[ https://issues.apache.org/jira/browse/CXF-6310?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14376099#comment-14376099 ]

Colm O hEigeartaigh commented on CXF-6310:
------------------------------------------


Here is a simple unit test (in Apache Santuario) that I adopted using the SOAP 
Body in your request:

=====

package org.apache.xml.security.test.dom.c14n.implementations;

import java.io.ByteArrayInputStream;

import javax.xml.parsers.DocumentBuilder;

import org.apache.xml.security.Init;
import org.apache.xml.security.algorithms.MessageDigestAlgorithm;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.utils.Base64;
import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Document;

/**
 * Canonicalizes the SOAP Body from the reported request with Exclusive C14N
 * and prints the canonical form together with its SHA-1 digest.
 */
public class UnusedNamespacePrefixTest extends org.junit.Assert {
    // The received Body; xmlns:prx is declared on echoRequest but never used.
    public static String input = ""
        + "<soap-env:Body wsu:Id=\"part-Body-21\""
        + " xmlns:soap-env=\"http://schemas.xmlsoap.org/soap/envelope/\""
        + " xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">"
        + "<n1:echoRequest xmlns:n1=\"http://schema.echo.ws.highdeal.com/\""
        + " xmlns:prx=\"urn:sap.com:proxy:EMI:/1SAI/TAS36028FAD870EA3A21C56:740\">String 1</n1:echoRequest>"
        + "</soap-env:Body>"
        ;

    static {
        Init.init();
    }

    @org.junit.Test
    public void testUnusedNamespacePrefix() throws Exception {
        DocumentBuilder documentBuilder = XMLUtils.createDocumentBuilder(true);
        documentBuilder.setErrorHandler(new org.apache.xml.security.utils.IgnoreAllErrorHandler());
        byte inputBytes[] = input.getBytes("UTF-8");
        Document doc = documentBuilder.parse(new ByteArrayInputStream(inputBytes));

        // Exclusive C14N, the Transform the request's SignedInfo names for the Body;
        // the commented-out inclusive algorithm would keep the unused prefix.
        Canonicalizer c14n =
            Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
            // Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS);

        byte[] output = c14n.canonicalizeSubtree(doc.getDocumentElement());
        System.out.println(new String(output, "UTF-8"));

        // Same digest algorithm as the ds:DigestMethod in the request
        MessageDigestAlgorithm mda =
            MessageDigestAlgorithm.getInstance(doc, MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA1);
        String base64codedValue = Base64.encode(mda.digest(output));
        System.out.println("Digest: " + base64codedValue);
    }

}
=====

It outputs:

<soap-env:Body xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="part-Body-21"><n1:echoRequest xmlns:n1="http://schema.echo.ws.highdeal.com/">String 1</n1:echoRequest></soap-env:Body>
Digest: y4TKcp+2RCjVy/+c8j+NJERECDw=

Note that the unused prefix is gone + that this is the same digest that the 
signature validation code is reporting when verifying the SOAP Body.

Colm.

> Signature validation of body request fails but it works fine for other 
> request elements
> ---------------------------------------------------------------------------------------
>
>                 Key: CXF-6310
>                 URL: https://issues.apache.org/jira/browse/CXF-6310
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.7.14
>         Environment: WS server running on Windows x64
> WS client on SAP NetWeaver
>            Reporter: AKROUR
>
> When I connect my client (SAP NW) to WS service (CXF 2.7.14) I get the 
> following fault:
> {noformat}
> <faultcode xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:FailedCheck</faultcode>
> <faultstring>The signature or decryption was invalid</faultstring>
> {noformat}
> The WS service authenticates the user via a SAML Token that must have at 
> least a Signed Timestamp and a Signed Body request.
> When I enable the debug logs, we can see that the signature of the Timestamp 
> element is successfully validated by CXF 2.7.14 but the signature of the Body 
> request fails (see following logs):
> {noformat}
>  ....
>  Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
>  isNodeSet() = true
>  Canonicalized SignedInfo:
>  <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
>  <ds:Reference URI="#part-Body-21"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>KDEnVjgujcy0Y7xa54n3BYDn79s=</ds:DigestValue></ds:Reference>
>  <ds:Reference URI="#ts-FA163ECA11051EE4B3E19DFDCA3B3C3E"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>R249Zrff/b1ddHU58u2cZtD7pOI=</ds:DigestValue></ds:Reference>
>  <ds:Reference URI="#str-FA163ECA11051EE4B3E19DFDCA3B7C3E"><ds:Transforms><ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"><wsse:TransformationParameters xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod></wsse:TransformationParameters></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>2fitoKp3/MKG2MMXzV7rNkkTMes=</ds:DigestValue></ds:Reference></ds:SignedInfo>
>  Data to be signed/verified: [...]
>  URIDereferencer class name: 
> org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer
>  Data class name: org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData
>  Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
>  ApacheData = true
>  Pre-digested input:
>  <soap-env:Body xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="part-Body-21"><n1:echoRequest xmlns:n1="http://schema.echo.ws.highdeal.com/">String 1</n1:echoRequest></soap-env:Body>
>  Expected digest: KDEnVjgujcy0Y7xa54n3BYDn79s=
>  Actual digest: y4TKcp+2RCjVy/+c8j+NJERECDw=
>  Reference[#part-Body-21] is valid: false
>  Couldn't validate the References
>  XML Signature verification has failed
>  Signature Validation check: true
>  Reference #part-Body-21 check: false
>  URIDereferencer class name: 
> org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer
>  Data class name: org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData
>  Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
>  ApacheData = true
>  Pre-digested input:
>  <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="ts-FA163ECA11051EE4B3E19DFDCA3B3C3E"><wsu:Created>2015-03-20T14:25:19Z</wsu:Created><wsu:Expires>2015-03-20T14:26:49Z</wsu:Expires></wsu:Timestamp>
>  Expected digest: R249Zrff/b1ddHU58u2cZtD7pOI=
>  Actual digest: R249Zrff/b1ddHU58u2cZtD7pOI=
>  Reference #ts-FA163ECA11051EE4B3E19DFDCA3B3C3E check: true
>  URIDereferencer class name: 
> org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer
>  Data class name: org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData
>  STR: KeyIdentifier
>  Token reference uri: saml-FA163ECA11051EE4B3E19DFDCA3B1C3E
>  Token reference ValueType: 
> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
>  after c14n: <saml:Assertion 
> xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" 
> AssertionID="saml-FA163ECA11051EE4B3E19DFDCA3B1C3E" 
> IssueInstant="2015-03-20T14:25:19Z" Issuer="10.66.140.170" MajorVersion="1" 
> MinorVersion="1"><saml:Conditions NotBefore="2015-03-20T14:25:19Z" 
> NotOnOrAfter="2015-03-20T14:30:19Z"></saml:Conditions><saml:AuthenticationStatement
>  AuthenticationInstant="2015-03-20T14:25:19Z" 
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml:Subject><saml:NameIdentifier
>  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" 
> NameQualifier="">AKROUR</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>
>  last result: 
>  <saml:Assertion xmlns="" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" 
> AssertionID="saml-FA163ECA11051EE4B3E19DFDCA3B1C3E" 
> IssueInstant="2015-03-20T14:25:19Z" Issuer="10.66.140.170" MajorVersion="1" 
> MinorVersion="1"><saml:Conditions NotBefore="2015-03-20T14:25:19Z" 
> NotOnOrAfter="2015-03-20T14:30:19Z"></saml:Conditions><saml:AuthenticationStatement
>  AuthenticationInstant="2015-03-20T14:25:19Z" 
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml:Subject><saml:NameIdentifier
>  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" 
> NameQualifier="">AKROUR</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>
>  Pre-digested input:
>  <saml:Assertion xmlns="" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" 
> AssertionID="saml-FA163ECA11051EE4B3E19DFDCA3B1C3E" 
> IssueInstant="2015-03-20T14:25:19Z" Issuer="10.66.140.170" MajorVersion="1" 
> MinorVersion="1"><saml:Conditions NotBefore="2015-03-20T14:25:19Z" 
> NotOnOrAfter="2015-03-20T14:30:19Z"></saml:Conditions><saml:AuthenticationStatement
>  AuthenticationInstant="2015-03-20T14:25:19Z" 
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml:Subject><saml:NameIdentifier
>  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" 
> NameQualifier="">AKROUR</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>
>  Expected digest: 2fitoKp3/MKG2MMXzV7rNkkTMes=
>  Actual digest: 2fitoKp3/MKG2MMXzV7rNkkTMes=
>  Reference #str-FA163ECA11051EE4B3E19DFDCA3B7C3E check: true
> org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
>       at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:455)
>       at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:230)
>       at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:402)
> {noformat}
> Note: The request has a namespace
> {noformat}
> xmlns:prx="urn:sap.com:proxy:EMI:/1SAI/TAS36028FAD870EA3A21C56:740"
> {noformat}
> The namespace is removed by the canonicalization of the XML. The received 
> request is:
> {noformat}
> <soap-env:Body wsu:Id="part-Body-21" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><n1:echoRequest xmlns:n1="http://schema.echo.ws.highdeal.com/" xmlns:prx="urn:sap.com:proxy:EMI:/1SAI/TAS36028FAD870EA3A21C56:740">String 1</n1:echoRequest></soap-env:Body>
> {noformat}
> Unfortunately I cannot provide test cases but I can easily reproduce the 
> issue with CXF 2.7.15.
> Do you have any idea of what could happen here?
> Thanks and Best Regards,
> K.
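Colm's test and the reporter's note show the same rule at work: Exclusive C14N, the Transform that the SignedInfo above names for #part-Body-21, renders only namespace declarations that are visibly utilized, so the never-used xmlns:prx disappears, while inclusive C14N renders every in-scope declaration. The Python below is an added example, not code from this thread or from Santuario: a subset implementation of both algorithms (elements, prefixed namespace declarations, attributes and text only; no comments, PIs, default namespace or InclusiveNamespaces PrefixList) run over a constructed Envelope around the reported Body, whose exclusive output is byte-for-byte the form Colm's test prints.

```python
import base64
import hashlib
from xml.dom import minidom

XMLNS = "http://www.w3.org/2000/xmlns/"
ENVELOPE = (  # constructed from the report; xmlns:prx is declared but never used
    '<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap-env:Body wsu:Id="part-Body-21" xmlns:wsu="http://docs.oasis-open.org'
    '/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><n1:echoRequest'
    ' xmlns:n1="http://schema.echo.ws.highdeal.com/" xmlns:prx="urn:sap.com:proxy'
    ':EMI:/1SAI/TAS36028FAD870EA3A21C56:740">String 1</n1:echoRequest>'
    '</soap-env:Body></soap-env:Envelope>')

def _esc(s, attr=False):  # C14N escaping for text content / attribute values
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace("\r", "&#xD;")
    return (s.replace('"', "&quot;").replace("\t", "&#x9;").replace("\n", "&#xA;")
            if attr else s.replace(">", "&gt;"))

def _decls(elem):  # prefixed xmlns:* declarations made on this element
    return {a.localName: a.value for a in elem.attributes.values()
            if a.namespaceURI == XMLNS and a.prefix == "xmlns"}

def _c14n(elem, scope, rendered, exclusive):
    # scope: prefix -> URI in scope at elem; rendered: declarations an output
    # ancestor already emitted (C14N never repeats those).
    scope = {**scope, **_decls(elem)}
    attrs = [a for a in elem.attributes.values() if a.namespaceURI != XMLNS]
    used = {elem.prefix} | {a.prefix for a in attrs}  # visibly utilized prefixes
    # exclusive: render only used prefixes; inclusive: every in-scope prefix
    to_render = {p: u for p, u in scope.items() if not exclusive or p in used}
    decls = sorted((p, u) for p, u in to_render.items() if rendered.get(p) != u)
    ns = "".join(' xmlns:%s="%s"' % (p, _esc(u, True)) for p, u in decls)
    at = "".join(' %s="%s"' % (a.name, _esc(a.value, True)) for a in
                 sorted(attrs, key=lambda a: (a.namespaceURI or "", a.localName)))
    kids = (c for c in elem.childNodes
            if c.nodeType in (c.ELEMENT_NODE, c.TEXT_NODE, c.CDATA_SECTION_NODE))
    body = "".join(_c14n(c, scope, {**rendered, **dict(decls)}, exclusive)
                   if c.nodeType == c.ELEMENT_NODE else _esc(c.data) for c in kids)
    return "<%s%s%s>%s</%s>" % (elem.tagName, ns, at, body, elem.tagName)

def canonicalize(xml_text, local_name, exclusive):
    # Canonical bytes of the first <*:local_name> subtree (cf. canonicalizeSubtree).
    elem = minidom.parseString(xml_text).getElementsByTagNameNS("*", local_name)[0]
    scope, node = {}, elem.parentNode
    while node.nodeType == node.ELEMENT_NODE:  # inherit ancestors' declarations
        scope, node = {**_decls(node), **scope}, node.parentNode
    return _c14n(elem, scope, {}, exclusive).encode("utf-8")

def sha1_b64(data):  # the form ds:DigestValue carries for #sha1
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")
```

Running canonicalize(ENVELOPE, "Body", True) and the same call with False gives two byte strings that differ only in the xmlns:prx declaration, and sha1_b64 of each shows how that one unused declaration alone changes the DigestValue.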



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
