After much debugging with tcpmon, I've managed to track down what was going wrong. It seems there is a bug in the c14n in wss4j (or whatever component wss4j uses for c14n). I'll raise a JIRA with all the nitty-gritty details.

To summarise what I found: an XML document with a default namespace fails to c14n properly, and then fails verification - for example:

  <Nominal xmlns="http://www.test.com/Test">
    <name>Bert</name>
    <number>1234</number>
  </Nominal>

However the same document with explicit namespace prefixes works fine:

  <myns:Nominal xmlns:myns="http://www.test.com/Test">
    <myns:name>Bert</myns:name>
    <myns:number>1234</myns:number>
  </myns:Nominal>

So my advice would be to avoid default namespaces, for the moment!

Cheers,
Chris.

-----Original Message-----
From: Chris Nappin [mailto:[EMAIL PROTECTED]
Sent: 02 September 2005 10:50
To: Werner Dittmann
Cc: [email protected]
Subject: RE: signature verification failures

Thanks for confirming my setup is correct. Unfortunately that then means I have a more difficult problem to resolve ;-(

I've attached the client code and the various configuration files; the service doesn't have any security-specific code in it (yet). The SOAP request has been copied, pasted and reformatted from a few emails, so ignore the line breaks. It looked like valid XML in tcpmon. Any ideas where the double "--" in the cert identifier comes from?

Yes, I've read the package documentation many times. This document contains a few odd contradictions you might be able to clear up? In the "Combine UsernameToken and Encryption" section, it has the following setting:

  <parameter name="encryptionUser" value="16c73ab6-b892-458f-abf5-2f875f74882e" />

The description for this setting is as follows:

  encryptionUser - the name or identifier of the user who owns the public key to encrypt the data. Usually this is the name or alias name of the owner's certificate in a keystore.

Is the name/alias for the public key really the long hex number mentioned in the parameter?
-----Original Message-----
From: Werner Dittmann [mailto:[EMAIL PROTECTED]
Sent: 02 September 2005 09:53
To: Chris Nappin
Cc: [email protected]
Subject: Re: signature verification failures

Chris,

your setup seems to be correct. Looking at the error message, it tells us that the verification for the SOAP Body failed. The computed digest value does not match the stored digest value in the reference.

Looking at the request you included in the mail I see very strange linebreaks in the middle of words. Because other lines are longer I don't think it is part of the e-mail formatting. Another strange thing is the double "--" in the cert identifier. Is there any chance that the SOAP request was modified during the transfer? At least this would explain the failure.

btw, did you look at package.html in **/security/axis? Even if it's outdated it gives you some hints how to do Signature etc.

Regards,
Werner

Chris Nappin wrote:
> Hi,
>
> I've been trying for some time now to get a simple working example of wss4j using signatures, but am struggling with the current sparse level of documentation. I can get UsernameToken working fine, but with Signatures I've only got as far as sending what I think is a valid SOAP request with a signature on it, but the server rejects it as it thinks the signature is invalid.
>
> I'll outline what I'm doing; I assume it's something simple I am doing wrong?
>
> - I'm using Sun JDK 1.5.0-03, WSS4J 1.0, Axis 1.2.1, JBoss 4.0.2, Windows XP
>
> - I created a client key using keytool (i.e. a self-signed X509 v1 certificate using RSA), exported it as a certificate and imported it into the server's keystore
>
> - My client code uses the WSS4JHandler, with the following settings:
>   - action = Signature
>   - signaturePropFile = client-signature.properties (which references client.keystore)
>   - user = clientkey
>   - signatureKeyIdentifier = DirectReference
>
> - My server-config.wsdd uses the WSDoAllReceiver handler, with the following settings:
>   - action = Signature
>   - signaturePropFile = server-signature.properties (which references server.keystore)
>
> (I would use signatureKeyIdentifier = IssuerSerial, as this is what most of the examples I've seen use, but I'm unsure where the long hex serial number comes from?)
>
> keytool -printcert on my client certificate gives:
>
> Owner: CN=clientkey
> Issuer: CN=clientkey
> Serial number: 43175c89
> Valid from: Thu Sep 01 20:54:49 BST 2005 until: Wed Nov 30 19:54:49 GMT 2005
> Certificate fingerprints:
>   MD5:  AC:C7:EA:41:B4:FB:6A:C2:30:A4:6B:A6:02:0A:AC:2E
>   SHA1: 9D:23:FF:F9:87:AE:28:0E:31:98:2C:53:4F:B0:F9:29:15:C0:5F:BE
>
> The SOAP request is:
>
> POST /sidWS/services/SecureService HTTP/1.0
> Content-Type: text/xml; charset=utf-8
> Accept: application/soap+xml, application/dime, multipart/related, text/*
> User-Agent: Axis/1.2.1
> Host: localhost:9080
> Cache-Control: no-cache
> Pragma: no-cache
> SOAPAction: "http://localhost:8080/sidWS/services/SecureService"
> Content-Length: 2885
>
> <?xml version="1.0" encoding="UTF-8"?>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> <soapenv:Header>
> <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsse curi
> ty-secext-1.0.xsd" soapenv:mustUnderstand="1"><wsse:BinarySecurityToken
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssec urity-utility-1.0.xsd"
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-so ap-m
> essage-security-1.0#Base64Binary"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509- toke
> n-profile-1.0#X509v3"
> wsu:Id="CertId--34480">MIIBmjCCAQMCBEMXXIkwDQYJKoZIhvcNAQEEBQAwFDESMBAGA 1UEA
> xMJY2xpZW50a2V5MB4XDTA1
> MDkwMTE5NTQ0OVoXDTA1MTEzMDE5NTQ0OVowFDESMBAGA1UEAxMJY2xpZW50a2V5MIGfMA0G CSqG
> SIb3DQEBAQUAA4GNADCBiQKBgQCWO2CV7m7gU4/usE+2+1I5cnBNl4zwZkx1Xw8x9B/KINGR 86XK
> x/SGU2fKOrEZ+Nz4ULbIFJE9CjCBt3LCbkOCCAVal7VBVR2hkuJkdAIhl99D8cWAohw9D2sf cuvk
> Piaz+tuOIowNLavi9hi9xYtVZRzvk7TB5ijZm8028w38TwIDAQABMA0GCSqGSIb3DQEBBAUA Piaz+A4GB
> AHBm+yKgqZ6pn2viUUQcQa/yVLF3HD0D1+hfhipAco0ZEJudw109+KUsujehlyKyiV3drKrs AHBm+whEn
> EXlUVktIwS8KSDtIFN7bh7GNK6ufYIhTQjVbBt3ghvCNiRL4nLuCCzzs89I5XPlNQAtg/rVF dcBj
> jDdgZgMvjYXlJfJjMw9J</wsse:BinarySecurityToken><ds:Signature
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Canonicalizatio nMethod>
> <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMet hod>
> <ds:Reference URI="#id-20214052">
> <ds:Transforms>
> <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> <ds:DigestValue>yndU9pRNx8a7Elqop4bXh1oAv6M=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>
> Rckm6JJXXGcBmTawi6X5RTMRr3xNXGmoBEbiwq3m9UFsLtwWsIVspUaLE8DUp/sEpoKDKBya RvZZ
> a177PyIX7yzw2ExiynVFqlOOmf8KF4D1KRcyWC6n2c8wvggNghSWRd2BwwsxGSACwupJORys JC9Kco3ttafBUlytRhVe7Ac=
> </ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-15308417">
> <wsse:SecurityTokenReference
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssec urit
> y-utility-1.0.xsd" wsu:Id="STRId-21357269"><wsse:Reference URI="#CertId--34480"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509- toke
> n-profile-1.0#X509v3"></wsse:Reference></wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature></wsse:Security></soapenv:Header><soapenv:Body
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssec urit
> y-utility-1.0.xsd" wsu:Id="id-20214052"><ns1:Nominal xmlns="http://www.test.com/Test" xmlns:ns1="http://www.test.com/Test">
> <ns1:name>Bert</ns1:name>
> <ns1:number>1234</ns1:number></ns1:Nominal></soapenv:Body></soapenv:Enve lope>
>
> The server stack trace is:
>
> Verification failed for URI "#id-20214052"
> org.apache.ws.security.WSSecurityException: The signature verification failed
>   at org.apache.ws.security.WSSecurityEngine.verifyXMLSignature(WSSecurityEngine.java:644)
>   at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:334)
>   at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:259)
>   at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:183)
>   at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>   at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>   at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>   at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>   at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>   at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>   at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
>   at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
>   at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>   at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)
>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
>   at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
>   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
>   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
>   at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39)
>   at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:153)
>   at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
>   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
>   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
>   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
>   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
>   at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
>   at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
>   at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
>   at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
>   at java.lang.Thread.run(Thread.java:595)
>
> Chris Nappin
> Technical Architect
>
> ABM United Kingdom Limited
> Telephone: +44 (0) 115 977 6999
> Facsimile: +44 (0) 115 977 6850
> Web: http://www.abm-uk.com
>
> ABM for Intelligent Solutions
>
> CONFIDENTIALITY & PRIVILEGE NOTICE
>
> This e-mail is confidential to its intended recipient. It may also be privileged. Neither the confidentiality nor any privilege attaching to this e-mail is waived lost or destroyed by reason that it has been mistakenly transmitted to a person or entity other than its intended recipient. If you are not the intended recipient please notify us immediately by telephone or fax at the numbers provided above or e-mail by Reply To Author and return the printed e-mail to us by post at our expense. We believe, but do not warrant, that this e-mail and any attachments are virus-free, but you should check. We may monitor traffic data of both business and personal e-mails. We are not liable for any opinions expressed by the sender where this is a non-business e-mail. If you do not receive all the message, or if you have difficulty with the transmission, please telephone us immediately.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
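The digest check that the thread is arguing about, as an added example that is not code from the thread or from wss4j: it recomputes a ds:Reference digest the way a receiver does, canonicalising what actually arrived and comparing it with the DigestValue the signer committed to. It uses the C14N 2.0 writer in Python's standard library (xml.etree.ElementTree.canonicalize), which, like the exclusive C14N the request names, emits only the namespace declarations an element visibly uses; it stands in for wss4j's canonicaliser rather than reproducing it, so the two spellings of the Nominal payload both canonicalise and verify cleanly here, and the point it makes is how to tell a payload rewrapped in transit (Werner's hypothesis) from a canonicaliser that disagrees with the signer's. The sample payloads, the helper names (canonicalize, digest_value, verify_reference, explain_mismatch), the SHA-1 choice (matching the request's DigestMethod) and the "line break inserted in transit" case are all constructed for this illustration.

```python
"""Recompute and check an XML-Signature Reference digest over a Body payload.

Added example, not wss4j code. The stdlib C14N 2.0 writer stands in for
exclusive C14N; sample payloads and the damaged-in-transit case are constructed.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample payloads: the two spellings of the Body content from the thread.
DEFAULT_NS = ('<Nominal xmlns="http://www.test.com/Test">'
              '<name>Bert</name><number>1234</number></Nominal>')
PREFIXED_NS = ('<myns:Nominal xmlns:myns="http://www.test.com/Test">'
               '<myns:name>Bert</myns:name><myns:number>1234</myns:number>'
               '</myns:Nominal>')


def canonicalize(xml_text):
    """Canonical octets of the element (stdlib C14N 2.0 standing in for exc-c14n).
    Text whitespace is kept on purpose: signer and verifier must hash exactly
    the same bytes, so nothing may be 'tidied' on the way to the hash."""
    return ET.canonicalize(xml_text, strip_text=False).encode("utf-8")


def digest_value(xml_text):
    """Base64 SHA-1 of the canonical form, the shape of ds:DigestValue.
    SHA-1 only because the thread's SignedInfo names xmldsig#sha1."""
    raw = hashlib.sha1(canonicalize(xml_text)).digest()
    return base64.b64encode(raw).decode("ascii")


def verify_reference(received_xml, expected_digest_b64):
    """Receiver side of one ds:Reference: canonicalise what arrived and
    compare it with the digest the signer committed to."""
    return digest_value(received_xml) == expected_digest_b64


def explain_mismatch(sent_xml, received_xml):
    """Debug aid for a failed Reference: report the first octet at which the
    sender's and receiver's canonical forms diverge."""
    a, b = canonicalize(sent_xml), canonicalize(received_xml)
    if a == b:
        return "canonical forms identical"
    n = min(len(a), len(b))
    i = next((k for k in range(n) if a[k] != b[k]), n)
    return f"first difference at octet {i}: {a[i:i + 16]!r} vs {b[i:i + 16]!r}"


if __name__ == "__main__":
    for label, doc in (("default namespace", DEFAULT_NS), ("prefixed", PREFIXED_NS)):
        print(f"{label}: {canonicalize(doc).decode()}  DigestValue={digest_value(doc)}")
    # Werner's hypothesis: something on the path rewrapped the message mid-word.
    # Constructed case: a CRLF inserted inside a text node after signing.
    sent_digest = digest_value(DEFAULT_NS)
    damaged = DEFAULT_NS.replace("Bert", "Be\r\nrt")
    print("damaged payload verifies:", verify_reference(damaged, sent_digest))
    print(explain_mismatch(DEFAULT_NS, damaged))
```

Feed it the Body captured with tcpmon on the client and the DigestValue from SignedInfo; if verify_reference returns False, explain_mismatch against the client-side copy shows where the octets first differ, which separates a transport that rewrapped the message from a canonicaliser that handles namespaces differently on the two sides. The stdlib writer is a stand-in for the exc-c14n implementation the request names, so agreement here does not prove wss4j's output is identical; it only tells you which of the two failure modes you are looking at.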
