Thanks for the replies.

I did solve the issue. Firstly, I wasn't creating the document with Axis. This 
was causing parsing errors during validation. I added the following code, as the 
example does, and this solved that issue.

import java.io.ByteArrayInputStream;
import org.apache.axis.Message;
import org.apache.axis.MessageContext;
import org.apache.axis.client.AxisClient;
import org.apache.axis.configuration.NullProvider;
import org.apache.axis.message.SOAPEnvelope;
import org.w3c.dom.Document;

AxisClient tmpEngine = new AxisClient(new NullProvider()); // throwaway engine, no deployment config
MessageContext msgContext = new MessageContext(tmpEngine);  // context the Message parses under

Message msg = new Message(new ByteArrayInputStream(xmlDocument.getBytes())); // raw SOAP XML in
msg.setMessageContext(msgContext);

SOAPEnvelope unsignedEnvelope = msg.getSOAPEnvelope();
Document doc = unsignedEnvelope.getAsDocument(); // DOM handed to WSSecurityEngine

Secondly, I was trying to provide one keystore to hold two entities, but that 
cannot work when both entries contain a private key. I split the keystore into 
sender and receiver and then passed them both to the right method of validate 
headers.

Lastly I was creating a new key for each keystore (sign and decrypt), but the 
public key used to encrypt the temporary key needs to be the same on the 
decryption keystore (duh).

Thanks again.

From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Thursday, February 25, 2016 6:06 AM
To: users@ws.apache.org
Subject: Re: WS-Security digital signature validation

It's impossible to say what the problem is without access to the signature 
validation logs. Turn on DEBUG logging and it should tell you what the problem 
is. All of WSS4J 1.5.x is deprecated and no longer supported by the way.
Colm.

On Thu, Feb 25, 2016 at 12:12 PM, Sam Amarteifio 
<s...@perspectivetechnologies.com> wrote:

We are currently using the WSS4J (version 1.5.3) with Axis 1.4 for our 
WS-Security digital signature validation.

We use the WSSecurityEngine.ProcessSecurityHeader method to validate the 
signature in the security header.

The issue we are experiencing here is that the signature validation is 
successful for one form of security header (Header A, see below) and fails for 
another form of security header (Header B, see below). You will notice a 
difference in the construct of the '<wsse:Security>' and '<ds:Signature>' 
elements in respect of their namespace definitions.

Please could someone enlighten us if we are doing something wrong, or do we need 
to upgrade to a particular version of the WSS4J WS-Security library? Please 
note we are bound at the moment to Axis 1.4.

Regards,
Sam

Header A.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <wsse:Security SOAP-ENV:mustUnderstand="1"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-38">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>vIxJAh8EITqs1uZPiC1yrt4H2DU=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>zcaDiNn0om913HKIryt1+S4EPWXHIKH8bsQTdGDKlUepfv5yMJTLPA9PNecyAAMDF3GuT096lR5WjB2IJQClOoCobbabofvjr7GbfHV8XQLRPiykGKd8+IuiKEKHqyxClUi5strXIOw5ppFnEHkfib2h2YJQzjSptmke7PsAixgh5mDkDranYHNUE3+zdRFeLyC0ZFCeyMD45+tkdnr6koV1di5Z+dJggo4EbWIUv20OUdPblZaw6B82uMondZ/iK/Em8qniMz3FPf583vySkBlb+kLecDPrB/DidYtyDnuFicxsD2pdJ9KsPApXr5dpsnoBITiw8ZubVFbE3uZl1g==</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference wsu:Id="Id-18fe8f24-d993-1004-81fe-8f8827f68a2b"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=GeoTrust DV SSL CA,OU=Domain Validated SSL,O=GeoTrust Inc.,C=US</ds:X509IssuerName>
                <ds:X509SerialNumber>604358</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </SOAP-ENV:Header>
  <soapenv:Body wsu:Id="id-38"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    ......
  </soapenv:Body>
</soapenv:Envelope>

Header B.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
      xmlns:wsa="http://www.w3.org/2005/08/addressing"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <wsse:Security SOAP-ENV:mustUnderstand="1">
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#MainBody">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>20WF+Eg2mHpaHbvKWVasYdNoFsw=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>J4ItDIaW2ak6R1UwdQEHMpQHpdjZVVqsx5mxTUjVoFwRNBPpbIua54mdaIZnJJpl06AdZ1i04Kl4yx4xkvd+IzDEWvAISu0CeCQDgmB+R2BfcHwtVtqBi04lGNyIdPZJVv2y9Y5VUywgtWvOLuwydXKVpy9uA5j47LDfEuI0YbrK6+I8d6bfD+aO0I6q7+yHU6iZOUchv920r3eVMGjNfihMag80qRBPzScIWnH3kWp2iOCCJi8Q/O5nTwUI8DwW7EJXvMPVPouDzzbxYekQuOEG+GdumXKcfmeOqCDd9cqflbyUbTOpB5fFVu2qmqVOsVStNzGNn15vH8SHuibXvA==</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference wsu:Id="Id-fb589ba8-d9bb-1004-8f49-10246a7582f9">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US</ds:X509IssuerName>
                <ds:X509SerialNumber>62129071348004622724048880787045315607</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </SOAP-ENV:Header>
  <soapenv:Body Id="MainBody"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    ........
  </soapenv:Body>
</soapenv:Envelope>

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
