We are currently using WSS4J (version 1.5.3) with Axis 1.4 for our
WS-Security digital signature validation.

We use the WSSecurityEngine.processSecurityHeader method to validate the
signature in the security header.

The issue we are experiencing is that signature validation succeeds for one
form of security header (Header A, see below) and fails for another form of
security header (Header B, see below). You will notice a difference in the
construction of the <wsse:Security> and <ds:Signature> elements with respect
to their namespace definitions.

Could someone please tell us whether we are doing something wrong, or whether
we need to upgrade to a particular version of the WSS4J WS-Security library?
Please note that we are bound to Axis 1.4 at the moment.
 
Regards,
 Sam
 
 
Header A.
 
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <wsse:Security SOAP-ENV:mustUnderstand="1"
                   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-38">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>vIxJAh8EITqs1uZPiC1yrt4H2DU=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>zcaDiNn0om913HKIryt1+S4EPWXHIKH8bsQTdGDKlUepfv5yMJTLPA9PNecyAAMDF3GuT096lR5WjB2IJQClOoCobbabofvjr7GbfHV8XQLRPiykGKd8+IuiKEKHqyxClUi5strXIOw5ppFnEHkfib2h2YJQzjSptmke7PsAixgh5mDkDranYHNUE3+zdRFeLyC0ZFCeyMD45+tkdnr6koV1di5Z+dJggo4EbWIUv20OUdPblZaw6B82uMondZ/iK/Em8qniMz3FPf583vySkBlb+kLecDPrB/DidYtyDnuFicxsD2pdJ9KsPApXr5dpsnoBITiw8ZubVFbE3uZl1g==</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference wsu:Id="Id-18fe8f24-d993-1004-81fe-8f8827f68a2b"
                                       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=GeoTrust DV SSL CA,OU=Domain Validated SSL,O=GeoTrust Inc.,C=US</ds:X509IssuerName>
                <ds:X509SerialNumber>604358</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </SOAP-ENV:Header>
  <soapenv:Body wsu:Id="id-38"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    ......
  </soapenv:Body>
</soapenv:Envelope>
 
 
 
 
Header B.
 
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                   xmlns:wsa="http://www.w3.org/2005/08/addressing"
                   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                   xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <wsse:Security SOAP-ENV:mustUnderstand="1">
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#MainBody">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>20WF+Eg2mHpaHbvKWVasYdNoFsw=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>J4ItDIaW2ak6R1UwdQEHMpQHpdjZVVqsx5mxTUjVoFwRNBPpbIua54mdaIZnJJpl06AdZ1i04Kl4yx4xkvd+IzDEWvAISu0CeCQDgmB+R2BfcHwtVtqBi04lGNyIdPZJVv2y9Y5VUywgtWvOLuwydXKVpy9uA5j47LDfEuI0YbrK6+I8d6bfD+aO0I6q7+yHU6iZOUchv920r3eVMGjNfihMag80qRBPzScIWnH3kWp2iOCCJi8Q/O5nTwUI8DwW7EJXvMPVPouDzzbxYekQuOEG+GdumXKcfmeOqCDd9cqflbyUbTOpB5fFVu2qmqVOsVStNzGNn15vH8SHuibXvA==</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference wsu:Id="Id-fb589ba8-d9bb-1004-8f49-10246a7582f9">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US</ds:X509IssuerName>
                <ds:X509SerialNumber>62129071348004622724048880787045315607</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </SOAP-ENV:Header>
  <soapenv:Body Id="MainBody"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    ........
  </soapenv:Body>
</soapenv:Envelope>
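
A structural comparison of the two posted messages, as an added example that is not part of the original post: it reports which element declares each namespace prefix and which attribute identifies the element that each ds:Reference URI points at. The two envelopes are constructed, trimmed skeletons of Header A and Header B (no digests or keys), and the helper names `envelope`, `local` and `inspect` are hypothetical.

```python
import io
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

def envelope(header_ns, sec_ns, sig_ns, ref, body_id_attr):
    # Constructed skeleton: same nesting and ID usage as the posted messages.
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP}">'
        f'<soapenv:Header{header_ns}><wsse:Security{sec_ns}><ds:Signature{sig_ns}>'
        f'<ds:SignedInfo><ds:Reference URI="#{ref}"/></ds:SignedInfo>'
        f'</ds:Signature></wsse:Security></soapenv:Header>'
        f'<soapenv:Body {body_id_attr}="{ref}" xmlns:wsu="{WSU}"/>'
        f'</soapenv:Envelope>')

# Header A: wsse/ds declared on the elements that use them, Body has wsu:Id.
HEADER_A = envelope("", f' xmlns:wsse="{WSSE}"', f' xmlns:ds="{DS}"', "id-38", "wsu:Id")
# Header B: wsse/ds/wsu declared on the SOAP Header, Body has an unqualified Id.
HEADER_B = envelope(f' xmlns:ds="{DS}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"',
                    "", "", "MainBody", "Id")

def local(tag):
    return tag.rsplit("}", 1)[-1]

def inspect(xml_text):
    """Return (prefix -> declaring element, reference id -> how it resolves)."""
    declared, pending, root = {}, [], None
    stream = io.BytesIO(xml_text.encode())
    for event, item in ET.iterparse(stream, events=("start-ns", "start")):
        if event == "start-ns":
            pending.append(item[0])      # declarations arrive before their element
        else:
            root = item if root is None else root
            for prefix in pending:
                declared.setdefault(prefix, local(item.tag))
            pending = []
    refs = {}
    for ref in root.iter(f"{{{DS}}}Reference"):
        wanted = ref.get("URI", "").lstrip("#")
        refs[wanted] = "unresolved"
        for el in root.iter():
            if el.get(f"{{{WSU}}}Id") == wanted:
                refs[wanted] = f"wsu:Id on {local(el.tag)}"
            elif el.get("Id") == wanted:
                refs[wanted] = f"unqualified Id on {local(el.tag)}"
    return declared, refs
```

Besides the namespace placement mentioned in the post, the output shows a second difference between the messages: the signed Body is identified by `wsu:Id` in Header A and by an unqualified `Id` in Header B.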
 
 

 
