Hi Colm,

Wss4j - 1.6.3
Metro - 2.1.1
bcprov - jre6 145
Apologies, copy & paste error:

In AS4 the spec allows for a receipt to contain the ds:Reference (URI AS4-1340DA8B82E-C7F0C@000000000_1) element of the message previously received for verification purposes. However I suspect that the signature validation process picks this reference up and fails when attempting to verify the ds:Reference (URI id-1) in the ds:Signature element.

Can someone confirm that it's either omitting the ds:Reference (URI AS4-1340DA8B82E-C7F0C@000000000_1) from the check and thus failing the verification, or that it's attempting to verify that ds:Reference (URI AS4-1340DA8B82E-C7F0C@000000000_1).

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" env:mustUnderstand="true">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-1">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>HnREEHPpyGEBGy/AHduJbNLdfc38B7nnGmb0uUIYBE9luH81uhFbX00tbjL5/+KDkUVi5MfUtDYW
5bOs4dA1i04f8jKsubjw46O1DNPAblAM1aEy1PRGDQsg4S7E4n7JGfSZdn6KcOppWAWE2xsanxC7
izdd/BjfOThcmNXyU0k=</ds:SignatureValue>
        <ds:KeyInfo Id="KI-6C1B8765799420834813230790910795">
          <wsse:SecurityTokenReference wsu:Id="STR-6C1B8765799420834813230790910796">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
                <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
    <eb:Messaging xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-1">
      <eb:SignalMessage>
        <eb:MessageInfo>
          <eb:Timestamp>2011-12-05T09:58:11.056Z</eb:Timestamp>
          <eb:MessageId>FMS-A-20111205-115809.534-0.9578405727393108@999999999</eb:MessageId>
          <eb:RefToMessageId>AS4-1340DA8B82E-C7F0C@000000000</eb:RefToMessageId>
        </eb:MessageInfo>
        <eb:Receipt>
          <ebbpsig:NonRepudiationInformation xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
            <ebbpsig:MessagePartNRInformation>
              <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#" URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds ebbpsig env wsu"/>
                  </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
              </ds:Reference>
            </ebbpsig:MessagePartNRInformation>
          </ebbpsig:NonRepudiationInformation>
        </eb:Receipt>
      </eb:SignalMessage>
    </eb:Messaging>
  </env:Header>
  <env:Body/>
</env:Envelope>

[DEBUG] WSSecurityEngine - enter processSecurityHeader()
[DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
[DEBUG] SignatureProcessor - Found signature element
[DEBUG] SignatureTrustValidator - Transmitted certificate has subject C=ZA,CN=localhost
[DEBUG] SignatureTrustValidator - Transmitted certificate has issuer C=ZA,CN=localhost (serial 1305901688879)
[DEBUG] SignatureTrustValidator - Direct trust for certificate with C=ZA,CN=localhost
[DEBUG] SignatureProcessor - Verify XML Signature
[DEBUG] SignatureProcessor - XML Signature verification has failed
[DEBUG] SignatureProcessor - Signature Validation check: true
[DEBUG] SignatureProcessor - Reference #id-1 check: false
Security Error: : The signature or decryption was invalid

On 05 Dec 2011, at 12:33 PM, Colm O hEigeartaigh wrote:

> Hi Mike,
>
> Firstly, what version of WSS4J are you using?
>
> Secondly, I don't understand your explanation, e.g. where is "id-5" in
> the message you posted? Is the signature referring to another message
> that was previously received?
>
> Colm.
>
> On Mon, Dec 5, 2011 at 9:59 AM, Mike O'Connell <[email protected]> wrote:
>> Hi All
>>
>> I'm having some signature verification issues when receiving a signed
>> message (using the AS4 specification).
>>
>> In AS4 the spec allows for a receipt to contain the ds:Reference
>> (URI AS4-1340D972B85-751B2@000000000_1) element of the message previously
>> received for verification purposes. However I suspect that the signature
>> validation process picks this reference up and fails when attempting to
>> verify the ds:Reference (URI id-5) in the ds:Signature element.
>>
>> Can someone confirm that it's either omitting the ds:Reference
>> (URI AS4-1340D972B85-751B2@000000000_1) from the check and thus failing the
>> verification, or that it's attempting to verify that ds:Reference
>> (URI AS4-1340D972B85-751B2@000000000_1).
>>
>> I've tried digging through the source, but can't find where the reference
>> list is built or where the DOMXMLSignatureFactory.unmarshalXMLSignature
>> implementation is as per:
>>
>> XMLSignature xmlSignature = signatureFactory.unmarshalXMLSignature(context);
>>
>> Please see logs (and message) below...
>>
>> Thanks,
>>
>> Mike
>>
>> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
>> <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
>>   <env:Header>
>>     <wsse:Security
>>         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>         env:mustUnderstand="true">
>>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
>>         <ds:SignedInfo>
>>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>             <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>>           </ds:CanonicalizationMethod>
>>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>           <ds:Reference URI="#id-1">
>>             <ds:Transforms>
>>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>                 <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>>               </ds:Transform>
>>             </ds:Transforms>
>>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>             <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
>>           </ds:Reference>
>>         </ds:SignedInfo>
>>         <ds:SignatureValue>HnREEHPpyGEBGy/AHduJbNLdfc38B7nnGmb0uUIYBE9luH81uhFbX00tbjL5/+KDkUVi5MfUtDYW
>> 5bOs4dA1i04f8jKsubjw46O1DNPAblAM1aEy1PRGDQsg4S7E4n7JGfSZdn6KcOppWAWE2xsanxC7
>> izdd/BjfOThcmNXyU0k=</ds:SignatureValue>
>>         <ds:KeyInfo Id="KI-6C1B8765799420834813230790910795">
>>           <wsse:SecurityTokenReference wsu:Id="STR-6C1B8765799420834813230790910796">
>>             <ds:X509Data>
>>               <ds:X509IssuerSerial>
>>                 <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
>>                 <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
>>               </ds:X509IssuerSerial>
>>             </ds:X509Data>
>>           </wsse:SecurityTokenReference>
>>         </ds:KeyInfo>
>>       </ds:Signature>
>>     </wsse:Security>
>>     <eb:Messaging
>>         xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
>>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>         wsu:Id="id-1">
>>       <eb:SignalMessage>
>>         <eb:MessageInfo>
>>           <eb:Timestamp>2011-12-05T09:58:11.056Z</eb:Timestamp>
>>           <eb:MessageId>FMS-A-20111205-115809.534-0.9578405727393108@999999999</eb:MessageId>
>>           <eb:RefToMessageId>AS4-1340DA8B82E-C7F0C@000000000</eb:RefToMessageId>
>>         </eb:MessageInfo>
>>         <eb:Receipt>
>>           <ebbpsig:NonRepudiationInformation xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
>>             <ebbpsig:MessagePartNRInformation>
>>               <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#" URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
>>                 <ds:Transforms>
>>                   <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>                     <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds ebbpsig env wsu"/>
>>                   </ds:Transform>
>>                 </ds:Transforms>
>>                 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>                 <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
>>               </ds:Reference>
>>             </ebbpsig:MessagePartNRInformation>
>>           </ebbpsig:NonRepudiationInformation>
>>         </eb:Receipt>
>>       </eb:SignalMessage>
>>     </eb:Messaging>
>>   </env:Header>
>>   <env:Body/>
>> </env:Envelope>
>>
>> Performing Security header verification
>> [DEBUG] WSSecurityEngine - enter processSecurityHeader()
>> [DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
>> [DEBUG] SignatureProcessor - Found signature element
>> [DEBUG] SignatureTrustValidator - Transmitted certificate has subject C=ZA,CN=localhost
>> [DEBUG] SignatureTrustValidator - Transmitted certificate has issuer C=ZA,CN=localhost (serial 1305901688879)
>> [DEBUG] SignatureTrustValidator - Direct trust for certificate with C=ZA,CN=localhost
>> [DEBUG] SignatureProcessor - Verify XML Signature
>> [DEBUG] SignatureProcessor - XML Signature verification has failed
>> [DEBUG] SignatureProcessor - Signature Validation check: true
>> [DEBUG] SignatureProcessor - Reference #id-1 check: false
>> Security Error: : The signature or decryption was invalid
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
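An added example, not code from the thread, from WSS4J or from Metro, to make the two questions above concrete. XML-DSig reference validation (XMLDSig core, section 3.2.1) walks only the ds:Reference children of ds:SignedInfo. A ds:Reference that appears anywhere else in the document, such as the NonRepudiationInformation one inside eb:Receipt, is neither verified nor looked up; in the message posted above its URI does not resolve to any element in that document at all, since it points into the earlier user message. It does, however, sit inside the eb:Messaging element that #id-1 points at, so it is covered by that reference's digest. The script below runs this on a constructed sample shaped like the receipt: it lists which ds:Reference elements are verification targets, signs the sample, verifies it, then alters only the NRI digest and shows the same outcome the WSS4J log prints, signature over SignedInfo good, reference #id-1 bad. Assumptions, labelled in the code as well: the standard-library C14N 2.0 canonicalizer with prefix rewriting stands in for the exclusive C14N 1.0 and InclusiveNamespaces transform of the real message, HMAC-SHA1 with a fixed demo key stands in for RSA-SHA1, and the NRI digest string is copied from the thread rather than recomputed.

```python
# Added example, not WSS4J or Metro code: which ds:Reference elements an XML-DSig verifier checks.
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENV = "http://www.w3.org/2003/05/soap-envelope"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EB = "http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
EBBP = "http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0"
NS = {"ds": DS, "wsu": WSU, "ebbpsig": EBBP}
for _p, _u in [*NS.items(), ("env", ENV), ("eb", EB)]:
    ET.register_namespace(_p, _u)  # keeps re-serialised prefixes readable

# Constructed sample shaped like the receipt in the thread; sign_message() fills the empty values.
SAMPLE = f"""<env:Envelope xmlns:env="{ENV}">
 <env:Header>
  <ds:Signature xmlns:ds="{DS}" Id="SIG-2">
   <ds:SignedInfo>
    <ds:Reference URI="#id-1">
     <ds:DigestValue/>
    </ds:Reference>
   </ds:SignedInfo>
   <ds:SignatureValue/>
  </ds:Signature>
  <eb:Messaging xmlns:eb="{EB}" xmlns:wsu="{WSU}" wsu:Id="id-1">
   <eb:SignalMessage>
    <eb:Receipt>
     <ebbpsig:NonRepudiationInformation xmlns:ebbpsig="{EBBP}">
      <ebbpsig:MessagePartNRInformation>
       <ds:Reference xmlns:ds="{DS}" URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
        <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
       </ds:Reference>
      </ebbpsig:MessagePartNRInformation>
     </ebbpsig:NonRepudiationInformation>
    </eb:Receipt>
   </eb:SignalMessage>
  </eb:Messaging>
 </env:Header>
</env:Envelope>"""
DEMO_KEY = b"demo key: HMAC-SHA1 stands in for RSA-SHA1 here (assumption)"

def _c14n(elem):
    """Canonical bytes of one subtree (stdlib C14N 2.0 stands in for exc-c14n 1.0, an assumption)."""
    node = copy.deepcopy(elem)
    node.tail = None  # whitespace after the element is not part of the element
    return ET.canonicalize(ET.tostring(node, encoding="unicode"), rewrite_prefixes=True).encode("utf-8")

def _digest_b64(elem): return base64.b64encode(hashlib.sha1(_c14n(elem)).digest()).decode("ascii")

def _by_id(root, uri):
    """Resolve a same-document '#x' URI against wsu:Id or plain Id attributes."""
    hits = [e for e in root.iter() if uri[1:] in (e.get(f"{{{WSU}}}Id"), e.get("Id"))]
    return hits[0] if uri.startswith("#") and hits else None

def signed_info_references(xml_text):
    """URIs that reference validation checks: ds:Reference children of ds:SignedInfo, nothing else."""
    si = ET.fromstring(xml_text).find(".//ds:Signature/ds:SignedInfo", NS)
    return [r.get("URI") for r in si.findall("ds:Reference", NS)]

def all_reference_uris(xml_text):
    """Every ds:Reference anywhere in the document, including the NRI one inside eb:Receipt."""
    return [r.get("URI") for r in ET.fromstring(xml_text).iter(f"{{{DS}}}Reference")]

def resolves_in_document(xml_text, uri):
    return _by_id(ET.fromstring(xml_text), uri) is not None

def sign_message(xml_text, key=DEMO_KEY):
    root = ET.fromstring(xml_text)
    sig = root.find(".//ds:Signature", NS)
    si = sig.find("ds:SignedInfo", NS)
    for ref in si.findall("ds:Reference", NS):  # digest each element SignedInfo references
        ref.find("ds:DigestValue", NS).text = _digest_b64(_by_id(root, ref.get("URI")))
    mac = hmac.new(key, _c14n(si), hashlib.sha1).digest()  # "signature" over SignedInfo
    sig.find("ds:SignatureValue", NS).text = base64.b64encode(mac).decode("ascii")
    return ET.tostring(root, encoding="unicode")

def verify_message(xml_text, key=DEMO_KEY):
    """Two independent checks, like the two lines WSS4J logs: SignedInfo signature, then each digest."""
    root = ET.fromstring(xml_text)
    sig = root.find(".//ds:Signature", NS)
    si = sig.find("ds:SignedInfo", NS)
    mac = hmac.new(key, _c14n(si), hashlib.sha1).digest()
    given = base64.b64decode(sig.find("ds:SignatureValue", NS).text or "")
    checks = {}
    for ref in si.findall("ds:Reference", NS):
        target = _by_id(root, ref.get("URI"))
        checks[ref.get("URI")] = (target is not None and
                                  ref.find("ds:DigestValue", NS).text == _digest_b64(target))
    return {"signature_check": hmac.compare_digest(mac, given), "reference_checks": checks}

def tamper_receipt_digest(xml_text):
    """Alter the NRI digest in eb:Receipt: not a SignedInfo reference, but inside the signed #id-1 subtree."""
    root = ET.fromstring(xml_text)
    path = ".//ebbpsig:MessagePartNRInformation/ds:Reference/ds:DigestValue"
    root.find(path, NS).text = "AAAAAAAAAAAAAAAAAAAAAAAAAAA="
    return ET.tostring(root, encoding="unicode")
```

Running `verify_message(tamper_receipt_digest(sign_message(SAMPLE)))` gives signature_check true and reference_checks {"#id-1": false}, the same pair as `Signature Validation check: true` next to `Reference #id-1 check: false` in the log. That pair says the SignedInfo bytes and the key are fine and that what differs is the canonical form of the #id-1 subtree, either because its bytes changed between signer and verifier or because the two sides canonicalize it differently (exclusive C14N with a PrefixList is sensitive to which namespace declarations are in scope). The digest comparison alone cannot tell those causes apart; dumping the canonical bytes on both ends can. Comparing the NRI digests with the original user message is the receipt consumer's job and is a separate step from WS-Security reference validation.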
