Hi Mike,

> In AS4 the spec allows for a receipt to contain the ds:Reference
> (URI AS4-1340DA8B82E-C7F0C@000000000_1) element of the message previously
> received for verification purposes. However I suspect that the signature
> validation process picks this reference up and fails when attempting to
> verify the ds:Reference (URI id-1) in the ds:Signature element.

The reference in the signature points to "#id-1", which is the Id of
the "Messaging" element. Why would the Reference with id
"AS4-1340DA8B82E-C7F0C@000000000_1" in the Messaging element be
interfering with signature validation, as it's a different URI?

You can get more information about what's going on if you use Java
Util Logging, and set the logging level to FINEST. You should see what
is being digested.

Colm.

On Mon, Dec 5, 2011 at 10:53 AM, Mike O'Connell <[email protected]> wrote:
> Hi Colm,
>
> Wss4j - 1.6.3
> Metro - 2.1.1
> bcprov - jre6 145
>
> Apologies, Copy&Paste error:
>
> In AS4 the spec allows for a receipt to contain the ds:Reference
> (URI AS4-1340DA8B82E-C7F0C@000000000_1) element of the message previously
> received for verification purposes. However I suspect that the signature
> validation process picks this reference up and fails when attempting to
> verify the ds:Reference (URI id-1) in the ds:Signature element.
>
> Can someone confirm that it's either omitting the ds:Reference
> (URI AS4-1340DA8B82E-C7F0C@000000000_1) from the check and thus failing the
> verification or that it's attempting to verify that ds:Reference
> (URI AS4-1340DA8B82E-C7F0C@000000000_1).
>
> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
> <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
>   <env:Header>
>     <wsse:Security
>         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>         env:mustUnderstand="true">
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>             <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>           </ds:CanonicalizationMethod>
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>           <ds:Reference URI="#id-1">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>HnREEHPpyGEBGy/AHduJbNLdfc38B7nnGmb0uUIYBE9luH81uhFbX00tbjL5/+KDkUVi5MfUtDYW
> 5bOs4dA1i04f8jKsubjw46O1DNPAblAM1aEy1PRGDQsg4S7E4n7JGfSZdn6KcOppWAWE2xsanxC7
> izdd/BjfOThcmNXyU0k=</ds:SignatureValue>
>         <ds:KeyInfo Id="KI-6C1B8765799420834813230790910795">
>           <wsse:SecurityTokenReference wsu:Id="STR-6C1B8765799420834813230790910796">
>             <ds:X509Data>
>               <ds:X509IssuerSerial>
>                 <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
>                 <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
>               </ds:X509IssuerSerial>
>             </ds:X509Data>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>     <eb:Messaging
>         xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>         wsu:Id="id-1">
>       <eb:SignalMessage>
>         <eb:MessageInfo>
>           <eb:Timestamp>2011-12-05T09:58:11.056Z</eb:Timestamp>
>           <eb:MessageId>FMS-A-20111205-115809.534-0.9578405727393108@999999999</eb:MessageId>
>           <eb:RefToMessageId>AS4-1340DA8B82E-C7F0C@000000000</eb:RefToMessageId>
>         </eb:MessageInfo>
>         <eb:Receipt>
>           <ebbpsig:NonRepudiationInformation xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
>             <ebbpsig:MessagePartNRInformation>
>               <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>                   URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
>                 <ds:Transforms>
>                   <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                     <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>                         PrefixList="ds ebbpsig env wsu"/>
>                   </ds:Transform>
>                 </ds:Transforms>
>                 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                 <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
>               </ds:Reference>
>             </ebbpsig:MessagePartNRInformation>
>           </ebbpsig:NonRepudiationInformation>
>         </eb:Receipt>
>       </eb:SignalMessage>
>     </eb:Messaging>
>   </env:Header>
>   <env:Body/>
> </env:Envelope>
> [DEBUG] WSSecurityEngine - enter processSecurityHeader()
> [DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
> [DEBUG] SignatureProcessor - Found signature element
> [DEBUG] SignatureTrustValidator - Transmitted certificate has subject
> C=ZA,CN=localhost
> [DEBUG] SignatureTrustValidator - Transmitted certificate has issuer
> C=ZA,CN=localhost (serial 1305901688879)
> [DEBUG] SignatureTrustValidator - Direct trust for certificate with
> C=ZA,CN=localhost
> [DEBUG] SignatureProcessor - Verify XML Signature
> [DEBUG] SignatureProcessor - XML Signature verification has failed
> [DEBUG] SignatureProcessor - Signature Validation check: true
> [DEBUG] SignatureProcessor - Reference #id-1 check: false
> Security Error: : The signature or decryption was invalid
>
>
> On 05 Dec 2011, at 12:33 PM, Colm O hEigeartaigh wrote:
>
> Hi Mike,
>
> Firstly, what version of WSS4J are you using?
>
> Secondly, I don't understand your explanation, e.g. where is "id-5" in
> the message you posted? Is the signature referring to another message
> that was previously received?
>
> Colm.
>
> On Mon, Dec 5, 2011 at 9:59 AM, Mike O'Connell <[email protected]> wrote:
>
> Hi All
>
> I'm having some signature verification issues when receiving a signed
> message (using the AS4 specification).
>
> In AS4 the spec allows for a receipt to contain the ds:Reference
> (URI AS4-1340D972B85-751B2@000000000_1) element of the message previously
> received for verification purposes. However I suspect that the signature
> validation process picks this reference up and fails when attempting to
> verify the ds:Reference (URI id-5) in the ds:Signature element.
>
> Can someone confirm that it's either omitting the ds:Reference
> (URI AS4-1340D972B85-751B2@000000000_1) from the check and thus failing the
> verification or that it's attempting to verify that ds:Reference
> (URI AS4-1340D972B85-751B2@000000000_1).
>
> I've tried digging through the source, but can't find where the reference
> list is built or where the DOMXMLSignatureFactory.unmarshalXMLSignature
> implementation is as per:
>
> XMLSignature xmlSignature = signatureFactory.unmarshalXMLSignature(context);
>
> Please see logs (and message) below...
>
> Thanks,
>
> Mike
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
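Colm's point above is that the verifier only digests what ds:SignedInfo references (here "#id-1", the Messaging element), so a ds:Reference nested inside the AS4 receipt is just signed payload, not a second verification target. The script below is an added example, not code from the thread, WSS4J or Metro: it does the offline half of the check Colm suggests, listing the SignedInfo references, resolving each same-document "#..." URI against the wsu:Id/Id attributes in the envelope, flagging Ids that resolve to zero or several elements, and listing ds:Reference elements that sit outside SignedInfo. The sample envelope is constructed from the receipt posted in the thread with the signature value replaced by a placeholder; `ID_ATTRS`, `audit` and the other names are this example's own.

```python
import xml.etree.ElementTree as ET

# Namespaces needed to walk the signature and the WS-Security Id attribute.
NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}

# Attributes treated as element identifiers when resolving a "#..." URI
# (assumption for this example: wsu:Id and a plain Id, as seen in the receipt).
ID_ATTRS = ("{%s}Id" % NS["wsu"], "Id")

# Constructed sample, trimmed from the receipt posted in the thread
# (transforms dropped, signature value replaced by a placeholder).
SAMPLE_RECEIPT = """<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        env:mustUnderstand="true">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-1">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER-SIGNATURE-VALUE</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
    <eb:Messaging xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="id-1">
      <eb:SignalMessage>
        <eb:MessageInfo>
          <eb:RefToMessageId>AS4-1340DA8B82E-C7F0C@000000000</eb:RefToMessageId>
        </eb:MessageInfo>
        <eb:Receipt>
          <ebbpsig:NonRepudiationInformation xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
            <ebbpsig:MessagePartNRInformation>
              <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#" URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
              </ds:Reference>
            </ebbpsig:MessagePartNRInformation>
          </ebbpsig:NonRepudiationInformation>
        </eb:Receipt>
      </eb:SignalMessage>
    </eb:Messaging>
  </env:Header>
  <env:Body/>
</env:Envelope>"""


def local_name(elem):
    """Strip the namespace from an ElementTree tag: '{ns}Messaging' -> 'Messaging'."""
    return elem.tag.rsplit("}", 1)[-1]


def id_index(root):
    """Map each Id value to every element carrying it; more than one hit is ambiguous."""
    index = {}
    for elem in root.iter():
        for attr in ID_ATTRS:
            value = elem.get(attr)
            if value is not None:
                index.setdefault(value, []).append(elem)
    return index


def signed_references(root):
    """ds:Reference elements inside ds:SignedInfo: the only ones a verifier digests."""
    return root.findall(".//ds:Signature/ds:SignedInfo/ds:Reference", NS)


def payload_references(root):
    """ds:Reference elements outside ds:SignedInfo (the NRR receipt here): signed
    content, not instructions to the verifier."""
    signed = signed_references(root)
    return [ref for ref in root.iter("{%s}Reference" % NS["ds"])
            if not any(ref is s for s in signed)]


def audit(xml_text):
    """Report what the verifier will digest and flag unresolved or duplicated Ids."""
    root = ET.fromstring(xml_text)
    index = id_index(root)
    report = {"signed": {},
              "payload": [ref.get("URI") for ref in payload_references(root)]}
    for ref in signed_references(root):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            report["signed"][uri] = "not a same-document reference"
            continue
        hits = index.get(uri[1:], [])
        if not hits:
            report["signed"][uri] = "UNRESOLVED"
        elif len(hits) > 1:
            report["signed"][uri] = "AMBIGUOUS (%d elements)" % len(hits)
        else:
            report["signed"][uri] = local_name(hits[0])
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_RECEIPT)
    for uri, status in result["signed"].items():
        print("SignedInfo reference %s -> %s" % (uri, status))
    for uri in result["payload"]:
        print("payload ds:Reference %s (not digested by the verifier)" % uri)
```

On the thread's receipt this reports "#id-1 -> Messaging" and lists the receipt's "#AS4-...@000000000_1" reference as payload only, which is the separation Colm describes. The script deliberately does not recompute the digest: that requires the exact exclusive-C14N byte stream the verifier produces, which is what the FINEST logging he mentions prints, and a "Reference #id-1 check: false" means those bytes differed from what the signer digested.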
