The issue is this:
I receive a signed SOAP message with the X509 certificate in the header (in
the BinarySecurityToken element). I have added this certificate to my
keystore and try to validate the signature. However, the message won't be
validated; I keep receiving:
org.apache.xml.security.signature.Reference: Verification failed for URI
"#Timestamp-bcb7f6e3-350f-4ec7-8c81-e0d81ce53030" 

I will add some more logging to the end of this post. Since I am rather new
to WS-Security, I was wondering if I am on the wrong path with this. Are
there other issues that I have to be aware of?

I must say that my setup works with messages and signatures created by
myself; it only fails with messages I get from a third party.

Here is my CXF config:
<cxf:proxy-service>
    <cxf:inInterceptors>
        <spring:bean class="org.apache.cxf.interceptor.LoggingInInterceptor" />
        <spring:bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
            <spring:constructor-arg>
                <spring:map>
                    <spring:entry key="action" value="Signature" />
                    <spring:entry key="signaturePropFile" value="wssecurity.properties" />
                    <spring:entry key="signatureKeyIdentifier" value="DirectReference" />
                </spring:map>
            </spring:constructor-arg>
        </spring:bean>
    </cxf:inInterceptors>
</cxf:proxy-service>

In my property file I have:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=JKS
org.apache.ws.security.crypto.merlin.file=c:\\develop\\KeyStores\\myKeystore.jks
org.apache.ws.security.crypto.merlin.keystore.password=myPassword

Here is part of the logging I get:
--------------------------------------
DEBUG 2012-01-18 17:38:18,850
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
interceptor org.apache.cxf.interceptor.AttachmentInInterceptor@347cdb
DEBUG 2012-01-18 17:38:18,850
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
interceptor org.apache.cxf.interceptor.StaxInInterceptor@75f10df7
DEBUG 2012-01-18 17:38:18,850
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
interceptor
org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor@6365d2be
DEBUG 2012-01-18 17:38:18,850
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
interceptor
org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor@24cc0f9f
DEBUG 2012-01-18 17:38:18,850
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
interceptor
org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor@31eeeaed
DEBUG 2012-01-18 17:38:18,850
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
interceptor org.mule.module.cxf.support.MuleHeadersInInterceptor@170a6001
DEBUG 2012-01-18 17:38:18,850
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
interceptor org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor@191c0b76
DEBUG 2012-01-18 17:38:18,866
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor: WSS4JInInterceptor:
enter handleMessage()
DEBUG 2012-01-18 17:38:18,866
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.ws.security.WSSecurityEngine: enter processSecurityHeader()
DEBUG 2012-01-18 17:38:18,866
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.ws.security.WSSecurityEngine: Processing WS-Security header for
'' actor.
DEBUG 2012-01-18 17:38:18,866
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.ws.security.processor.SignatureProcessor: Found signature element
DEBUG 2012-01-18 17:38:18,866
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.ws.security.processor.SignatureProcessor: Verify XML Signature
DEBUG 2012-01-18 17:38:18,866
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.utils.ElementProxy: setElement("Signature", "null")
DEBUG 2012-01-18 17:38:18,866
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.utils.ElementProxy: setElement("SignedInfo", "null")
DEBUG 2012-01-18 17:38:18,866
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.utils.ElementProxy: setElement("SignatureMethod",
"null")
DEBUG 2012-01-18 17:38:18,866
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.utils.ElementProxy: setElement("KeyInfo", "null")
DEBUG 2012-01-18 17:38:18,866
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.ws.security.message.token.SecurityTokenReference: Token reference
uri: #SecurityToken-6afc8095-f450-4a21-82ba-8902e4a02d45
DEBUG 2012-01-18 17:38:18,866
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.signature.Manifest: verify 1 References
DEBUG 2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.signature.Manifest: I am not requested to follow
nested Manifests
DEBUG 2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.utils.ElementProxy: setElement("Reference", "null")
DEBUG 2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.utils.ElementProxy: setElement("Transforms", "null")
DEBUG 2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.algorithms.JCEMapper: Request for URI
http://www.w3.org/2000/09/xmldsig#sha1
DEBUG 2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.utils.resolver.ResourceResolver: I was asked to
create a ResourceResolver and got 1
DEBUG 2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.utils.resolver.ResourceResolver:  extra resolvers to
my existing 4 system-wide resolvers
DEBUG 2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.utils.resolver.ResourceResolver: check resolvability
by class org.apache.ws.security.message.EnvelopeIdResolver
DEBUG 2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.ws.security.message.EnvelopeIdResolver: enter engineResolve, look
for: #Body-432a8626-6c46-47b8-b069-7443138f9b8d
DEBUG 2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.ws.security.message.EnvelopeIdResolver: exit engineResolve,
result: XMLSignatureInput/Element/[soapenv:Body: null] exclude null
comments:false/null
DEBUG 2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.utils.ElementProxy: setElement("Transform", "null")
WARN  2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.signature.Reference: Verification failed for URI
"#Body-432a8626-6c46-47b8-b069-7443138f9b8d"
DEBUG 2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.signature.Manifest: The Reference has Type 
WARN  2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor: 
org.apache.ws.security.WSSecurityException: The signature or decryption was
invalid
        at
org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:529)
        at
org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
        at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
        at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
        at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:215)
        at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:81)
        at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
        at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
        at
org.mule.module.cxf.CxfInboundMessageProcessor.sendToDestination(CxfInboundMessageProcessor.java:296)
        at
org.mule.module.cxf.CxfInboundMessageProcessor.process(CxfInboundMessageProcessor.java:137)
        at
org.mule.module.cxf.config.FlowConfiguringMessageProcessor.process(FlowConfiguringMessageProcessor.java:50)
        at
org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
        at
org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
        at
org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
        at
org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
        at
org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
        at
org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
        at
org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
        at
org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
        at
org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
        at
org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
        at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:195)
        at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:163)
        at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:150)
        at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.doRequest(HttpMessageReceiver.java:299)
        at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.processRequest(HttpMessageReceiver.java:258)
        at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:163)
        at org.mule.work.WorkerContext.run(WorkerContext.java:310)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
        at java.lang.Thread.run(Thread.java:662)
WARN  2012-01-18 17:38:18,897
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for
{http://support.cxf.module.mule.org/}ProxyService has thrown exception,
unwinding now
org.apache.cxf.binding.soap.SoapFault: The signature or decryption was
invalid
        at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:654)
        at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:275)
        at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:81)
        at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
        at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
        at
org.mule.module.cxf.CxfInboundMessageProcessor.sendToDestination(CxfInboundMessageProcessor.java:296)
        at
org.mule.module.cxf.CxfInboundMessageProcessor.process(CxfInboundMessageProcessor.java:137)
        at
org.mule.module.cxf.config.FlowConfiguringMessageProcessor.process(FlowConfiguringMessageProcessor.java:50)
        at
org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
        at
org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
        at
org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
        at
org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
        at
org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
        at
org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
        at
org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
        at
org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
        at
org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
        at
org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
        at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:195)
        at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:163)
        at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:150)
        at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.doRequest(HttpMessageReceiver.java:299)
        at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.processRequest(HttpMessageReceiver.java:258)
        at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:163)
        at org.mule.work.WorkerContext.run(WorkerContext.java:310)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
        at java.lang.Thread.run(Thread.java:662)
Caused by: org.apache.ws.security.WSSecurityException: The signature or
decryption was invalid
        at
org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:529)
        at
org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
        at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
        at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
        at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:215)
        ... 26 more

--
View this message in context: 
http://cxf.547215.n5.nabble.com/CXF-2-3-1-Message-signature-doesn-t-get-validated-tp5155316p5155316.html
Sent from the cxf-user mailing list archive at Nabble.com.
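
The WARN in the log above comes from org.apache.xml.security.signature.Reference, which reports that the digest recomputed over the referenced element does not match the DigestValue in SignedInfo; that check does not involve the certificate or the keystore. The following is an added example, not part of the original post and not CXF or WSS4J code: it uses the JDK's javax.xml.crypto.dsig API on a constructed envelope with a throwaway RSA key, and shows a body altered after signing failing the reference check while SignatureValue still validates. The urn:example namespace, the Body-1 Id and the SHA-256 algorithms are assumptions of the example.

```java
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class ReferenceDigestCheck {
    public static void main(String[] args) throws Exception {
        // Constructed sample: a tiny envelope with an Id-bearing Body and a throwaway RSA key.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element env = doc.createElementNS("urn:example", "Envelope");
        Element body = doc.createElementNS("urn:example", "Body");
        doc.appendChild(env);
        env.appendChild(body);
        body.setAttribute("Id", "Body-1");
        body.setIdAttribute("Id", true);          // lets "#Body-1" resolve via getElementById
        body.setTextContent("payload");
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // The message in the post uses SHA-1; SHA-256 is used here (an assumption of this example).
        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        Reference ref = f.newReference("#Body-1", f.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(f.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)), null, null);
        SignedInfo si = f.newSignedInfo(
            f.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            f.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null), Collections.singletonList(ref));
        f.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), env));

        report(f, doc, kp.getPublic(), "as signed");
        body.setTextContent("payload ");          // signed content changed after signing
        report(f, doc, kp.getPublic(), "body altered after signing");
    }

    // Prints core validity, then the two checks it is made of: SignatureValue and the Reference digest.
    static void report(XMLSignatureFactory f, Document doc, PublicKey key, String label) throws Exception {
        Node sigNode = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(key, sigNode);
        XMLSignature sig = f.unmarshalXMLSignature(ctx);
        boolean core = sig.validate(ctx);
        Reference r = (Reference) sig.getSignedInfo().getReferences().get(0);
        System.out.printf("%s: core=%b signatureValue=%b reference(%s)=%b%n",
            label, core, sig.getSignatureValue().validate(ctx), r.getURI(), r.validate(ctx));
    }
}
```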