hi werner,
i don't think that the problem is due to 'pretty printing'. the timestamp
tag for example:

<wsu:Timestamp
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="XWSSGID-1126712330472-1335315878">
<wsu:Created>2005-09-14T15:38:50Z</wsu:Created>
<wsu:Expires>2005-09-14T15:43:50Z</wsu:Expires>
</wsu:Timestamp>

there are no newlines, tabs or blanks in the attribute values or in the data.
moreover, signature verification is successful doing it with jwsdp.
perhaps it's a problem with the canonicalization method implementation?

regards, yves

>-- Original message --
>Date: Thu, 15 Sep 2005 10:24:39 +0200
>From: Werner Dittmann <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>CC: [email protected]
>Subject: Re: AW: Re: interop with sun jwsdp-1.6
>
>
>Yves,
>
>according to the trace and the SOAP request all looks ok. But somehow
>the Body was modified after the Signature was added. This very often
>is due to "pretty printing" the XML SOAP request after it got signed.
>"Pretty Printing": adding some newlines and/or blanks/tabs to make
>the XML data more readable. Do you know if that happens somehow on
>the JWSDP side?
>
>Regards,
>Werner
>
>
>[EMAIL PROTECTED] wrote:
>> hi werner,
>> sorry, the log and the soap message in my previous mail did not correspond.
>> here is the correct log:
>>
>> - Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
>> - enter processSecurityHeader()
>> - Processing WS-Security header for '' actor.
>> - Unknown Element: BinarySecurityToken 
>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
>> - Found signature element
>> - Verify XML Signature
>> - setElement("ds:Signature", "null")
>> - setElement("ds:SignedInfo", "null")
>> - setElement("ds:SignatureMethod", "null")
>> - Create URI "http://www.w3.org/2000/09/xmldsig#rsa-sha1" class "class org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1"
>> - Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
>> - Created SignatureDSA using SHA1withRSA
>> - setElement("ds:KeyInfo", "null")
>> - Token reference uri: #XWSSGID-1126712329621513364021
>> - verify 2 References
>> - I am not requested to follow nested Manifests
>> - setElement("ds:Reference", "null")
>> - Request for URI http://www.w3.org/2000/09/xmldsig#sha1
>> - I was asked to create a ResourceResolver and got 1
>> -  extra resolvers to my existing 4 system-wide resolvers
>> - check resolvability by class 
>> org.apache.ws.security.message.EnvelopeIdResolver
>> - enter engineResolve, look for: #XWSSGID-1126712330472-1335315878
>> - Tag: wsu:Timestamp, 'null'
>> - Attr: wsu:Id, 'XWSSGID-1126712330472-1335315878'
>> - Attr: xmlns, ''
>> - Attr: xmlns:SOAP-ENV, 'http://schemas.xmlsoap.org/soap/envelope/'
>> - Attr: xmlns:wsse, 
>> 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
>> - Attr: xmlns:wsu, 
>> 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
>> - Tag: #text, '
>> '
>> - Tag: wsu:Created, 'null'
>> - Attr: xmlns, ''
>> - Attr: xmlns:SOAP-ENV, 'http://schemas.xmlsoap.org/soap/envelope/'
>> - Attr: xmlns:wsse, 
>> 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
>> - Attr: xmlns:wsu, 
>> 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
>> - Tag: #text, '2005-09-14T15:38:50Z'
>> - Tag: #text, '
>> '
>> - Tag: wsu:Expires, 'null'
>> - Attr: xmlns, ''
>> - Attr: xmlns:SOAP-ENV, 'http://schemas.xmlsoap.org/soap/envelope/'
>> - Attr: xmlns:wsse, 
>> 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
>> - Attr: xmlns:wsu, 
>> 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
>> - Tag: #text, '2005-09-14T15:43:50Z'
>> - Tag: #text, '
>> '
>> - engineResolve= 24
>> - exit engineResolve, result: XMLSignatureInput/NodeSet/21 nodes/null
>> - Verification failed for URI "#XWSSGID-1126712330472-1335315878"
>> - The Reference has Type
>> - setElement("ds:Reference", "null")
>> - Request for URI http://www.w3.org/2000/09/xmldsig#sha1
>> - I was asked to create a ResourceResolver and got 1
>> -  extra resolvers to my existing 4 system-wide resolvers
>> - check resolvability by class 
>> org.apache.ws.security.message.EnvelopeIdResolver
>> - enter engineResolve, look for: #XWSSGID-1126712330478-1126252258
>> - Tag: SOAP-ENV:Body, 'null'
>> - Attr: wsu:Id, 'XWSSGID-1126712330478-1126252258'
>> - Attr: xmlns, ''
>> - Attr: xmlns:SOAP-ENV, 'http://schemas.xmlsoap.org/soap/envelope/'
>> - Attr: xmlns:wsu, 
>> 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
>> - Tag: #text, '
>> '
>> - Tag: tru:StockSymbol, 'null'
>> - Attr: xmlns, ''
>> - Attr: xmlns:SOAP-ENV, 'http://schemas.xmlsoap.org/soap/envelope/'
>> - Attr: xmlns:tru, 'http://fabrikam123.com/payloads'
>> - Attr: xmlns:wsu, 
>> 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
>> - Tag: #text, 'QQQ'
>> - Tag: #text, '
>> '
>> - engineResolve= 6
>> - exit engineResolve, result: XMLSignatureInput/NodeSet/13 nodes/null
>> - Verification failed for URI "#XWSSGID-1126712330478-1126252258"
>> - The Reference has Type
>> org.apache.ws.security.WSSecurityException: The signature verification failed
>>         at org.apache.ws.security.WSSecurityEngine.verifyXMLSignature(WSSecurityEngine.java:627)
>>         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:320)
>>         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:245)
>>         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:198)
>>
>> thanks, yves
>>
>>
>>>-- Original message --
>>>Date: Thu, 15 Sep 2005 08:42:26 +0200
>>>From: Werner Dittmann <[EMAIL PROTECTED]>
>>>To: [EMAIL PROTECTED]
>>>CC: [email protected]
>>>Subject: Re: interop with sun jwsdp-1.6
>>>
>>>
>>>Yves,
>>>
>>>the attached SOAP request is not the same as the one shown below :-)
>>>(Timestamps differ)
>>>
>>>Looking at the debug output and the attached SOAP I can see a
>>>difference:
>>>the debug output shows an additional #text after the timestamps,
>>>this additional text cannot be seen in the attached SOAP request.
>>>
>>>How did you get the SOAP request? Can you try to get it via tcpmon
>>>somehow so that we can see what goes over the wire? It looks like
>>>the good old "pretty printing" problem where the requests are
>>>modified after adding the Signature.
>>>
>>>Regards,
>>>Werner
>>>
>>>
>>>[EMAIL PROTECTED] wrote:
>>>
>>>>hello,
>>>>has anybody tried interop with sun jwsdp-1.6?
>>>>i cannot use wss4j to verify a message signed with jwsdp...? is this a known
>>>>issue?
>>>>
>>>>the problem is, that the digests when resolving the references are not equal:
>>>>
>>>>- Token reference uri: #XWSSGID-1126515797640161369913
>>>>- verify 2 References
>>>>- I am not requested to follow nested Manifests
>>>>- setElement("ds:Reference", "null")
>>>>- Request for URI http://www.w3.org/2000/09/xmldsig#sha1
>>>>- I was asked to create a ResourceResolver and got 1
>>>>-  extra resolvers to my existing 4 system-wide resolvers
>>>>- check resolvability by class 
>>>>org.apache.ws.security.message.EnvelopeIdResolver
>>>>- enter engineResolve, look for: #XWSSGID-11265158021251414682510
>>>>- Tag: wsu:Timestamp, 'null'
>>>>- Attr: wsu:Id, 'XWSSGID-11265158021251414682510'
>>>>- Attr: xmlns, ''
>>>>- Attr: xmlns:enc, 'http://schemas.xmlsoap.org/soap/encoding/'
>>>>- Attr: xmlns:env, 'http://schemas.xmlsoap.org/soap/envelope/'
>>>>- Attr: xmlns:ns0, 'http://ztable.ejpd.ch/types'
>>>>- Attr: xmlns:wsse, 
>>>>'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
>>>>- Attr: xmlns:wsu, 
>>>>'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
>>>>- Attr: xmlns:xsd, 'http://www.w3.org/2001/XMLSchema'
>>>>- Attr: xmlns:xsi, 'http://www.w3.org/2001/XMLSchema-instance'
>>>>- Tag: #text, '
>>>>                                '
>>>>- Tag: wsu:Created, 'null'
>>>>- Attr: xmlns, ''
>>>>- Attr: xmlns:enc, 'http://schemas.xmlsoap.org/soap/encoding/'
>>>>- Attr: xmlns:env, 'http://schemas.xmlsoap.org/soap/envelope/'
>>>>- Attr: xmlns:ns0, 'http://ztable.ejpd.ch/types'
>>>>- Attr: xmlns:wsse, 
>>>>'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
>>>>- Attr: xmlns:wsu, 
>>>>'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
>>>>- Attr: xmlns:xsd, 'http://www.w3.org/2001/XMLSchema'
>>>>- Attr: xmlns:xsi, 'http://www.w3.org/2001/XMLSchema-instance'
>>>>- Tag: #text, '2005-09-12T09:03:21Z'
>>>>- Tag: #text, '
>>>>                                '
>>>>- Tag: wsu:Expires, 'null'
>>>>- Attr: xmlns, ''
>>>>- Attr: xmlns:enc, 'http://schemas.xmlsoap.org/soap/encoding/'
>>>>- Attr: xmlns:env, 'http://schemas.xmlsoap.org/soap/envelope/'
>>>>- Attr: xmlns:ns0, 'http://ztable.ejpd.ch/types'
>>>>- Attr: xmlns:wsse, 
>>>>'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
>>>>- Attr: xmlns:wsu, 
>>>>'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
>>>>- Attr: xmlns:xsd, 'http://www.w3.org/2001/XMLSchema'
>>>>- Attr: xmlns:xsi, 'http://www.w3.org/2001/XMLSchema-instance'
>>>>- Tag: #text, '2005-09-12T09:08:21Z'
>>>>- Tag: #text, '
>>>>                        '
>>>>- engineResolve= 33
>>>>- exit engineResolve, result: XMLSignatureInput/NodeSet/33 nodes/null
>>>>- Verification failed for URI "#XWSSGID-11265158021251414682510"
>>>>
>>>>any hints?
>>>>regards, yves
>>>>
>>>>ps: attached is the soap message
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
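
Added example, not part of the original thread and not WSS4J or JWSDP code: a small Python check that separates a whitespace-only digest mismatch (the "pretty printing" case discussed above) from a real content change. It uses the C14N 2.0 canonicalizer in Python's standard library as a stand-in for the canonicalization WSS4J applies, and the sample XML is constructed from the Timestamp quoted in the mail and the `#text` nodes listed in the debug log.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
TS_ID = "XWSSGID-1126712330472-1335315878"

# Constructed samples: the Timestamp as quoted in the mail, no whitespace ...
COMPACT = (f'<wsu:Timestamp xmlns:wsu="{WSU}" wsu:Id="{TS_ID}">'
           '<wsu:Created>2005-09-14T15:38:50Z</wsu:Created>'
           '<wsu:Expires>2005-09-14T15:43:50Z</wsu:Expires></wsu:Timestamp>')
# ... the same element with the three newline #text nodes the debug log lists ...
WITH_NEWLINES = (f'<wsu:Timestamp xmlns:wsu="{WSU}" wsu:Id="{TS_ID}">\n'
                 '<wsu:Created>2005-09-14T15:38:50Z</wsu:Created>\n'
                 '<wsu:Expires>2005-09-14T15:43:50Z</wsu:Expires>\n</wsu:Timestamp>')
# ... and a re-serialisation that only swaps attribute order and quote style.
REQUOTED = COMPACT.replace(f'xmlns:wsu="{WSU}" wsu:Id="{TS_ID}"',
                           f"wsu:Id='{TS_ID}' xmlns:wsu='{WSU}'")


def reference_digest(xml_text, strip_text=False):
    """Base64 SHA-1 over the canonical form (the log shows xmldsig#sha1)."""
    canonical = ET.canonicalize(xml_data=xml_text, strip_text=strip_text)
    return base64.b64encode(hashlib.sha1(canonical.encode("utf-8")).digest()).decode()


def whitespace_text_nodes(xml_text):
    """List (element, slot) for every whitespace-only text node in the subtree."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        for slot in ("text", "tail"):
            value = getattr(el, slot)
            if value and not value.strip():
                found.append((el.tag.split("}")[-1], slot))
    return found


def diagnose(signed, received):
    """Classify a digest mismatch between the signed and the received element."""
    if reference_digest(signed) == reference_digest(received):
        return "digests match"
    # Stripping whitespace is a diagnostic only; a verifier must never do this.
    if reference_digest(signed, True) == reference_digest(received, True):
        return "whitespace-only difference"
    return "content difference"


if __name__ == "__main__":
    print(diagnose(COMPACT, REQUOTED), "/", diagnose(COMPACT, WITH_NEWLINES))
    print(whitespace_text_nodes(WITH_NEWLINES))
```

Canonicalization absorbs attribute order and quoting, but whitespace-only text nodes are part of the digested node set, so a serializer that inserts them after signing invalidates every affected Reference.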
