Hi Mike,

Firstly, what version of WSS4J are you using?

Secondly, I don't understand your explanation, e.g. where is "id-5" in
the message you posted? Is the signature referring to another message
that was previously received?

Colm.

On Mon, Dec 5, 2011 at 9:59 AM, Mike O'Connell <[email protected]> wrote:
> Hi All
>
> I'm having some signature verification issues when receiving a signed
> message (using the AS4 specification).
>
> In AS4 the spec allows for a receipt to contain the ds:Reference
> (URI AS4-1340D972B85-751B2@000000000_1) element of the message previously
> received for verification purposes. However I suspect that the signature
> validation process picks this reference up and fails when attempting to
> verify the ds:Reference (URI id-5) in the ds:Signature element.
>
> Can someone confirm that it's either omitting the ds:Reference
> (URI AS4-1340D972B85-751B2@000000000_1) from the check and thus failing the
> verification or that it's attempting to verify that ds:Reference
> (URI AS4-1340D972B85-751B2@000000000_1).
>
> I've tried digging through the source, but can't find where the reference
> list is built or where the DOMXMLSignatureFactory.unmarshalXMLSignature
> implementation is as per:
>
> XMLSignature xmlSignature = signatureFactory.unmarshalXMLSignature(context);
>
> Please see logs (and message) below...
>
> Thanks,
>
> Mike
>
> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
> <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
>   <env:Header>
>     <wsse:Security
>         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>         env:mustUnderstand="true">
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>             <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>           </ds:CanonicalizationMethod>
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>           <ds:Reference URI="#id-1">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>HnREEHPpyGEBGy/AHduJbNLdfc38B7nnGmb0uUIYBE9luH81uhFbX00tbjL5/+KDkUVi5MfUtDYW
> 5bOs4dA1i04f8jKsubjw46O1DNPAblAM1aEy1PRGDQsg4S7E4n7JGfSZdn6KcOppWAWE2xsanxC7
> izdd/BjfOThcmNXyU0k=</ds:SignatureValue>
>         <ds:KeyInfo Id="KI-6C1B8765799420834813230790910795">
>           <wsse:SecurityTokenReference wsu:Id="STR-6C1B8765799420834813230790910796">
>             <ds:X509Data>
>               <ds:X509IssuerSerial>
>                 <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
>                 <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
>               </ds:X509IssuerSerial>
>             </ds:X509Data>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>     <eb:Messaging
>         xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>         wsu:Id="id-1">
>       <eb:SignalMessage>
>         <eb:MessageInfo>
>           <eb:Timestamp>2011-12-05T09:58:11.056Z</eb:Timestamp>
>           <eb:MessageId>FMS-A-20111205-115809.534-0.9578405727393108@999999999</eb:MessageId>
>           <eb:RefToMessageId>AS4-1340DA8B82E-C7F0C@000000000</eb:RefToMessageId>
>         </eb:MessageInfo>
>         <eb:Receipt>
>           <ebbpsig:NonRepudiationInformation xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
>             <ebbpsig:MessagePartNRInformation>
>               <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>                   URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
>                 <ds:Transforms>
>                   <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                     <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds ebbpsig env wsu"/>
>                   </ds:Transform>
>                 </ds:Transforms>
>                 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                 <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
>               </ds:Reference>
>             </ebbpsig:MessagePartNRInformation>
>           </ebbpsig:NonRepudiationInformation>
>         </eb:Receipt>
>       </eb:SignalMessage>
>     </eb:Messaging>
>   </env:Header>
>   <env:Body/>
> </env:Envelope>
>
>  Performing Security header verification
> [DEBUG] WSSecurityEngine - enter processSecurityHeader()
> [DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
> [DEBUG] SignatureProcessor - Found signature element
> [DEBUG] SignatureTrustValidator - Transmitted certificate has subject
> C=ZA,CN=localhost
> [DEBUG] SignatureTrustValidator - Transmitted certificate has issuer
> C=ZA,CN=localhost (serial 1305901688879)
> [DEBUG] SignatureTrustValidator - Direct trust for certificate with
> C=ZA,CN=localhost
> [DEBUG] SignatureProcessor - Verify XML Signature
> [DEBUG] SignatureProcessor - XML Signature verification has failed
> [DEBUG] SignatureProcessor - Signature Validation check: true
> [DEBUG] SignatureProcessor - Reference #id-1 check: false
> Security Error: : The signature or decryption was invalid



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
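The question above turns on which ds:Reference elements a verifier actually processes. In XML Signature, only the ds:Reference children of ds:SignedInfo are validated; a ds:Reference that sits anywhere else (here, inside the ebbpsig:NonRepudiationInformation receipt) is ordinary signed content and is never dereferenced by the signature check. The log lines "Signature Validation check: true" and "Reference #id-1 check: false" likewise say that the RSA signature over SignedInfo verified, but the digest of the element with wsu:Id="id-1" did not match, which points at that element (the eb:Messaging header) having been altered between signing and verification rather than at the receipt's reference. The following added example (not WSS4J code, and not from the thread's participants) parses a trimmed copy of the posted receipt and separates the references the verifier checks from the ones that are only payload, resolving each checked URI against wsu:Id, Id and xml:id. The resolver is a deliberately small stand-in for WSS4J's own ID lookup, an assumption noted in the code:

```python
"""Triage the ds:Reference elements of a WS-Security signed SOAP message.

Stand-alone example, not WSS4J code: it separates the references an XML-DSig
verifier checks (those under ds:SignedInfo) from ds:Reference elements that are
merely payload, such as the one inside an AS4 NonRepudiationInformation receipt.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
XML_NS = "http://www.w3.org/XML/1998/namespace"

# Trimmed copy of the AS4 receipt from the thread (SignatureValue, KeyInfo and
# Transforms removed); the ids and digest values are the ones that were posted.
RECEIPT = """<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        env:mustUnderstand="true">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-1">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
      </ds:Signature>
    </wsse:Security>
    <eb:Messaging xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="id-1">
      <eb:SignalMessage>
        <eb:Receipt>
          <ebbpsig:NonRepudiationInformation xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
            <ebbpsig:MessagePartNRInformation>
              <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
              </ds:Reference>
            </ebbpsig:MessagePartNRInformation>
          </ebbpsig:NonRepudiationInformation>
        </eb:Receipt>
      </eb:SignalMessage>
    </eb:Messaging>
  </env:Header>
  <env:Body/>
</env:Envelope>
"""


def classify_references(root):
    """Split every ds:Reference URI into (checked, payload).

    XML-DSig validates only the ds:Reference elements under ds:SignedInfo;
    a ds:Reference anywhere else is just signed content."""
    parent = {child: p for p in root.iter() for child in p}
    checked, payload = [], []
    for ref in root.iter(f"{{{DS}}}Reference"):
        node, under_signed_info = ref, False
        while node in parent:
            node = parent[node]
            if node.tag == f"{{{DS}}}SignedInfo":
                under_signed_info = True
                break
        (checked if under_signed_info else payload).append(ref.get("URI"))
    return checked, payload


def resolve_same_document_uri(root, uri):
    """Return the element a '#id' URI points at, or None if none carries it.

    WS-Security labels elements with wsu:Id; plain Id and xml:id are the other
    attributes usually honoured. Assumption: this small resolver stands in for
    WSS4J's real ID lookup and is not its implementation."""
    if not uri or not uri.startswith("#"):
        return None
    wanted = uri[1:]
    for el in root.iter():
        for attr in (f"{{{WSU}}}Id", "Id", f"{{{XML_NS}}}id"):
            if el.get(attr) == wanted:
                return el
    return None


def triage(xml_text):
    """Map each checked reference to its target's local name (None when the
    URI resolves to nothing) and list the payload-only references."""
    root = ET.fromstring(xml_text)
    checked, payload = classify_references(root)
    targets = {}
    for uri in checked:
        el = resolve_same_document_uri(root, uri)
        targets[uri] = None if el is None else el.tag.split("}")[-1]
    return targets, payload


if __name__ == "__main__":
    targets, payload = triage(RECEIPT)
    for uri, name in targets.items():
        print(f"verifier checks {uri} -> {name or 'UNRESOLVABLE'}")
    for uri in payload:
        print(f"payload only    {uri} (not validated by the signature)")
```

Running it against the posted receipt reports a single checked reference, #id-1, resolving to eb:Messaging, and lists #AS4-1340DA8B82E-C7F0C@000000000_1 as payload that the signature never dereferences; renaming the wsu:Id on eb:Messaging makes #id-1 unresolvable, which is the situation a verifier reports when a signature points at an id that is not in the message it is checking.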
