Hi guys,

I have had issues when the canonicalization algorithm was not set properly
on the sender side. This deals with how whitespaces are included/not
included in the calculation. In our case we used soapUI to prove the
security was set up properly and then shared the project with the client so
they could get their output to match (canonicalization, signature method
etc.). This then decouples you from having to spend so much time debugging.

Chris



On Thu, Jan 19, 2012 at 5:47 AM, Colm O hEigeartaigh <[email protected]> wrote:

> The errors in the log indicate that the digest of the signed
> references does not match the digests in the signature. Is anything
> changing the SOAP Message between when the signature was created and
> validated?
>
> Have you tried with a more recent version of CXF?
>
> Colm.
>
> On Wed, Jan 18, 2012 at 4:43 PM, Pascal Alma <[email protected]>
> wrote:
> > The issue is this:
> > I receive a signed soap message with the X509 certificate in the header
> (in
> > the BinarySecurityToken element). I have added this certificate to my
> > keystore and try to validate the signature. However the message won't be
> > validated, I keep receiving:
> > org.apache.xml.security.signature.Reference: Verification failed for URI
> > "#Timestamp-bcb7f6e3-350f-4ec7-8c81-e0d81ce53030"
> >
> > I will add some more logging to the end of this post. Since I am rather
> > new to this WS-Security I was wondering if I am on the wrong path with
> > this. Are there other issues that I have to be aware of?
> >
> > I must say that my setup works with messages and signatures created by
> > myself, it only fails with messages I get from a third party.
> >
> > Here is my CXF config:
> >  <cxf:proxy-service>
> >                <cxf:inInterceptors>
> >                    <spring:bean
> > class="org.apache.cxf.interceptor.LoggingInInterceptor" />
> >                    <spring:bean
> > class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
> >                        <spring:constructor-arg>
> >                            <spring:map>
> >                                <spring:entry key="action"
> value="Signature"
> > />
> >                                <spring:entry key="signaturePropFile"
> > value="wssecurity.properties" />
> >                                <spring:entry key="signatureKeyIdentifier"
> > value="DirectReference" />
> >                            </spring:map>
> >                        </spring:constructor-arg>
> >                    </spring:bean>
> >                </cxf:inInterceptors>
> >            </cxf:proxy-service>
> >
> > In my property file I have:
> >
> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> > org.apache.ws.security.crypto.merlin.keystore.type=JKS
> >
> org.apache.ws.security.crypto.merlin.file=c:\\develop\\KeyStores\\myKeystore.jks
> > org.apache.ws.security.crypto.merlin.keystore.password=myPassword
> >
> > Here is part of the logging I get:
> > --------------- -----------------------
> > DEBUG 2012-01-18 17:38:18,850
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
> > interceptor org.apache.cxf.interceptor.AttachmentInInterceptor@347cdb
> > DEBUG 2012-01-18 17:38:18,850
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
> > interceptor org.apache.cxf.interceptor.StaxInInterceptor@75f10df7
> > DEBUG 2012-01-18 17:38:18,850
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
> > interceptor
> > org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor@6365d2be
> > DEBUG 2012-01-18 17:38:18,850
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
> > interceptor
> > org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor@24cc0f9f
> > DEBUG 2012-01-18 17:38:18,850
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
> > interceptor
> > org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor@31eeeaed
> > DEBUG 2012-01-18 17:38:18,850
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
> > interceptor org.mule.module.cxf.support.MuleHeadersInInterceptor@170a6001
> > DEBUG 2012-01-18 17:38:18,850
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
> > interceptor org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor@191c0b76
> > DEBUG 2012-01-18 17:38:18,866
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor: WSS4JInInterceptor:
> > enter handleMessage()
> > DEBUG 2012-01-18 17:38:18,866
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.ws.security.WSSecurityEngine: enter processSecurityHeader()
> > DEBUG 2012-01-18 17:38:18,866
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.ws.security.WSSecurityEngine: Processing WS-Security header
> for
> > '' actor.
> > DEBUG 2012-01-18 17:38:18,866
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.ws.security.processor.SignatureProcessor: Found signature
> element
> > DEBUG 2012-01-18 17:38:18,866
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.ws.security.processor.SignatureProcessor: Verify XML Signature
> > DEBUG 2012-01-18 17:38:18,866
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.xml.security.utils.ElementProxy: setElement("Signature",
> "null")
> > DEBUG 2012-01-18 17:38:18,866
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.xml.security.utils.ElementProxy: setElement("SignedInfo",
> "null")
> > DEBUG 2012-01-18 17:38:18,866
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.xml.security.utils.ElementProxy: setElement("SignatureMethod",
> > "null")
> > DEBUG 2012-01-18 17:38:18,866
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.xml.security.utils.ElementProxy: setElement("KeyInfo", "null")
> > DEBUG 2012-01-18 17:38:18,866
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.ws.security.message.token.SecurityTokenReference: Token
> reference
> > uri: #SecurityToken-6afc8095-f450-4a21-82ba-8902e4a02d45
> > DEBUG 2012-01-18 17:38:18,866
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.xml.security.signature.Manifest: verify 1 References
> > DEBUG 2012-01-18 17:38:18,881
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.xml.security.signature.Manifest: I am not requested to follow
> > nested Manifests
> > DEBUG 2012-01-18 17:38:18,881
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.xml.security.utils.ElementProxy: setElement("Reference",
> "null")
> > DEBUG 2012-01-18 17:38:18,881
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.xml.security.utils.ElementProxy: setElement("Transforms",
> "null")
> > DEBUG 2012-01-18 17:38:18,881
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.xml.security.algorithms.JCEMapper: Request for URI
> > http://www.w3.org/2000/09/xmldsig#sha1
> > DEBUG 2012-01-18 17:38:18,881
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.xml.security.utils.resolver.ResourceResolver: I was asked to
> > create a ResourceResolver and got 1
> > DEBUG 2012-01-18 17:38:18,881
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.xml.security.utils.resolver.ResourceResolver:  extra
> resolvers to
> > my existing 4 system-wide resolvers
> > DEBUG 2012-01-18 17:38:18,881
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.xml.security.utils.resolver.ResourceResolver: check
> resolvability
> > by class org.apache.ws.security.message.EnvelopeIdResolver
> > DEBUG 2012-01-18 17:38:18,881
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.ws.security.message.EnvelopeIdResolver: enter engineResolve,
> look
> > for: #Body-432a8626-6c46-47b8-b069-7443138f9b8d
> > DEBUG 2012-01-18 17:38:18,881
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.ws.security.message.EnvelopeIdResolver: exit engineResolve,
> > result: XMLSignatureInput/Element/[soapenv:Body: null] exclude null
> > comments:false/null
> > DEBUG 2012-01-18 17:38:18,881
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.xml.security.utils.ElementProxy: setElement("Transform",
> "null")
> > WARN  2012-01-18 17:38:18,881
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.xml.security.signature.Reference: Verification failed for URI
> > "#Body-432a8626-6c46-47b8-b069-7443138f9b8d"
> > DEBUG 2012-01-18 17:38:18,881
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.xml.security.signature.Manifest: The Reference has Type
> > WARN  2012-01-18 17:38:18,881
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor:
> > org.apache.ws.security.WSSecurityException: The signature or decryption
> was
> > invalid
> >        at
> >
> org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:529)
> >        at
> >
> org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
> >        at
> >
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> >        at
> >
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
> >        at
> >
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:215)
> >        at
> >
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:81)
> >        at
> >
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
> >        at
> >
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
> >        at
> >
> org.mule.module.cxf.CxfInboundMessageProcessor.sendToDestination(CxfInboundMessageProcessor.java:296)
> >        at
> >
> org.mule.module.cxf.CxfInboundMessageProcessor.process(CxfInboundMessageProcessor.java:137)
> >        at
> >
> org.mule.module.cxf.config.FlowConfiguringMessageProcessor.process(FlowConfiguringMessageProcessor.java:50)
> >        at
> >
> org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
> >        at
> >
> org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
> >        at
> >
> org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
> >        at
> >
> org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
> >        at
> >
> org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
> >        at
> >
> org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
> >        at
> >
> org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
> >        at
> >
> org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
> >        at
> >
> org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
> >        at
> >
> org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
> >        at
> >
> org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:195)
> >        at
> >
> org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:163)
> >        at
> >
> org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:150)
> >        at
> >
> org.mule.transport.http.HttpMessageReceiver$HttpWorker.doRequest(HttpMessageReceiver.java:299)
> >        at
> >
> org.mule.transport.http.HttpMessageReceiver$HttpWorker.processRequest(HttpMessageReceiver.java:258)
> >        at
> >
> org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:163)
> >        at org.mule.work.WorkerContext.run(WorkerContext.java:310)
> >        at
> >
> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
> >        at
> >
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
> >        at java.lang.Thread.run(Thread.java:662)
> > WARN  2012-01-18 17:38:18,897
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for
> > {http://support.cxf.module.mule.org/}ProxyService has thrown exception,
> > unwinding now
> > org.apache.cxf.binding.soap.SoapFault: The signature or decryption was
> > invalid
> >        at
> >
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:654)
> >        at
> >
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:275)
> >        at
> >
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:81)
> >        at
> >
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
> >        at
> >
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
> >        at
> >
> org.mule.module.cxf.CxfInboundMessageProcessor.sendToDestination(CxfInboundMessageProcessor.java:296)
> >        at
> >
> org.mule.module.cxf.CxfInboundMessageProcessor.process(CxfInboundMessageProcessor.java:137)
> >        at
> >
> org.mule.module.cxf.config.FlowConfiguringMessageProcessor.process(FlowConfiguringMessageProcessor.java:50)
> >        at
> >
> org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
> >        at
> >
> org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
> >        at
> >
> org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
> >        at
> >
> org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
> >        at
> >
> org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
> >        at
> >
> org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
> >        at
> >
> org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
> >        at
> >
> org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
> >        at
> >
> org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
> >        at
> >
> org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
> >        at
> >
> org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:195)
> >        at
> >
> org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:163)
> >        at
> >
> org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:150)
> >        at
> >
> org.mule.transport.http.HttpMessageReceiver$HttpWorker.doRequest(HttpMessageReceiver.java:299)
> >        at
> >
> org.mule.transport.http.HttpMessageReceiver$HttpWorker.processRequest(HttpMessageReceiver.java:258)
> >        at
> >
> org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:163)
> >        at org.mule.work.WorkerContext.run(WorkerContext.java:310)
> >        at
> >
> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
> >        at
> >
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
> >        at java.lang.Thread.run(Thread.java:662)
> > Caused by: org.apache.ws.security.WSSecurityException: The signature or
> > decryption was invalid
> >        at
> >
> org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:529)
> >        at
> >
> org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
> >        at
> >
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> >        at
> >
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
> >        at
> >
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:215)
> >        ... 26 more
> >
> > --
> > View this message in context:
> http://cxf.547215.n5.nabble.com/CXF-2-3-1-Message-signature-doesn-t-get-validated-tp5155316p5155316.html
> > Sent from the cxf-user mailing list archive at Nabble.com.
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



-- 
Chris Riley, Partner
HKM Consulting LLC
(o)  774.553.5314
(m) 508.273.3102
(f)   774.553.5316
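The two explanations offered in the thread (the verifier canonicalizing differently from the sender, or something rewriting the message between signing and verification) can be reproduced with a small script. What follows is an added example, not code from the thread, from CXF or from WSS4J. It uses the C14N 2.0 implementation in Python's standard library (xml.etree.ElementTree.canonicalize) rather than the C14N 1.0 / Exclusive C14N transforms WSS4J applies, but the normalization it performs (namespace-declaration and attribute ordering, quote style, empty-element form, optional comment inclusion, and preservation of inter-element whitespace) illustrates the same behaviour. The SOAP Body, its Id and the digests are constructed sample data; SHA-1 is used only because the log above shows xmldsig#sha1 as the DigestMethod.

```python
import hashlib
import hmac
from xml.etree import ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample: the Body element as the sender serialized it when it
# computed the <ds:Reference> digest. Not taken from the thread.
AS_SIGNED = (
    f'<soap:Body xmlns:soap="{SOAP}" xmlns:wsu="{WSU}" wsu:Id="Body-1">'
    '<ns1:getQuote xmlns:ns1="urn:example:quotes" symbol="ACME" currency="USD"/>'
    "</soap:Body>"
)

# The same infoset re-serialized by a different XML stack: namespace
# declarations and attributes reordered, single quotes, extra whitespace
# inside the start tag, and the empty element written with an end tag.
RESERIALIZED = (
    f"<soap:Body   xmlns:wsu='{WSU}' wsu:Id='Body-1'\n    xmlns:soap='{SOAP}'>"
    "<ns1:getQuote currency='USD' xmlns:ns1='urn:example:quotes' symbol='ACME'>"
    "</ns1:getQuote></soap:Body>"
)

# An intermediary inserted a comment inside the signed element.
WITH_COMMENT = AS_SIGNED.replace("<ns1:getQuote", "<!-- via gateway --><ns1:getQuote", 1)

# An intermediary pretty-printed the element. The indentation it added is
# text content, so it survives canonicalization and changes the digest.
PRETTY_PRINTED = (
    AS_SIGNED.replace("><ns1:getQuote", ">\n  <ns1:getQuote", 1)
    .replace("/></soap:Body>", "/>\n</soap:Body>", 1)
)


def raw_digest(xml_text: str) -> str:
    """SHA-1 over the bytes exactly as serialized (no canonicalization)."""
    return hashlib.sha1(xml_text.encode("utf-8")).hexdigest()


def c14n_digest(xml_text: str, with_comments: bool = False) -> str:
    """SHA-1 over the canonical form, which is what a <ds:Reference> with a
    C14N transform digests. with_comments selects the #WithComments variant."""
    canonical = ET.canonicalize(xml_text, with_comments=with_comments)
    return hashlib.sha1(canonical.encode("utf-8")).hexdigest()


def reference_verifies(expected_digest: str, received_xml: str,
                       with_comments: bool = False) -> bool:
    """What the verifier does per Reference: recompute the digest over the
    received element with *its* configured algorithm and compare."""
    actual = c14n_digest(received_xml, with_comments)
    return hmac.compare_digest(actual, expected_digest)


def main() -> None:
    signed = c14n_digest(AS_SIGNED)
    print("raw bytes differ:          ", raw_digest(AS_SIGNED) != raw_digest(RESERIALIZED))
    print("reserialized verifies:     ", reference_verifies(signed, RESERIALIZED))
    print("comment added, no-comments:", reference_verifies(signed, WITH_COMMENT))
    # Sender used the WithComments algorithm, verifier is configured without it.
    signed_wc = c14n_digest(WITH_COMMENT, with_comments=True)
    print("algorithm mismatch:        ", reference_verifies(signed_wc, WITH_COMMENT))
    print("pretty-printed verifies:   ", reference_verifies(signed, PRETTY_PRINTED))


if __name__ == "__main__":
    main()
```

Run as a script it prints which re-serializations still verify. The first three cases show why canonicalization exists at all: byte-level differences that do not change the infoset leave the digest intact. The last two map onto the thread: a verifier configured with a different canonicalization variant than the sender (Chris's point) is a configuration fix on one side, while an intermediary that pretty-prints or otherwise rewrites the signed element between signing and verification (Colm's question) cannot be fixed by any verifier setting, since the text it adds is part of what was signed.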
