[
https://issues.apache.org/jira/browse/CXF-8586?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tor Ranfelt updated CXF-8586:
-----------------------------
Description:
I make soap-requests to a system which sometimes will reject my requests due to
"The signature verification failed". When this happens it goes on for a long
while (maybe a whole day), and then suddenly it will work again.
The system is used by many users and each request is made with a different
certificate. - Crypto-provider is set programatically.
Before the issue appeared I was running with CXF 3.3.7 on Java 1.8 (version
1.8.0.282) with the following CXF dependencies:
org.apache.cxf:cxf-rt-frontend-jaxws:3.3.7
org.apache.cxf:cxf-rt-ws-security:3.3.7
org.apache.cxf:cxf-rt-transports-http:3.3.7
org.apache.cxf:cxf-rt-features-logging:3.3.7
When the issue appeared I was running with CXF 3.4.4 on Java 11 (version
11.0.11.0.9) with the following CXF dependencies:
org.apache.cxf:cxf-rt-frontend-jaxws:3.4.4
org.apache.cxf:cxf-rt-ws-security:3.4.4
org.apache.cxf:cxf-rt-transports-http:3.4.4
org.apache.cxf:cxf-rt-features-logging:3.4.4
In order to run CXF on Java 11 I also needed the following dependencies
(because they no longer are part of JRE):
javax.xml.ws:jaxws-api:2.3.1
javax.jws:javax.jws-api:1.1
com.sun.xml.messaging.saaj:saaj-impl:1.5.3
An example of a rejected request and the response informing me of the rejection
(some information has been replaced with "MANUALLY-REMOVED"):
Request:
Address: MANUALLY-REMOVED
HttpMethod: POST
Content-Type: text/xml
ExchangeId: 8a6f38de-b8e4-421c-94e1-f286ff04414f
ServiceName: PersonKontrolOplysningHentService
PortName: PersonKontrolOplysningHentService
PortTypeName: PersonKontrolOplysningHentServicePortType
Headers: {SOAPAction="", Accept=*/*}
Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";>
<soap:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="TS-3642f69d-0b13-4f1d-a370-5bc536bebbed">
<wsu:Created>2021-08-11T09:09:05.094Z</wsu:Created>
<wsu:Expires>2021-08-11T09:14:05.094Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
wsu:Id="X509-9eafd6ed-9e44-49f5-a1b4-ebb94936a3b6">MIIF/TCCBOWgAwIBAgIEXcMovzANBgkqhkiG9w0BAQsFADBAMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MR0wGwYDVQQDDBRUUlVTVDI0MDggT0NFUyBDQSBJVjAeFw0yMDA1MjIwOTM4MTFaFw0yMzA1MjIwOTM0MzFaMHMxCzAJBgNVBAYTAkRLMSowKAYDVQQKDCFCRVJOVCBSQU5GRUxUIEFwUyAvLyBDVlI6MzYwMjY1ODgxODAUBgNVBAMMDUJlcm50IFJhbmZlbHQwIAYDVQQFExlDVlI6MzYwMjY1ODgtUklEOjczODU0NDIyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyGpXep77P74MA5QqE2SsNKIiPpBxGbHtRxQ8ebiCwwr7KBs/aJzedywmkrHbmLFZFMaLZUR4NdVzumxwumchG9IZYrhxMTid0T46/TKCTbSl8UeFoxhaTm/wN5s8HyPCLP1hAX4JkU6ImN3eF42vdc6eAemRGrMAYjazbMqRayHU9X12Pzi0I1IO6ll2jv+ufjJA4PxaM21a+bojiqvG03PDMWw7YC5NaWwSRionjuEpZOexfYST4nv4zIYFMvryESnjAFm6y8Ol+Oo92nBM/BP5CB8wptlp5lChGKpHm4cb4csL4KI7nIBhoaY1eUNNe3AiBsb1xYhJabf1FmTM/QIDAQABo4ICyjCCAsYwDgYDVR0PAQH/BAQDAgP4MIGJBggrBgEFBQcBAQR9MHswNQYIKwYBBQUHMAGGKWh0dHA6Ly9vY3NwLmljYTA0LnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEIGCCsGAQUFBzAChjZodHRwOi8vbS5haWEuaWNhMDQudHJ1c3QyNDA4LmNvbS9vY2VzLWlzc3VpbmcwNC1jYS5jZXIwggFDBgNVHSAEggE6MIIBNjCCATIGCiqBUIEpAQEBAgYwggEiMC8GCCsGAQUFBwIBFiNodHRwOi8vd3d3LnRydXN0MjQwOC5jb20vcmVwb3NpdG9yeTCB7gYIKwYBBQUHAgIwgeEwEBYJVFJVU1QyNDA4MAMCAQEagcxGb3IgYW52ZW5kZWxzZSBhZiBjZXJ0aWZpa2F0ZXQgZ+ZsZGVyIE9DRVMgdmlsa+VyLCBDUFMgb2cgT0NFUyBDUCwgZGVyIGthbiBoZW50ZXMgZnJhIHd3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkuIEJlbeZyaywgYXQgVFJVU1QyNDA4IGVmdGVyIHZpbGvlcmVuZSBoYXIgZXQgYmVncuZuc2V0IGFuc3ZhciBpZnQuIHByb2Zlc3Npb25lbGxlIHBhcnRlci4wgZUGA1UdHwSBjTCBijAuoCygKoYoaHR0cDovL2NybC5pY2EwNC50cnVzdDI0MDguY29tL2ljYTA0LmNybDBYoFagVKRSMFAxCzAJBgNVBAYTAkRLMRIwEAYDVQQKDAlUUlVTVDI0MDgxHTAbBgNVBAMMFFRSVVNUMjQwOCBPQ0VTIENBIElWMQ4wDAYDVQQDDAVDUkw2NzAfBgNVHSMEGDAWgBRcu3ViFjKZqjaguJr7b6cMX/AK1TAdBgNVHQ4EFgQUVyPuwVzHUUgsQorDJVmSoVkuMiYwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEA0GztvM2UnAqaQqaQ0AALzT3R+erwPG3U6mF2jXWhONYKgPS5SLutKuwUOCwutTrH+m8rZzESOezBsTHwsT4EMbFnP/FnwKDNDf4RJodHqJqdFGzml3oafHxcy7aUrNHFLdJVlISqDq7g1UpLpaz08fY4QNHwrcvFUfDvaKBYik3MR0+Rlvh/+bk43hNDRIUSeL37vuQgsv86yXFUK/zs69Z220FCx9CsZM/ITJENosBAoGSjBFk5hcGyaMpk2CI2JcJHA4hFc+u2cnMbpn/itQtc28UvehX4WiITXJK4Y/boPxlh6mpxlQKH0dbJRCOGNeUQSbOxf/DaPEafCGWVsg==</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
Id="SIG-13997ab7-df26-43f3-98e4-7adcc915e0fc">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";>
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#";
PrefixList="soap"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-d0003083-cd39-4c1b-9001-418996754365">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>6yqRKqb6yP0uGTAJ0VyCVigFWxM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>e5fdYtRHcNSG1A92GDXTWbUeYz7mo3CWU07uhBOTgPo+nVThkYHu2zD0FIVwG+nGML8LESr2CTsHupoFlMiH9vCfpW8LiprAufj7S7Ks6Use7VQZ1H57ERzfABmi41eUTejl8c6XD6vUK39KPqbuL8cJ6TWAsO7er4iJG4Ww01+Hd7fyqxFnw7dzN6/WT97NWJToDNt/GMFcaAWsZMMNEfW2M6GEhDgbggeWbPjGx6Fcq2ifaxtJWwX9KH2ENeJmXXvII/vj3YKch0MLRwjR5nckPcRKwzHrJhMh0RnzD/bF24E4w1DuKD99UKRd+p3isJgZVhSKG114TexBcQJUDg==</ds:SignatureValue>
<ds:KeyInfo Id="KI-f2a30b8e-eaaa-4bb9-8294-f46c9d168a90">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
wsu:Id="STR-7f863928-c2a6-485e-a466-d09b6b497082">
<wsse:Reference URI="#X509-9eafd6ed-9e44-49f5-a1b4-ebb94936a3b6"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soap:Header>
<soap:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
wsu:Id="id-d0003083-cd39-4c1b-9001-418996754365">
<ns4:PersonKontrolOplysningHent_I
xmlns="http://rep.oio.dk/skat.dk/basis/kontekst/xml/schemas/2006/09/01/";
xmlns:ns10="http://rep.oio.dk/skat.dk/eindkomst/class/alternativadresse/xml/schemas/20071202/";
xmlns:ns11="http://rep.oio.dk/ebxml/xml/schemas/dkcc/2003/02/13/";
xmlns:ns12="http://rep.oio.dk/cvr.dk/xml/schemas/2005/03/22/";
xmlns:ns13="http://rep.oio.dk/cpr.dk/xml/schemas/core/2002/06/28/";
xmlns:ns14="http://rep.oio.dk/skat.dk/TSE/angivelse/xml/schemas/2006/09/01/";
xmlns:ns15="urn:oio:oib:oekonomiskat:1.1.0"
xmlns:ns16="http://rep.oio.dk/xkom.dk/xml/schemas/2006/09/01/";
xmlns:ns17="http://rep.oio.dk/xkom.dk/xml/schemas/2007/04/15/";
xmlns:ns18="http://rep.oio.dk/xkom.dk/xml/schemas/2007/09/01/";
xmlns:ns19="http://rep.oio.dk/cpr.dk/xml/schemas/core/2005/05/19/";
