Hi Mike,

Could you supply a test-case that I could take a look at?

Colm.

On Mon, Dec 5, 2011 at 11:32 AM, Mike O'Connell <[email protected]> wrote:
> Hi Colm,
>
> In AS4 the spec allows for a receipt to contain the ds:Reference
> (URI AS4-1340DA8B82E-C7F0C@000000000_1) element of the message previously
> received for verification purposes. However I suspect that the signature
> validation process picks this reference up and fails when attempting to
> verify the ds:Reference (URI id-1) in the ds:Signature element.
>
> The reference in the signature points to "#id-1", which is the Id of
> the "Messaging" element. Why would the Reference with id
> "AS4-1340DA8B82E-C7F0C@000000000_1" in the Messaging element be
> interfering with signature validation, as it's a different URI?
>
> When I remove the URI attribute for "#AS4-1340DA8B82E-C7F0C@000000000_1" or
> omit the ds:Reference element surrounding it the signature verification
> works perfectly. See another request below with the ds:Reference URI
> attribute removed from the receipt element.
>
> Thanks,
>
> Mike
>
> Performing Security header verification
> [DEBUG] WSSecurityEngine - enter processSecurityHeader()
> [DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
> [DEBUG] SignatureProcessor - Found signature element
> [DEBUG] SignatureTrustValidator - Transmitted certificate has subject
> C=ZA,CN=localhost
> [DEBUG] SignatureTrustValidator - Transmitted certificate has issuer
> C=ZA,CN=localhost (serial 1305901688879)
> [DEBUG] SignatureTrustValidator - Direct trust for certificate with
> C=ZA,CN=localhost
> [DEBUG] SignatureProcessor - Verify XML Signature
> WSSResult - id: SIG-2
> WSSResult - canonicalization-method: http://www.w3.org/2001/10/xml-exc-c14n#
> WSSResult - signature-value: [B@3c0b655a
> WSSResult - principal: C=ZA, CN=localhost
> WSSResult - x509-certificate: <?xml version="1.0" encoding="UTF-8"
> standalone="no"?>
> <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
>   <env:Header>
>     <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> env:mustUnderstand="true">
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> Id="SIG-2">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>             <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>           </ds:CanonicalizationMethod>
>           <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>           <ds:Reference URI="#id-1">
>             <ds:Transforms>
>               <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>tkPqcPetqaCAJRI3nH5BDF3h3ag=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>
> <ds:SignatureValue>qCCsNZnQct+nh1w5DzQ3XjqgmEB/eIjqUqsK+0V1M5sieu7vBJT3Hlhovdb6cO1cDWLM5xr7Vgyh
> KwNVOM6iboaiD6cDRYcN1waHtffdXkUYKfZghs5DuHFp/L09pSKDCbsi+2htioP4ujhofqycDAp3
> Uxjl/hcbGj+v4nKsxa0=</ds:SignatureValue>
>         <ds:KeyInfo Id="KI-827486330BFAA824D313230845533145">
>           <wsse:SecurityTokenReference
> wsu:Id="STR-827486330BFAA824D313230845533146">
>             <ds:X509Data>
>               <ds:X509IssuerSerial>
>                 <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
>                 <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
>               </ds:X509IssuerSerial>
>             </ds:X509Data>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>     <eb:Messaging
> xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="id-1">
>       <eb:SignalMessage>
>         <eb:MessageInfo>
>           <eb:Timestamp>2011-12-05T11:29:13.294Z</eb:Timestamp>
>
> <eb:MessageId>FMS-A-20111205-132911.950-0.3235415620241763@999999999</eb:MessageId>
>
> <eb:RefToMessageId>AS4-1340DFC1273-756C9@000000000</eb:RefToMessageId>
>         </eb:MessageInfo>
>         <eb:Receipt>
>           <ebbpsig:NonRepudiationInformation
> xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
>             <ebbpsig:MessagePartNRInformation>
>               <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>                 <ds:Transforms>
>                   <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                     <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds ebbpsig
> env wsu"/>
>                   </ds:Transform>
>                 </ds:Transforms>
>
> <ds:DigestValue>NbGFEDwnGokrW4/PHQ8fOkPYf2c=</ds:DigestValue>
>               </ds:Reference>
>             </ebbpsig:MessagePartNRInformation>
>           </ebbpsig:NonRepudiationInformation>
>         </eb:Receipt>
>       </eb:SignalMessage>
>     </eb:Messaging>
>   </env:Header>
>   <env:Body/>
> </env:Envelope>
>
> On Mon, Dec 5, 2011 at 10:53 AM, Mike O'Connell <[email protected]> wrote:
>
> Hi Colm,
>
> Wss4j - 1.6.3
> Metro - 2.1.1
> bcprov - jre6 145
>
> Apologies, Copy&Paste error:
>
> In AS4 the spec allows for a receipt to contain the ds:Reference
> (URI AS4-1340DA8B82E-C7F0C@000000000_1) element of the message previously
> received for verification purposes. However I suspect that the signature
> validation process picks this reference up and fails when attempting to
> verify the ds:Reference (URI id-1) in the ds:Signature element.
>
> Can someone confirm that it's either omitting the ds:Reference
> (URI AS4-1340DA8B82E-C7F0C@000000000_1) from the check and thus failing the
> verification or that it's attempting to verify that ds:Reference
> (URI AS4-1340DA8B82E-C7F0C@000000000_1).
>
> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
> <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
>   <env:Header>
>     <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> env:mustUnderstand="true">
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> Id="SIG-2">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>             <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>           </ds:CanonicalizationMethod>
>           <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>           <ds:Reference URI="#id-1">
>             <ds:Transforms>
>               <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
> <ds:SignatureValue>HnREEHPpyGEBGy/AHduJbNLdfc38B7nnGmb0uUIYBE9luH81uhFbX00tbjL5/+KDkUVi5MfUtDYW
> 5bOs4dA1i04f8jKsubjw46O1DNPAblAM1aEy1PRGDQsg4S7E4n7JGfSZdn6KcOppWAWE2xsanxC7
> izdd/BjfOThcmNXyU0k=</ds:SignatureValue>
>         <ds:KeyInfo Id="KI-6C1B8765799420834813230790910795">
>           <wsse:SecurityTokenReference
> wsu:Id="STR-6C1B8765799420834813230790910796">
>             <ds:X509Data>
>               <ds:X509IssuerSerial>
>                 <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
>                 <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
>               </ds:X509IssuerSerial>
>             </ds:X509Data>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>     <eb:Messaging
> xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="id-1">
>       <eb:SignalMessage>
>         <eb:MessageInfo>
>           <eb:Timestamp>2011-12-05T09:58:11.056Z</eb:Timestamp>
> <eb:MessageId>FMS-A-20111205-115809.534-0.9578405727393108@999999999</eb:MessageId>
> <eb:RefToMessageId>AS4-1340DA8B82E-C7F0C@000000000</eb:RefToMessageId>
>         </eb:MessageInfo>
>         <eb:Receipt>
>           <ebbpsig:NonRepudiationInformation
> xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
>             <ebbpsig:MessagePartNRInformation>
>               <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
>                 <ds:Transforms>
>                   <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                     <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds ebbpsig
> env wsu"/>
>                   </ds:Transform>
>                 </ds:Transforms>
>                 <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
>               </ds:Reference>
>             </ebbpsig:MessagePartNRInformation>
>           </ebbpsig:NonRepudiationInformation>
>         </eb:Receipt>
>       </eb:SignalMessage>
>     </eb:Messaging>
>   </env:Header>
>   <env:Body/>
> </env:Envelope>
>
> [DEBUG] WSSecurityEngine - enter processSecurityHeader()
> [DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
> [DEBUG] SignatureProcessor - Found signature element
> [DEBUG] SignatureTrustValidator - Transmitted certificate has subject
> C=ZA,CN=localhost
> [DEBUG] SignatureTrustValidator - Transmitted certificate has issuer
> C=ZA,CN=localhost (serial 1305901688879)
> [DEBUG] SignatureTrustValidator - Direct trust for certificate with
> C=ZA,CN=localhost
> [DEBUG] SignatureProcessor - Verify XML Signature
> [DEBUG] SignatureProcessor - XML Signature verification has failed
> [DEBUG] SignatureProcessor - Signature Validation check: true
> [DEBUG] SignatureProcessor - Reference #id-1 check: false
> Security Error: : The signature or decryption was invalid
>
> On 05 Dec 2011, at 12:33 PM, Colm O hEigeartaigh wrote:
>
> Hi Mike,
>
> Firstly, what version of WSS4J are you using?
>
> Secondly, I don't understand your explanation, e.g. where is "id-5" in
> the message you posted? Is the signature referring to another message
> that was previously received?
>
> Colm.
>
> On Mon, Dec 5, 2011 at 9:59 AM, Mike O'Connell <[email protected]> wrote:
>
> Hi All
>
> I'm having some signature verification issues when receiving a signed
> message (using the AS4 specification).
>
> In AS4 the spec allows for a receipt to contain the ds:Reference
> (URI AS4-1340D972B85-751B2@000000000_1) element of the message previously
> received for verification purposes. However I suspect that the signature
> validation process picks this reference up and fails when attempting to
> verify the ds:Reference (URI id-5) in the ds:Signature element.
>
> Can someone confirm that it's either omitting the ds:Reference
> (URI AS4-1340D972B85-751B2@000000000_1) from the check and thus failing the
> verification or that it's attempting to verify that ds:Reference
> (URI AS4-1340D972B85-751B2@000000000_1).
>
> I've tried digging through the source, but can't find where the reference
> list is built or where the DOMXMLSignatureFactory.unmarshalXMLSignature
> implementation is as per:
>
> XMLSignature xmlSignature = signatureFactory.unmarshalXMLSignature(context);
>
> Please see logs (and message) below...
>
> Thanks,
>
> Mike
>
> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
> <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
>   <env:Header>
>     <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> env:mustUnderstand="true">
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> Id="SIG-2">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>             <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>           </ds:CanonicalizationMethod>
>           <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>           <ds:Reference URI="#id-1">
>             <ds:Transforms>
>               <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
> <ds:SignatureValue>HnREEHPpyGEBGy/AHduJbNLdfc38B7nnGmb0uUIYBE9luH81uhFbX00tbjL5/+KDkUVi5MfUtDYW
> 5bOs4dA1i04f8jKsubjw46O1DNPAblAM1aEy1PRGDQsg4S7E4n7JGfSZdn6KcOppWAWE2xsanxC7
> izdd/BjfOThcmNXyU0k=</ds:SignatureValue>
>         <ds:KeyInfo Id="KI-6C1B8765799420834813230790910795">
>           <wsse:SecurityTokenReference
> wsu:Id="STR-6C1B8765799420834813230790910796">
>             <ds:X509Data>
>               <ds:X509IssuerSerial>
>                 <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
>                 <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
>               </ds:X509IssuerSerial>
>             </ds:X509Data>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>     <eb:Messaging
> xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="id-1">
>       <eb:SignalMessage>
>         <eb:MessageInfo>
>           <eb:Timestamp>2011-12-05T09:58:11.056Z</eb:Timestamp>
> <eb:MessageId>FMS-A-20111205-115809.534-0.9578405727393108@999999999</eb:MessageId>
> <eb:RefToMessageId>AS4-1340DA8B82E-C7F0C@000000000</eb:RefToMessageId>
>         </eb:MessageInfo>
>         <eb:Receipt>
>           <ebbpsig:NonRepudiationInformation
> xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
>             <ebbpsig:MessagePartNRInformation>
>               <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
>                 <ds:Transforms>
>                   <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                     <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds ebbpsig
> env wsu"/>
>                   </ds:Transform>
>                 </ds:Transforms>
>                 <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
>               </ds:Reference>
>             </ebbpsig:MessagePartNRInformation>
>           </ebbpsig:NonRepudiationInformation>
>         </eb:Receipt>
>       </eb:SignalMessage>
>     </eb:Messaging>
>   </env:Header>
>   <env:Body/>
> </env:Envelope>
>
> Performing Security header verification
> [DEBUG] WSSecurityEngine - enter processSecurityHeader()
> [DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
> [DEBUG] SignatureProcessor - Found signature element
> [DEBUG] SignatureTrustValidator - Transmitted certificate has subject
> C=ZA,CN=localhost
> [DEBUG] SignatureTrustValidator - Transmitted certificate has issuer
> C=ZA,CN=localhost (serial 1305901688879)
> [DEBUG] SignatureTrustValidator - Direct trust for certificate with
> C=ZA,CN=localhost
> [DEBUG] SignatureProcessor - Verify XML Signature
> [DEBUG] SignatureProcessor - XML Signature verification has failed
> [DEBUG] SignatureProcessor - Signature Validation check: true
> [DEBUG] SignatureProcessor - Reference #id-1 check: false
> Security Error: : The signature or decryption was invalid
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
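Added example, not WSS4J code and not from anyone in this thread: the JSR 105 API that Mike mentions (XMLSignatureFactory.unmarshalXMLSignature) lets you run the two checks WSS4J logs above separately on a DOM-parsed envelope, first the SignatureValue over SignedInfo, then each ds:Reference under ds:SignedInfo on its own, printing the expected and computed digest when one fails. It assumes Java 8 or later, `doc` is the namespace-aware parsed envelope, and `signerKey` is the signer's public key already loaded from the receiver's truststore (the message only carries an IssuerSerial). The loop over getReferences() is the point: only references listed in SignedInfo are iterated, so the ds:Reference inside eb:Receipt is ordinary content whose bytes are covered by the #id-1 digest.

```java
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import java.security.PublicKey;
import java.util.Base64;
import org.w3c.dom.*;

public class ReferenceCheck {
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String WSU =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    // doc: the parsed SOAP envelope; signerKey: the signer's public key, assumed to be
    // loaded from the receiver's truststore (the message only carries an IssuerSerial).
    static void check(Document doc, PublicKey signerKey) throws Exception {
        // wsu:Id is not a DTD/schema ID, so register it or URI="#id-1" cannot be resolved.
        NodeList all = doc.getElementsByTagNameNS("*", "*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (e.hasAttributeNS(WSU, "Id")) e.setIdAttributeNS(WSU, "Id", true);
        }
        Element sigEl = (Element) doc.getElementsByTagNameNS(DS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(new FixedKeySelector(signerKey), sigEl);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);

        System.out.println("Core validation: " + sig.validate(ctx));
        // The two checks WSS4J logs separately: the SignatureValue over SignedInfo ...
        System.out.println("Signature Validation check: " + sig.getSignatureValue().validate(ctx));
        // ... and each Reference listed under ds:SignedInfo. Only these are iterated; the
        // ds:Reference inside eb:Receipt is ordinary content covered by the #id-1 digest.
        for (Object o : sig.getSignedInfo().getReferences()) {
            Reference ref = (Reference) o;
            boolean ok = ref.validate(ctx);
            System.out.println("Reference " + ref.getURI() + " check: " + ok);
            if (!ok) {  // digest mismatch: the canonicalized bytes differ from what was signed
                System.out.println("  expected: " + Base64.getEncoder().encodeToString(ref.getDigestValue()));
                System.out.println("  computed: " + Base64.getEncoder().encodeToString(ref.getCalculatedDigestValue()));
            }
        }
    }

    // Hands the verifier a fixed key instead of resolving ds:KeyInfo (WSS4J does that via its Crypto).
    static final class FixedKeySelector extends KeySelector {
        private final PublicKey key;
        FixedKeySelector(PublicKey key) { this.key = key; }
        @Override
        public KeySelectorResult select(KeyInfo ki, Purpose p, AlgorithmMethod m, XMLCryptoContext c) {
            return () -> key;
        }
    }
}
```

If the expected and computed digests for #id-1 differ, the mismatch is in the canonicalized bytes of the eb:Messaging element (including the receipt's ds:Reference and its URI attribute), not in the reference list itself.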
