-06-29T21:39:33Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:BinarySecurityToken
          xmlns:ns18="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
          xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
          xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/"
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
          wsu:Id="uuid_14d363bc-1193-4710-8729-2674605387d6">***</wsse:BinarySecurityToken>
      <ds:Signature
          xmlns:ns18="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
          xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
          xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/"
          Id="_2">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <exc14n:InclusiveNamespaces PrefixList="wsse S" />
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <ds:Reference URI="#_1">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <exc14n:InclusiveNamespaces PrefixList="wsu wsse S" />
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>nQeNC2NVtR9ChmXfaDKppoVAsu4=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_5002">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <exc14n:InclusiveNamespaces PrefixList="S" />
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>AAvvtxJCqfB68LHnM0xeXCYd4J8=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>SAt3BmSXHU2w6fN5xREtXEHI/tZwp9M3dHFbRmMhgJZPPx4b+jZngndep7XsYuXJ3fNggFH082WVhN0CuqV1DknAMq/dUF7k12dj+z+eAeAwrBS25EflyzLgcTa75ZQn9IFNCfd2X5I9PPOrQoQBQwNf14hV8BThReQn2qa0wrA=</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#uuid_14d363bc-1193-4710-8729-2674605387d6"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </S:Header>
  <S:Body>
    <RequestSecurityToken xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
        xmlns:ns2="http://vanguard.business.gov.au/2009/02"
        xmlns:ns3="http://schemas.microsoft.com/2003/10/Serialization/"></RequestSecurityToken>
  </S:Body>
</S:Envelope>
{noformat}
I notice that the Reference for the "To" element in mine is missing the "wsu" namespace in the PrefixList.
Working:
{noformat}
<exc14n:InclusiveNamespaces PrefixList="wsu wsse S" />
{noformat}
Mine:
{noformat}
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse env"/>
{noformat}
> WS-Security Canonicalization with InclusiveNamespace
> ----------------------------------------------------
>
> Key: WSS-609
> URL: https://issues.apache.org/jira/browse/WSS-609
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 2.1.9
> Environment: Windows, JDK 1.8
> Reporter: Andrew Harris
> Assignee: Colm O hEigeartaigh
>
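As an added example (not code from the report or from WSS4J itself) of what the InclusiveNamespaces PrefixList actually changes in the signed bytes: the class below canonicalizes the To header of a constructed envelope under exclusive C14N with no prefix list, with the "S" list and with the "wsu wsse S" list from the working envelope, then prints the canonical form and its SHA-1 DigestValue. It assumes the Apache Santuario 2.x Canonicalizer API that WSS4J 2.1.x builds on; the class name and the sample envelope are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.xml.security.Init;
import org.apache.xml.security.c14n.Canonicalizer;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/**
 * Hypothetical helper: canonicalizes one signed part with exclusive C14N under
 * different InclusiveNamespaces PrefixLists and digests the result, so you can
 * see exactly which namespace declarations end up inside the DigestValue.
 */
public class ExcC14nPrefixListDemo {

    private static final String WSA_NS = "http://www.w3.org/2005/08/addressing";

    // Constructed sample, not a captured message: the WS-Addressing To header
    // from the report, with the envelope's namespace declarations in scope.
    static final String SAMPLE_ENVELOPE =
        "<S:Envelope xmlns:S=\"http://www.w3.org/2003/05/soap-envelope\""
      + " xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\""
      + " xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">"
      + "<S:Header><To xmlns=\"" + WSA_NS + "\" wsu:Id=\"_5002\">https://host/service.svc</To></S:Header>"
      + "<S:Body/></S:Envelope>";

    /** Exclusive C14N (omitting comments) of one subtree; prefixList is the space-separated PrefixList, or null for none. */
    static byte[] canonicalize(Element part, String prefixList) throws Exception {
        Canonicalizer c14n = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        // Santuario 2.x API (the line WSS4J 2.1.x depends on); Santuario 3.x writes to an OutputStream instead.
        return prefixList == null ? c14n.canonicalizeSubtree(part) : c14n.canonicalizeSubtree(part, prefixList);
    }

    /** Base64(SHA-1(bytes)), i.e. the ds:DigestValue a signer emits for this canonical form. */
    static String digestValue(byte[] canonical) throws Exception {
        return Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-1").digest(canonical));
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Signed SOAP input is untrusted until verified: refuse DTDs and external entities.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        Init.init();
        Document doc = parse(SAMPLE_ENVELOPE);
        Element to = (Element) doc.getElementsByTagNameNS(WSA_NS, "To").item(0);

        // null = no InclusiveNamespaces; "S" and "wsu wsse S" are the lists used in the working envelope
        for (String prefixList : new String[] {null, "S", "wsu wsse S"}) {
            byte[] canonical = canonicalize(to, prefixList);
            System.out.println("PrefixList=" + (prefixList == null ? "<none>" : "\"" + prefixList + "\""));
            System.out.println(new String(canonical, StandardCharsets.UTF_8));
            System.out.println("DigestValue: " + digestValue(canonical) + System.lineSeparator());
        }
    }
}
```

Under every list the canonical To carries xmlns:wsu, because wsu:Id visibly utilizes that prefix; xmlns:S and xmlns:wsse appear only when listed, and each variant produces a different DigestValue, so signer and verifier must apply the same PrefixList for a Reference to validate.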
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)