Hi guys, first of all, thanks for the great frameworks CXF and WSS4J!
I have set up a web service with signature validation that I'm calling from SoapUI, and when validating the signatures, WSS4J cannot resolve the <Reference>'d elements in the signatures, with an exception:

javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID id-132

What is being signed are all WS-Addressing headers and the message body. What is weird is that by debugging the code it seems that WSS4J always manages to resolve only the "RelatesTo" and the message body, but not any of the other WS-Addressing headers.

I have set a breakpoint in the class org.apache.wss4j.dom.processor.SignatureProcessor:372:

Code:

    // Test for replay attacks
    testMessageReplay(elem, xmlSignature.getSignatureValue().getValue(), key, data, wsDocInfo);

    setElementsOnContext(xmlSignature, (DOMValidateContext)context, data, wsDocInfo);

    boolean signatureOk = xmlSignature.validate(context);
    if (signatureOk) {
        return xmlSignature;
    }

After calling "setElementsOnContext", the "context" object of type "DOMValidateContext" always only contains the "RelatesTo" and "Body" elements in the "idMap" HashMap.

Contents of "idMap" in DOMValidateContext:

    {id-137=[wsa:RelatesTo: null], id-139=[soap:Body: null]}

It's a complete mystery to me why WSS4J is not able to find the other referenced elements. All the elements are referenced in the same way, using an id:

    <ds:Reference URI="#id-133">

I'm using CXF version 3.2.4 and Tomcat 9.0.10, and I'm calling the web service using SoapUI 5.3.0.

Below is a simplified version of the SOAP message. Any help on what could be going wrong is greatly appreciated.
<soap:Envelope xmlns:ns="http://blabla.test" xmlns:ns1="http://blabla.xxx" xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:BinarySecurityToken>...</wsse:BinarySecurityToken>
      <ds:Signature Id="SIG-140" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="wsa ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-132">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>igHah0Fsph3yT1AfqBPAQFwZoe21h7Xaw5/XN/EI/TM=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-133">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>BvwYUy3zLMTN6UHkNhuZG2iLlv8jT/zTuMDXaaj39uk=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-134">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>ds9Kq8RNZFb8O1Liud1TxxlEm4aMeoLpm3pO10Efw8A=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-135">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>OQW8p1GB6BlIr5sKp/vRRyZrwMTIK7tbTKU64JxkiM4=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-136">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>UdwSWsTRFhFH3qgeCESL1RPy+5B/RpWkZXzHANiBBeA=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-137">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>QQgyhzpWNnFn97J2NpJcYAeoDtgFxVeHtCsgbu4UiZg=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-138">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="ns ns1 soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>5xuElno+hnvrP9kEEydeqnOr31CnwwaibbGULWt45oo=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-139">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="ns ns1" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>LyjD1agKv+vE6BJHvRfQaVMwkUscqFFOhTgeljsdVxA=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>....</ds:SignatureValue>
        <ds:KeyInfo Id="...">
          <wsse:SecurityTokenReference wsu:Id="STR-7FFC76A4DC1B36D2C1153484111729556">
            <wsse:Reference URI="#X509-7FFC76A4DC1B36D2C1153484111729554" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <xenc:EncryptedKey Id="..." xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">.....</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>....</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#ED-131"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
    <wsa:RelatesTo wsu:Id="id-137" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">relatesToBlablaTest</wsa:RelatesTo>
    <wsa:Action wsu:Id="id-132" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">http://test.action</wsa:Action>
    <wsa:ReplyTo wsu:Id="id-135" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsa:Address>https://localhost:8008/ReplyTo</wsa:Address>
    </wsa:ReplyTo>
    <wsa:From wsu:Id="id-133" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsa:Address>https://localhost:8008/From</wsa:Address>
    </wsa:From>
    <wsa:FaultTo wsu:Id="id-134" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsa:Address>https://localhost:8008/FaultTo</wsa:Address>
    </wsa:FaultTo>
    <wsa:MessageID wsu:Id="id-136" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">uuid:72fb1403-c8af-4d17-bd80-6a9a594c2980</wsa:MessageID>
    <wsa:To wsu:Id="id-138" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">https://localhost:8008/to</wsa:To>
  </soap:Header>
  <soap:Body wsu:Id="id-139" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <xenc:EncryptedData Id="ED-131" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
          <wsse:Reference URI="#EK-7FFC76A4DC1B36D2C1153484111728653"/>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>.........</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>
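A cross-check worth running on a message like the one above, added here as an example and not code from CXF or WSS4J (it does not reproduce WSS4J's own resolver): it lists every ds:Reference URI and reports whether exactly one element carries that value as a wsu:Id, and it flags Id attributes whose namespace only equals the WS-Security utility namespace after stripping whitespace, since namespace URIs are compared as exact strings and the pasted message shows leading spaces inside several declarations. The envelope is a constructed, abridged copy of the posted one with one reference (#id-999) deliberately left unresolved.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed, abridged copy of the posted envelope: '#id-999' has no matching element
# on purpose, and wsa:Action declares the utility namespace with a leading space.
SAMPLE = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
 xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <soap:Header>
  <ds:Signature Id="SIG-140"><ds:SignedInfo>
   <ds:Reference URI="#id-132"/><ds:Reference URI="#id-137"/>
   <ds:Reference URI="#id-139"/><ds:Reference URI="#id-999"/>
  </ds:SignedInfo></ds:Signature>
  <wsa:RelatesTo wsu:Id="id-137">relatesToBlablaTest</wsa:RelatesTo>
  <wsa:Action xmlns:bad=" http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   bad:Id="id-132">http://test.action</wsa:Action>
 </soap:Header>
 <soap:Body wsu:Id="id-139"/>
</soap:Envelope>"""

def check_references(xml_text):
    """Return ({URI: status}, warnings); status is ok, missing, wrong-namespace, ambiguous
    or external. Warnings list Id attributes whose namespace is WSU plus stray whitespace."""
    root = ET.fromstring(xml_text)
    ids, warnings = {}, []   # Id value -> namespaces of the attributes carrying it
    for el in root.iter():
        for attr, value in el.attrib.items():
            # ElementTree spells a namespaced attribute as '{ns}local'
            ns, local = attr[1:].split("}", 1) if attr.startswith("{") else ("", attr)
            if local != "Id":
                continue
            if ns != WSU and ns.strip() == WSU:
                warnings.append(f"{el.tag}: Id namespace has stray whitespace: {ns!r}")
            ids.setdefault(value, []).append(ns)
    report = {}
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        hits = ids.get(uri[1:], []) if uri.startswith("#") else None
        if hits is None:
            report[uri] = "external"          # not a same-document reference
        elif not hits:
            report[uri] = "missing"           # no element carries this Id at all
        elif hits.count(WSU) == 1:
            report[uri] = "ok"
        elif WSU not in hits:
            report[uri] = "wrong-namespace"   # Id present, but not as wsu:Id
        else:
            report[uri] = "ambiguous"         # several elements carry this wsu:Id
    return report, warnings
```

Run it against the real wire message (captured at the transport, not copied from a mail archive) so the whitespace check reflects what WSS4J actually parsed.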