Hi guys,

first of all, thanks for the great frameworks CXF and WSS4J!

I have set up a web service with signature validation that I'm calling from
SoapUI, and when validating the signatures, WSS4J cannot resolve the
<Reference>'d elements in the signatures, with an exception:

javax.xml.crypto.dsig.XMLSignatureException:
javax.xml.crypto.URIReferenceException:
org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot
resolve element with ID id-132

What is being signed are all WS-Addressing headers and the message body.
What is weird is that, by debugging the code, it seems that WSS4J always
manages to resolve only the "RelatesTo" and the message body, but not any
of the other WS-Addressing headers.

I have set a breakpoint in the class
org.apache.wss4j.dom.processor.SignatureProcessor:372:
Code:
            // Test for replay attacks
            testMessageReplay(elem, xmlSignature.getSignatureValue().getValue(), key, data, wsDocInfo);

            setElementsOnContext(xmlSignature, (DOMValidateContext) context, data, wsDocInfo);
            boolean signatureOk = xmlSignature.validate(context);
            if (signatureOk) {
                return xmlSignature;
            }

After calling "setElementsOnContext", the "context" object of type
"DOMValidateContext" always only contains the "RelatesTo" and "Body"
elements in the "idMap" HashMap:
Contents of "idMap" in DOMValidateContext:

{id-137=[wsa:RelatesTo: null], id-139=[soap:Body: null]}


It's a complete mystery to me why WSS4J is not able to find the other
referenced elements. All the elements are referenced in the same way, using
an id:
<ds:Reference URI="#id-133">

I'm using CXF version 3.2.4
Tomcat 9.0.10
And I'm calling the web service using Soap UI 5.3.0

Below is a simplified version of the Soap message.
Any help on what could be going wrong is greatly appreciated.

<soap:Envelope xmlns:ns="http://blabla.test" xmlns:ns1="http://blabla.xxx"
xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
   <soap:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
      <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
         <wsse:BinarySecurityToken>...</wsse:BinarySecurityToken>
         <ds:Signature Id="SIG-140" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <ec:InclusiveNamespaces PrefixList="wsa ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               </ds:CanonicalizationMethod>
               <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
               <ds:Reference URI="#id-132">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                     </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                  <ds:DigestValue>igHah0Fsph3yT1AfqBPAQFwZoe21h7Xaw5/XN/EI/TM=</ds:DigestValue>
               </ds:Reference>
               <ds:Reference URI="#id-133">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                     </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                  <ds:DigestValue>BvwYUy3zLMTN6UHkNhuZG2iLlv8jT/zTuMDXaaj39uk=</ds:DigestValue>
               </ds:Reference>
               <ds:Reference URI="#id-134">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                     </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                  <ds:DigestValue>ds9Kq8RNZFb8O1Liud1TxxlEm4aMeoLpm3pO10Efw8A=</ds:DigestValue>
               </ds:Reference>
               <ds:Reference URI="#id-135">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                     </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                  <ds:DigestValue>OQW8p1GB6BlIr5sKp/vRRyZrwMTIK7tbTKU64JxkiM4=</ds:DigestValue>
               </ds:Reference>
               <ds:Reference URI="#id-136">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                     </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                  <ds:DigestValue>UdwSWsTRFhFH3qgeCESL1RPy+5B/RpWkZXzHANiBBeA=</ds:DigestValue>
               </ds:Reference>
               <ds:Reference URI="#id-137">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                     </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                  <ds:DigestValue>QQgyhzpWNnFn97J2NpJcYAeoDtgFxVeHtCsgbu4UiZg=</ds:DigestValue>
               </ds:Reference>
               <ds:Reference URI="#id-138">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                     </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                  <ds:DigestValue>5xuElno+hnvrP9kEEydeqnOr31CnwwaibbGULWt45oo=</ds:DigestValue>
               </ds:Reference>
               <ds:Reference URI="#id-139">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="ns ns1" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                     </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                  <ds:DigestValue>LyjD1agKv+vE6BJHvRfQaVMwkUscqFFOhTgeljsdVxA=</ds:DigestValue>
               </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>....</ds:SignatureValue>
            <ds:KeyInfo Id="...">
               <wsse:SecurityTokenReference wsu:Id="STR-7FFC76A4DC1B36D2C1153484111729556">
                  <wsse:Reference URI="#X509-7FFC76A4DC1B36D2C1153484111729554"
                     ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
               </wsse:SecurityTokenReference>
            </ds:KeyInfo>
         </ds:Signature>
         <xenc:EncryptedKey Id="..." xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
               <wsse:SecurityTokenReference>
                  <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                     ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">.....</wsse:KeyIdentifier>
               </wsse:SecurityTokenReference>
            </ds:KeyInfo>
            <xenc:CipherData>
               <xenc:CipherValue>....</xenc:CipherValue>
            </xenc:CipherData>
            <xenc:ReferenceList>
               <xenc:DataReference URI="#ED-131"/>
            </xenc:ReferenceList>
         </xenc:EncryptedKey>
      </wsse:Security>
      <wsa:RelatesTo wsu:Id="id-137" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">relatesToBlablaTest</wsa:RelatesTo>
      <wsa:Action wsu:Id="id-132" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">http://test.action</wsa:Action>
      <wsa:ReplyTo wsu:Id="id-135" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
         <wsa:Address>https://localhost:8008/ReplyTo</wsa:Address>
      </wsa:ReplyTo>
      <wsa:From wsu:Id="id-133" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
         <wsa:Address>https://localhost:8008/From</wsa:Address>
      </wsa:From>
      <wsa:FaultTo wsu:Id="id-134" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
         <wsa:Address>https://localhost:8008/FaultTo</wsa:Address>
      </wsa:FaultTo>
      <wsa:MessageID wsu:Id="id-136" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">uuid:72fb1403-c8af-4d17-bd80-6a9a594c2980</wsa:MessageID>
      <wsa:To wsu:Id="id-138" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">https://localhost:8008/to</wsa:To>
   </soap:Header>
   <soap:Body wsu:Id="id-139" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <xenc:EncryptedData Id="ED-131" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"
               xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
               xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
               <wsse:Reference URI="#EK-7FFC76A4DC1B36D2C1153484111728653"/>
            </wsse:SecurityTokenReference>
         </ds:KeyInfo>
         <xenc:CipherData>
            <xenc:CipherValue>.........</xenc:CipherValue>
         </xenc:CipherData>
      </xenc:EncryptedData>
   </soap:Body>
</soap:Envelope>

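As an added diagnostic (not code from CXF, WSS4J, or the original post), the following Python script does by hand what `setElementsOnContext` has to do before `validate` can run: it collects every element that carries an Id attribute and resolves each `ds:Reference URI="#..."` against that map, reporting which element each reference lands on. It runs offline against a constructed, trimmed-down version of the envelope above; the reference `#id-999` is deliberately dangling to show the unresolved case, and the `accepted` parameter, `SAMPLE`, and the function names are this example's own. A value carried by more than one element is reported as ambiguous rather than resolved, because duplicate Ids are the precondition for XML signature-wrapping attacks, where the verifier digests one element and the application consumes another.

```python
"""Resolve ds:Reference URIs of a WS-Security signature against the Id
attributes present in the envelope (added diagnostic, not WSS4J code)."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Id attributes a WS-Security verifier keys on: the utility-namespace wsu:Id
# on headers and Body, and the unqualified Id used by ds:Signature itself.
ID_ATTRS = (f"{{{WSU}}}Id", "Id")

# Constructed sample: a cut-down version of the envelope from the post, with
# digests elided and one dangling reference (#id-999) added on purpose.
SAMPLE = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
  xmlns:wsa="http://www.w3.org/2005/08/addressing"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soap:Header>
    <wsse:Security>
      <ds:Signature Id="SIG-140">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-132"><ds:DigestValue>...</ds:DigestValue></ds:Reference>
          <ds:Reference URI="#id-137"><ds:DigestValue>...</ds:DigestValue></ds:Reference>
          <ds:Reference URI="#id-139"><ds:DigestValue>...</ds:DigestValue></ds:Reference>
          <ds:Reference URI="#id-999"><ds:DigestValue>...</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
    <wsa:RelatesTo wsu:Id="id-137">relatesToBlablaTest</wsa:RelatesTo>
    <wsa:Action wsu:Id="id-132">http://test.action</wsa:Action>
  </soap:Header>
  <soap:Body wsu:Id="id-139"><ns:Ping xmlns:ns="http://blabla.test"/></soap:Body>
</soap:Envelope>"""


def collect_ids(root, accepted=ID_ATTRS):
    """Map every Id value in the document to the elements that carry it.
    Only attributes listed in `accepted` count; anything else is invisible
    to the resolver, exactly as a verifier that trusts only known Id types."""
    ids = {}
    for el in root.iter():
        for attr in accepted:
            value = el.get(attr)
            if value is not None:
                ids.setdefault(value, []).append(el)
    return ids


def check_references(xml_text, accepted=ID_ATTRS):
    """Return {URI: status} for every ds:Reference in the envelope.
    status is the resolved element's qualified tag, or one of
    'UNRESOLVED', 'AMBIGUOUS', 'NOT-SAME-DOCUMENT'."""
    root = ET.fromstring(xml_text)
    ids = collect_ids(root, accepted)
    result = {}
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            # Only same-document fragment references are resolved here.
            result[uri] = "NOT-SAME-DOCUMENT"
            continue
        targets = ids.get(uri[1:], [])
        if not targets:
            result[uri] = "UNRESOLVED"
        elif len(targets) > 1:
            # Two elements with one Id: refuse rather than pick one.
            result[uri] = "AMBIGUOUS"
        else:
            result[uri] = targets[0].tag
    return result


if __name__ == "__main__":
    for uri, status in check_references(SAMPLE).items():
        print(f"{uri:10} -> {status}")
```

Running it on the sample lists the three headers and Body that resolve and flags `#id-999` as unresolved; passing `accepted=(f"{{{WSU}}}Id",)` restricts resolution to `wsu:Id` only, which is useful for checking whether a reference is pointing at an element whose Id lives in a different namespace than the verifier expects.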