AKROUR created CXF-6310:
---------------------------

             Summary: Signature validation of body request fails but it works fine for other request elements
                 Key: CXF-6310
                 URL: https://issues.apache.org/jira/browse/CXF-6310
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.7.14
         Environment: WS server running on Windows x64
WS client on SAP NetWeaver
            Reporter: AKROUR


When I connect my client (SAP NW) to the WS service (CXF 2.7.14) I get the following fault:
{noformat}
<faultcode xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:FailedCheck</faultcode>
<faultstring>The signature or decryption was invalid</faultstring>
{noformat}
The WS service authenticates the user via a SAML Token that must have at least a Signed Timestamp and a Signed Body request.
When I enable the debug logs, I can see that the signature of the Timestamp element is successfully validated by CXF 2.7.14 but the signature of the Body request fails (see the following logs):
{noformat}
 ....
 Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
 isNodeSet() = true
 Canonicalized SignedInfo:
 <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#part-Body-21"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>KDEnVjgujcy0Y7xa54n3BYDn79s=</ds:DigestValue></ds:Reference><ds:Reference URI="#ts-FA163ECA11051EE4B3E19DFDCA3B3C3E"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>R249Zrff/b1ddHU58u2cZtD7pOI=</ds:DigestValue></ds:Reference><ds:Reference URI="#str-FA163ECA11051EE4B3E19DFDCA3B7C3E"><ds:Transforms><ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"><wsse:TransformationParameters xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod></wsse:TransformationParameters></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>2fitoKp3/MKG2MMXzV7rNkkTMes=</ds:DigestValue></ds:Reference></ds:SignedInfo>
 Data to be 
signed/verified:PGRzOlNpZ25lZEluZm8geG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIj48L2RzOkNhbm9uaWNhbGl6YXRpb25NZXRob2Q+PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSI+PC9kczpTaWduYXR1cmVNZXRob2Q+PGRzOlJlZmVyZW5jZSBVUkk9IiNwYXJ0LUJvZHktMjEiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjwvZHM6VHJhbnNmb3JtPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiPjwvZHM6RGlnZXN0TWV0aG9kPjxkczpEaWdlc3RWYWx1ZT5LREVuVmpndWpjeTBZN3hhNTRuM0JZRG43OXM9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48ZHM6UmVmZXJlbmNlIFVSST0iI3RzLUZBMTYzRUNBMTEwNTFFRTRCM0UxOURGRENBM0IzQzNFIj48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIj48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIj48L2RzOkRpZ2VzdE1ldGhvZD48ZHM6RGlnZXN0VmFsdWU+UjI0OVpyZmYvYjFkZEhVNTh1MmNadEQ3cE9JPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PGRzOlJlZmVyZW5jZSBVUkk9IiNzdHItRkExNjNFQ0ExMTA1MUVFNEIzRTE5REZEQ0EzQjdDM0UiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vZG9jcy5vYXNpcy1vcGVuLm9yZy93c3MvMjAwNC8wMS9vYXNpcy0yMDA0MDEtd3NzLXNvYXAtbWVzc2FnZS1zZWN1cml0eS0xLjAjU1RSLVRyYW5zZm9ybSI+PHdzc2U6VHJhbnNmb3JtYXRpb25QYXJhbWV0ZXJzIHhtbG5zOndzc2U9Imh0dHA6Ly9kb2NzLm9hc2lzLW9wZW4ub3JnL3dzcy8yMDA0LzAxL29hc2lzLTIwMDQwMS13c3Mtd3NzZWN1cml0eS1zZWNleHQtMS4wLnhzZCI+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjwvZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZD48L3dzc2U6VHJhbnNmb3JtYXRpb25QYXJhbWV0ZXJzPjwvZHM6VHJhbnNmb3JtPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiPjwvZHM6RGlnZXN0TWV0aG9kPjxkczpEaWdl
c3RWYWx1ZT4yZml0b0twMy9NS0cyTU1YelY3ck5ra1RNZXM9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8+
 URIDereferencer class name: org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer
 Data class name: org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData
 Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
 ApacheData = true
 Pre-digested input:
 <soap-env:Body xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="part-Body-21"><n1:echoRequest xmlns:n1="http://schema.echo.ws.highdeal.com/">String 1</n1:echoRequest></soap-env:Body>
 Expected digest: KDEnVjgujcy0Y7xa54n3BYDn79s=
 Actual digest: y4TKcp+2RCjVy/+c8j+NJERECDw=
 Reference[#part-Body-21] is valid: false
 Couldn't validate the References
 XML Signature verification has failed
 Signature Validation check: true
 Reference #part-Body-21 check: false
 URIDereferencer class name: org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer
 Data class name: org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData
 Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
 ApacheData = true
 Pre-digested input:
 <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="ts-FA163ECA11051EE4B3E19DFDCA3B3C3E"><wsu:Created>2015-03-20T14:25:19Z</wsu:Created><wsu:Expires>2015-03-20T14:26:49Z</wsu:Expires></wsu:Timestamp>
 Expected digest: R249Zrff/b1ddHU58u2cZtD7pOI=
 Actual digest: R249Zrff/b1ddHU58u2cZtD7pOI=
 Reference #ts-FA163ECA11051EE4B3E19DFDCA3B3C3E check: true
 URIDereferencer class name: org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer
 Data class name: org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData
 STR: KeyIdentifier
 Token reference uri: saml-FA163ECA11051EE4B3E19DFDCA3B1C3E
 Token reference ValueType: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
 after c14n: <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="saml-FA163ECA11051EE4B3E19DFDCA3B1C3E" IssueInstant="2015-03-20T14:25:19Z" Issuer="10.66.140.170" MajorVersion="1" MinorVersion="1"><saml:Conditions NotBefore="2015-03-20T14:25:19Z" NotOnOrAfter="2015-03-20T14:30:19Z"></saml:Conditions><saml:AuthenticationStatement AuthenticationInstant="2015-03-20T14:25:19Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="">AKROUR</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>
 last result: 
 <saml:Assertion xmlns="" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="saml-FA163ECA11051EE4B3E19DFDCA3B1C3E" IssueInstant="2015-03-20T14:25:19Z" Issuer="10.66.140.170" MajorVersion="1" MinorVersion="1"><saml:Conditions NotBefore="2015-03-20T14:25:19Z" NotOnOrAfter="2015-03-20T14:30:19Z"></saml:Conditions><saml:AuthenticationStatement AuthenticationInstant="2015-03-20T14:25:19Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="">AKROUR</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>
 Pre-digested input:
 <saml:Assertion xmlns="" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="saml-FA163ECA11051EE4B3E19DFDCA3B1C3E" IssueInstant="2015-03-20T14:25:19Z" Issuer="10.66.140.170" MajorVersion="1" MinorVersion="1"><saml:Conditions NotBefore="2015-03-20T14:25:19Z" NotOnOrAfter="2015-03-20T14:30:19Z"></saml:Conditions><saml:AuthenticationStatement AuthenticationInstant="2015-03-20T14:25:19Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="">AKROUR</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>
 Expected digest: 2fitoKp3/MKG2MMXzV7rNkkTMes=
 Actual digest: 2fitoKp3/MKG2MMXzV7rNkkTMes=
 Reference #str-FA163ECA11051EE4B3E19DFDCA3B7C3E check: true

org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
        at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:455)
        at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:230)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:402)
{noformat}

Note: The request has a namespace
{noformat}
xmlns:prx="urn:sap.com:proxy:EMI:/1SAI/TAS36028FAD870EA3A21C56:740"
{noformat}
The namespace is removed by the canonicalization of the XML. The received request is:
{noformat}
<soap-env:Body wsu:Id="part-Body-21" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><n1:echoRequest xmlns:n1="http://schema.echo.ws.highdeal.com/" xmlns:prx="urn:sap.com:proxy:EMI:/1SAI/TAS36028FAD870EA3A21C56:740">String 1</n1:echoRequest></soap-env:Body>
{noformat}

Unfortunately I cannot provide test cases, but I can easily reproduce the issue with CXF 2.7.15.

Do you have any idea of what could be happening here?

Thanks and best regards,
K.
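The report's "Note" above points at the unused xmlns:prx declaration as the difference between what the SAP client signed and what CXF's exclusive-c14n verifier digested. The following added example (not from this issue or from CXF/Santuario code) reproduces that effect on the received Body: it canonicalizes the Body with and without the prx declaration and compares the base64 SHA-1 digests, and then models a signer that kept the declaration in the digested bytes. It assumes Python's stdlib canonicalize() (C14N 2.0), which, like Exclusive C14N 1.0 for this input, drops namespace declarations that are not visibly utilized; the soap-env declaration is added to the Body so it parses on its own.

```python
# Added example: how the unused xmlns:prx declaration affects the Body digest.
# Assumption: C14N 2.0 (xml.etree canonicalize) matches Exclusive C14N 1.0 in
# omitting namespace declarations that are not visibly utilized; it stands in
# for the exc-c14n transform named in the Reference, not for CXF's own code.
import base64
import hashlib
from xml.etree.ElementTree import canonicalize

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
ECHO = "http://schema.echo.ws.highdeal.com/"
PRX = "urn:sap.com:proxy:EMI:/1SAI/TAS36028FAD870EA3A21C56:740"

# Constructed from the "received request" in the report; xmlns:soap-env is
# added here (inherited from the Envelope in the real message) so it parses.
RECEIVED_BODY = (
    f'<soap-env:Body wsu:Id="part-Body-21" xmlns:soap-env="{SOAP}" xmlns:wsu="{WSU}">'
    f'<n1:echoRequest xmlns:n1="{ECHO}" xmlns:prx="{PRX}">String 1</n1:echoRequest>'
    "</soap-env:Body>"
)
# Same Body with the unused prx declaration removed, as the log's
# "Pre-digested input" shows it.
BODY_WITHOUT_PRX = RECEIVED_BODY.replace(f' xmlns:prx="{PRX}"', "")


def canonical(xml: str) -> str:
    """Canonical form the verifier feeds to DigestMethod (C14N 2.0 here)."""
    return canonicalize(xml, with_comments=False)


def b64_sha1(data: bytes) -> str:
    """Base64 SHA-1, the encoding used by the DigestValue elements in the log."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def digest_canonical(xml: str) -> str:
    """Digest a verifier that drops unused declarations would compute."""
    return b64_sha1(canonical(xml).encode("utf-8"))


def digest_with_prx_kept(xml: str) -> str:
    """Digest of the canonical form with xmlns:prx re-inserted on echoRequest,
    modelling a signer that kept the unused declaration in what it digested."""
    kept = canonical(xml).replace(
        f'xmlns:n1="{ECHO}"', f'xmlns:n1="{ECHO}" xmlns:prx="{PRX}"'
    )
    return b64_sha1(kept.encode("utf-8"))


if __name__ == "__main__":
    print("canonical form:", canonical(RECEIVED_BODY))
    print("digest, received body:       ", digest_canonical(RECEIVED_BODY))
    print("digest, prx removed:         ", digest_canonical(BODY_WITHOUT_PRX))
    print("digest, prx kept by signer:  ", digest_with_prx_kept(RECEIVED_BODY))
```

The first two digests are identical, so on the verifier side the prx declaration cannot explain the mismatch by itself; only a signer that digested bytes still containing that declaration (or otherwise non-canonical bytes) produces a different value, which is the comparison to run against the peer's signing output.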



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)