Hi Pascal,

Good point on the cert. Since you were successfully able to verify on your end, you could request the entire cert chain they are using. We also did the same because it was not clear what within the certificate was being utilized in the calculation for our client and we wanted to not have a mismatch in the trust store.

Chris

On Thu, Jan 19, 2012 at 10:13 AM, Pascal Alma <[email protected]> wrote:
> Hi Chris and Colm,
>
> Thanks for your replies.
>
> The reason I used this specific version is that this one comes with the Mule ESB we use.
>
> So the best thing to do is to find out how the sender does its canonicalization, etc. and make sure it matches the way I expect it (although I already checked it before).
>
> So it is quite normal to obtain the certificate from the message header and use that to validate the signing of the message? It cannot have to do with the fact that they use some 'embedded' root certificate or a complete chain when signing the message and I only have the 'upper' level certificate with the public key? (I am not sure if I make sense in this question, so please let me know if you don't get it.)
>
> Kind regards,
>
> Pascal
>
> On 19 jan. 2012, at 15:57, Christopher Riley [via CXF] wrote:
>
> > Hi guys,
> >
> > I have had issues when the canonicalization algorithm was not set properly on the sender side. This deals with how whitespaces are included/not included in the calculation. In our case we used soapUI to prove the security was set up properly and then shared the project with the client so they could get their output to match (canonicalization, signature method etc.). This then decouples you from having to spend so much time debugging.
> >
> > Chris
> >
> > On Thu, Jan 19, 2012 at 5:47 AM, Colm O hEigeartaigh <[hidden email]> wrote:
> >
> > > The errors in the log indicate that the digest of the signed references does not match the digests in the signature. Is anything changing the SOAP Message between when the signature was created and validated?
> > >
> > > Have you tried with a more recent version of CXF?
> > >
> > > Colm.
> > >
> > > On Wed, Jan 18, 2012 at 4:43 PM, Pascal Alma <[hidden email]> wrote:
> > >
> > > > The issue is this:
> > > > I receive a signed SOAP message with the X509 certificate in the header (in the BinarySecurityToken element). I have added this certificate to my keystore and try to validate the signature. However the message won't be validated, I keep receiving:
> > > > org.apache.xml.security.signature.Reference: Verification failed for URI "#Timestamp-bcb7f6e3-350f-4ec7-8c81-e0d81ce53030"
> > > >
> > > > I will add some more logging to the end of this post. Since I am rather new to this WS-Security I was wondering if I am on the wrong path with this. Are there other issues that I have to be aware of?
> > > >
> > > > I must say that my setup works with messages and signatures created by myself; it only fails with messages I get from a third party.
> > > >
> > > > Here is my CXF config:
> > > >
> > > > <cxf:proxy-service>
> > > >     <cxf:inInterceptors>
> > > >         <spring:bean class="org.apache.cxf.interceptor.LoggingInInterceptor" />
> > > >         <spring:bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
> > > >             <spring:constructor-arg>
> > > >                 <spring:map>
> > > >                     <spring:entry key="action" value="Signature" />
> > > >                     <spring:entry key="signaturePropFile" value="wssecurity.properties" />
> > > >                     <spring:entry key="signatureKeyIdentifier" value="DirectReference" />
> > > >                 </spring:map>
> > > >             </spring:constructor-arg>
> > > >         </spring:bean>
> > > >     </cxf:inInterceptors>
> > > > </cxf:proxy-service>
> > > >
> > > > In my property file I have:
> > > >
> > > > org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> > > > org.apache.ws.security.crypto.merlin.keystore.type=JKS
> > > > org.apache.ws.security.crypto.merlin.file=c:\\develop\\KeyStores\\myKeystore.jks
> > > > org.apache.ws.security.crypto.merlin.keystore.password=myPassword
> > > >
> > > > Here is part of the logging I get:
> > > > --------------- -----------------------
> > > > DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.apache.cxf.interceptor.AttachmentInInterceptor@347cdb
> > > > DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.apache.cxf.interceptor.StaxInInterceptor@75f10df7
> > > > DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor@6365d2be
> > > > DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor@24cc0f9f
> > > > DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor@31eeeaed
> > > > DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.mule.module.cxf.support.MuleHeadersInInterceptor@170a6001
> > > > DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor@191c0b76
> > > > DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor: WSS4JInInterceptor: enter handleMessage()
> > > > DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.WSSecurityEngine: enter processSecurityHeader()
> > > > DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.WSSecurityEngine: Processing WS-Security header for '' actor.
> > > > DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.processor.SignatureProcessor: Found signature element
> > > > DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.processor.SignatureProcessor: Verify XML Signature
> > > > DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("Signature", "null")
> > > > DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("SignedInfo", "null")
> > > > DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("SignatureMethod", "null")
> > > > DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("KeyInfo", "null")
> > > > DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.message.token.SecurityTokenReference: Token reference uri: #SecurityToken-6afc8095-f450-4a21-82ba-8902e4a02d45
> > > > DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.signature.Manifest: verify 1 References
> > > > DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.signature.Manifest: I am not requested to follow nested Manifests
> > > > DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("Reference", "null")
> > > > DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("Transforms", "null")
> > > > DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.algorithms.JCEMapper: Request for URI http://www.w3.org/2000/09/xmldsig#sha1
> > > > DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.resolver.ResourceResolver: I was asked to create a ResourceResolver and got 1
> > > > DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.resolver.ResourceResolver: extra resolvers to my existing 4 system-wide resolvers
> > > > DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.resolver.ResourceResolver: check resolvability by class org.apache.ws.security.message.EnvelopeIdResolver
> > > > DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.message.EnvelopeIdResolver: enter engineResolve, look for: #Body-432a8626-6c46-47b8-b069-7443138f9b8d
> > > > DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.message.EnvelopeIdResolver: exit engineResolve, result: XMLSignatureInput/Element/[soapenv:Body: null] exclude null comments:false/null
> > > > DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("Transform", "null")
> > > > WARN 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.signature.Reference: Verification failed for URI "#Body-432a8626-6c46-47b8-b069-7443138f9b8d"
> > > > DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.signature.Manifest: The Reference has Type
> > > > WARN 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor:
> > > > org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
> > > >     at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:529)
> > > >     at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
> > > >     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> > > >     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
> > > >     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:215)
> > > >     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:81)
> > > >     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
> > > >     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
> > > >     at org.mule.module.cxf.CxfInboundMessageProcessor.sendToDestination(CxfInboundMessageProcessor.java:296)
> > > >     at org.mule.module.cxf.CxfInboundMessageProcessor.process(CxfInboundMessageProcessor.java:137)
> > > >     at org.mule.module.cxf.config.FlowConfiguringMessageProcessor.process(FlowConfiguringMessageProcessor.java:50)
> > > >     at org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
> > > >     at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
> > > >     at org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
> > > >     at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
> > > >     at org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
> > > >     at org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
> > > >     at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
> > > >     at org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
> > > >     at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
> > > >     at org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
> > > >     at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:195)
> > > >     at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:163)
> > > >     at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:150)
> > > >     at org.mule.transport.http.HttpMessageReceiver$HttpWorker.doRequest(HttpMessageReceiver.java:299)
> > > >     at org.mule.transport.http.HttpMessageReceiver$HttpWorker.processRequest(HttpMessageReceiver.java:258)
> > > >     at org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:163)
> > > >     at org.mule.work.WorkerContext.run(WorkerContext.java:310)
> > > >     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
> > > >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
> > > >     at java.lang.Thread.run(Thread.java:662)
> > > > WARN 2012-01-18 17:38:18,897 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for {http://support.cxf.module.mule.org/}ProxyService has thrown exception, unwinding now
> > > > org.apache.cxf.binding.soap.SoapFault: The signature or decryption was invalid
> > > >     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:654)
> > > >     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:275)
> > > >     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:81)
> > > >     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
> > > >     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
> > > >     at org.mule.module.cxf.CxfInboundMessageProcessor.sendToDestination(CxfInboundMessageProcessor.java:296)
> > > >     at org.mule.module.cxf.CxfInboundMessageProcessor.process(CxfInboundMessageProcessor.java:137)
> > > >     at org.mule.module.cxf.config.FlowConfiguringMessageProcessor.process(FlowConfiguringMessageProcessor.java:50)
> > > >     at org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
> > > >     at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
> > > >     at org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
> > > >     at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
> > > >     at org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
> > > >     at org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
> > > >     at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
> > > >     at org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
> > > >     at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
> > > >     at org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
> > > >     at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:195)
> > > >     at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:163)
> > > >     at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:150)
> > > >     at org.mule.transport.http.HttpMessageReceiver$HttpWorker.doRequest(HttpMessageReceiver.java:299)
> > > >     at org.mule.transport.http.HttpMessageReceiver$HttpWorker.processRequest(HttpMessageReceiver.java:258)
> > > >     at org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:163)
> > > >     at org.mule.work.WorkerContext.run(WorkerContext.java:310)
> > > >     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
> > > >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
> > > >     at java.lang.Thread.run(Thread.java:662)
> > > > Caused by: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
> > > >     at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:529)
> > > >     at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
> > > >     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> > > >     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
> > > >     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:215)
> > > >     ... 26 more
> > > >
> > > > --
> > > > View this message in context:
> > > > http://cxf.547215.n5.nabble.com/CXF-2-3-1-Message-signature-doesn-t-get-validated-tp5155316p5155316.html
> > > > Sent from the cxf-user mailing list archive at Nabble.com.
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
> >
> > --
> > Chris Riley, Partner
> > HKM Consulting LLC
> > (o) 774.553.5314
> > (m) 508.273.3102
> > (f) 774.553.5316

--
Chris Riley, Partner
HKM Consulting LLC
(o) 774.553.5314
(m) 508.273.3102
(f) 774.553.5316
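The thread turns on one mechanism: the "Verification failed for URI" warning means the receiver's recomputed DigestValue for the referenced element did not equal the one the sender put in the Signature, and Colm's and Chris's replies both point at the same two causes, something re-serialising the message in transit and the two sides canonicalising differently. The script below is an added illustration, not code from the thread or from CXF/WSS4J, that reproduces that failure offline with only the Python 3.8+ standard library. It uses `xml.etree.ElementTree.canonicalize` (C14N 2.0) as a stand-in for the Exclusive C14N transform WS-Security normally uses, and SHA-1 because the log shows `xmldsig#sha1`; the SOAP envelope, the `Body-1` wsu:Id and the `urn:example` payload namespace are constructed for the example.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")

# Keep the sender's prefixes when a subtree is re-serialised; otherwise
# ElementTree invents ns0/ns1 prefixes and the hashed bytes change for
# a reason unrelated to whitespace.
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("wsu", WSU_NS)

# Constructed sample: the same logical Body as the sender emitted it ...
COMPACT_ENVELOPE = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:wsu="{WSU_NS}">'
    '<soapenv:Header/>'
    '<soapenv:Body wsu:Id="Body-1"><ns1:echo xmlns:ns1="urn:example">'
    '<ns1:text>hello</ns1:text></ns1:echo></soapenv:Body>'
    '</soapenv:Envelope>'
)

# ... and after an intermediary (an ESB, a logging proxy, a pretty-printer)
# re-serialised the envelope with indentation. Same data, different bytes.
PRETTY_ENVELOPE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:wsu="{WSU_NS}">
  <soapenv:Header/>
  <soapenv:Body wsu:Id="Body-1">
    <ns1:echo xmlns:ns1="urn:example">
      <ns1:text>hello</ns1:text>
    </ns1:echo>
  </soapenv:Body>
</soapenv:Envelope>
"""


def find_by_wsu_id(envelope_xml: str, ref_id: str) -> ET.Element:
    """Resolve a Reference URI fragment ("Body-1") to the element carrying that wsu:Id."""
    root = ET.fromstring(envelope_xml)
    for elem in root.iter():
        if elem.get(f"{{{WSU_NS}}}Id") == ref_id:
            return elem
    raise KeyError(f"no element with wsu:Id={ref_id!r}")


def canonical_bytes(elem: ET.Element, strip_text: bool = False) -> bytes:
    """Canonical form of one subtree (C14N 2.0 here, standing in for Exclusive C14N)."""
    elem = copy.deepcopy(elem)
    elem.tail = None  # tail text belongs to the parent, not to the signed subtree
    serialised = ET.tostring(elem, encoding="unicode")
    return ET.canonicalize(serialised, strip_text=strip_text).encode("utf-8")


def reference_digest(envelope_xml: str, ref_id: str, strip_text: bool = False) -> str:
    """Base64 DigestValue over the canonical subtree, as xmldsig#sha1 produces it."""
    elem = find_by_wsu_id(envelope_xml, ref_id)
    digest = hashlib.sha1(canonical_bytes(elem, strip_text)).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_reference(envelope_xml: str, ref_id: str, expected_digest: str,
                     strip_text: bool = False) -> bool:
    """Receiver side of ds:Reference checking: recompute, then compare in constant time."""
    actual = reference_digest(envelope_xml, ref_id, strip_text)
    return hmac.compare_digest(actual, expected_digest)


def demo() -> dict:
    # The sender signs the compact form and ships its DigestValue.
    sender_digest = reference_digest(COMPACT_ENVELOPE, "Body-1")
    return {
        # Untouched message: digests agree.
        "unchanged": verify_reference(COMPACT_ENVELOPE, "Body-1", sender_digest),
        # Re-serialised in transit: the whitespace is part of the signed bytes,
        # so this is the "Verification failed for URI" case from the log.
        "reserialised": verify_reference(PRETTY_ENVELOPE, "Body-1", sender_digest),
        # If both sides agree on a transform that drops that whitespace
        # (C14N 2.0's strip_text here), the two forms digest identically.
        "agreed_trim": reference_digest(COMPACT_ENVELOPE, "Body-1", strip_text=True)
        == reference_digest(PRETTY_ENVELOPE, "Body-1", strip_text=True),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

The practical reading for a case like Pascal's: dump the Body exactly as WSS4J sees it when the interceptor runs (after the Mule and CXF stages that precede it in the log) and compare it byte for byte with what the sender hashed; if they differ only in whitespace or namespace prefixes, the fix is on the transport path or in the agreed canonicalization, not in the keystore. Proving the digests agree in an independent tool first, as Chris describes with soapUI, tells you which side to look at before touching any crypto configuration.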
