[jira] [Commented] (WSS-618) Cannot create signature which includes KeyInfo

Mon, 13 Nov 2017 07:09:26 -0800 

    [ 
https://issues.apache.org/jira/browse/WSS-618?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16249695#comment-16249695
 ] 

Colm O hEigeartaigh commented on WSS-618:
-----------------------------------------

I don't think there is a workaround for this issue, it's not a requirement that 
I've seen before. The keyInfo Element is only added to the Signature after the 
references are checked. Perhaps you could experiment with the WSSecSignature 
code to see if KeyInfo is specified in the signing parts list, and if it is to 
marshal the KeyInfo to a DOM Element before the references are checked.

> Cannot create signature which includes KeyInfo
> ----------------------------------------------
>
>                 Key: WSS-618
>                 URL: https://issues.apache.org/jira/browse/WSS-618
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.2.0
>         Environment: Using 2.2.0 in Apache CXF with WSS4JStaxOutInterceptor.
>            Reporter: J.Cranendonk
>            Assignee: Colm O hEigeartaigh
>
> I am using WSS4j inside CXF, using the WSS4JStaxOutInterceptor, to generate a 
> XML Signature. This signature must include the KeyInfo (customer requires 
> Body and KeyInfo to be signed).
> My configuration includes:
> {noformat}
>         final Map< String, Object > outProps = new HashMap<>();
>         outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
>         // Crypto configuration left out
>         outProps.put(WSHandlerConstants.SIG_ALGO, 
> WSSConstants.NS_XMLDSIG_RSASHA256);
>         outProps.put(WSHandlerConstants.SIG_DIGEST_ALGO, 
> WSSConstants.NS_XENC_SHA256);
>         outProps.put(WSHandlerConstants.SIG_C14N_ALGO, 
> WSSConstants.NS_C14N_EXCL_OMIT_COMMENTS);
>         outProps.put(WSHandlerConstants.SIG_KEY_ID, "IssuerSerial");
>         
>         // Using defaults, same as: 
> "{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body;{Content}{http://www.w3.org/2000/09/xmldsig#}KeyInfo";
>         outProps.put(WSHandlerConstants.SIGNATURE_PARTS, "Body;{}{" + 
> WSSConstants.NS_DSIG + "}KeyInfo");      
>         jaxWsFactory.getOutInterceptors().add(new 
> WSS4JStaxOutInterceptor(outProps));
> {noformat}
> This results in an exception:
> {noformat}
> Caused by: org.apache.xml.security.exceptions.XMLSecurityException: Part to 
> sign not found: {http://www.w3.org/2000/09/xmldsig#}KeyInfo
>       at 
> org.apache.xml.security.stax.impl.processor.output.AbstractSignatureOutputProcessor.verifySignatureParts(AbstractSignatureOutputProcessor.java:155)
>       at 
> org.apache.xml.security.stax.impl.processor.output.AbstractSignatureOutputProcessor.doFinalInternal(AbstractSignatureOutputProcessor.java:86)
>       at 
> org.apache.wss4j.stax.impl.processor.output.WSSSignatureOutputProcessor.processEvent(WSSSignatureOutputProcessor.java:138)
>       at 
> org.apache.xml.security.stax.ext.AbstractOutputProcessor.processNextEvent(AbstractOutputProcessor.java:133)
>       at 
> org.apache.xml.security.stax.impl.OutputProcessorChainImpl.processEvent(OutputProcessorChainImpl.java:212)
>       at 
> org.apache.xml.security.stax.impl.XMLSecurityStreamWriter.chainProcessEvent(XMLSecurityStreamWriter.java:62)
>       ... 67 common frames omitted
> {noformat}
> If I change the SIGNATURE_PARTS to only "Body", things work as expected, and 
> a KeyInfo is included (but ofcourse not signed).
> I assume this is because of the order WSS4J does things, it first 
> creates/checks all the parts to be signed. And only after that creates the 
> KeyInfo structure.
> Debugging I can see that the following steps occur in this order:
> Checking the parts (and also creating the references or so, I think):
> {noformat}
> Thread [main] (Suspended (entry into method verifySignatureParts in 
> AbstractSignatureOutputProcessor))        
>       owns: PhaseInterceptorChain  (id=93)    
>       
> WSSSignatureOutputProcessor(AbstractSignatureOutputProcessor).verifySignatureParts(OutputProcessorChain)
>  line: 137      
>       
> WSSSignatureOutputProcessor(AbstractSignatureOutputProcessor).doFinalInternal(OutputProcessorChain)
>  line: 86    
>       WSSSignatureOutputProcessor.processEvent(XMLSecEvent, 
> OutputProcessorChain) line: 138   
>       
> WSSSignatureOutputProcessor(AbstractOutputProcessor).processNextEvent(XMLSecEvent,
>  OutputProcessorChain) line: 133      
>       OutputProcessorChainImpl.processEvent(XMLSecEvent) line: 212    
