Sorry, wss4j can verify all elements but not the final signature value. It
processes all elements in the correct order. I am trying to verify the
username token signature with the
http://www.w3.org/2000/09/xmldsig#hmac-sha1 algorithm. I can verify what
I send to BizTalk but not from BizTalk. In the attachment there is a
sample SOAP message. Can anyone try to verify this?

--
gurkan

Dittmann, Werner wrote:

>Gürkan,
>
>to me it seems a problem of BizTalk and/or the .Net WSE
>implementation. According to the OASIS WSS specification,
>chapter 5:
>
><quote>
>As elements are added to a <wsse:Security> header block, 
>they SHOULD be prepended to the existing elements. As such, 
>the <wsse:Security> header block represents the signing and
>encryption steps the message producer took to create the message. 
>This prepending rule ensures that the receiving application can 
>process sub-elements in the order they appear in the 
><wsse:Security> header block, because there will be no forward 
>dependency among the sub-elements. Note that this specification 
>does not impose any specific order of processing the 
>sub-elements. The receiving application can use whatever order 
>is required.
></quote>
>
>This means, if the receiver sees an encryption sub-element
>before a Signature sub-element it processes encryption first.
>The ordering of elements is the _only_ information about the
>processing sequence. How could the receiver otherwise 
>determine that it should first check Signature, then decrypt?
>
>Maybe you may crosscheck with the MS folks to clarify that?
>Are there known problems with BizTalk / .Net WSE? In general
>we tested interop with .Net WSE.
>
>Regards,
>Werner
>
>
>>-----Original Message-----
>>From: Gürkan Vural [mailto:[EMAIL PROTECTED] 
>>Sent: Friday, 8 July 2005 07:59
>>To: Granqvist, Hans
>>Cc: [email protected]
>>Subject: Re: order of sign and encr in .NET
>>
>>Granqvist, Hans wrote:
>>
>>>>... biztalk outputs 
>>>>DataReference above Signature element and this causes 
>>>>decryption before signature and sign validation fails because 
>>>>decryption changes the value of body element.
>>>
>>>Is it you or biztalk that implies processing order from
>>>the element order?
>>>
>>>Hans
>>
>>Whatever order I send data to Biztalk it processes correctly, because my
>>java client (wss4j) puts the headers of the last operation above the others.
>>However Biztalk always sends DataReference above Signature element and
>>my java client (wss4j) first processes the encrypted body so signature
>>validation fails.
>>
>>--
>>gurkan
>>
>>==========================================================-
>>This e-mail communication is intended for the private use of 
>>the people named above. If you received this message in 
>>error, please immediately notify the sender and delete it 
>>from your system. The Central Bank of The Republic of Turkey 
>>does not accept legal responsibility for the contents of this message.



<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsa:Action wsu:Id="Id-13c9566f-4c71-4160-a5c2-be77515c6149">http://tempuri.org/Deneme_1_BizTalk_Orchestration1_WSE_Inport/Operation_1Response</wsa:Action>
    <wsa:MessageID wsu:Id="Id-4472fd77-175e-4540-a070-4e6f26e38e3c">uuid:eec0cf0e-31b5-45ea-82ad-fd72dc1da3a1</wsa:MessageID>
    <wsa:RelatesTo wsu:Id="Id-6892d36d-d521-42a7-b50d-994c85a07e27">uuid:dec73720-eefb-11d9-b7e1-c6df55a71a3e</wsa:RelatesTo>
    <wsa:To wsu:Id="Id-fc788a7e-3133-4873-99e2-02b83db27304">http://schemas.xmlsoap.org/ws/2004/03/addressing/role/anonymous</wsa:To>
    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="Timestamp-dd0088d2-68bf-4f97-9696-231a13397ee1">
        <wsu:Created>2005-07-07T15:26:57Z</wsu:Created>
        <wsu:Expires>2005-07-07T15:31:57Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:UsernameToken wsu:Id="SecurityToken-197f53a0-e31c-4c30-ae8c-c23c645735f0">
        <wsse:Username>deneme</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">deneme</wsse:Password>
        <wsse:Nonce>9+uBU31EJxjhbX5bbAaIIA==</wsse:Nonce>
        <wsu:Created>2005-07-07T15:26:57Z</wsu:Created>
      </wsse:UsernameToken>
      <wsse:UsernameToken wsu:Id="SecurityToken-d538e545-8331-49b2-9ccf-7d488e2c9bf5">
        <wsse:Username>deneme</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">deneme</wsse:Password>
        <wsse:Nonce>V2PeoHGZbiMv+Jf1vyU/5g==</wsse:Nonce>
        <wsu:Created>2005-07-07T15:26:57Z</wsu:Created>
      </wsse:UsernameToken>
      <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:DataReference URI="#EncryptedContent-c78f3b4f-ce01-47bc-b8a0-aaa61ad945ca"/>
      </xenc:ReferenceList>
      <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:DataReference URI="#EncryptedContent-1a530bfc-2a33-49bf-92a3-c2aab5b98e8f"/>
      </xenc:ReferenceList>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
          <Reference URI="#Id-13c9566f-4c71-4160-a5c2-be77515c6149">
            <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>i8x8I4Y3Sk1XDYw1fn4Ija472os=</DigestValue>
          </Reference>
          <Reference URI="#Id-4472fd77-175e-4540-a070-4e6f26e38e3c">
            <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>PGrPBHmd9RfAn9eSC0LDEPJDLcs=</DigestValue>
          </Reference>
          <Reference URI="#Id-6892d36d-d521-42a7-b50d-994c85a07e27">
            <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>pKETgWYl0epqM1Gwxtp1uBXij4Y=</DigestValue>
          </Reference>
          <Reference URI="#Id-fc788a7e-3133-4873-99e2-02b83db27304">
            <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>m7ZQWwpQP2EPoy/ffliy1T54LZ8=</DigestValue>
          </Reference>
          <Reference URI="#Timestamp-dd0088d2-68bf-4f97-9696-231a13397ee1">
            <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>xFQsWE1LTw4N7YcGsSWEAA9cQ5w=</DigestValue>
          </Reference>
          <Reference URI="#Id-b0375be9-e36a-487b-b930-94b5953c230b">
            <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>cCXDle0jHa1fMKlL3w/HBi9GhIQ=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>ENgG0+fYaRm+IdnpNsFlB9RpFSs=</SignatureValue>
        <KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#SecurityToken-197f53a0-e31c-4c30-ae8c-c23c645735f0" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken"/>
          </wsse:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Id-b0375be9-e36a-487b-b930-94b5953c230b">
    <xenc:EncryptedData Id="EncryptedContent-c78f3b4f-ce01-47bc-b8a0-aaa61ad945ca" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference>
          <wsse:Reference URI="#SecurityToken-197f53a0-e31c-4c30-ae8c-c23c645735f0" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken"/>
        </wsse:SecurityTokenReference>
      </KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>AQF1Ul0cg/rh0qcXV/e8O/V7HPY6btGWHCqv3XLVU4fpFV365Pal6Lwc6H5A+spM1XbKb/6tXO/FfK4iPnxiuBGFCUFFAbHOyx0FZchUxZrKv9jlK8xW/r8piwtCXBDnJfoO9B+PRXOxyjPD8rVxxQGIeC3ss7+XfDuZ+Lso36aEmKM9RaA0drsFOiSF2oxR1aEPbfqNhhUSAKzoc9XXwoHNZKB0WrCYx4c1MqN0BzhJyU/wIXkQxuAO7KXbWno+45Y9XmXMwuMnqpRHKFSl3lpbG+QJETiOJCObGP9vpN44hFgQfT+nqfcYjtdWUd4P7VHrlnv4Lvvbexcn7G1AZiY5XHXEzYr5GEEjrxElRUuTjwB0XqNlj5dySBWnQcO1SP61OsM/2JoZTLLHnvLU/Q6mJtBlM+uN3rCMXreYuGFolu72Ht3G1chQKyzRIRrCJHXcWRK9DPA0YdjCHwa00AK0jdgyF1/kEhq+kOrAgOQ==</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>
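
The processing-order question in this thread, as an added example that is not part of the original mails and is not WSS4J or WSE code: a static check that walks `wsse:Security` in document order and reports every signed element whose content a preceding `ReferenceList` decrypts before its `Signature` is verified. The function name `analyse` and the trimmed `SAMPLE` envelope (short ids, no crypto values, same element order as the attachment) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
WSU_ID = "{%s}Id" % NS["wsu"]
# Constructed skeleton (short ids, no crypto values) in the attachment's element order.
SAMPLE = """<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s"
 xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s" xmlns:xenc="%(xenc)s">
 <soap:Header><wsse:Security>
  <wsu:Timestamp wsu:Id="ts"/><wsse:UsernameToken wsu:Id="tok"/>
  <xenc:ReferenceList><xenc:DataReference URI="#enc-1"/></xenc:ReferenceList>
  <xenc:ReferenceList><xenc:DataReference URI="#enc-2"/></xenc:ReferenceList>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#ts"/>
   <ds:Reference URI="#body"/></ds:SignedInfo></ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="body"><xenc:EncryptedData Id="enc-1"/></soap:Body>
</soap:Envelope>""" % NS

def analyse(envelope_xml):
    """Walk wsse:Security in document order; return (steps, decrypt_before_verify)."""
    root = ET.fromstring(envelope_xml)
    parent = {child: p for p in root.iter() for child in p}
    security = root.find("soap:Header/wsse:Security", NS)
    def ancestors(el):
        while el in parent:
            el = parent[el]
            yield el
    # EncryptedData Id -> wsu:Id of each enclosing element. An Id that only
    # appears after an earlier decryption (enc-2 here) resolves to nothing.
    inside = {enc.get("Id"): [a.get(WSU_ID) for a in ancestors(enc) if a.get(WSU_ID)]
              for enc in root.iter("{%s}EncryptedData" % NS["xenc"])}
    steps, flagged, decrypted_at = [], [], {}
    for pos, child in enumerate(security):
        name = child.tag.rsplit("}", 1)[-1]
        steps.append({"ReferenceList": "decrypt", "Signature": "verify"}.get(name, name))
        if name == "ReferenceList":
            for ref in child.findall("xenc:DataReference", NS):
                for wid in inside.get(ref.get("URI").lstrip("#"), []):
                    decrypted_at.setdefault(wid, pos)
        elif name == "Signature":
            for ref in child.findall("ds:SignedInfo/ds:Reference", NS):
                wid = ref.get("URI").lstrip("#")
                if wid in decrypted_at:  # digest would be taken over decrypted content
                    flagged.append((wid, decrypted_at[wid], pos))
    return steps, flagged
```

A flagged entry `(id, decrypt_position, verify_position)` means in-order processing digests the decrypted content of that element, so verification can only succeed if the sender signed before encrypting.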