xmlns:ns2="http://rep.oio.dk/cpr.dk/xml/schemas/core/2005/03/18/";
xmlns:ns3="http://rep.oio.dk/oib/dato.tid.maal/xml.schema/";
xmlns:ns4="urn:oio:skat:personskat:ws:1.0.0"
xmlns:ns5="http://rep.oio.dk/skat.dk/eindkomst/class/adgangformaaltype/xml/schemas/20071202/";
xmlns:ns6="http://rep.oio.dk/skat.dk/motor/class/virksomhed/xml/schemas/20080401/";
xmlns:ns7="http://rep.oio.dk/itst.dk/xml/schemas/2006/01/17/";
xmlns:ns8="urn:oio:skat:personskat:1.0.0"
xmlns:ns9="http://rep.oio.dk/ebxml/xml/schemas/dkcc/2005/05/19/";>
<HovedOplysninger>
<TransaktionIdentifikator>7d68917e-a3a0-4016-adb7-ad67aa28d052</TransaktionIdentifikator>
<TransaktionTid>2021-08-11T11:09:05.083+02:00</TransaktionTid>
</HovedOplysninger>
<ns4:PersonAar>
<ns2:PersonCivilRegistrationIdentifier>MANUALLY-REMOVED</ns2:PersonCivilRegistrationIdentifier>
<ns3:AarIdentifikator>2020</ns3:AarIdentifikator>
</ns4:PersonAar>
</ns4:PersonKontrolOplysningHent_I>
</soap:Body>
</soap:Envelope>
Response:
<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Fault
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/";><faultcode
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/";>soapenv:Server.generalException</faultcode><faultstring>WSDoAllReceiver:
security processing failed; nested exception is:
org.apache.ws.security.WSSecurityException: The signature verification
failed</faultstring><detail><ns1:hostname
xmlns:ns1="http://xml.apache.org/axis/";>SKATVerifikationOCES_sktpcws01app02.csc.dk</ns1:hostname></detail></SOAP-ENV:Fault>
Any thought about what might be the cause?
was:
I make soap-requests to a system which sometimes will reject my requests due to
"The signature verification failed". When this happens it goes on for a long
while (maybe a whole day), and then suddenly it will work again. - The cause is
probably in the other system, but just maybe there is something about CXF 3.4.4
that could cause this.
So between it working and not working the certificates haven't changed, and the
only thing having changed about the body getting signatured is
"<TransaktionTid>2021-08-11T11:09:05.083+02:00</TransaktionTid>" -
"TransaktionTid" means "transaction-time"
Before the issue appeared I was running with CXF 3.3.7 on Java 1.8 (version
1.8.0.282) with the following CXF dependencies:
org.apache.cxf:cxf-rt-frontend-jaxws:3.3.7
org.apache.cxf:cxf-rt-ws-security:3.3.7
org.apache.cxf:cxf-rt-transports-http:3.3.7
org.apache.cxf:cxf-rt-features-logging:3.3.7
When the issue appeared I was running with CXF 3.4.4 on Java 11 (version
11.0.11.0.9) with the following CXF dependencies:
org.apache.cxf:cxf-rt-frontend-jaxws:3.4.4
org.apache.cxf:cxf-rt-ws-security:3.4.4
org.apache.cxf:cxf-rt-transports-http:3.4.4
org.apache.cxf:cxf-rt-features-logging:3.4.4
In order to run CXF on Java 11 I also needed the following dependencies
(because they no longer are part of JRE):
javax.xml.ws:jaxws-api:2.3.1
javax.jws:javax.jws-api:1.1
com.sun.xml.messaging.saaj:saaj-impl:1.5.3
An example of a rejected request and the response informing me of the rejection
(some information has been replaced with "MANUALLY-REMOVED"):
Request:
Address: MANUALLY-REMOVED
HttpMethod: POST
Content-Type: text/xml
