[jira] [Comment Edited] (WSS-588) Server-side signature validation on client fail with only certificate CA is in the client truststore

2016-09-22 Thread Libois Claude (JIRA)

[ 
https://issues.apache.org/jira/browse/WSS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15513627#comment-15513627
 ] 

Libois Claude edited comment on WSS-588 at 9/22/16 3:43 PM:


Thanks for the quick answer!
I deleted my previous comment because I have checked in the specs...
To be honest I didn't do anything special to use the IssuerSerial reference server
side. Do you have any pointer to a wss4j property that would do the trick?
I think it's vital not to set the server certificate, because this certificate
typically lasts one year while the CA lasts at least 5 years. I don't want every
client to have to change their certificate every year!


was (Author: clibois):
Thanks for the quick answer!
However I don't quite understand the need to provide the serial number, as the
complete certificate seems to be provided in the BinarySecurityToken field.

[jira] [Comment Edited] (WSS-588) Server-side signature validation on client fail with only certificate CA is in the client truststore

2016-09-22 Thread Libois Claude (JIRA)

[ 
https://issues.apache.org/jira/browse/WSS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15513627#comment-15513627
 ] 

Libois Claude edited comment on WSS-588 at 9/22/16 3:44 PM:


Thanks for the quick answer!
I deleted my previous comment because I have checked in the specs...
To be honest I didn't do anything special to use the IssuerSerial reference server
side. Do you have any pointer to a wss4j property that would change this
behaviour?
I think it's vital not to set the server certificate, because this certificate
typically lasts one year while the CA lasts at least 5 years. I don't want every
client to have to change their certificate every year!



> Server-side signature validation on client fail with only certificate CA is 
> in the client truststore
> 
>
> Key: WSS-588
> URL: https://issues.apache.org/jira/browse/WSS-588
> Project: WSS4J
>  Issue Type: Bug
>  Components: WSS4J Core
>Affects Versions: 2.0.4
> Environment: Servicemix server using cxf+wss4j for WS-Security purpose
>Reporter: Libois Claude
>Assignee: Colm O hEigeartaigh
>  Labels: easyfix
>
> I have a webservices which is secured by WS-Security+Policy.
> I currently use Signature only for server response.
> However I keep having the same error on client side:
> {code}
> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: The 
> signature or decryption was invalid
>   at 
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
>   at com.sun.proxy.$Proxy34.submit(Unknown Source)
>   at 
> client.OffresEmploiClientUserToken.doCall(OffresEmploiClientUserToken.java:93)
>   at 
> client.OffresEmploiClientUserToken.main(OffresEmploiClientUserToken.java:63)
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>   at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>   at java.lang.reflect.Method.invoke(Method.java:606)
>   at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
> Caused by: org.apache.wss4j.common.ext.WSSecurityException: The signature or 
> decryption was invalid
>   at 
> org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:194)
>   at 
> org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:428)
>   at 
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:278)
>   at 
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:190)
>   at 
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:129)
>   at 
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:112)
>   at 
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>   at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
>   at 
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1645)
>   at 
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1533)
>   at 
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1336)
>   at 
> org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:56)
>   at 
> org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:215)
>   at 
> org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>   at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:652)
>   at 
> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>   at 
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>   at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
>   at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
>   at 

[jira] [Commented] (WSS-588) Server-side signature validation on client fail with only certificate CA is in the client truststore

2016-09-22 Thread Libois Claude (JIRA)

[ 
https://issues.apache.org/jira/browse/WSS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15513627#comment-15513627
 ] 

Libois Claude commented on WSS-588:
---

Thanks for the quick answer!
However I don't quite understand the need to provide the serial number, as the
complete certificate seems to be provided in the BinarySecurityToken field.
Here is the complete SOAP header in case this could help:
{code}
http://schemas.xmlsoap.org/soap/envelope/;>http://www.w3.org/2005/08/addressing;>addresshttp://www.w3.org/2005/08/addressing; 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd;
 
wsu:Id="_a7185c7f-a787-4c30-9f65-6df6bfa674f0">urn:uuid:e5e524c5-cb0e-44b8-8424-e1d4c5821a83http://www.w3.org/2005/08/addressing;>http://www.w3.org/2005/08/addressing/anonymoushttp://www.w3.org/2005/08/addressing; 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd;
 
wsu:Id="_e27b74fd-8883-4aec-928d-79de0c485594">urn:uuid:df816004-5f3a-40a8-a6d9-d24a76169ab7http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd;
 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd;
 soap:mustUnderstand="1">http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary;
 
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1;
 
wsu:Id="X509-f128d321-44e1-4a98-bb36-dd62c99ea1bc">[base64 certificate path elided]2016-09-22T11:11:39.066Z2016-09-22T11:16:39.066Zhttp://www.w3.org/2000/09/xmldsig#; 
Id="SIG-847e0393-6fb7-4d6c-84f1-a4837ee2e652">http://www.w3.org/2001/10/xml-exc-c14n#;>http://www.w3.org/2001/10/xml-exc-c14n#; 
PrefixList="soap"/>http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>http://www.w3.org/2001/10/xml-exc-c14n#;>http://www.w3.org/2001/10/xml-exc-c14n#; PrefixList="wsse 
soap"/>http://www.w3.org/2001/04/xmlenc#sha256"/>LEF5he1V9D2KeqxE2Y0K1JsRbiS5jgiOZeJ53Hu6JEA=http://www.w3.org/2001/10/xml-exc-c14n#;>http://www.w3.org/2001/10/xml-exc-c14n#; 
PrefixList=""/>http://www.w3.org/2001/04/xmlenc#sha256"/>XpTNsgDOzAVM2nmQVb6FEuMg7926qWkoYFsg5WmVYLs=http://www.w3.org/2001/10/xml-exc-c14n#;>http://www.w3.org/2001/10/xml-exc-c14n#; 
PrefixList="soap"/>http://www.w3.org/2001/04/xmlenc#sha256"/>XOQ/ndLAKGBMIcbhH9ZZ/3zLHBZJWBbwyzXN/vFJ/cA=http://www.w3.org/2001/10/xml-exc-c14n#;>http://www.w3.org/2001/10/xml-exc-c14n#; 
PrefixList="soap"/>http://www.w3.org/2001/04/xmlenc#sha256"/>S7+xWrZbeR5D/P2ZiRTVNq0SrbYIJaBG8xoOixa5Aow=http://www.w3.org/2001/10/xml-exc-c14n#;>http://www.w3.org/2001/10/xml-exc-c14n#; 
PrefixList="soap"/>http://www.w3.org/2001/04/xmlenc#sha256"/>Hlix91X5/g8c860b0BSQKZUqxQU6RnxvpNqHSTdmJMI=HJNcNc58V+8215eebdjY/iE3qewmgHy8uOiTokf6nSWxeKsE65JnfK77+bO8/ITnuBzQm4Vqli0WxiGP9x/5xkXxc4jdPsum84z80bXfirqtjyrm1zSwl/6Nlh1F1uHiVXwwVuFWMluPwVIScmY7rXY46RuqqpCAYgp4kqfFKEA=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd;
 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd;
 
wsu:Id="STR-c2b6e796-cba1-4dc4-af4c-4d3f60050b05">1.2.840.113549.1.9.1=#16107465737473736c40666f72656d2e6265,XX12428414237952637822http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd;
 wsu:Id="_47ba1428-0d7a-403d-aeed-e9a70f419345">http://ns.hr-xml.org/2006-02-28;>2016-09-22T13:11:38
{code}
To be honest I didn't do anything special to use the IssuerSerial reference.
Moreover, the issuer DN provided in the certificate should be enough to match
the certificate in my TrustStore.



[jira] [Updated] (WSS-588) Server-side signature validation on client fail with only certificate CA is in the client truststore

2016-09-22 Thread Libois Claude (JIRA)

 [ 
https://issues.apache.org/jira/browse/WSS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Libois Claude updated WSS-588:
--
Description: 
I have a web service which is secured by WS-Security + Policy.
I currently use Signature only for the server response.
However I keep having the same error on the client side:
{code}
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: The signature 
or decryption was invalid
at 
org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
at com.sun.proxy.$Proxy34.submit(Unknown Source)
at 
client.OffresEmploiClientUserToken.doCall(OffresEmploiClientUserToken.java:93)
at 
client.OffresEmploiClientUserToken.main(OffresEmploiClientUserToken.java:63)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: The signature or 
decryption was invalid
at 
org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:194)
at 
org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:428)
at 
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:278)
at 
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:190)
at 
org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:129)
at 
org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:112)
at 
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1645)
at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1533)
at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1336)
at 
org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:56)
at 
org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:215)
at 
org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:652)
at 
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
at 
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
at 
org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:138)
... 8 more
{code}
My client truststore is set so that I only have the signer CA.
*I have noticed that if I set the signer certificate in the client truststore,
it works!*
I did a Wireshark snoop and found this in the response coming from the server:
{code}
1.2.840.113549.1.9.1=#16107465737473736c40666f72656d2e6265,CN=X12428414237952637822
{code}

The problem is that 12428414237952637822 isn't the CA (issuer) serial number
but the signer serial number!
I have dug a little into the code and found something that looks weird to me
in the WSSecSignature class:
{code}
case WSConstants.ISSUER_SERIAL:
String issuer = certs[0].getIssuerX500Principal().getName();
java.math.BigInteger serialNumber = certs[0].getSerialNumber();
{code}
I'm wondering why in the last line we don't take the issuer serial number:
{code}
java.math.BigInteger serialNumber = certs[0].getIssuerX500Principal().getSerialNumber();
{code}

I can't see how this can work, since the client compares the serial number
provided with the serial number of the CA in the Merlin class:
{code}
if (x509cert.getSerialNumber().compareTo(serialNumber) == 0)
{code}
Hope I was clear enough.
I have checked the latest version of WSSecSignature and I still see the
same line...
Best Regards,
Claude


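As an added example (not WSS4J's code), the Go program below models the reference and the lookup the report quotes: an X509IssuerSerial pairs the signer certificate's issuer DN with that same certificate's own serial number, so a truststore holding only the CA cannot resolve it, while the certificate carried in the BinarySecurityToken can, and chain validation against the CA is a separate step that is what lets the truststore hold only the long-lived CA. The CA, the keys and the "service-signer" name are constructed; only the serial number 12428414237952637822 is taken from the report, and since an X500Principal carries no serial number, the report's proposed variant is modelled as issuer DN plus the CA certificate's serial.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IssuerSerialRef is what <ds:X509IssuerSerial> carries: the signer certificate's
// issuer DN plus that same certificate's own serial number (unique per issuer).
type IssuerSerialRef struct {
	IssuerName string
	Serial     *big.Int
}

// SpecRef mirrors the WSSecSignature lines quoted in the report:
// certs[0].getIssuerX500Principal().getName() and certs[0].getSerialNumber().
func SpecRef(signer *x509.Certificate) IssuerSerialRef {
	return IssuerSerialRef{signer.Issuer.String(), new(big.Int).Set(signer.SerialNumber)}
}

// ProposedRef is the variant the report asks about: issuer DN plus the CA's own
// serial. That pair names the CA certificate itself, not the signer's.
func ProposedRef(signer, ca *x509.Certificate) IssuerSerialRef {
	return IssuerSerialRef{signer.Issuer.String(), new(big.Int).Set(ca.SerialNumber)}
}

// Resolve does what the Merlin comparison quoted in the report does: return the candidate whose issuer DN and serial equal the reference, or nil.
func Resolve(ref IssuerSerialRef, candidates []*x509.Certificate) *x509.Certificate {
	for _, c := range candidates {
		if c.Issuer.String() == ref.IssuerName && c.SerialNumber.Cmp(ref.Serial) == 0 {
			return c
		}
	}
	return nil
}

// VerifyChain is the separate trust decision: the resolved signer certificate must
// chain to a CA in the truststore, so the store can hold only the long-lived CA.
func VerifyChain(signer *x509.Certificate, truststore []*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, c := range truststore {
		roots.AddCert(c)
	}
	_, err := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// makeCert issues a certificate for cn (a self-signed CA when parent is nil); it panics on error because it only builds the constructed test PKI.
func makeCert(cn string, serial *big.Int, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed root CA: it signs itself and may sign others
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Scenario is a constructed test PKI (not the reporter's): one CA and one signer
// certificate it issued, carrying the serial number captured in the report.
type Scenario struct{ CA, Signer *x509.Certificate }

func BuildScenario() *Scenario {
	ca, caKey := makeCert("Test CA", big.NewInt(1), nil, nil)
	serial, _ := new(big.Int).SetString("12428414237952637822", 10)
	signer, _ := makeCert("service-signer", serial, ca, caKey)
	return &Scenario{ca, signer}
}

func main() {
	s := BuildScenario()
	ref := SpecRef(s.Signer)
	fmt.Println("CA-only truststore resolves:", Resolve(ref, []*x509.Certificate{s.CA}) != nil)
	fmt.Println("BST path resolves:", Resolve(ref, []*x509.Certificate{s.Signer, s.CA}) == s.Signer)
	fmt.Println("resolved signer chains to CA:", VerifyChain(s.Signer, []*x509.Certificate{s.CA}) == nil)
}
```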

[jira] [Updated] (WSS-588) Server-side signature validation on client fail with only certificate CA is in the client truststore

2016-09-22 Thread Libois Claude (JIRA)

 [ 
https://issues.apache.org/jira/browse/WSS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Libois Claude updated WSS-588:
--
Summary: Server-side signature validation on client fail with only 
certificate CA is in the client truststore  (was: Server Signature validation 
on client failed while using only CA in the client truststore)


[jira] [Updated] (WSS-588) Server Signature validation on client failed while using only CA in the client truststore

2016-09-22 Thread Libois Claude (JIRA)

 [ 
https://issues.apache.org/jira/browse/WSS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Libois Claude updated WSS-588:
--
Environment: 
Servicemix server using cxf+wss4j for WS-Security purpose


  was:Servicemix server using cxf+wss4j for WS-Security



[jira] [Updated] (WSS-588) Server Signature validation on client failed while using only CA in the client truststore

2016-09-22 Thread Libois Claude (JIRA)

 [ 
https://issues.apache.org/jira/browse/WSS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Libois Claude updated WSS-588:
--
Priority: Major  (was: Blocker)

> 

[jira] [Issue Comment Deleted] (WSS-588) Server Signature validation on client failed while using only CA in the client truststore

2016-09-22 Thread Libois Claude (JIRA)

 [ 
https://issues.apache.org/jira/browse/WSS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Libois Claude updated WSS-588:
--
Comment: was deleted

(was: Couldn't find how to enhance the presentation with bold or code tags, so sorry if the text is a bit raw)

> Server Signature validation on client failed while using only CA in the 
> client truststore
> -
>
> Key: WSS-588
> URL: https://issues.apache.org/jira/browse/WSS-588
> Project: WSS4J
>  Issue Type: Bug
>  Components: WSS4J Core
>Affects Versions: 2.0.4
> Environment: Servicemix server using cxf+wss4j for WS-Security
>Reporter: Libois Claude
>Assignee: Colm O hEigeartaigh
>Priority: Blocker
>  Labels: easyfix
>
> I have a web service which is secured by WS-Security+Policy.
> I currently use Signature only for the server response.
> However, I keep having the same error:
> {code}
> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: The signature or decryption was invalid
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
>     at com.sun.proxy.$Proxy34.submit(Unknown Source)
>     at client.OffresEmploiClientUserToken.doCall(OffresEmploiClientUserToken.java:93)
>     at client.OffresEmploiClientUserToken.main(OffresEmploiClientUserToken.java:63)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
> Caused by: org.apache.wss4j.common.ext.WSSecurityException: The signature or decryption was invalid
>     at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:194)
>     at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:428)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:278)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:190)
>     at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:129)
>     at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:112)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>     at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1645)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1533)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1336)
>     at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:56)
>     at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:215)
>     at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>     at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:652)
>     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
>     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:138)
>     ... 8 more
> {code}
> My client truststore is set so that I only have the signer CA.
> *I have noticed that if I set the signer certificate in the client truststore, it works!*
> I did a Wireshark snoop and found this in the response part:
> {code}
> 1.2.840.113549.1.9.1=#16107465737473736c40666f72656d2e6265,CN=X12428414237952637822
> {code}
> The problem is that 12428414237952637822 isn't the CA serial number but the signer serial number.
> I have dug a little bit into the code and I have found something that looks weird to me in the WSSecSignature class:
> {code}
> case WSConstants.ISSUER_SERIAL:
> String issuer 

[jira] [Updated] (WSS-588) Server Signature validation on client failed while using only CA in the client truststore

2016-09-22 Thread Libois Claude (JIRA)

 [ 
https://issues.apache.org/jira/browse/WSS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Libois Claude updated WSS-588:
--
Description: 
I have a web service which is secured by WS-Security+Policy.
I currently use Signature only for the server response.
However, I keep having the same error:
{code}
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: The signature or decryption was invalid
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
    at com.sun.proxy.$Proxy34.submit(Unknown Source)
    at client.OffresEmploiClientUserToken.doCall(OffresEmploiClientUserToken.java:93)
    at client.OffresEmploiClientUserToken.main(OffresEmploiClientUserToken.java:63)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: The signature or decryption was invalid
    at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:194)
    at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:428)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:278)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:190)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:129)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:112)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
    at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1645)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1533)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1336)
    at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:56)
    at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:215)
    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:652)
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:138)
    ... 8 more
{code}
My client truststore is set so that I only have the signer CA.
*I have noticed that if I set the signer certificate in the client truststore, it works!*
I did a Wireshark snoop and found this in the response part:
{code}
1.2.840.113549.1.9.1=#16107465737473736c40666f72656d2e6265,CN=X12428414237952637822
{code}

The problem is that 12428414237952637822 isn't the CA serial number but the signer serial number.
I have dug a little bit into the code and I have found something that looks weird to me in the WSSecSignature class:
{code}
case WSConstants.ISSUER_SERIAL:
    String issuer = certs[0].getIssuerX500Principal().getName();
    java.math.BigInteger serialNumber = certs[0].getSerialNumber();
{code}
I'm wondering why in the last line we don't take the issuer serial number:
{code}
java.math.BigInteger serialNumber = certs[0].getIssuerX500Principal().getSerialNumber();
{code}

I can't see how this can work since the client compares the serial number provided with the serial number of the CA in the Merlin class:
{code}
if (x509cert.getSerialNumber().compareTo(serialNumber) == 0)
{code}
Hope I was clear enough.
I have checked the latest version of WSSecSignature and I still see the same line...
Best Regards,
Claude


  was:
I have a web service which is secured by WS-Security+Policy.
I currently use Signature only for server response.
However I keep having the same 
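
Added example (not part of the report and not WSS4J code): a small Python script using the `cryptography` package, standing in for WSS4J's Java, that shows what an X509IssuerSerial reference identifies and why a truststore holding only the CA cannot resolve it. It constructs a throwaway CA and a signer certificate (the names, keys and CA serial are made up for this example; the signer serial reuses the value quoted in the report), emits the same (issuer DN, serial) pair that the ISSUER_SERIAL branch quoted above takes from certs[0], and runs a Merlin-style lookup against two truststores. The reference names the signer certificate by its issuer's DN plus the signer's own serial number, so the lookup finds nothing while only the CA is present and succeeds once the signer certificate is there; trust in the CA is established afterwards, by verifying the resolved certificate's signature with the CA key. The names `build_chain`, `issuer_serial_reference`, `resolve_issuer_serial`, `chains_to_ca` and `demo` are this example's own.

```python
"""Resolve a WS-Security X509IssuerSerial reference against a truststore.

Added example (not WSS4J code). All certificates are constructed in-process.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed names and serials (assumptions made for this example).
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Signing CA")])
SIGNER_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ws.example.test")])
CA_SERIAL = 1000
SIGNER_SERIAL = 12428414237952637822  # the serial number quoted in the report


def _build_cert(subject, issuer, public_key, signing_key, serial, is_ca):
    """Issue a certificate for `subject`, signed with the issuer's `signing_key`."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(serial)
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(signing_key, hashes.SHA256())


def build_chain():
    """Return (ca_cert, signer_cert): a self-signed CA and a leaf it issued."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = _build_cert(CA_NAME, CA_NAME, ca_key.public_key(), ca_key, CA_SERIAL, True)
    signer_key = ec.generate_private_key(ec.SECP256R1())
    signer_cert = _build_cert(SIGNER_NAME, CA_NAME, signer_key.public_key(), ca_key,
                              SIGNER_SERIAL, False)
    return ca_cert, signer_cert


def issuer_serial_reference(cert):
    """The pair an X509IssuerSerial reference carries: the certificate's issuer DN and
    the certificate's *own* serial number. This is what the ISSUER_SERIAL branch in
    the report reads from certs[0]; a CA's serial never enters the reference."""
    return cert.issuer.rfc4514_string(), cert.serial_number


def resolve_issuer_serial(truststore, issuer_dn, serial):
    """Merlin-style lookup: scan every stored certificate for one whose issuer DN and
    serial both match. Returns that certificate, or None when the store has no copy."""
    for cert in truststore:
        if cert.issuer.rfc4514_string() == issuer_dn and cert.serial_number == serial:
            return cert
    return None


def chains_to_ca(cert, ca_cert):
    """Trust step after a successful lookup: was the resolved certificate signed by
    the CA we actually trust? (ECDSA here because the constructed keys are EC.)"""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def demo():
    """Run the lookup against a CA-only truststore and one that also holds the signer."""
    ca_cert, signer_cert = build_chain()
    issuer_dn, serial = issuer_serial_reference(signer_cert)
    found_ca_only = resolve_issuer_serial([ca_cert], issuer_dn, serial)
    found_with_signer = resolve_issuer_serial([ca_cert, signer_cert], issuer_dn, serial)
    return {
        "reference_issuer": issuer_dn,
        "reference_serial": serial,
        "ca_serial": ca_cert.serial_number,
        "resolved_with_ca_only": found_ca_only is not None,
        "resolved_with_signer": found_with_signer is signer_cert,
        "chains_to_ca": found_with_signer is not None
        and chains_to_ca(found_with_signer, ca_cert),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to print the outcome of both lookups. The practical consequence for a deployment that wants to trust only the CA: an IssuerSerial key identifier obliges the relying party to hold a copy of every signer certificate it should accept, whereas a reference that carries the certificate itself (WS-Security's direct reference to a BinarySecurityToken) lets the relying party validate the presented certificate up to the CA instead of looking it up.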

[jira] [Updated] (WSS-588) Server Signature validation on client failed while using only CA in the client truststore

2016-09-22 Thread Libois Claude (JIRA)

 [ 
https://issues.apache.org/jira/browse/WSS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Libois Claude updated WSS-588:
--
Description: 
I have a web service which is secured by WS-Security+Policy.
I currently use Signature only for the server response.
However, I keep having the same error:
{code}
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: The signature or decryption was invalid
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
    at com.sun.proxy.$Proxy34.submit(Unknown Source)
    at client.OffresEmploiClientUserToken.doCall(OffresEmploiClientUserToken.java:93)
    at client.OffresEmploiClientUserToken.main(OffresEmploiClientUserToken.java:63)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: The signature or decryption was invalid
    at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:194)
    at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:428)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:278)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:190)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:129)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:112)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
    at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1645)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1533)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1336)
    at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:56)
    at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:215)
    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:652)
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:138)
    ... 8 more
{code}
My client truststore is set so that I only have the signer CA.
*I have noticed that if I set the signer certificate in the truststore, it works!*
I did a Wireshark snoop and found this in the response part:
{code}
1.2.840.113549.1.9.1=#16107465737473736c40666f72656d2e6265,CN=X12428414237952637822
{code}

The problem is that 12428414237952637822 isn't the CA serial number but the signer serial number.
I have dug a little bit into the code and I have found something that looks weird to me in the WSSecSignature class:
{code}
case WSConstants.ISSUER_SERIAL:
    String issuer = certs[0].getIssuerX500Principal().getName();
    java.math.BigInteger serialNumber = certs[0].getSerialNumber();
{code}
I'm wondering why in the last line we don't take the issuer serial number:
{code}
java.math.BigInteger serialNumber = certs[0].getIssuerX500Principal().getSerialNumber();
{code}

I can't see how this can work since the client compares the serial number provided with the serial number of the CA in the Merlin class:
{code}
if (x509cert.getSerialNumber().compareTo(serialNumber) == 0)
{code}
Hope I was clear enough.
I have checked the latest version of WSSecSignature and I still see the same line...
Best Regards,
Claude


  was:
I have a web service which is secured by WS-Security+Policy.
I currently use Signature only for server response.
However I keep having the same error:

[jira] [Updated] (WSS-588) Server Signature validation on client failed while using only CA in the client truststore

2016-09-22 Thread Libois Claude (JIRA)

 [ 
https://issues.apache.org/jira/browse/WSS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Libois Claude updated WSS-588:
--
Description: 
I have a web service which is secured by WS-Security+Policy.
I currently use Signature only for the server response.
However, I keep having the same error:
{code}
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: The signature or decryption was invalid
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
    at com.sun.proxy.$Proxy34.submit(Unknown Source)
    at client.OffresEmploiClientUserToken.doCall(OffresEmploiClientUserToken.java:93)
    at client.OffresEmploiClientUserToken.main(OffresEmploiClientUserToken.java:63)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: The signature or decryption was invalid
    at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:194)
    at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:428)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:278)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:190)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:129)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:112)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
    at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1645)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1533)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1336)
    at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:56)
    at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:215)
    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:652)
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:138)
    ... 8 more
{code}
My client truststore is set so that I only have the signer CA.
I have noticed that if I set the signer certificate in the truststore, it works!
I did a Wireshark snoop and found this in the response part:
{code}
1.2.840.113549.1.9.1=#16107465737473736c40666f72656d2e6265,CN=X12428414237952637822
{code}
The problem is that 12428414237952637822 isn't the CA serial number but the signer serial number.
I have dug a little bit into the code and I have found something that looks weird to me in the WSSecSignature class:
{code}
case WSConstants.ISSUER_SERIAL:
    String issuer = certs[0].getIssuerX500Principal().getName();
    java.math.BigInteger serialNumber = certs[0].getSerialNumber();
{code}
I'm wondering why in the last line we don't take the issuer serial number:
{code}
java.math.BigInteger serialNumber = certs[0].getIssuerX500Principal().getSerialNumber();
{code}

I can't see how this can work since the client compares the serial number provided with the serial number of the CA in the Merlin class:
{code}
if (x509cert.getSerialNumber().compareTo(serialNumber) == 0)
{code}

Hope I was clear enough.
I have checked the latest version of WSSecSignature and I still see the same line...
Best Regards,
Claude


  was:
I have a web service which is secured by WS-Security+Policy.
I currently use Signature only for server response.
However I keep having the same error:
Exception in thread "main" 

[jira] [Updated] (WSS-588) Server Signature validation on client failed while using only CA in the client truststore

2016-09-22 Thread Libois Claude (JIRA)

 [ 
https://issues.apache.org/jira/browse/WSS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Libois Claude updated WSS-588:
--
Description: 
I have a web service which is secured by WS-Security+Policy.
I currently use Signature only for the server response.
However, I keep having the same error:
{code}
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: The signature or decryption was invalid
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
    at com.sun.proxy.$Proxy34.submit(Unknown Source)
    at client.OffresEmploiClientUserToken.doCall(OffresEmploiClientUserToken.java:93)
    at client.OffresEmploiClientUserToken.main(OffresEmploiClientUserToken.java:63)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: The signature or decryption was invalid
    at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:194)
    at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:428)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:278)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:190)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:129)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:112)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
    at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1645)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1533)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1336)
    at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:56)
    at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:215)
    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:652)
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:138)
    ... 8 more
{code}
My client truststore is set so that I only have the signer CA.
I have noticed that if I set the signer certificate in the truststore, it works!
I did a Wireshark snoop and found this in the response part:
{code}
1.2.840.113549.1.9.1=#16107465737473736c40666f72656d2e6265,CN=X12428414237952637822
{code}

The problem is that 12428414237952637822 isn't the CA serial number but the signer serial number.
I have dug a little bit into the code and I have found something that looks weird to me in the WSSecSignature class:
{code}
case WSConstants.ISSUER_SERIAL:
    String issuer = certs[0].getIssuerX500Principal().getName();
    java.math.BigInteger serialNumber = certs[0].getSerialNumber();
{code}
I'm wondering why in the last line we don't take the issuer serial number:
{code}
java.math.BigInteger serialNumber = certs[0].getIssuerX500Principal().getSerialNumber();
{code}

I can't see how this can work since the client compares the serial number provided with the serial number of the CA in the Merlin class:
{code}
if (x509cert.getSerialNumber().compareTo(serialNumber) == 0)
{code}
Hope I was clear enough.
I have checked the latest version of WSSecSignature and I still see the same line...
Best Regards,
Claude


  was:
I have a web service which is secured by WS-Security+Policy.
I currently use Signature only for server response.
However I keep having the same error:
{code}

[jira] [Commented] (WSS-588) Server Signature validation on client failed while using only CA in the client truststore

2016-09-22 Thread Libois Claude (JIRA)

[ 
https://issues.apache.org/jira/browse/WSS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15513503#comment-15513503
 ] 

Libois Claude commented on WSS-588:
---

Couldn't find how to enhance the presentation with bold or code tags, so sorry if the text is a bit raw

> Server Signature validation on client failed while using only CA in the 
> client truststore
> -
>
> Key: WSS-588
> URL: https://issues.apache.org/jira/browse/WSS-588
> Project: WSS4J
>  Issue Type: Bug
>  Components: WSS4J Core
>Affects Versions: 2.0.4
> Environment: Servicemix server using cxf+wss4j for WS-Security
>Reporter: Libois Claude
>Assignee: Colm O hEigeartaigh
>Priority: Blocker
>  Labels: easyfix
>
> I have a web service which is secured by WS-Security+Policy.
> I currently use Signature only for the server response.
> However, I keep having the same error:
> {code}
> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: The signature or decryption was invalid
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
>     at com.sun.proxy.$Proxy34.submit(Unknown Source)
>     at client.OffresEmploiClientUserToken.doCall(OffresEmploiClientUserToken.java:93)
>     at client.OffresEmploiClientUserToken.main(OffresEmploiClientUserToken.java:63)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
> Caused by: org.apache.wss4j.common.ext.WSSecurityException: The signature or decryption was invalid
>     at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:194)
>     at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:428)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:278)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:190)
>     at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:129)
>     at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:112)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>     at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1645)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1533)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1336)
>     at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:56)
>     at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:215)
>     at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>     at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:652)
>     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
>     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:138)
>     ... 8 more
> {code}
> My client truststore is set so that I only have the signer CA.
> I have noticed that if I set the signer certificate in the truststore, it works!
> I did a Wireshark snoop and found this in the response part:
> {code}
> 1.2.840.113549.1.9.1=#16107465737473736c40666f72656d2e6265,CN=X12428414237952637822
> {code}
> The problem is that 12428414237952637822 isn't the CA serial number but the signer serial number.
> I have dug a little bit into the code and I have found something that looks weird to me in the WSSecSignature class:
> case WSConstants.ISSUER_SERIAL:
> String issuer = 

[jira] [Created] (WSS-588) Server Signature validation on client failed while using only CA in the client truststore

2016-09-22 Thread Libois Claude (JIRA)
Libois Claude created WSS-588:
-

 Summary: Server Signature validation on client failed while using 
only CA in the client truststore
 Key: WSS-588
 URL: https://issues.apache.org/jira/browse/WSS-588
 Project: WSS4J
  Issue Type: Bug
  Components: WSS4J Core
Affects Versions: 2.0.4
 Environment: Servicemix server using cxf+wss4j for WS-Security
Reporter: Libois Claude
Assignee: Colm O hEigeartaigh
Priority: Blocker


I have a web service which is secured by WS-Security+Policy.
I currently use Signature only for the server response.
However, I keep having the same error:
{code}
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: The signature or decryption was invalid
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
    at com.sun.proxy.$Proxy34.submit(Unknown Source)
    at client.OffresEmploiClientUserToken.doCall(OffresEmploiClientUserToken.java:93)
    at client.OffresEmploiClientUserToken.main(OffresEmploiClientUserToken.java:63)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: The signature or decryption was invalid
    at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:194)
    at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:428)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:278)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:190)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:129)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:112)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
    at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1645)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1533)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1336)
    at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:56)
    at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:215)
    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:652)
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:138)
    ... 8 more
{code}

My client truststore is set so that I only have the signer CA.
I have noticed that if I set the signer certificate in the truststore, it works!
I did a Wireshark snoop and found this in the response part:
{code}
1.2.840.113549.1.9.1=#16107465737473736c40666f72656d2e6265,CN=X12428414237952637822
{code}
The problem is that 12428414237952637822 isn't the CA serial number but the signer serial number.
I have dug a little bit into the code and I have found something that looks weird to me in the WSSecSignature class:
{code}
case WSConstants.ISSUER_SERIAL:
    String issuer = certs[0].getIssuerX500Principal().getName();
    java.math.BigInteger serialNumber = certs[0].getSerialNumber();
{code}
I'm wondering why in the last line we don't take the issuer serial number:
{code}
java.math.BigInteger serialNumber = certs[0].getIssuerX500Principal().getSerialNumber();
{code}

I can't see how this can work since the client compares the serial number provided with the serial number of the CA in the Merlin class:
{code}
if (x509cert.getSerialNumber().compareTo(serialNumber) == 0)
{code}

Hope