Hi All

I'm having some signature verification issues when receiving a signed message 
(using the AS4 specification).

In AS4, the spec allows a receipt to contain the ds:Reference (URI 
AS4-1340D972B85-751B2@000000000_1) element of the message previously received, 
for verification purposes. However, I suspect that the signature validation 
process picks this reference up and fails when attempting to verify the 
ds:Reference (URI id-5) in the ds:Signature element. 

Can someone confirm whether it is omitting the ds:Reference (URI 
AS4-1340D972B85-751B2@000000000_1) from the check and thus failing the 
verification, or whether it is attempting to verify that ds:Reference (URI 
AS4-1340D972B85-751B2@000000000_1)?

I've tried digging through the source, but can't find where the reference list 
is built or where the DOMXMLSignatureFactory.unmarshalXMLSignature 
implementation is, as called from: 

XMLSignature xmlSignature = signatureFactory.unmarshalXMLSignature(context);

Please see logs (and message) below...

Thanks,

Mike





<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Header>
    <wsse:Security 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 env:mustUnderstand="true">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces 
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-1">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces 
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        
<ds:SignatureValue>HnREEHPpyGEBGy/AHduJbNLdfc38B7nnGmb0uUIYBE9luH81uhFbX00tbjL5/+KDkUVi5MfUtDYW
5bOs4dA1i04f8jKsubjw46O1DNPAblAM1aEy1PRGDQsg4S7E4n7JGfSZdn6KcOppWAWE2xsanxC7
izdd/BjfOThcmNXyU0k=</ds:SignatureValue>
        <ds:KeyInfo Id="KI-6C1B8765799420834813230790910795">
          <wsse:SecurityTokenReference 
wsu:Id="STR-6C1B8765799420834813230790910796">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
                <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
    <eb:Messaging 
xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 wsu:Id="id-1">
      <eb:SignalMessage>
        <eb:MessageInfo>
          <eb:Timestamp>2011-12-05T09:58:11.056Z</eb:Timestamp>
          
<eb:MessageId>FMS-A-20111205-115809.534-0.9578405727393108@999999999</eb:MessageId>
          <eb:RefToMessageId>AS4-1340DA8B82E-C7F0C@000000000</eb:RefToMessageId>
        </eb:MessageInfo>
        <eb:Receipt>
          <ebbpsig:NonRepudiationInformation 
xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
            <ebbpsig:MessagePartNRInformation>
              <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
                <ds:Transforms>
                  <ds:Transform 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <ec:InclusiveNamespaces 
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds ebbpsig env 
wsu"/>
                  </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
              </ds:Reference>
            </ebbpsig:MessagePartNRInformation>
          </ebbpsig:NonRepudiationInformation>
        </eb:Receipt>
      </eb:SignalMessage>
    </eb:Messaging>
  </env:Header>
  <env:Body/>
</env:Envelope>

 Performing Security header verification
[DEBUG] WSSecurityEngine - enter processSecurityHeader()
[DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
[DEBUG] SignatureProcessor - Found signature element
[DEBUG] SignatureTrustValidator - Transmitted certificate has subject 
C=ZA,CN=localhost
[DEBUG] SignatureTrustValidator - Transmitted certificate has issuer 
C=ZA,CN=localhost (serial 1305901688879)
[DEBUG] SignatureTrustValidator - Direct trust for certificate with 
C=ZA,CN=localhost
[DEBUG] SignatureProcessor - Verify XML Signature
[DEBUG] SignatureProcessor - XML Signature verification has failed
[DEBUG] SignatureProcessor - Signature Validation check: true
[DEBUG] SignatureProcessor - Reference #id-1 check: false
Security Error: : The signature or decryption was invalid
