yes, that's it! i didn't consider this property of the c14n algorithm. without
the newlines pointed out below, the verification is successful. thanks werner.
regards, yves


>-- Original message --
>Date: Thu, 15 Sep 2005 11:15:20 +0200
>From: Werner Dittmann <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>CC: [email protected]
>Subject: Re: AW: Re: AW: Re: interop with sun jwsdp-1.6
>
>
>Yves,
>
>until now we had no problems with c14n implementation. AFAIK we also
>had some interop test with JWSDP last year - pls have a look at the wiki.
>
>On the other hand: there are of course newline characters, e.g. just
>behind, as a string this would contain "...</wsu:Created>\n". These
>newlines also appear in the Body and they count for the Signature. C14n
>does _not_ remove these newlines or other significant whitespace. This
>is a common misunderstanding that c14n does this.
>
>Regards,
>Werner
>
>[EMAIL PROTECTED] wrote:
>> hi werner,
>> i don't think that the problem is due to 'pretty printing'. the timestamp
>> tag for example:
>>
>> <wsu:Timestamp 
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> wsu:Id="XWSSGID-1126712330472-1335315878">
>> <wsu:Created>2005-09-14T15:38:50Z</wsu:Created>
>> <wsu:Expires>2005-09-14T15:43:50Z</wsu:Expires>
>> </wsu:Timestamp>
>>
>> there are no newlines, tabs or blanks in the attribute values or in the
>> data.
>> moreover, signature verification is successful doing it with jwsdp.
>> perhaps it's a problem with the canonicalization method implementation?
>>
>> regards, yves
>>
>>
>>>-- Original message --
>>>Date: Thu, 15 Sep 2005 10:24:39 +0200
>>>From: Werner Dittmann <[EMAIL PROTECTED]>
>>>To: [EMAIL PROTECTED]
>>>CC: [email protected]
>>>Subject: Re: AW: Re: interop with sun jwsdp-1.6
>>>
>>>
>>>Yves,
>>>
>>>according to the trace and the SOAP request all looks ok. But somehow
>>>the Body was modified after the Signature was added. This very often
>>>is due to "pretty printing" the XML SOAP request after it got signed.
>>>"Pretty Printing": adding some newline and/or blanks/tabs to make
>>>the XML data more readable. Do you know if that happens somehow on
>>>the JWSDP side?
>>>
>>>Regards,
>>>Werner
>>>
>>>
>>>[EMAIL PROTECTED] wrote:
>>>
>>>>hi werner,
>>>>sorry, the log and the soap message in my previous mail did not correspond.
>>>>here is the correct log:
>>>>
>>>>- Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
>>>>- enter processSecurityHeader()
>>>>- Processing WS-Security header for '' actor.
>>>>- Unknown Element: BinarySecurityToken 
>>>>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
>>>>- Found signature element
>>>>- Verify XML Signature
>>>>- setElement("ds:Signature", "null")
>>>>- setElement("ds:SignedInfo", "null")
>>>>- setElement("ds:SignatureMethod", "null")
>>>>- Create URI "http://www.w3.org/2000/09/xmldsig#rsa-sha1" class "class
>>>>org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1"
>>>>- Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
>>>>- Created SignatureDSA using SHA1withRSA
>>>>- setElement("ds:KeyInfo", "null")
>>>>- Token reference uri: #XWSSGID-1126712329621513364021
>>>>- verify 2 References
>>>>- I am not requested to follow nested Manifests
>>>>- setElement("ds:Reference", "null")
>>>>- Request for URI http://www.w3.org/2000/09/xmldsig#sha1
>>>>- I was asked to create a ResourceResolver and got 1
>>>>-  extra resolvers to my existing 4 system-wide resolvers
>>>>- check resolvability by class 
>>>>org.apache.ws.security.message.EnvelopeIdResolver
>>>>- enter engineResolve, look for: #XWSSGID-1126712330472-1335315878
>>>>- Tag: wsu:Timestamp, 'null'
>>>>- Attr: wsu:Id, 'XWSSGID-1126712330472-1335315878'
>>>>- Attr: xmlns, ''
>>>>- Attr: xmlns:SOAP-ENV, 'http://schemas.xmlsoap.org/soap/envelope/'
>>>>- Attr: xmlns:wsse, 
>>>>'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
>>>>- Attr: xmlns:wsu, 
>>>>'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
>>>>- Tag: #text, '
>>>>'
>>>>- Tag: wsu:Created, 'null'
>>>>- Attr: xmlns, ''
>>>>- Attr: xmlns:SOAP-ENV, 'http://schemas.xmlsoap.org/soap/envelope/'
>>>>- Attr: xmlns:wsse, 
>>>>'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
>>>>- Attr: xmlns:wsu, 
>>>>'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
>>>>- Tag: #text, '2005-09-14T15:38:50Z'
>>>>- Tag: #text, '
>>>>'
>>>>- Tag: wsu:Expires, 'null'
>>>>- Attr: xmlns, ''
>>>>- Attr: xmlns:SOAP-ENV, 'http://schemas.xmlsoap.org/soap/envelope/'
>>>>- Attr: xmlns:wsse, 
>>>>'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
>>>>- Attr: xmlns:wsu, 
>>>>'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
>>>>- Tag: #text, '2005-09-14T15:43:50Z'
>>>>- Tag: #text, '
>>>>'
>>>>- engineResolve= 24
>>>>- exit engineResolve, result: XMLSignatureInput/NodeSet/21 nodes/null
>>>>- Verification failed for URI "#XWSSGID-1126712330472-1335315878"
>>>>- The Reference has Type
>>>>- setElement("ds:Reference", "null")
>>>>- Request for URI http://www.w3.org/2000/09/xmldsig#sha1
>>>>- I was asked to create a ResourceResolver and got 1
>>>>-  extra resolvers to my existing 4 system-wide resolvers
>>>>- check resolvability by class 
>>>>org.apache.ws.security.message.EnvelopeIdResolver
>>>>- enter engineResolve, look for: #XWSSGID-1126712330478-1126252258
>>>>- Tag: SOAP-ENV:Body, 'null'
>>>>- Attr: wsu:Id, 'XWSSGID-1126712330478-1126252258'
>>>>- Attr: xmlns, ''
>>>>- Attr: xmlns:SOAP-ENV, 'http://schemas.xmlsoap.org/soap/envelope/'
>>>>- Attr: xmlns:wsu, 
>>>>'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
>>>>- Tag: #text, '
>>>>'
>>>>- Tag: tru:StockSymbol, 'null'
>>>>- Attr: xmlns, ''
>>>>- Attr: xmlns:SOAP-ENV, 'http://schemas.xmlsoap.org/soap/envelope/'
>>>>- Attr: xmlns:tru, 'http://fabrikam123.com/payloads'
>>>>- Attr: xmlns:wsu, 
>>>>'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
>>>>- Tag: #text, 'QQQ'
>>>>- Tag: #text, '
>>>>'
>>>>- engineResolve= 6
>>>>- exit engineResolve, result: XMLSignatureInput/NodeSet/13 nodes/null
>>>>- Verification failed for URI "#XWSSGID-1126712330478-1126252258"
>>>>- The Reference has Type
>>>>org.apache.ws.security.WSSecurityException: The signature verification
>>>>failed
>>>>        at 
>>>> org.apache.ws.security.WSSecurityEngine.verifyXMLSignature(WSSecurityEngine.java:627)
>>>>        at 
>>>> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:320)
>>>>        at 
>>>> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:245)
>>>>        at 
>>>> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:198)
>>>>
>>>>thanks, yves
>>>>
>>>>
>>>>
>>>>>-- Original message --
>>>>>Date: Thu, 15 Sep 2005 08:42:26 +0200
>>>>>From: Werner Dittmann <[EMAIL PROTECTED]>
>>>>>To: [EMAIL PROTECTED]
>>>>>CC: [email protected]
>>>>>Subject: Re: interop with sun jwsdp-1.6
>>>>>
><SNIP> --------------------- <SNAP>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
>
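
Added example, not part of the original thread and not WSS4J or JWSDP code: it reproduces the point Werner makes about newlines, using the Timestamp quoted above as constructed input. It assumes Python's standard-library `canonicalize` (C14N 2.0 with default options) as a stand-in for the canonicalization used in the thread; like it, the default does not trim whitespace text nodes.

```python
import base64
import hashlib
from xml.etree.ElementTree import canonicalize

WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
TS_ID = "XWSSGID-1126712330472-1335315878"

# Constructed input: the Timestamp from the thread, with the newline text
# nodes the log shows between its child elements.
AS_SIGNED = (
    f'<wsu:Timestamp xmlns:wsu="{WSU}" wsu:Id="{TS_ID}">\n'
    "<wsu:Created>2005-09-14T15:38:50Z</wsu:Created>\n"
    "<wsu:Expires>2005-09-14T15:43:50Z</wsu:Expires>\n"
    "</wsu:Timestamp>"
)
# Same element after the inter-element newlines were dropped.
NEWLINES_DROPPED = AS_SIGNED.replace("\n", "")
# Same content, but different attribute order, quoting and in-tag spacing.
TAG_REWRITTEN = AS_SIGNED.replace(
    f'<wsu:Timestamp xmlns:wsu="{WSU}" wsu:Id="{TS_ID}">',
    f"<wsu:Timestamp   wsu:Id='{TS_ID}'\n   xmlns:wsu='{WSU}' >",
)


def c14n(xml_text: str) -> str:
    """Canonical form (C14N 2.0 defaults: text nodes are not trimmed)."""
    return canonicalize(xml_text)


def reference_digest(xml_text: str) -> str:
    """Base64 SHA-1 over the canonical octets, as a ds:DigestValue would be."""
    return base64.b64encode(
        hashlib.sha1(c14n(xml_text).encode("utf-8")).digest()
    ).decode("ascii")


def digest_matches(signed: str, received: str) -> bool:
    """True when both inputs canonicalize to the same digest."""
    return reference_digest(signed) == reference_digest(received)


if __name__ == "__main__":
    print(repr(c14n(AS_SIGNED)))
    print("tag rewritten   :", digest_matches(AS_SIGNED, TAG_REWRITTEN))
    print("newlines dropped:", digest_matches(AS_SIGNED, NEWLINES_DROPPED))
```

Differences inside the start tag are normalized away and the digest still matches; adding or removing a newline between elements changes the canonical octets and the Reference digest no longer verifies.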