ExchangeId: 8a6f38de-b8e4-421c-94e1-f286ff04414f
ServiceName: PersonKontrolOplysningHentService
PortName: PersonKontrolOplysningHentService
PortTypeName: PersonKontrolOplysningHentServicePortType
Headers: \{SOAPAction="", Accept=*/*}
Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";>
<soap:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="TS-3642f69d-0b13-4f1d-a370-5bc536bebbed">
<wsu:Created>2021-08-11T09:09:05.094Z</wsu:Created>
<wsu:Expires>2021-08-11T09:14:05.094Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
wsu:Id="X509-9eafd6ed-9e44-49f5-a1b4-ebb94936a3b6">MIIF/TCCBOWgAwIBAgIEXcMovzANBgkqhkiG9w0BAQsFADBAMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MR0wGwYDVQQDDBRUUlVTVDI0MDggT0NFUyBDQSBJVjAeFw0yMDA1MjIwOTM4MTFaFw0yMzA1MjIwOTM0MzFaMHMxCzAJBgNVBAYTAkRLMSowKAYDVQQKDCFCRVJOVCBSQU5GRUxUIEFwUyAvLyBDVlI6MzYwMjY1ODgxODAUBgNVBAMMDUJlcm50IFJhbmZlbHQwIAYDVQQFExlDVlI6MzYwMjY1ODgtUklEOjczODU0NDIyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyGpXep77P74MA5QqE2SsNKIiPpBxGbHtRxQ8ebiCwwr7KBs/aJzedywmkrHbmLFZFMaLZUR4NdVzumxwumchG9IZYrhxMTid0T46/TKCTbSl8UeFoxhaTm/wN5s8HyPCLP1hAX4JkU6ImN3eF42vdc6eAemRGrMAYjazbMqRayHU9X12Pzi0I1IO6ll2jv+ufjJA4PxaM21a+bojiqvG03PDMWw7YC5NaWwSRionjuEpZOexfYST4nv4zIYFMvryESnjAFm6y8Ol+Oo92nBM/BP5CB8wptlp5lChGKpHm4cb4csL4KI7nIBhoaY1eUNNe3AiBsb1xYhJabf1FmTM/QIDAQABo4ICyjCCAsYwDgYDVR0PAQH/BAQDAgP4MIGJBggrBgEFBQcBAQR9MHswNQYIKwYBBQUHMAGGKWh0dHA6Ly9vY3NwLmljYTA0LnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEIGCCsGAQUFBzAChjZodHRwOi8vbS5haWEuaWNhMDQudHJ1c3QyNDA4LmNvbS9vY2VzLWlzc3VpbmcwNC1jYS5jZXIwggFDBgNVHSAEggE6MIIBNjCCATIGCiqBUIEpAQEBAgYwggEiMC8GCCsGAQUFBwIBFiNodHRwOi8vd3d3LnRydXN0MjQwOC5jb20vcmVwb3NpdG9yeTCB7gYIKwYBBQUHAgIwgeEwEBYJVFJVU1QyNDA4MAMCAQEagcxGb3IgYW52ZW5kZWxzZSBhZiBjZXJ0aWZpa2F0ZXQgZ+ZsZGVyIE9DRVMgdmlsa+VyLCBDUFMgb2cgT0NFUyBDUCwgZGVyIGthbiBoZW50ZXMgZnJhIHd3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkuIEJlbeZyaywgYXQgVFJVU1QyNDA4IGVmdGVyIHZpbGvlcmVuZSBoYXIgZXQgYmVncuZuc2V0IGFuc3ZhciBpZnQuIHByb2Zlc3Npb25lbGxlIHBhcnRlci4wgZUGA1UdHwSBjTCBijAuoCygKoYoaHR0cDovL2NybC5pY2EwNC50cnVzdDI0MDguY29tL2ljYTA0LmNybDBYoFagVKRSMFAxCzAJBgNVBAYTAkRLMRIwEAYDVQQKDAlUUlVTVDI0MDgxHTAbBgNVBAMMFFRSVVNUMjQwOCBPQ0VTIENBIElWMQ4wDAYDVQQDDAVDUkw2NzAfBgNVHSMEGDAWgBRcu3ViFjKZqjaguJr7b6cMX/AK1TAdBgNVHQ4EFgQUVyPuwVzHUUgsQorDJVmSoVkuMiYwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEA0GztvM2UnAqaQqaQ0AALzT3R+erwPG3U6mF2jXWhONYKgPS5SLutKuwUOCwutTrH+m8rZzESOezBsTHwsT4EMbFnP/FnwKDNDf4RJodHqJqdFGzml3oafHxcy7aUrNHFLdJVlISqDq7g1UpLpaz08fY4QNHwrcvFUfDvaKBYik3MR0+Rlvh/+bk43hNDRIUSeL37vuQgsv86yXFUK/zs69Z220FCx9CsZM/ITJENosBAoGSjBFk5hcGyaMpk2CI2JcJHA4hFc+u2cnMbpn/itQtc28UvehX4WiITXJK4Y/boPxlh6mpxlQKH0dbJRCOGNeUQSbOxf/DaPEafCGWVsg==</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
Id="SIG-13997ab7-df26-43f3-98e4-7adcc915e0fc">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";>
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#";
