Hi Colm,

I found the problem, I was importing the ds:Reference node using the following Java code:

newNode.getOwnerDocument().adoptNode(oldNode.cloneNode(true));

However this doesn't create an appropriate copy (?) and is not included correctly in the SOAP envelope document so then is not included in the signed message. By creating a new node including the cloned children the signature then works and is verified correctly.

Thanks and Apologies,

Mike

On 05 Dec 2011, at 2:20 PM, Colm O hEigeartaigh wrote:

> Hi Mike,
>
> Could you supply a test-case that I could take a look at?
>
> Colm.
>
> On Mon, Dec 5, 2011 at 11:32 AM, Mike O'Connell <[email protected]> wrote:
>> Hi Colm,
>>
>> In AS4 the spec allows for a receipt to contain the ds:Reference
>> (URI AS4-1340DA8B82E-C7F0C@000000000_1) element of the message previously
>> received for verification purposes. However I suspect that the signature
>> validation process picks this reference up and fails when attempting to
>> verify the ds:Reference (URI id-1) in the ds:Signature element.
>>
>> The reference in the signature points to "#id-1", which is the Id of
>> the "Messaging" element. Why would the Reference with id
>> "AS4-1340DA8B82E-C7F0C@000000000_1" in the Messaging element be
>> interfering with signature validation, as it's a different URI?
>>
>> When I remove the URI attribute for "#AS4-1340DA8B82E-C7F0C@000000000_1" or
>> omit the ds:Reference element surrounding it the signature verification
>> works perfectly. See another request below with the ds:Reference URI
>> attribute removed from the receipt element.
>>
>> Thanks,
>>
>> Mike
>>
>> Performing Security header verification
>> [DEBUG] WSSecurityEngine - enter processSecurityHeader()
>> [DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
>> [DEBUG] SignatureProcessor - Found signature element
>> [DEBUG] SignatureTrustValidator - Transmitted certificate has subject
>> C=ZA,CN=localhost
>> [DEBUG] SignatureTrustValidator - Transmitted certificate has issuer
>> C=ZA,CN=localhost (serial 1305901688879)
>> [DEBUG] SignatureTrustValidator - Direct trust for certificate with
>> C=ZA,CN=localhost
>> [DEBUG] SignatureProcessor - Verify XML Signature
>> WSSResult - id: SIG-2
>> WSSResult - canonicalization-method: http://www.w3.org/2001/10/xml-exc-c14n#
>> WSSResult - signature-value: [B@3c0b655a
>> WSSResult - principal: C=ZA, CN=localhost
>> WSSResult - x509-certificate: <?xml version="1.0" encoding="UTF-8"
>> standalone="no"?>
>> <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
>> <env:Header>
>> <wsse:Security
>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> env:mustUnderstand="true">
>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>> Id="SIG-2">
>> <ds:SignedInfo>
>> <ds:CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>> <ec:InclusiveNamespaces
>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>> </ds:CanonicalizationMethod>
>> <ds:SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>> <ds:Reference URI="#id-1">
>> <ds:Transforms>
>> <ds:Transform
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>> <ec:InclusiveNamespaces
>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>> </ds:Transform>
>> </ds:Transforms>
>> <ds:DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> <ds:DigestValue>tkPqcPetqaCAJRI3nH5BDF3h3ag=</ds:DigestValue>
>> </ds:Reference>
>> </ds:SignedInfo>
>>
>> <ds:SignatureValue>qCCsNZnQct+nh1w5DzQ3XjqgmEB/eIjqUqsK+0V1M5sieu7vBJT3Hlhovdb6cO1cDWLM5xr7Vgyh
>> KwNVOM6iboaiD6cDRYcN1waHtffdXkUYKfZghs5DuHFp/L09pSKDCbsi+2htioP4ujhofqycDAp3
>> Uxjl/hcbGj+v4nKsxa0=</ds:SignatureValue>
>> <ds:KeyInfo Id="KI-827486330BFAA824D313230845533145">
>> <wsse:SecurityTokenReference
>> wsu:Id="STR-827486330BFAA824D313230845533146">
>> <ds:X509Data>
>> <ds:X509IssuerSerial>
>> <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
>> <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
>> </ds:X509IssuerSerial>
>> </ds:X509Data>
>> </wsse:SecurityTokenReference>
>> </ds:KeyInfo>
>> </ds:Signature>
>> </wsse:Security>
>> <eb:Messaging
>> xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> wsu:Id="id-1">
>> <eb:SignalMessage>
>> <eb:MessageInfo>
>> <eb:Timestamp>2011-12-05T11:29:13.294Z</eb:Timestamp>
>>
>> <eb:MessageId>FMS-A-20111205-132911.950-0.3235415620241763@999999999</eb:MessageId>
>>
>> <eb:RefToMessageId>AS4-1340DFC1273-756C9@000000000</eb:RefToMessageId>
>> </eb:MessageInfo>
>> <eb:Receipt>
>> <ebbpsig:NonRepudiationInformation
>> xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
>> <ebbpsig:MessagePartNRInformation>
>> <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>> <ds:Transforms>
>> <ds:Transform
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>> <ec:InclusiveNamespaces
>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds ebbpsig
>> env wsu"/>
>> </ds:Transform>
>> </ds:Transforms>
>>
>> <ds:DigestValue>NbGFEDwnGokrW4/PHQ8fOkPYf2c=</ds:DigestValue>
>> </ds:Reference>
>> </ebbpsig:MessagePartNRInformation>
>> </ebbpsig:NonRepudiationInformation>
>> </eb:Receipt>
>> </eb:SignalMessage>
>> </eb:Messaging>
>> </env:Header>
>> <env:Body/>
>> </env:Envelope>
>>
>> On Mon, Dec 5, 2011 at 10:53 AM, Mike O'Connell <[email protected]> wrote:
>> >> Hi Colm,
>> >>
>> >> Wss4j - 1.6.3
>> >> Metro - 2.1.1
>> >> bcprov - jre6 145
>> >>
>> >> Apologies, Copy&Paste error:
>> >>
>> >> In AS4 the spec allows for a receipt to contain the ds:Reference
>> >> (URI AS4-1340DA8B82E-C7F0C@000000000_1) element of the message previously
>> >> received for verification purposes. However I suspect that the signature
>> >> validation process picks this reference up and fails when attempting to
>> >> verify the ds:Reference (URI id-1) in the ds:Signature element.
>> >>
>> >> Can someone confirm that it's either omitting the ds:Reference
>> >> (URI AS4-1340DA8B82E-C7F0C@000000000_1) from the check and thus failing the
>> >> verification or that it's attempting to verify that ds:Reference
>> >> (URI AS4-1340DA8B82E-C7F0C@000000000_1).
>> >>
>> >> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
>> >> <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
>> >> <env:Header>
>> >> <wsse:Security
>> >> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>> >> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> >> env:mustUnderstand="true">
>> >> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>> >> Id="SIG-2">
>> >> <ds:SignedInfo>
>> >> <ds:CanonicalizationMethod
>> >> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>> >> <ec:InclusiveNamespaces
>> >> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>> >> </ds:CanonicalizationMethod>
>> >> <ds:SignatureMethod
>> >> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>> >> <ds:Reference URI="#id-1">
>> >> <ds:Transforms>
>> >> <ds:Transform
>> >> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>> >> <ec:InclusiveNamespaces
>> >> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>> >> </ds:Transform>
>> >> </ds:Transforms>
>> >> <ds:DigestMethod
>> >> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> >> <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
>> >> </ds:Reference>
>> >> </ds:SignedInfo>
>> >>
>> >> <ds:SignatureValue>HnREEHPpyGEBGy/AHduJbNLdfc38B7nnGmb0uUIYBE9luH81uhFbX00tbjL5/+KDkUVi5MfUtDYW
>> >> 5bOs4dA1i04f8jKsubjw46O1DNPAblAM1aEy1PRGDQsg4S7E4n7JGfSZdn6KcOppWAWE2xsanxC7
>> >> izdd/BjfOThcmNXyU0k=</ds:SignatureValue>
>> >> <ds:KeyInfo Id="KI-6C1B8765799420834813230790910795">
>> >> <wsse:SecurityTokenReference
>> >> wsu:Id="STR-6C1B8765799420834813230790910796">
>> >> <ds:X509Data>
>> >> <ds:X509IssuerSerial>
>> >> <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
>> >> <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
>> >> </ds:X509IssuerSerial>
>> >> </ds:X509Data>
>> >> </wsse:SecurityTokenReference>
>> >> </ds:KeyInfo>
>> >> </ds:Signature>
>> >> </wsse:Security>
>> >> <eb:Messaging
>> >> xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
>> >> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> >> wsu:Id="id-1">
>> >> <eb:SignalMessage>
>> >> <eb:MessageInfo>
>> >> <eb:Timestamp>2011-12-05T09:58:11.056Z</eb:Timestamp>
>> >>
>> >> <eb:MessageId>FMS-A-20111205-115809.534-0.9578405727393108@999999999</eb:MessageId>
>> >>
>> >> <eb:RefToMessageId>AS4-1340DA8B82E-C7F0C@000000000</eb:RefToMessageId>
>> >> </eb:MessageInfo>
>> >> <eb:Receipt>
>> >> <ebbpsig:NonRepudiationInformation
>> >> xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
>> >> <ebbpsig:MessagePartNRInformation>
>> >> <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>> >> URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
>> >> <ds:Transforms>
>> >> <ds:Transform
>> >> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>> >> <ec:InclusiveNamespaces
>> >> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds ebbpsig
>> >> env wsu"/>
>> >> </ds:Transform>
>> >> </ds:Transforms>
>> >> <ds:DigestMethod
>> >> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> >>
>> >> <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
>> >> </ds:Reference>
>> >> </ebbpsig:MessagePartNRInformation>
>> >> </ebbpsig:NonRepudiationInformation>
>> >> </eb:Receipt>
>> >> </eb:SignalMessage>
>> >> </eb:Messaging>
>> >> </env:Header>
>> >> <env:Body/>
>> >> </env:Envelope>
>> >>
>> >> [DEBUG] WSSecurityEngine - enter processSecurityHeader()
>> >> [DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
>> >> [DEBUG] SignatureProcessor - Found signature element
>> >> [DEBUG] SignatureTrustValidator - Transmitted certificate has subject
>> >> C=ZA,CN=localhost
>> >> [DEBUG] SignatureTrustValidator - Transmitted certificate has issuer
>> >> C=ZA,CN=localhost (serial 1305901688879)
>> >> [DEBUG] SignatureTrustValidator - Direct trust for certificate with
>> >> C=ZA,CN=localhost
>> >> [DEBUG] SignatureProcessor - Verify XML Signature
>> >> [DEBUG] SignatureProcessor - XML Signature verification has failed
>> >> [DEBUG] SignatureProcessor - Signature Validation check: true
>> >> [DEBUG] SignatureProcessor - Reference #id-1 check: false
>> >> Security Error: : The signature or decryption was invalid
>> >>
>> >> On 05 Dec 2011, at 12:33 PM, Colm O hEigeartaigh wrote:
>> >>
>> >> Hi Mike,
>> >>
>> >> Firstly, what version of WSS4J are you using?
>> >>
>> >> Secondly, I don't understand your explanation, e.g. where is "id-5" in
>> >> the message you posted? Is the signature referring to another message
>> >> that was previously received?
>> >>
>> >> Colm.
>> >>
>> >> On Mon, Dec 5, 2011 at 9:59 AM, Mike O'Connell <[email protected]> wrote:
>> >> >> Hi All
>> >> >>
>> >> >> I'm having some signature verification issues when receiving a signed
>> >> >> message (using the AS4 specification).
>> >> >>
>> >> >> In AS4 the spec allows for a receipt to contain the ds:Reference
>> >> >> (URI AS4-1340D972B85-751B2@000000000_1) element of the message previously
>> >> >> received for verification purposes. However I suspect that the signature
>> >> >> validation process picks this reference up and fails when attempting to
>> >> >> verify the ds:Reference (URI id-5) in the ds:Signature element.
>> >> >>
>> >> >> Can someone confirm that it's either omitting the ds:Reference
>> >> >> (URI AS4-1340D972B85-751B2@000000000_1) from the check and thus failing the
>> >> >> verification or that it's attempting to verify that ds:Reference
>> >> >> (URI AS4-1340D972B85-751B2@000000000_1).
>> >> >>
>> >> >> I've tried digging through the source, but can't find where the reference
>> >> >> list is built or where the DOMXMLSignatureFactory.unmarshalXMLSignature
>> >> >> implementation is as per:
>> >> >>
>> >> >> XMLSignature xmlSignature = signatureFactory.unmarshalXMLSignature(context);
>> >> >>
>> >> >> Please see logs (and message) below...
>> >> >>
>> >> >> Thanks,
>> >> >>
>> >> >> Mike
>> >> >>
>> >> >> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
>> >> >> <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
>> >> >> <env:Header>
>> >> >> <wsse:Security
>> >> >> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>> >> >> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> >> >> env:mustUnderstand="true">
>> >> >> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>> >> >> Id="SIG-2">
>> >> >> <ds:SignedInfo>
>> >> >> <ds:CanonicalizationMethod
>> >> >> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>> >> >> <ec:InclusiveNamespaces
>> >> >> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>> >> >> </ds:CanonicalizationMethod>
>> >> >> <ds:SignatureMethod
>> >> >> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>> >> >> <ds:Reference URI="#id-1">
>> >> >> <ds:Transforms>
>> >> >> <ds:Transform
>> >> >> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>> >> >> <ec:InclusiveNamespaces
>> >> >> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>> >> >> </ds:Transform>
>> >> >> </ds:Transforms>
>> >> >> <ds:DigestMethod
>> >> >> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> >> >> <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
>> >> >> </ds:Reference>
>> >> >> </ds:SignedInfo>
>> >> >>
>> >> >> <ds:SignatureValue>HnREEHPpyGEBGy/AHduJbNLdfc38B7nnGmb0uUIYBE9luH81uhFbX00tbjL5/+KDkUVi5MfUtDYW
>> >> >> 5bOs4dA1i04f8jKsubjw46O1DNPAblAM1aEy1PRGDQsg4S7E4n7JGfSZdn6KcOppWAWE2xsanxC7
>> >> >> izdd/BjfOThcmNXyU0k=</ds:SignatureValue>
>> >> >> <ds:KeyInfo Id="KI-6C1B8765799420834813230790910795">
>> >> >> <wsse:SecurityTokenReference
>> >> >> wsu:Id="STR-6C1B8765799420834813230790910796">
>> >> >> <ds:X509Data>
>> >> >> <ds:X509IssuerSerial>
>> >> >> <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
>> >> >> <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
>> >> >> </ds:X509IssuerSerial>
>> >> >> </ds:X509Data>
>> >> >> </wsse:SecurityTokenReference>
>> >> >> </ds:KeyInfo>
>> >> >> </ds:Signature>
>> >> >> </wsse:Security>
>> >> >> <eb:Messaging
>> >> >> xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
>> >> >> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> >> >> wsu:Id="id-1">
>> >> >> <eb:SignalMessage>
>> >> >> <eb:MessageInfo>
>> >> >> <eb:Timestamp>2011-12-05T09:58:11.056Z</eb:Timestamp>
>> >> >>
>> >> >> <eb:MessageId>FMS-A-20111205-115809.534-0.9578405727393108@999999999</eb:MessageId>
>> >> >>
>> >> >> <eb:RefToMessageId>AS4-1340DA8B82E-C7F0C@000000000</eb:RefToMessageId>
>> >> >> </eb:MessageInfo>
>> >> >> <eb:Receipt>
>> >> >> <ebbpsig:NonRepudiationInformation
>> >> >> xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
>> >> >> <ebbpsig:MessagePartNRInformation>
>> >> >> <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>> >> >> URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
>> >> >> <ds:Transforms>
>> >> >> <ds:Transform
>> >> >> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>> >> >> <ec:InclusiveNamespaces
>> >> >> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds ebbpsig
>> >> >> env wsu"/>
>> >> >> </ds:Transform>
>> >> >> </ds:Transforms>
>> >> >> <ds:DigestMethod
>> >> >> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> >> >>
>> >> >> <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
>> >> >> </ds:Reference>
>> >> >> </ebbpsig:MessagePartNRInformation>
>> >> >> </ebbpsig:NonRepudiationInformation>
>> >> >> </eb:Receipt>
>> >> >> </eb:SignalMessage>
>> >> >> </eb:Messaging>
>> >> >> </env:Header>
>> >> >> <env:Body/>
>> >> >> </env:Envelope>
>> >> >>
>> >> >> Performing Security header verification
>> >> >> [DEBUG] WSSecurityEngine - enter processSecurityHeader()
>> >> >> [DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
>> >> >> [DEBUG] SignatureProcessor - Found signature element
>> >> >> [DEBUG] SignatureTrustValidator - Transmitted certificate has subject
>> >> >> C=ZA,CN=localhost
>> >> >> [DEBUG] SignatureTrustValidator - Transmitted certificate has issuer
>> >> >> C=ZA,CN=localhost (serial 1305901688879)
>> >> >> [DEBUG] SignatureTrustValidator - Direct trust for certificate with
>> >> >> C=ZA,CN=localhost
>> >> >> [DEBUG] SignatureProcessor - Verify XML Signature
>> >> >> [DEBUG] SignatureProcessor - XML Signature verification has failed
>> >> >> [DEBUG] SignatureProcessor - Signature Validation check: true
>> >> >> [DEBUG] SignatureProcessor - Reference #id-1 check: false
>> >> >> Security Error: : The signature or decryption was invalid
>> >>
>> >> --
>> >> Colm O hEigeartaigh
>> >>
>> >> Talend Community Coder
>> >> http://coders.talend.com
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
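The thread turns on two things: a ds:Reference copied from a previously received message has to end up inside the element the receipt's signature covers (the eb:Messaging element with wsu:Id="id-1"), and only the ds:Reference elements under ds:SignedInfo are what a verifier checks. The Java below is an added example, not code from the thread and not WSS4J or Metro code. It copies the foreign ds:Reference into a receipt with importNode() plus appendChild(), then checks, before the document is handed to a signer, that the copy is a descendant of the wsu:Id="id-1" element and that this Id resolves to exactly one element. The class and helper names are invented; the two XML fragments are constructed for the example, while the namespaces, the wsu:Id and the URI and digest values are those shown in the thread.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

// Added example (not from the thread, WSS4J or Metro): attach a ds:Reference
// taken from a received message to a new AS4 receipt and verify, before
// signing, that it sits under the element the signature will reference.
public class ReceiptReferenceCheck {
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String EB = "http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String EBBP = "http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0";

    // Constructed stand-in for the ds:Reference taken from the received message.
    static final String RECEIVED_REFERENCE =
        "<ds:Reference xmlns:ds=\"" + DS + "\" URI=\"#AS4-1340DA8B82E-C7F0C@000000000_1\">"
        + "<ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/>"
        + "<ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>"
        + "</ds:Reference>";

    // Constructed receipt skeleton; eb:Messaging carries the wsu:Id that the
    // signature's own ds:Reference (URI="#id-1") resolves to.
    static final String RECEIPT =
        "<eb:Messaging xmlns:eb=\"" + EB + "\" xmlns:wsu=\"" + WSU + "\" wsu:Id=\"id-1\">"
        + "<eb:SignalMessage><eb:Receipt>"
        + "<ebbpsig:NonRepudiationInformation xmlns:ebbpsig=\"" + EBBP + "\">"
        + "<ebbpsig:MessagePartNRInformation/>"
        + "</ebbpsig:NonRepudiationInformation>"
        + "</eb:Receipt></eb:SignalMessage></eb:Messaging>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // These messages arrive over the network: refuse DOCTYPEs so no external
        // entities are ever resolved while parsing.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // importNode() returns a copy owned by the receipt document, but the copy is
    // an orphan until appendChild() places it; an orphan is neither serialized
    // into the envelope nor covered by the signature.
    static Element attachReference(Document receipt, Element foreignReference) {
        Node copy = receipt.importNode(foreignReference, true);
        Element holder = (Element) receipt
            .getElementsByTagNameNS(EBBP, "MessagePartNRInformation").item(0);
        holder.appendChild(copy);
        return (Element) copy;
    }

    // True when e has an ancestor whose wsu:Id equals signedId, i.e. e will be
    // covered by a ds:Reference with URI="#" + signedId.
    static boolean isInsideSignedElement(Element e, String signedId) {
        for (Node n = e.getParentNode(); n instanceof Element; n = n.getParentNode()) {
            if (signedId.equals(((Element) n).getAttributeNS(WSU, "Id"))) {
                return true;
            }
        }
        return false;
    }

    // How many elements carry the given wsu:Id. A signature reference must
    // resolve to exactly one element: zero means the URI cannot be resolved,
    // more than one is ambiguous and should be rejected before signing.
    static int countElementsWithWsuId(Document doc, String id) {
        int count = 0;
        NodeList all = doc.getElementsByTagNameNS("*", "*");
        for (int i = 0; i < all.getLength(); i++) {
            if (id.equals(((Element) all.item(i)).getAttributeNS(WSU, "Id"))) {
                count++;
            }
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        Document receipt = parse(RECEIPT);
        Element fromReceivedMessage = parse(RECEIVED_REFERENCE).getDocumentElement();
        Element attached = attachReference(receipt, fromReceivedMessage);

        System.out.println("receipt ds:Reference inside id-1: "
            + isInsideSignedElement(attached, "id-1"));
        System.out.println("elements with wsu:Id=id-1: "
            + countElementsWithWsuId(receipt, "id-1"));
        System.out.println("ds:Reference elements in receipt: "
            + receipt.getElementsByTagNameNS(DS, "Reference").getLength());
    }
}
```

Whether the copy is produced by importNode() or by adoptNode() on a clone, the DOM API only hands the copy back; it is the appendChild() call that places it in the tree, so running isInsideSignedElement() on the copy just before signing is the cheapest way to catch a receipt reference that would otherwise silently drop out of the signed envelope. The receipt's own ds:Reference is payload under eb:Receipt, not a child of ds:SignedInfo, which is why its URI plays no part in verifying the signature's "#id-1" reference.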
