Hi Chris and Colm,
Thanks for your replies.
The reason I used this specific version is that it is the one that comes with the
Mule ESB we use.
So the best thing to do is to find out how the sender does its canonicalization,
etc. and make sure it matches the way I expect it (although I already checked
it before).
So it is quite normal to obtain the certificate from the message header and use
that to validate the signature on the message? It cannot have to do with the fact
that they use some 'embedded' root certificate or a complete chain when signing
the message and I only have the 'upper' level certificate with the public key?
(I am not sure if this question makes sense, so please let me know if you
don't get it.)
Kind regards,
Pascal
On 19 Jan. 2012, at 15:57, Christopher Riley [via CXF] wrote:
> Hi guys,
>
> I have had issues when the canonicalization algorithm was not set properly
> on the sender side. This deals with how whitespaces are included/not
> included in the calculation. In our case we used soapUI to prove the
> security was setup properly and then shared the project with the client so
> they could get their output to match (canonicalization, signature method
> etc.). This then decouples you from having to spend so much time debugging.
>
> Chris
>
>
>
> On Thu, Jan 19, 2012 at 5:47 AM, Colm O hEigeartaigh <[hidden email]> wrote:
>
> > The errors in the log indicate that the digest of the signed
> > references does not match the digests in the signature. Is anything
> > changing the SOAP Message between when the signature was created and
> > validated?
> >
> > Have you tried with a more recent version of CXF?
> >
> > Colm.
> >
> > On Wed, Jan 18, 2012 at 4:43 PM, Pascal Alma <[hidden email]>
> > wrote:
> > > The issue is this:
> > > I receive a signed SOAP message with the X509 certificate in the header (in
> > > the BinarySecurityToken element). I have added this certificate to my
> > > keystore and try to validate the signature. However, the message won't be
> > > validated; I keep receiving:
> > > org.apache.xml.security.signature.Reference: Verification failed for URI
> > > "#Timestamp-bcb7f6e3-350f-4ec7-8c81-e0d81ce53030"
> > >
> > > I will add some more logging to the end of this post. Since I am rather new
> > > to this WS-Security, I was wondering if I am on the wrong path with this. Are
> > > there other issues that I have to be aware of?
> > >
> > > I must say that my setup works with messages and signatures created by
> > > myself; it only fails with messages I get from a third party.
> > >
> > > Here is my CXF config:
> > > <cxf:proxy-service>
> > >   <cxf:inInterceptors>
> > >     <spring:bean class="org.apache.cxf.interceptor.LoggingInInterceptor" />
> > >     <spring:bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
> > >       <spring:constructor-arg>
> > >         <spring:map>
> > >           <spring:entry key="action" value="Signature" />
> > >           <spring:entry key="signaturePropFile" value="wssecurity.properties" />
> > >           <spring:entry key="signatureKeyIdentifier" value="DirectReference" />
> > >         </spring:map>
> > >       </spring:constructor-arg>
> > >     </spring:bean>
> > >   </cxf:inInterceptors>
> > > </cxf:proxy-service>
> > >
> > > In my property file I have:
> > > org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> > > org.apache.ws.security.crypto.merlin.keystore.type=JKS
> > > org.apache.ws.security.crypto.merlin.file=c:\\develop\\KeyStores\\myKeystore.jks
> > > org.apache.ws.security.crypto.merlin.keystore.password=myPassword
> > >
> > > Here is part of the logging I get:
> > > --------------- -----------------------
> > > DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.apache.cxf.interceptor.AttachmentInInterceptor@347cdb
> > > DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.apache.cxf.interceptor.StaxInInterceptor@75f10df7
> > > DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor@6365d2be
> > > DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor@24cc0f9f
> > > DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor@31eeeaed
> > > DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.mule.module.cxf.support.MuleHeadersInInterceptor@170a6001
> > > DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor@191c0b76
> > > DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor: WSS4JInInterceptor: enter handleMessage()
> > > DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.WSSecurityEngine: enter processSecurityHeader()
> > > DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.WSSecurityEngine: Processing WS-Security header for '' actor.
> > > DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.processor.SignatureProcessor: Found signature element
> > > DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.processor.SignatureProcessor: Verify XML Signature
> > > DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("Signature", "null")
> > > DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("SignedInfo", "null")
> > > DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("SignatureMethod", "null")
> > > DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("KeyInfo", "null")
> > > DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.message.token.SecurityTokenReference: Token reference uri: #SecurityToken-6afc8095-f450-4a21-82ba-8902e4a02d45
> > > DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.signature.Manifest: verify 1 References
> > > DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.signature.Manifest: I am not requested to follow nested Manifests
> > > DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("Reference", "null")
> > > DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("Transforms", "null")
> > > DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.algorithms.JCEMapper: Request for URI http://www.w3.org/2000/09/xmldsig#sha1
> > > DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.resolver.ResourceResolver: I was asked to create a ResourceResolver and got 1
> > > DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.resolver.ResourceResolver: extra resolvers to my existing 4 system-wide resolvers
> > > DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.resolver.ResourceResolver: check resolvability by class org.apache.ws.security.message.EnvelopeIdResolver
> > > DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.message.EnvelopeIdResolver: enter engineResolve, look for: #Body-432a8626-6c46-47b8-b069-7443138f9b8d
> > > DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.message.EnvelopeIdResolver: exit engineResolve, result: XMLSignatureInput/Element/[soapenv:Body: null] exclude null comments:false/null
> > > DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("Transform", "null")
> > > WARN 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.signature.Reference: Verification failed for URI "#Body-432a8626-6c46-47b8-b069-7443138f9b8d"
> > > DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.signature.Manifest: The Reference has Type
> > > WARN 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
> > > WARN 2012-01-18 17:38:18,897 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for {http://support.cxf.module.mule.org/}ProxyService has thrown exception, unwinding now
> > > org.apache.cxf.binding.soap.SoapFault: The signature or decryption was invalid
> > >
> > > --
> > > View this message in context:
> > http://cxf.547215.n5.nabble.com/CXF-2-3-1-Message-signature-doesn-t-get-validated-tp5155316p5155316.html
> > > Sent from the cxf-user mailing list archive at Nabble.com.
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
>
>
>
> --
> Chris Riley, Partner
> HKM Consulting LLC
> (o) 774.553.5314
> (m) 508.273.3102
> (f) 774.553.5316
>
>
--
View this message in context:
http://cxf.547215.n5.nabble.com/CXF-2-3-1-Message-signature-doesn-t-get-validated-tp5155316p5157918.html
Sent from the cxf-user mailing list archive at Nabble.com.
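The digest mismatch Colm points at ("Verification failed for URI #Body-...") and the canonicalization problem Chris describes can be reproduced outside CXF: a <ds:Reference> digest is computed over the canonical form of the referenced element, so a re-serialization that only reorders attributes still verifies, while an intermediary that pretty-prints the Body changes the digest. This is an added example, not code from the thread or from CXF/WSS4J; it uses Python's standard-library canonicalize() (C14N 2.0) in place of the Exclusive C14N 1.0 normally used in WS-Security, and the SOAP Body is constructed sample data that reuses the wsu:Id from the log above.

```python
import base64
import hashlib
from xml.etree import ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
BODY_ID = "Body-432a8626-6c46-47b8-b069-7443138f9b8d"  # Id taken from the log in the thread


def canonical_digest(xml_text: str) -> str:
    """Base64 SHA-1 over the *canonical* bytes of an element.

    This is what a signer puts in <ds:DigestValue> and what the receiver
    recomputes. Stdlib canonicalize() is C14N 2.0 (stand-in for exc-c14n);
    strip_text=False keeps whitespace text nodes, as XML-DSig does.
    """
    canon = ET.canonicalize(xml_data=xml_text, strip_text=False)
    return base64.b64encode(hashlib.sha1(canon.encode("utf-8")).digest()).decode("ascii")


def reference_verifies(expected_digest: str, received_xml: str) -> bool:
    """Receiver-side check: False is the case WSS4J logs as
    'Verification failed for URI "#Body-..."'."""
    return canonical_digest(received_xml) == expected_digest


# Constructed sample: the Body exactly as the sender serialized and signed it.
BODY_AS_SIGNED = (
    f'<soapenv:Body xmlns:soapenv="{SOAP_NS}" xmlns:wsu="{WSU_NS}" wsu:Id="{BODY_ID}">'
    '<ns:getOrder xmlns:ns="urn:example:orders"><ns:orderId>42</ns:orderId></ns:getOrder>'
    "</soapenv:Body>"
)

# Same infoset, different serialization (attribute order, single quotes):
# canonicalization normalizes both, so the digest still matches.
BODY_REORDERED = (
    f"<soapenv:Body wsu:Id='{BODY_ID}' xmlns:wsu='{WSU_NS}' xmlns:soapenv='{SOAP_NS}'>"
    "<ns:getOrder xmlns:ns='urn:example:orders'><ns:orderId>42</ns:orderId></ns:getOrder>"
    "</soapenv:Body>"
)

# An intermediary pretty-printed the Body: the added whitespace text nodes are
# part of the canonical form, so the recomputed digest no longer matches.
BODY_PRETTY_PRINTED = (
    f'<soapenv:Body xmlns:soapenv="{SOAP_NS}" xmlns:wsu="{WSU_NS}" wsu:Id="{BODY_ID}">\n'
    '  <ns:getOrder xmlns:ns="urn:example:orders">\n'
    "    <ns:orderId>42</ns:orderId>\n"
    "  </ns:getOrder>\n"
    "</soapenv:Body>"
)


def demo() -> dict:
    """Run the receiver check against both re-serializations of the signed Body."""
    expected = canonical_digest(BODY_AS_SIGNED)  # the sender's <ds:DigestValue>
    return {
        "reordered_ok": reference_verifies(expected, BODY_REORDERED),
        "pretty_printed_ok": reference_verifies(expected, BODY_PRETTY_PRINTED),
    }


if __name__ == "__main__":
    print(demo())
```

Comparing the sender's canonical bytes with the receiver's this way (dump both sides, diff them) is the quickest way to find which hop, or which canonicalization setting, altered the signed content.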