>       XMLSecurityStreamWriter.chainProcessEvent(XMLSecEvent) line: 62 
>       XMLSecurityStreamWriter.outputOpenStartElement() line: 83       
>       XMLSecurityStreamWriter.writeStartElement(String, String, String) line: 
> 116     
>       XMLStreamWriterOutput.beginStartTag(int, String) line: 103      
>       XMLStreamWriterOutput(XmlOutputAbstractImpl).beginStartTag(Name) line: 
> 87       
>       ForkXmlOutput.beginStartTag(Name) line: 65      
>       NamespaceContextImpl$Element.startElement(XmlOutput, Object) line: 481  
>       XMLSerializer.endNamespaceDecls(Object) line: 273       
>       XMLSerializer.childAsXsiType(Object, String, JaxBeanInfo, boolean) 
> line: 668    
>       SingleElementNodeProperty<BeanT,ValueT>.serializeBody(BeanT, 
> XMLSerializer, Object) line: 143   
>       ElementBeanInfoImpl$1.serializeBody(JAXBElement, XMLSerializer, Object) 
> line: 145       
>       ElementBeanInfoImpl$1.serializeBody(Object, XMLSerializer, Object) 
> line: 115    
>       ElementBeanInfoImpl.serializeBody(JAXBElement, XMLSerializer) line: 317 
>       ElementBeanInfoImpl.serializeRoot(JAXBElement, XMLSerializer) line: 324 
>       ElementBeanInfoImpl.serializeRoot(Object, XMLSerializer) line: 60       
>       XMLSerializer.childAsRoot(Object) line: 479     
>       MarshallerImpl.write(Object, XmlOutput, Runnable) line: 308     
>       MarshallerImpl.marshal(Object, XMLStreamWriter) line: 163       
>       JAXBEncoderDecoder.writeObject(Marshaller, Object, Object) line: 614    
>       JAXBEncoderDecoder.marshall(Marshaller, Object, MessagePartInfo, 
> Object) line: 243      
>       DataWriterImpl<T>.write(Object, MessagePartInfo, T) line: 232   
>       
> BareOutInterceptor(AbstractOutDatabindingInterceptor).writeParts(Message, 
> Exchange, BindingOperationInfo, MessageContentsList, List<MessagePartInfo>) 
> line: 137 
>       BareOutInterceptor.handleMessage(Message) line: 68      
>       PhaseInterceptorChain.doIntercept(Message) line: 308    
>       ClientImpl.doInvoke(ClientCallback, BindingOperationInfo, Object[], 
> Map<String,Object>, Exchange) line: 516     
> {noformat}
> Creating the KeyInfo structure:
> {noformat}
> Thread [main] (Suspended (entry into method 
> createKeyInfoStructureForSignature in WSSSignatureEndingOutputProcessor)) 
>       owns: PhaseInterceptorChain  (id=93)    
>       
> WSSSignatureEndingOutputProcessor.createKeyInfoStructureForSignature(OutputProcessorChain,
>  OutboundSecurityToken, boolean) line: 91     
>       
> WSSSignatureEndingOutputProcessor(AbstractSignatureEndingOutputProcessor).processHeaderEvent(OutputProcessorChain)
>  line: 216    
>       
> WSSSignatureEndingOutputProcessor.processHeaderEvent(OutputProcessorChain) 
> line: 77     
>       
> WSSSignatureEndingOutputProcessor(AbstractBufferingOutputProcessor).flushBufferAndCallbackAfterHeader(OutputProcessorChain,
>  Deque<XMLSecEvent>) line: 66        
>       
> WSSSignatureEndingOutputProcessor.flushBufferAndCallbackAfterHeader(OutputProcessorChain,
>  Deque<XMLSecEvent>) line: 284 
>       
> WSSSignatureEndingOutputProcessor(AbstractBufferingOutputProcessor).doFinal(OutputProcessorChain)
>  line: 52      
>       OutputProcessorChainImpl.doFinal() line: 220    
>       XMLSecurityStreamWriter.close() line: 190       
>       
> WSS4JStaxOutInterceptor$WSS4JStaxOutInterceptorInternal.handleMessageInternal(Message)
>  line: 336        
>       
> WSS4JStaxOutInterceptor$WSS4JStaxOutInterceptorInternal.handleMessage(Message)
>  line: 322        
>       PhaseInterceptorChain.doIntercept(Message) line: 308    
>       ClientImpl.doInvoke(ClientCallback, BindingOperationInfo, Object[], 
> Map<String,Object>, Exchange) line: 516     
> {noformat}
> I thought mayby this would be a limitation of the Stax way of working 
> (streaming over DOM), but in a quick test the DOM based wss4j implementation 
> also gives a similar exception, not being able to find the part to sign:
> {noformat}
> Caused by: org.apache.wss4j.common.ext.WSSecurityException: Element to 
> encrypt/sign not found: http://www.w3.org/2000/09/xmldsig#, KeyInfo
>       at 
> org.apache.wss4j.dom.message.WSSecSignatureBase.addReferencesToSign(WSSecSignatureBase.java:184)
>       ... 52 common frames omitted
> {noformat}
> Using OPTIONAL_SIGNATURE_PARTS instead of SIGNATURE_PARTS also doesn't solve 
> the issue, in that case the KeyInfo is simply not signed, again both for the 
> DOM as Stax version.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@ws.apache.org
For additional commands, e-mail: dev-h...@ws.apache.org

Reply via email to