Test configuration:

Custom handler in the client, calling WSSignEnvelope; based on WSDoAllSender,
but stripped down so that it only has the code relevant to signature.

WSDoAllReceiver in the service (tweaked with extra logging, but basically the
one from WSS4J 1.0.0).

Certificates generated from a local CA. The trust anchor was made with OpenSSL
and the user certificate with KeyStore Explorer. The trust anchor is an
X.509v3 certificate and the user certificate an X.509v1. The keys do work for
the signature: I know that because I added a check in WSSignEnvelope that
verifies the signature immediately after signing.

This is the log output from the JUnit tests, starting from the entry to
WSDoAllReceiver.

1051 DEBUG org.astrogrid.security.ServiceHandler  - WSDoAllReceiver: enter
invoke() with msg type: null
1071 DEBUG org.astrogrid.security.ServiceHandler  - Received SOAP request:
1071 DEBUG org.astrogrid.security.ServiceHandler  - <soapenv:Envelope xmlns=""
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/";
xmlns:xsd="http://www.w3.org/2001/XMLSchema";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";>
 <soapenv:Header>
  <wsse:Security soapenv:mustUnderstand="1" xmlns=""
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>
   <wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
wsu:Id="CertId--273267" xmlns=""
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";>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</wsse:BinarySecurityToken>
   <ds:Signature xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>

    <ds:SignedInfo xmlns="">

     <ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; xmlns=""/>

     <ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"; xmlns=""/>

     <ds:Reference URI="#id-367156" xmlns="">

      <ds:Transforms xmlns="">

       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";
xmlns=""/>

      </ds:Transforms>

      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";
xmlns=""/>

      <ds:DigestValue xmlns="">
S4XaDnlI8lOC8p5vVKlx9sLrKl8=      </ds:DigestValue>

     </ds:Reference>

    </ds:SignedInfo>

    <ds:SignatureValue xmlns="">

fTcyC/oqssWUL1G96ma5ED/gNIaecHKgJBR7kCeXg2mzSwfSfe3gWRFEkiViGSzXE0OFvsDMjm7p
JdytgsjH3iuMg9WaZOV9TU7ZaYhabZMtK0toq3zGFNJayIhfpuZq5WDAbdqvZ12BnJppWvYWADvy
+zX7w0UGl3ApikKbcGMp7SSnB4JRb7TS0Ln0rk0dYcpm9cAEj76dT5UFW7e+afQQeUwj03E5sQfS
H9KjN1gg+YD1B3gNPFYErwI+QeX+UDY9fb+qAqFxN734NhvR+/rC3JTNgieSmuiCjXE/8MKdOfFJ
QpEE1YEqTC1SH6cUU0YR3rt84Eqg91JeyrCOpQ==
    </ds:SignatureValue>

    <ds:KeyInfo Id="KeyId-12014770" xmlns="">

     <wsse:SecurityTokenReference wsu:Id="STRId-28360136" xmlns=""
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";>
      <wsse:Reference URI="#CertId--273267"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
xmlns=""/>
     </wsse:SecurityTokenReference>

    </ds:KeyInfo>

   </ds:Signature>
  </wsse:Security>
 </soapenv:Header>
 <soapenv:Body wsu:Id="id-367156"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";>
  <whoAmI xmlns=""/>
 </soapenv:Body>
</soapenv:Envelope>