PrefixList="soap"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-d0003083-cd39-4c1b-9001-418996754365">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>6yqRKqb6yP0uGTAJ0VyCVigFWxM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>e5fdYtRHcNSG1A92GDXTWbUeYz7mo3CWU07uhBOTgPo+nVThkYHu2zD0FIVwG+nGML8LESr2CTsHupoFlMiH9vCfpW8LiprAufj7S7Ks6Use7VQZ1H57ERzfABmi41eUTejl8c6XD6vUK39KPqbuL8cJ6TWAsO7er4iJG4Ww01+Hd7fyqxFnw7dzN6/WT97NWJToDNt/GMFcaAWsZMMNEfW2M6GEhDgbggeWbPjGx6Fcq2ifaxtJWwX9KH2ENeJmXXvII/vj3YKch0MLRwjR5nckPcRKwzHrJhMh0RnzD/bF24E4w1DuKD99UKRd+p3isJgZVhSKG114TexBcQJUDg==</ds:SignatureValue>
<ds:KeyInfo Id="KI-f2a30b8e-eaaa-4bb9-8294-f46c9d168a90">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
wsu:Id="STR-7f863928-c2a6-485e-a466-d09b6b497082">
<wsse:Reference URI="#X509-9eafd6ed-9e44-49f5-a1b4-ebb94936a3b6"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soap:Header>
<soap:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
wsu:Id="id-d0003083-cd39-4c1b-9001-418996754365">
<ns4:PersonKontrolOplysningHent_I
xmlns="http://rep.oio.dk/skat.dk/basis/kontekst/xml/schemas/2006/09/01/";
xmlns:ns10="http://rep.oio.dk/skat.dk/eindkomst/class/alternativadresse/xml/schemas/20071202/";
xmlns:ns11="http://rep.oio.dk/ebxml/xml/schemas/dkcc/2003/02/13/";
xmlns:ns12="http://rep.oio.dk/cvr.dk/xml/schemas/2005/03/22/";
xmlns:ns13="http://rep.oio.dk/cpr.dk/xml/schemas/core/2002/06/28/";
xmlns:ns14="http://rep.oio.dk/skat.dk/TSE/angivelse/xml/schemas/2006/09/01/";
xmlns:ns15="urn:oio:oib:oekonomiskat:1.1.0"
xmlns:ns16="http://rep.oio.dk/xkom.dk/xml/schemas/2006/09/01/";
xmlns:ns17="http://rep.oio.dk/xkom.dk/xml/schemas/2007/04/15/";
xmlns:ns18="http://rep.oio.dk/xkom.dk/xml/schemas/2007/09/01/";
xmlns:ns19="http://rep.oio.dk/cpr.dk/xml/schemas/core/2005/05/19/";
xmlns:ns2="http://rep.oio.dk/cpr.dk/xml/schemas/core/2005/03/18/";
xmlns:ns3="http://rep.oio.dk/oib/dato.tid.maal/xml.schema/";
xmlns:ns4="urn:oio:skat:personskat:ws:1.0.0"
xmlns:ns5="http://rep.oio.dk/skat.dk/eindkomst/class/adgangformaaltype/xml/schemas/20071202/";
xmlns:ns6="http://rep.oio.dk/skat.dk/motor/class/virksomhed/xml/schemas/20080401/";
xmlns:ns7="http://rep.oio.dk/itst.dk/xml/schemas/2006/01/17/";
xmlns:ns8="urn:oio:skat:personskat:1.0.0"
xmlns:ns9="http://rep.oio.dk/ebxml/xml/schemas/dkcc/2005/05/19/";>
<HovedOplysninger>
<TransaktionIdentifikator>7d68917e-a3a0-4016-adb7-ad67aa28d052</TransaktionIdentifikator>
<TransaktionTid>2021-08-11T11:09:05.083+02:00</TransaktionTid>
</HovedOplysninger>
<ns4:PersonAar>
<ns2:PersonCivilRegistrationIdentifier>MANUALLY-REMOVED</ns2:PersonCivilRegistrationIdentifier>
<ns3:AarIdentifikator>2020</ns3:AarIdentifikator>
</ns4:PersonAar>
</ns4:PersonKontrolOplysningHent_I>
</soap:Body>
</soap:Envelope>
Response:
<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Fault
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/";><faultcode
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/";>soapenv:Server.generalException</faultcode><faultstring>WSDoAllReceiver:
security processing failed; nested exception is:
org.apache.ws.security.WSSecurityException: The signature verification
failed</faultstring><detail><ns1:hostname
xmlns:ns1="http://xml.apache.org/axis/";>SKATVerifikationOCES_sktpcws01app02.csc.dk</ns1:hostname></detail></SOAP-ENV:Fault>
Any thought about what might be the cause?
