http://issues.apache.org/bugzilla/show_bug.cgi?id=43685

Summary: Problem verifying signatures generated by BEA Aqualogic
Product: Security
Version: Java 1.4.1
Platform: Other
OS/Version: All
Status: NEW
Severity: major
Priority: P2
Component: Signature
AssignedTo: security-dev@xml.apache.org
ReportedBy: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]

I'm having trouble verifying a signature generated by BEA Aqualogic - it looks like the SHA-1 hash generated when verifying is not the same as specified in the signature. Here is the security header; I'll attach the entire signed XML file too. Here, both the timestamp and the body SHA-1 hashes do not match, but the binary security token is ok.

<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:BinarySecurityToken wsu:Id="bst_eYXO4naFUHt1oMiY"
      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
      EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
MIIE7TCCBFagAwIBAgIEQDZd9zANBgkqhkiG9w0BAQUFADA/MQswCQYDVQQGEw
JESzEMMAoGA1UEChMDVERDMSIwIAYDVQQDExlUREMgT0NFUyBTeXN0ZW10ZXN0IENBIElJMB4XDTA1MT
AzMTA4MjgxOVoXDTA3MTAzMTA4NTgxOVowczELMAkGA1UEBhMCREsxIDAeBgNVBAoTF1REQyBBL1MgLy
8gQ1ZSOjE0NzczOTA4MUIwGQYDVQQDExJUREMgQS9TIC0gUElEIFRFU1QwJQYDVQQFEx5DVlI6MTQ3Nz
M5MDgtVUlEOjEwODM4Mzg5MTQzOTIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKlUxEE8Miw22X
nNdMBJpkZjcvBQWBboL8N/bjKrmHyUC68PIr+OTDtlq0QcIxYwWp7iHvd/FEQBjWc09KBTpVPy23rEM3
n/0EXoBFeq0zFOrZt3eAwhY4RA4ipaW9bBjnzuhTXEQ/VJfROIcbcjORqBrJbDVpjv8Z7zzmLrQGE3Ag
MBAAGjggLAMIICvDAOBgNVHQ8BAf8EBAMCA7gwKwYDVR0QBCQwIoAPMjAwNTEwMzEwODI4MTlagQ8yMD
A3MTAzMTA4NTgxOVowRgYIKwYBBQUHAQEEOjA4MDYGCCsGAQUFBzABhipodHRwOi8vdGVzdC5vY3NwLm
NlcnRpZmlrYXQuZGsvb2NzcC9zdGF0dXMwggEDBgNVHSAEgfswgfgwgfUGCSkBAQEBAQEBAzCB5zAvBg
grBgEFBQcCARYjaHR0cDovL3d3dy5jZXJ0aWZpa2F0LmRrL3JlcG9zaXRvcnkwgbMGCCsGAQUFBwICMI
GmMAoWA1REQzADAgEBGoGXVERDIFRlc3QgQ2VydGlmaWthdGVyIGZyYSBkZW5uZSBDQSB1ZHN0ZWRlcy
B1bmRlciBPSUQgMS4xLjEuMS4xLjEuMS4xLjEuMy4gVERDIFRlc3QgQ2VydGlmaWNhdGVzIGZyb20gdG
hpcyBDQSBhcmUgaXNzdWVkIHVuZGVyIE9JRCAxLjEuMS4xLjEuMS4xLjEuMS4zLjAXBglghkgBhvhCAQ
0EChYIb3JnYW5XZWIwFgYDVR0RBA8wDYELcGJ1dUB0ZGMuZGswgZYGA1UdHwSBjjCBizCBiKCBhaCBgq
RQME4xCzAJBgNVBAYTAkRLMQwwCgYDVQQKEwNUREMxIjAgBgNVBAMTGVREQyBPQ0VTIFN5c3RlbXRlc3
QgQ0EgSUkxDTALBgNVBAMTBENSTDOGLmh0dHA6Ly90ZXN0LmNybC5vY2VzLmNlcnRpZmlrYXQuZGsvb2
Nlc3BjMy5jcmwwHwYDVR0jBBgwFoAUHJgJRxpMOLkQxQQpW/H0ToBqzH4wHQYDVR0OBBYEFOtlUEQqrO
K/XSqgOmGhs/lT4XelMAkGA1UdEwQCMAAwGQYJKoZIhvZ9B0EABAwwChsEVjcuMQMCA6gwDQYJKoZIhv
cNAQEFBQADgYEAUaMFA/2wqk8PzeNW8wHCMqDyx5G4onfRiH1lTw5v0yOC2MNgAnIN87LHrsYRx2gobU
emjajrbjA+jDC8k2sxHkFyj2vqwXqEys7coScQeeIz5J4V5pFz9YhgXrb8xAdI7YexWSAqAttz5mde7n
vHNsQ2vpWDLmjGsynNaP7avFg=
  </wsse:BinarySecurityToken>
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <dsig:Reference URI="#Timestamp_NINwvG8AFBVIRLEX">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <exc14n:InclusiveNamespaces PrefixList="" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </dsig:Transform>
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <dsig:DigestValue>j6FEasOTde+K4VAIyT1AnJjj/38=</dsig:DigestValue>
      </dsig:Reference>
      <dsig:Reference URI="#Id-650323651">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <exc14n:InclusiveNamespaces PrefixList="" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </dsig:Transform>
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <dsig:DigestValue>edC2luHbb+q5TSLk1XcVeiDVNb4=</dsig:DigestValue>
      </dsig:Reference>
      <dsig:Reference URI="#bst_eYXO4naFUHt1oMiY">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <exc14n:InclusiveNamespaces PrefixList="" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </dsig:Transform>
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <dsig:DigestValue>gVM6kHVLvllHfM1wx0pXLy5fOJg=</dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>CV3lBSJ/KI8yj3ZgQdg/XLGvOhEDGYs2qu7qOn2L8e4e2t8Va9R
dZBvnZsuNpOC5b4Vkl6UQWc6HvNMrp+EjB6/PgD7D74R3CcJhpSQpLwiiwyzgOnX+AGsjh+NabWJZw8F
x8SP3tQ+TqSsF0OCy+UzJ+I9bKDaWghjUMG61xkE=</dsig:SignatureValue>
    <dsig:KeyInfo>
      <wsse:SecurityTokenReference wsu:Id="str_eKIZMaztAU9dy8pc">
        <wsse:Reference URI="#bst_eYXO4naFUHt1oMiY" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
      </wsse:SecurityTokenReference>
    </dsig:KeyInfo>
  </dsig:Signature>
  <wsu:Timestamp wsu:Id="Timestamp_NINwvG8AFBVIRLEX">
    <wsu:Created>2007-10-10T10:23:32Z</wsu:Created>
    <wsu:Expires>2007-10-10T10:24:32Z</wsu:Expires>
  </wsu:Timestamp>
</wsse:Security>

What looks odd to me is the InclusiveNamespaces PrefixList, which is empty. I do not know if this is the problem or not. Can anyone help figure out what is going on? I am working on a project for a customer where this is a critical problem, and I would really appreciate it if anyone can help me identify if it is a problem in XML-Security or in BEA's Aqualogic.
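A diagnostic the reporter could run to pin down which side canonicalises the timestamp and body differently, added here as an example and not code from XML-Security or from BEA: it loads the signed message, recomputes each Reference digest over the octets that leave the exc-c14n transform, and writes those octets to a file so they can be diffed byte-for-byte against what the signer hashed. It assumes a JDK with java.util.Base64 and DOM Level 3 setIdAttributeNS, the 1.4-era XML-Security API (XMLSignature, SignedInfo, Reference), and the signed SOAP file given as the first argument; the class name is hypothetical.

```java
import java.io.File;
import java.nio.file.Files;
import java.security.MessageDigest;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class ReferenceDigestCheck { // hypothetical diagnostic, not part of XML-Security
    static final String WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    public static void main(String[] args) throws Exception {
        Init.init();
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // A signed message from another party is untrusted input: refuse DTDs (no XXE, no entity expansion).
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new File(args[0])); // args[0]: the signed SOAP file

        // wsu:Id is not a DTD-declared ID attribute; mark it as one (DOM Level 3) so URI="#..." resolves.
        NodeList all = doc.getElementsByTagNameNS("*", "*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (e.hasAttributeNS(WSU_NS, "Id")) e.setIdAttributeNS(WSU_NS, "Id", true);
        }

        Element sigEl = (Element) doc.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature").item(0);
        XMLSignature sig = new XMLSignature(sigEl, "");
        SignedInfo si = sig.getSignedInfo();
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        // For each Reference: take the octets leaving the transform chain (exc-c14n with an empty PrefixList is
        // the last transform here), hash them, compare with DigestValue, and dump them for a byte-level diff.
        for (int i = 0; i < si.getLength(); i++) {
            Reference ref = si.item(i);
            byte[] canonical = ref.getContentsAfterTransformation().getBytes();
            byte[] expected = ref.getDigestValue();
            byte[] actual = sha1.digest(canonical);
            System.out.println(ref.getURI() + " digest matches: " + MessageDigest.isEqual(expected, actual)
                + " (message: " + Base64.getEncoder().encodeToString(expected)
                + ", recomputed: " + Base64.getEncoder().encodeToString(actual) + ")");
            Files.write(new File("reference-" + i + ".c14n.xml").toPath(), canonical);
        }
    }
}
```

If the dumped octets for the timestamp and body differ from the signer's canonical form only in namespace declarations, the mismatch is in exclusive-c14n handling (the empty PrefixList is legal and means no extra prefixes are forced into the output); any other difference points at the signed content being altered in transit.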