Re: Validation failing due to empty namespace in tag
Thank you Colm – another engineer actually found the culprit today. It was a bug with xmlsec (https://issues.apache.org/jira/browse/SANTUARIO-412), and after we upgraded the version of the library, it now works! -Al From: Colm O hEigeartaigh <cohei...@apache.org> Reply-To: "users@ws.apache.org" <users@ws.apache.org>, "cohei...@apache.org" <cohei...@apache.org> Date: Monday, March 5, 2018 at 4:53 AM To: "users@ws.apache.org" <users@ws.apache.org> Subject: Re: Validation failing due to empty namespace in tag I'm not sure why you are seeing empty namespaces. Could you create a unit test or some way of reproducing the problem that I can look at? Colm. On Sun, Mar 4, 2018 at 9:46 AM, Al Ramsey <aram...@vecna.com<mailto:aram...@vecna.com>> wrote: We’re currently trying to migrate WSS4J from version 1.6 to 2.0.1 but our integration tests to the service provider is now failing. A highlighted overview is given below: • In the SignedInfo node, two references were hashed - (1) Timestamp, and (2) Body. Validation of (1) the Timestamp SHA1 digest against the expected value passes, but it fails for (2) the Body. WSS4J decrypts the Body successfully, but fails in the validation. • We made some changes with our WSS4J configuration based on the recommendations from the WSS4J Migration Guide (link: https://ws.apache.org/wss4j/migration/wss4j20.html). • When I manually removed an empty namespace in one of the tags, a manual check of the SHA1 digest appears to finally succeed. • WSS4J first decrypts the Body, then performs a canonical transformation prior to validation. An empty namespace in one of the tags seem to show up in our application when we use WSS4J 2.0.1 but it does not show up when using WSS4J 1.6. An illustrative example: the decoded Body is: http://ebs.health.ontario.ca/; xmlns:b="http://msa.ebs.health.ontario.ca/; xmlns:c="http://hcv.health.ontario.ca/; xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/; xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd;>676345d6-3fc4-434c-96b3-012c73672b6a1286844022Ask the cardholder to either visit the local ServiceOntario office or call 1 800-268-1154<tel:1%20800-268-1154>.10The Health Number submitted does not exist on the ministry's systemFAILED_MOD10YX … and the Body after canonical transformation is: http://schemas.xmlsoap.org/soap/envelope/; xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd; wsu:Id="Body-42a8192d-3065-451d-bfeb-1156ae118da4">http://hcv.health.ontario.ca/;>676345d6-3fc4-434c-96b3-012c73672b6a1286844022Ask the cardholder to either visit the local ServiceOntario office or call 1 800-268-1154<tel:1%20800-268-1154>.10The Health Number submitted does not exist on the ministry's systemFAILED_MOD10YX I had to manually change to the following: A manual check of the SHA1 digest tells me it would now pass validation. I am not sure why the empty namespace appears when using WSS4J 2.0.1 and not 1.6. Did I miss a configuration when updated them? -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
Re: Validation failing due to empty namespace in tag
I'm not sure why you are seeing empty namespaces. Could you create a unit test or some way of reproducing the problem that I can look at? Colm. On Sun, Mar 4, 2018 at 9:46 AM, Al Ramseywrote: > We’re currently trying to migrate WSS4J from version 1.6 to 2.0.1 but our > integration tests to the service provider is now failing. A highlighted > overview is given below: > > • In the SignedInfo node, two references were hashed - (1) Timestamp, and > (2) Body. Validation of (1) the Timestamp SHA1 digest against the expected > value passes, but it fails for (2) the Body. WSS4J decrypts the Body > successfully, but fails in the validation. > • We made some changes with our WSS4J configuration based on the > recommendations from the WSS4J Migration Guide (link: > https://ws.apache.org/wss4j/migration/wss4j20.html). > • When I manually removed an empty namespace in one of the tags, a manual > check of the SHA1 digest appears to finally succeed. > • WSS4J first decrypts the Body, then performs a canonical transformation > prior to validation. An empty namespace in one of the tags seem to show up > in our application when we use WSS4J 2.0.1 but it does not show up when > using WSS4J 1.6. > > An illustrative example: the decoded Body is: > > http://ebs.health.ontario.ca/; xmlns:b=" > http://msa.ebs.health.ontario.ca/; xmlns:c="http://hcv.health.ontario.ca/; > xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/; xmlns:wsu=" > http://docs.oasis-open.org/wss/2004/01/oasis- > 200401-wss-wssecurity-utility-1.0.xsd">676345d6- > 3fc4-434c-96b3-012c73672b6a1286844022 healthNumber>Ask the cardholder to either visit the local > ServiceOntario office or call 1 800-268-1154.< > responseCode>10The Health Number > submitted does not exist on the ministry's system< > responseID>FAILED_MOD10YX versionCode> > > … and the Body after canonical transformation is: > > http://schemas.xmlsoap.org/soap/envelope/; > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis- > 200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body-42a8192d-3065- > 451d-bfeb-1156ae118da4">http://hcv.health. > ontario.ca/">676345d6- > 3fc4-434c-96b3-012c73672b6a1286844022 healthNumber>Ask the cardholder to either visit the local > ServiceOntario office or call 1 800-268-1154.< > responseCode>10The Health Number > submitted does not exist on the ministry's system< > responseID>FAILED_MOD10YX versionCode> > > I had to manually change > > > > to the following: > > > > A manual check of the SHA1 digest tells me it would now pass validation. > I am not sure why the empty namespace appears when using WSS4J 2.0.1 and > not 1.6. Did I miss a configuration when updated them? > > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
Validation failing due to empty namespace in tag
We’re currently trying to migrate WSS4J from version 1.6 to 2.0.1 but our integration tests to the service provider is now failing. A highlighted overview is given below: • In the SignedInfo node, two references were hashed - (1) Timestamp, and (2) Body. Validation of (1) the Timestamp SHA1 digest against the expected value passes, but it fails for (2) the Body. WSS4J decrypts the Body successfully, but fails in the validation. • We made some changes with our WSS4J configuration based on the recommendations from the WSS4J Migration Guide (link: https://ws.apache.org/wss4j/migration/wss4j20.html). • When I manually removed an empty namespace in one of the tags, a manual check of the SHA1 digest appears to finally succeed. • WSS4J first decrypts the Body, then performs a canonical transformation prior to validation. An empty namespace in one of the tags seem to show up in our application when we use WSS4J 2.0.1 but it does not show up when using WSS4J 1.6. An illustrative example: the decoded Body is: http://ebs.health.ontario.ca/; xmlns:b="http://msa.ebs.health.ontario.ca/; xmlns:c="http://hcv.health.ontario.ca/; xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/; xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd;>676345d6-3fc4-434c-96b3-012c73672b6a1286844022Ask the cardholder to either visit the local ServiceOntario office or call 1 800-268-1154.10The Health Number submitted does not exist on the ministry's systemFAILED_MOD10YX … and the Body after canonical transformation is: http://schemas.xmlsoap.org/soap/envelope/; xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd; wsu:Id="Body-42a8192d-3065-451d-bfeb-1156ae118da4">http://hcv.health.ontario.ca/;>676345d6-3fc4-434c-96b3-012c73672b6a1286844022Ask the cardholder to either visit the local ServiceOntario office or call 1 800-268-1154.10The Health Number submitted does not exist on the ministry's systemFAILED_MOD10YX I had to manually change to the following: A manual check of the SHA1 digest tells me it would now pass validation. I am not sure why the empty namespace appears when using WSS4J 2.0.1 and not 1.6. Did I miss a configuration when updated them?