> Signatures created with CXF are sometimes rejected by third party system
> ------------------------------------------------------------------------
>
> Key: CXF-8586
> URL: https://issues.apache.org/jira/browse/CXF-8586
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 3.4.4
> Reporter: Tor Ranfelt
> Priority: Critical
>
> I make soap-requests to a system which sometimes will reject my requests due
> to "The signature verification failed". When this happens it goes on for a
> long while (maybe a whole day), and then suddenly it will work again.
> The system is used by many users and each request is made with a different
> certificate. - Crypto-provider is set programatically.
>
> Before the issue appeared I was running with CXF 3.3.7 on Java 1.8 (version
> 1.8.0.282) with the following CXF dependencies:
> org.apache.cxf:cxf-rt-frontend-jaxws:3.3.7
> org.apache.cxf:cxf-rt-ws-security:3.3.7
> org.apache.cxf:cxf-rt-transports-http:3.3.7
> org.apache.cxf:cxf-rt-features-logging:3.3.7
> When the issue appeared I was running with CXF 3.4.4 on Java 11 (version
> 11.0.11.0.9) with the following CXF dependencies:
> org.apache.cxf:cxf-rt-frontend-jaxws:3.4.4
> org.apache.cxf:cxf-rt-ws-security:3.4.4
> org.apache.cxf:cxf-rt-transports-http:3.4.4
> org.apache.cxf:cxf-rt-features-logging:3.4.4
> In order to run CXF on Java 11 I also needed the following dependencies
> (because they no longer are part of JRE):
> javax.xml.ws:jaxws-api:2.3.1
> javax.jws:javax.jws-api:1.1
> com.sun.xml.messaging.saaj:saaj-impl:1.5.3
> An example of a rejected request and the response informing me of the
> rejection (some information has been replaced with "MANUALLY-REMOVED"):
> Request:
> Address: MANUALLY-REMOVED
> HttpMethod: POST
> Content-Type: text/xml
> ExchangeId: 8a6f38de-b8e4-421c-94e1-f286ff04414f
> ServiceName: PersonKontrolOplysningHentService
> PortName: PersonKontrolOplysningHentService
> PortTypeName: PersonKontrolOplysningHentServicePortType
> Headers: {SOAPAction="", Accept=*/*}
> Payload: <soap:Envelope
> xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";>
> <soap:Header>
> <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
> soap:mustUnderstand="1">
> <wsu:Timestamp wsu:Id="TS-3642f69d-0b13-4f1d-a370-5bc536bebbed">
> <wsu:Created>2021-08-11T09:09:05.094Z</wsu:Created>
> <wsu:Expires>2021-08-11T09:14:05.094Z</wsu:Expires>
> </wsu:Timestamp>
> <wsse:BinarySecurityToken
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
>
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
>
