Hi Andreas,

Nothing obvious is jumping out at me. Perhaps change the referencing
mechanism in the security policy from ThumbprintSHA1 to something like
IssuerSerial and see if that works instead?

Colm.

On Mon, Nov 19, 2012 at 8:17 AM, andreas_triebel
<[email protected]> wrote:

> Hi Colm
>
> Thanks for the patch! I tried the 1.6.8-SNAPSHOT and it works now for the
> request from Weblogic to CXF.
>
> The bad thing is that Weblogic now complains about the response received
> from CXF. Probably this is now an issue on Weblogic and therefore not the
> right place here, but at least I give the information for completeness.
>
> I already tried to resolve this issue on Weblogic by configuring a
> CertificateRegistry as proposed in this blog
>
> http://fusionsecurity.blogspot.ch/2009/08/so-thats-what-weblogic-certificate.html
> with no success.
>
> Error Stacktrace Weblogic:
> ####<Nov 19, 2012 8:39:51 AM CET> <Error> <> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <35e64a9808ed1790:3007597b:13b179b1226:-8000-0000000000000004> <1353310791212> <BEA-000000> <CertPathBuilder does not support building cert path from class weblogic.security.pk.X509ThumbprintSelector
> java.security.InvalidAlgorithmParameterException: [Security:090596]The WebLogicCertPathProvider was passed an unsupported CertPathSelector.
>         at weblogic.security.providers.pk.WebLogicCertPathProviderRuntimeImpl$JDKCertPathBuilder.engineBuild(WebLogicCertPathProviderRuntimeImpl.java:689)
>         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
>         at com.bea.common.security.internal.legacy.service.CertPathBuilderImpl$CertPathBuilderProviderImpl.build(CertPathBuilderImpl.java:67)
>         at com.bea.common.security.internal.service.CertPathBuilderServiceImpl.build(CertPathBuilderServiceImpl.java:86)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
>         at $Proxy59.build(Unknown Source)
>         at weblogic.security.service.WLSCertPathBuilderServiceWrapper.build(WLSCertPathBuilderServiceWrapper.java:62)
>         at weblogic.security.service.CertPathManager.build(CertPathManager.java:195)
>         at weblogic.security.service.CertPathManager$JDKCertPathBuilder.engineBuild(CertPathManager.java:265)
>         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
>         at weblogic.xml.crypto.utils.CertUtils.buildCertPath(CertUtils.java:159)
>         at weblogic.xml.crypto.utils.CertUtils.lookupCertificate(CertUtils.java:124)
>         at weblogic.xml.crypto.utils.CertUtils.lookupCertificate(CertUtils.java:108)
>         at weblogic.xml.crypto.wss11.internal.bst.BSTHandler.lookupCertificate(BSTHandler.java:79)
>         at weblogic.xml.crypto.wss11.internal.bst.BSTHandler.getTokenByKeyId(BSTHandler.java:59)
>         at weblogic.xml.crypto.wss.BinarySecurityTokenHandler.getSecurityToken(BinarySecurityTokenHandler.java:80)
>         at weblogic.xml.crypto.common.keyinfo.KeyResolver.setupKeyProviderFromContext(KeyResolver.java:344)
>         at weblogic.xml.crypto.common.keyinfo.KeyResolver.getKeyFromSTR(KeyResolver.java:295)
>         at weblogic.xml.crypto.common.keyinfo.KeyResolver.select(KeyResolver.java:127)
>         at weblogic.xml.crypto.dsig.SignedInfoImpl.getVerifyKey(SignedInfoImpl.java:227)
>         at weblogic.xml.crypto.dsig.SignedInfoImpl.validateSignature(SignedInfoImpl.java:113)
>         at weblogic.xml.crypto.dsig.XMLSignatureImpl.validate(XMLSignatureImpl.java:265)
>         at weblogic.xml.crypto.wss.SecurityImpl.unmarshalAndProcessSignature(SecurityImpl.java:724)
>         at weblogic.xml.crypto.wss.SecurityImpl.unmarshalAndProcessSignature(SecurityImpl.java:689)
>         at weblogic.xml.crypto.wss.SecurityImpl.unmarshalChildren(SecurityImpl.java:544)
>         at weblogic.xml.crypto.wss.SecurityImpl.unmarshalInternal(SecurityImpl.java:450)
>         at weblogic.xml.crypto.wss.SecurityImpl.unmarshal(SecurityImpl.java:418)
>         at weblogic.xml.crypto.wss11.internal.WSS11Factory.unmarshalAndProcessSecurity(WSS11Factory.java:33)
>         at weblogic.wsee.security.wssp.handlers.WssClientHandler.processInbound(WssClientHandler.java:149)
>         at weblogic.wsee.security.wssp.handlers.WssClientHandler.processResponse(WssClientHandler.java:134)
>         at weblogic.wsee.security.wssp.handlers.WssHandler.handleResponse(WssHandler.java:206)
>
> I don't see much difference between a Weblogic generated response and a CXF
> generated one, besides the fact that in Weblogic the STR inside the KeyInfo
> is signed, in CXF it's not. But this should not be the problem I guess?!
>
> CXF SOAP response:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>   <soap:Header>
>     <wsse:Security
>         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>         soap:mustUnderstand="1">
>       <wsu:Timestamp wsu:Id="TS-1">
>         <wsu:Created>2012-11-16T12:50:55.054Z</wsu:Created>
>         <wsu:Expires>2012-11-16T12:55:55.054Z</wsu:Expires>
>       </wsu:Timestamp>
>       <wsse11:SignatureConfirmation
>           xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
>           Value="WuJ58vqiRvVEO72+2YL421WdYt1J6C3skhl8ih7ky16sSIyfOOTPShzqSSq/Va9BQ1uwplnJfX7io8LM4gw0X5LEAzIeoy2dCeiHA4GY5KiO9K0Sh17gJhZoqR5l17oZrfnJUzXvDGUA5eupnl1BqZ1l0c0PJMslnSavwkcmVSA="
>           wsu:Id="SC-2" />
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-3">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>             <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap" />
>           </ds:CanonicalizationMethod>
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>           <ds:Reference URI="#TS-1">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap" />
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>             <ds:DigestValue>OgsxMMNFLQsz/9IsfVQs/oLuc+8=</ds:DigestValue>
>           </ds:Reference>
>           <ds:Reference URI="#SC-2">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap" />
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>             <ds:DigestValue>oG+UlTKMXY7/IbQpRxvPYySh60Y=</ds:DigestValue>
>           </ds:Reference>
>           <ds:Reference URI="#Id-3417205">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="" />
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>             <ds:DigestValue>rS4jFUikjRJY+jt6IKSIX7GXNWE=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>nX8nGcTY7Olu0UBX1S6KbKsGlP8exYu4FdSYCDCPWNm+pUH2PG7B8JJ2yJYFlL919nJUtOnndWYX7s3/eDTTQtR0hPWc6FNs0+yGr7yH6pSWlsbCf+a7n++FG8O+NKe6d2IyvJ4epLvgVVYaoj1RWYcPx31iAvTw6d7S16jZ184=</ds:SignatureValue>
>         <ds:KeyInfo Id="KI-A18E11179961A8826E13530702550772">
>           <wsse:SecurityTokenReference wsu:Id="STR-A18E11179961A8826E13530702550773">
>             <wsse:KeyIdentifier
>                 EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>                 ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">R0VTd2CEaTTD3qJ/lAomm31HARQ=</wsse:KeyIdentifier>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>   </soap:Header>
>   <soap:Body
>       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>       wsu:Id="Id-3417205">
>     <ns2:doitResponse xmlns:ns2="http://ws.ssotest/">
>       <return>doit() called.</return>
>     </ns2:doitResponse>
>   </soap:Body>
> </soap:Envelope>
>
> Weblogic SOAP response for comparison:
> <?xml version='1.0' encoding='UTF-8'?>
> <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
>   <S:Header>
>     <wsse:Security
>         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>         S:mustUnderstand="1">
>       <wsse11:SignatureConfirmation
>           xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
>           Value="BX/qFA56YzPI4Ybtmiqqk2BBqQHDA9FZ+fNwCXC++Tfb8PAQWTwjp8WRVyeCw5f1vMT9ABi8p2bUkdi/Z2T/cQ4D2hf3Y6SbZVu2v08yh8QZFSRubGqKGFqhV0Z6MSjdrj64nu7JMDKWe4OwSUZf58khfx6Kij7j+Eo2Jqq8k4Y="
>           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>           wsu:Id="sigconf_Y1dLkZE12R3lo84g" />
>       <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>         <dsig:SignedInfo>
>           <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>           <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>           <dsig:Reference URI="#Timestamp_fyeHCdDCF1Q1mEQT">
>             <dsig:Transforms>
>               <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>             </dsig:Transforms>
>             <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>             <dsig:DigestValue>U6EZCrkoZVK51ldTBm01yjGvTqo=</dsig:DigestValue>
>           </dsig:Reference>
>           <dsig:Reference URI="#Body_dak1e6clIuiK32Q8">
>             <dsig:Transforms>
>               <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>             </dsig:Transforms>
>             <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>             <dsig:DigestValue>GpX21h7vU1Sv/5fAltIB7AC9JLk=</dsig:DigestValue>
>           </dsig:Reference>
>           <dsig:Reference URI="#sigconf_Y1dLkZE12R3lo84g">
>             <dsig:Transforms>
>               <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>             </dsig:Transforms>
>             <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>             <dsig:DigestValue>H/1u/9+eXPty0gZry3P6kC9lVjE=</dsig:DigestValue>
>           </dsig:Reference>
>           <dsig:Reference URI="#str_dEoDQOLRAT5qy2ha">
>             <dsig:Transforms>
>               <dsig:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
>                 <wsse:TransformationParameters>
>                   <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>                 </wsse:TransformationParameters>
>               </dsig:Transform>
>             </dsig:Transforms>
>             <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>             <dsig:DigestValue>QwS0Bh2Dck6G5rCKyyGwLzCivGM=</dsig:DigestValue>
>           </dsig:Reference>
>         </dsig:SignedInfo>
>         <dsig:SignatureValue>KsGzFjk9DEF56FfVQt9LnTHu7IWYrMu338Y8ntQWVXkIUp/+aUq2tAHWdG0uRyGwgyptkvyU2sAiHszLcHUXUSjt1MtIzHRNooEPsEzJCeeLDlrwhZ/zRglRMcLveI5rdWZYJmTRKo8zGyuCHesHqUWslWQBrbBW8rlIt0ZSwtg=</dsig:SignatureValue>
>         <dsig:KeyInfo>
>           <wsse:SecurityTokenReference
>               xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>               xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
>               xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>               wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>               wsu:Id="str_dEoDQOLRAT5qy2ha">
>             <wsse:KeyIdentifier
>                 EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>                 ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">SSp+oSTFJ/0AMjafPrgRAJyDZRg=</wsse:KeyIdentifier>
>           </wsse:SecurityTokenReference>
>         </dsig:KeyInfo>
>       </dsig:Signature>
>       <wsu:Timestamp
>           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>           wsu:Id="Timestamp_fyeHCdDCF1Q1mEQT">
>         <wsu:Created>2012-11-16T15:13:20Z</wsu:Created>
>         <wsu:Expires>2012-11-16T15:14:20Z</wsu:Expires>
>       </wsu:Timestamp>
>     </wsse:Security>
>   </S:Header>
>   <S:Body
>       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>       wsu:Id="Body_dak1e6clIuiK32Q8">
>     <ns0:doitResponse xmlns:ns0="http://ws.ssotest/">
>       <return>triebela called web service 'SAML2TestService.doit' successfully.</return>
>     </ns0:doitResponse>
>   </S:Body>
> </S:Envelope>
>
> -Andreas
>
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Signature-Interop-Issue-Weblogic-Apache-CXF-tp5718487p5718688.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
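Colm's suggestion turns on how the receiving side locates the signer's certificate from the `wsse:SecurityTokenReference`. In both captured responses the STR carries only a `ThumbprintSHA1` `wsse:KeyIdentifier` and no `BinarySecurityToken`, so the receiver has to find a certificate it already holds whose SHA-1 thumbprint matches; the WebLogic stack trace shows exactly that lookup (`BSTHandler.getTokenByKeyId` into `CertUtils.lookupCertificate` into `CertPathBuilder.build`) being refused because the `WebLogicCertPathProvider` does not accept an `X509ThumbprintSelector`. An IssuerSerial reference instead names the certificate by issuer DN plus serial number (the `ds:X509IssuerSerial` element inside the STR); in WS-SecurityPolicy terms that is swapping `sp:RequireThumbprintReference` for `sp:RequireIssuerSerialReference` under the X.509 token assertion. The following plain-JDK program is an added example, not code from this thread, CXF, WSS4J or WebLogic: it computes the thumbprint value as it appears in the `KeyIdentifier` element and resolves a certificate from a truststore by either reference style. The truststore path (`truststore.jks`), password and alias (`cxf-signer`) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Enumeration;
import javax.security.auth.x500.X500Principal;

/**
 * Added example (not project code): resolve a signer certificate from a
 * truststore using the two SecurityTokenReference styles discussed above.
 *  - ThumbprintSHA1: Base64(SHA-1(DER-encoded certificate)), the value that
 *    appears in <wsse:KeyIdentifier ValueType="...#ThumbprintSHA1">.
 *  - IssuerSerial: issuer DN + serial number, the content of
 *    <ds:X509IssuerSerial> inside <ds:X509Data>.
 * Keystore file, password and alias below are assumptions.
 */
public class StrResolver {

    private final KeyStore trustStore;

    public StrResolver(KeyStore trustStore) {
        this.trustStore = trustStore;
    }

    /** Exactly what a ThumbprintSHA1 KeyIdentifier carries for this certificate. */
    public static String thumbprintSha1(X509Certificate cert) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        return Base64.getEncoder().encodeToString(sha1.digest(cert.getEncoded()));
    }

    /**
     * Thumbprint lookup: the message carries no certificate, so the receiver
     * must already hold the exact certificate bytes in its store.
     */
    public X509Certificate byThumbprint(String base64Thumbprint) throws Exception {
        byte[] wanted = Base64.getDecoder().decode(base64Thumbprint);
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        for (Enumeration<String> aliases = trustStore.aliases(); aliases.hasMoreElements();) {
            Certificate c = trustStore.getCertificate(aliases.nextElement());
            if (c instanceof X509Certificate
                    && MessageDigest.isEqual(wanted, sha1.digest(c.getEncoded()))) {
                return (X509Certificate) c;
            }
        }
        return null;
    }

    /**
     * IssuerSerial lookup using the JDK's standard X509CertSelector; the
     * issuer DN is compared as an X500Principal, not as a raw string.
     */
    public X509Certificate byIssuerSerial(String issuerDn, BigInteger serial) throws Exception {
        X509CertSelector selector = new X509CertSelector();
        selector.setIssuer(new X500Principal(issuerDn));
        selector.setSerialNumber(serial);
        for (Enumeration<String> aliases = trustStore.aliases(); aliases.hasMoreElements();) {
            Certificate c = trustStore.getCertificate(aliases.nextElement());
            if (selector.match(c)) {
                return (X509Certificate) c;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Assumed: a JKS truststore that holds the CXF signer certificate.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream("truststore.jks")) {
            ks.load(in, "changeit".toCharArray());
        }
        StrResolver resolver = new StrResolver(ks);
        X509Certificate signer = (X509Certificate) ks.getCertificate("cxf-signer");

        // What CXF puts on the wire with a Thumbprint reference, and whether we can resolve it.
        String thumbprint = thumbprintSha1(signer);
        System.out.println("ThumbprintSHA1 KeyIdentifier: " + thumbprint);
        System.out.println("resolved by thumbprint: " + (resolver.byThumbprint(thumbprint) != null));

        // What an IssuerSerial reference carries instead, and the same resolution.
        String issuer = signer.getIssuerX500Principal().getName();
        BigInteger serial = signer.getSerialNumber();
        System.out.println("X509IssuerName: " + issuer + "  X509SerialNumber: " + serial);
        System.out.println("resolved by issuer/serial: " + (resolver.byIssuerSerial(issuer, serial) != null));
    }
}
```

Whichever reference style is chosen, the receiver still needs the signer certificate in a store it trusts; the thumbprint merely binds the lookup to one exact encoded certificate, whereas issuer plus serial leaves the match to DN comparison rules, which is why `X509CertSelector` and an `X500Principal` are used above rather than string equality.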