> wsu:Id="X509-9eafd6ed-9e44-49f5-a1b4-ebb94936a3b6">MIIF/TCCBOWgAwIBAgIEXcMovzANBgkqhkiG9w0BAQsFADBAMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MR0wGwYDVQQDDBRUUlVTVDI0MDggT0NFUyBDQSBJVjAeFw0yMDA1MjIwOTM4MTFaFw0yMzA1MjIwOTM0MzFaMHMxCzAJBgNVBAYTAkRLMSowKAYDVQQKDCFCRVJOVCBSQU5GRUxUIEFwUyAvLyBDVlI6MzYwMjY1ODgxODAUBgNVBAMMDUJlcm50IFJhbmZlbHQwIAYDVQQFExlDVlI6MzYwMjY1ODgtUklEOjczODU0NDIyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyGpXep77P74MA5QqE2SsNKIiPpBxGbHtRxQ8ebiCwwr7KBs/aJzedywmkrHbmLFZFMaLZUR4NdVzumxwumchG9IZYrhxMTid0T46/TKCTbSl8UeFoxhaTm/wN5s8HyPCLP1hAX4JkU6ImN3eF42vdc6eAemRGrMAYjazbMqRayHU9X12Pzi0I1IO6ll2jv+ufjJA4PxaM21a+bojiqvG03PDMWw7YC5NaWwSRionjuEpZOexfYST4nv4zIYFMvryESnjAFm6y8Ol+Oo92nBM/BP5CB8wptlp5lChGKpHm4cb4csL4KI7nIBhoaY1eUNNe3AiBsb1xYhJabf1FmTM/QIDAQABo4ICyjCCAsYwDgYDVR0PAQH/BAQDAgP4MIGJBggrBgEFBQcBAQR9MHswNQYIKwYBBQUHMAGGKWh0dHA6Ly9vY3NwLmljYTA0LnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEIGCCsGAQUFBzAChjZodHRwOi8vbS5haWEuaWNhMDQudHJ1c3QyNDA4LmNvbS9vY2VzLWlzc3VpbmcwNC1jYS5jZXIwggFDBgNVHSAEggE6MIIBNjCCATIGCiqBUIEpAQEBAgYwggEiMC8GCCsGAQUFBwIBFiNodHRwOi8vd3d3LnRydXN0MjQwOC5jb20vcmVwb3NpdG9yeTCB7gYIKwYBBQUHAgIwgeEwEBYJVFJVU1QyNDA4MAMCAQEagcxGb3IgYW52ZW5kZWxzZSBhZiBjZXJ0aWZpa2F0ZXQgZ+ZsZGVyIE9DRVMgdmlsa+VyLCBDUFMgb2cgT0NFUyBDUCwgZGVyIGthbiBoZW50ZXMgZnJhIHd3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkuIEJlbeZyaywgYXQgVFJVU1QyNDA4IGVmdGVyIHZpbGvlcmVuZSBoYXIgZXQgYmVncuZuc2V0IGFuc3ZhciBpZnQuIHByb2Zlc3Npb25lbGxlIHBhcnRlci4wgZUGA1UdHwSBjTCBijAuoCygKoYoaHR0cDovL2NybC5pY2EwNC50cnVzdDI0MDguY29tL2ljYTA0LmNybDBYoFagVKRSMFAxCzAJBgNVBAYTAkRLMRIwEAYDVQQKDAlUUlVTVDI0MDgxHTAbBgNVBAMMFFRSVVNUMjQwOCBPQ0VTIENBIElWMQ4wDAYDVQQDDAVDUkw2NzAfBgNVHSMEGDAWgBRcu3ViFjKZqjaguJr7b6cMX/AK1TAdBgNVHQ4EFgQUVyPuwVzHUUgsQorDJVmSoVkuMiYwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEA0GztvM2UnAqaQqaQ0AALzT3R+erwPG3U6mF2jXWhONYKgPS5SLutKuwUOCwutTrH+m8rZzESOezBsTHwsT4EMbFnP/FnwKDNDf4RJodHqJqdFGzml3oafHxcy7aUrNHFLdJVlISqDq7g1UpLpaz08fY4QNHwrcvFUfDvaKBYik3MR0+Rlvh/+bk43hNDRIUSeL37vuQgsv86yXFUK/zs69Z220FCx9CsZM/ITJENosBAoGSjBFk5hcGyaMpk2CI2JcJHA4hFc+u2cnMbpn/itQtc28UvehX4WiITXJK4Y/boPxlh6mpxlQKH0dbJRCOGNeUQSbOxf/DaPEafCGWVsg==</wsse:BinarySecurityToken>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
> Id="SIG-13997ab7-df26-43f3-98e4-7adcc915e0fc">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";>
> <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#";
> PrefixList="soap"/>
> </ds:CanonicalizationMethod>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <ds:Reference URI="#id-d0003083-cd39-4c1b-9001-418996754365">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <ds:DigestValue>6yqRKqb6yP0uGTAJ0VyCVigFWxM=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
>
> <ds:SignatureValue>e5fdYtRHcNSG1A92GDXTWbUeYz7mo3CWU07uhBOTgPo+nVThkYHu2zD0FIVwG+nGML8LESr2CTsHupoFlMiH9vCfpW8LiprAufj7S7Ks6Use7VQZ1H57ERzfABmi41eUTejl8c6XD6vUK39KPqbuL8cJ6TWAsO7er4iJG4Ww01+Hd7fyqxFnw7dzN6/WT97NWJToDNt/GMFcaAWsZMMNEfW2M6GEhDgbggeWbPjGx6Fcq2ifaxtJWwX9KH2ENeJmXXvII/vj3YKch0MLRwjR5nckPcRKwzHrJhMh0RnzD/bF24E4w1DuKD99UKRd+p3isJgZVhSKG114TexBcQJUDg==</ds:SignatureValue>
> <ds:KeyInfo Id="KI-f2a30b8e-eaaa-4bb9-8294-f46c9d168a90">
> <wsse:SecurityTokenReference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
> wsu:Id="STR-7f863928-c2a6-485e-a466-d09b6b497082">
> <wsse:Reference URI="#X509-9eafd6ed-9e44-49f5-a1b4-ebb94936a3b6"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> </wsse:Security>
> </soap:Header>
> <soap:Body
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
> wsu:Id="id-d0003083-cd39-4c1b-9001-418996754365">
> <ns4:PersonKontrolOplysningHent_I
> xmlns="http://rep.oio.dk/skat.dk/basis/kontekst/xml/schemas/2006/09/01/";
> xmlns:ns10="http://rep.oio.dk/skat.dk/eindkomst/class/alternativadresse/xml/schemas/20071202/";
> xmlns:ns11="http://rep.oio.dk/ebxml/xml/schemas/dkcc/2003/02/13/";
> xmlns:ns12="http://rep.oio.dk/cvr.dk/xml/schemas/2005/03/22/";
> xmlns:ns13="http://rep.oio.dk/cpr.dk/xml/schemas/core/2002/06/28/";
> xmlns:ns14="http://rep.oio.dk/skat.dk/TSE/angivelse/xml/schemas/2006/09/01/";
> xmlns:ns15="urn:oio:oib:oekonomiskat:1.1.0"
> xmlns:ns16="http://rep.oio.dk/xkom.dk/xml/schemas/2006/09/01/";
> xmlns:ns17="http://rep.oio.dk/xkom.dk/xml/schemas/2007/04/15/";
> xmlns:ns18="http://rep.oio.dk/xkom.dk/xml/schemas/2007/09/01/";
> xmlns:ns19="http://rep.oio.dk/cpr.dk/xml/schemas/core/2005/05/19/";
> xmlns:ns2="http://rep.oio.dk/cpr.dk/xml/schemas/core/2005/03/18/";
> xmlns:ns3="http://rep.oio.dk/oib/dato.tid.maal/xml.schema/";
> xmlns:ns4="urn:oio:skat:personskat:ws:1.0.0"
> xmlns:ns5="http://rep.oio.dk/skat.dk/eindkomst/class/adgangformaaltype/xml/schemas/20071202/";
>
> xmlns:ns6="http://rep.oio.dk/skat.dk/motor/class/virksomhed/xml/schemas/20080401/";
> xmlns:ns7="http://rep.oio.dk/itst.dk/xml/schemas/2006/01/17/";
> xmlns:ns8="urn:oio:skat:personskat:1.0.0"
> xmlns:ns9="http://rep.oio.dk/ebxml/xml/schemas/dkcc/2005/05/19/";>
> <HovedOplysninger>
>
> <TransaktionIdentifikator>7d68917e-a3a0-4016-adb7-ad67aa28d052</TransaktionIdentifikator>
> <TransaktionTid>2021-08-11T11:09:05.083+02:00</TransaktionTid>
> </HovedOplysninger>
> <ns4:PersonAar>
>
> <ns2:PersonCivilRegistrationIdentifier>MANUALLY-REMOVED</ns2:PersonCivilRegistrationIdentifier>
> <ns3:AarIdentifikator>2020</ns3:AarIdentifikator>
> </ns4:PersonAar>
> </ns4:PersonKontrolOplysningHent_I>
> </soap:Body>
> </soap:Envelope>
>
> Response:
> <?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Fault
> xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/";><faultcode
> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/";>soapenv:Server.generalException</faultcode><faultstring>WSDoAllReceiver:
> security processing failed; nested exception is:
> org.apache.ws.security.WSSecurityException: The signature verification
> failed</faultstring><detail><ns1:hostname
> xmlns:ns1="http://xml.apache.org/axis/";>SKATVerifikationOCES_sktpcws01app02.csc.dk</ns1:hostname></detail></SOAP-ENV:Fault>
> Any thought about what might be the cause?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