1071 INFO  org.apache.ws.security.components.crypto.CryptoFactory  - Using
Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
1071 DEBUG org.apache.ws.security.WSSecurityEngine  - enter
processSecurityHeader()
1081 DEBUG org.apache.ws.security.WSSecurityEngine  - Processing WS-Security
header for '' actor.
1081 DEBUG org.apache.ws.security.WSSecurityEngine  - Unknown Element:
BinarySecurityToken
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
1081 DEBUG org.apache.ws.security.WSSecurityEngine  - Found signature element
1081 DEBUG org.apache.ws.security.WSSecurityEngine  - Verify XML Signature
1081 DEBUG org.apache.xml.security.utils.ElementProxy  -
setElement("ds:Signature", "null")
1081 DEBUG org.apache.xml.security.utils.ElementProxy  -
setElement("ds:SignedInfo", "null")
1081 DEBUG org.apache.xml.security.utils.ElementProxy  -
setElement("ds:SignatureMethod", "null")
1081 DEBUG org.apache.xml.security.algorithms.SignatureAlgorithm  - Create URI
"http://www.w3.org/2000/09/xmldsig#rsa-sha1"; class
"org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1"
1081 DEBUG org.apache.xml.security.algorithms.JCEMapper  - Request for URI
http://www.w3.org/2000/09/xmldsig#rsa-sha1
1081 DEBUG org.apache.xml.security.algorithms.implementations.SignatureBaseRSA
- Created SignatureDSA using SHA1withRSA
1081 DEBUG org.apache.xml.security.utils.ElementProxy  -
setElement("ds:KeyInfo", "null")
1081 DEBUG org.apache.ws.security.WSSecurityEngine  - Checking signature value
with a certificate in the name of CN=Security-facade tester, OU=unit-test,
O=AstroGrid, C=UK issued by C=UK, O=AstroGrid, OU=unit-test, CN=CA
1081 DEBUG org.apache.xml.security.signature.Manifest  - verify 1 References
1081 DEBUG org.apache.xml.security.signature.Manifest  - I am not requested to
follow nested Manifests
1081 DEBUG org.apache.xml.security.utils.ElementProxy  -
setElement("ds:Reference", "null")
1081 DEBUG org.apache.xml.security.algorithms.JCEMapper  - Request for URI
http://www.w3.org/2000/09/xmldsig#sha1
1081 DEBUG org.apache.xml.security.utils.resolver.ResourceResolver  - I was
asked to create a ResourceResolver and got 1
1081 DEBUG org.apache.xml.security.utils.resolver.ResourceResolver  -  extra
resolvers to my existing 4 system-wide resolvers
1081 DEBUG org.apache.xml.security.utils.resolver.ResourceResolver  - check
resolvability by class org.apache.ws.security.message.EnvelopeIdResolver
1091 DEBUG org.apache.xml.security.utils.ElementProxy  -
setElement("ds:Transforms", "null")
1091 DEBUG org.apache.xml.security.utils.ElementProxy  -
setElement("ds:Transform", "null")
1091 DEBUG org.apache.xml.security.transforms.Transforms  - Preform the (0)th
http://www.w3.org/2001/10/xml-exc-c14n# transform
1091 WARN  org.apache.xml.security.signature.Reference  - Verification failed
for URI "#id-367156"
1091 DEBUG org.apache.xml.security.signature.Manifest  - The Reference has
Type
------------- ---------------- ---------------
------------- Standard Error -----------------
org.apache.ws.security.WSSecurityException: The signature verification failed
        at
org.apache.ws.security.WSSecurityEngine.verifyXMLSignature(WSSecurityEngine.java:649)
        at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:334)
        at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:259)
        at
org.astrogrid.security.ServiceHandler.invoke(ServiceHandler.java:160)
        at
org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
        at
org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
        at
org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
        at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
        at
org.apache.axis.transport.local.LocalSender.invoke(LocalSender.java:141)
        at
org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
        at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
        at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
        at org.apache.axis.client.Call.invoke(Call.java:2767)
        at org.apache.axis.client.Call.invoke(Call.java:2443)
        at org.apache.axis.client.Call.invoke(Call.java:2366)
        at org.apache.axis.client.Call.invoke(Call.java:1812)
        at
org.astrogrid.security.sample.SamplePortSoapBindingStub.whoAmI(SamplePortSoapBindingStub.java:108)
        at
org.astrogrid.security.sample.SampleDelegate.whoAmI(SampleDelegate.java:42)
        at
org.astrogrid.security.EndToEndTest.testGoodCredentials(EndToEndTest.java:58)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at junit.framework.TestCase.runTest(TestCase.java:154)
        at junit.framework.TestCase.runBare(TestCase.java:127)
        at junit.framework.TestResult$1.protect(TestResult.java:106)
        at junit.framework.TestResult.runProtected(TestResult.java:124)
        at junit.framework.TestResult.run(TestResult.java:109)
        at junit.framework.TestCase.run(TestCase.java:118)
        at junit.framework.TestSuite.runTest(TestSuite.java:208)
        at junit.framework.TestSuite.run(TestSuite.java:203)
        at
org.apache.tools.ant.taskdefs.optional.junit.JUnitTestRunner.run(JUnitTestRunner.java:325)
        at
org.apache.tools.ant.taskdefs.optional.junit.JUnitTestRunner.main(JUnitTestRunner.java:536)


I changed the receiver to log the actual exception thrown by XMLSec; it reports:

1091 WARN  org.apache.xml.security.signature.Reference  - Verification failed
for URI "#id-367156"

Cheers,
Guy



On Fri, 17 Mar 2006, Dittmann, Werner wrote:

> Guy,
>
> What is your test configuration? Which certificates do you use?
>
> What is the exception that xml-sec throws?
>
> Thanks,
> Werner
>
> > -----Ursprüngliche Nachricht-----
> > Von: Guy Rixon [mailto:[EMAIL PROTECTED]
> > Gesendet: Donnerstag, 16. März 2006 17:11
> > An: Dittmann, Werner
> > Cc: [EMAIL PROTECTED]; [email protected]
> > Betreff: Re: AW: AW: Problems with signatures
> >
> > I've set the options on both client and service and the
> > verification still
> > fails. I've dumped the raw XML messages with and without the
> > options and there
> > doesn't seem to be any difference.
> >
> > On Thu, 16 Mar 2006, Dittmann, Werner wrote:
> >
> > > Probably on both if the service responds with signed messages.
> > >
> > > Regards,
> > > Werner
> > >
> > > > -----Ursprüngliche Nachricht-----
> > > > Von: Guy Rixon [mailto:[EMAIL PROTECTED]
> > > > Gesendet: Donnerstag, 16. März 2006 16:29
> > > > An: [EMAIL PROTECTED]
> > > > Cc: Dittmann, Werner; [email protected]
> > > > Betreff: Re: AW: Problems with signatures
> > > >
> > > > Thanks.
> > > >
> > > > Do these parameters have to be set on the client, the
> > service or both?
> > > > Setting them just on the service doesn't fix the problem, and
> > > > to set them on
> > > > the client I have to find out how to do it programmatically.
> > > >
> > > > On Thu, 16 Mar 2006 [EMAIL PROTECTED] wrote:
> > > >
> > > > > Hi Guy
> > > > > setting these 2 props works for me.
> > > > >      <parameter name="enableNamespacePrefixOptimization"
> > > > value="false" />
> > > > >      <parameter name="disablePrettyXML" value="true"/>
> > > > >
> > > > > thanks
> > > > > Anamitra
> > > > >
> > > > >
> > > > >
> > > > >              "Dittmann,
> > > > >              Werner"
> > > > >              <werner.dittmann@
> > > >             To
> > > > >              siemens.com>              "Guy Rixon"
> > > > <[EMAIL PROTECTED]>,
> > > > >                                        <[email protected]>
> > > > >              03/16/2006 09:10
> > > >             cc
> > > > >              AM
> > > > >
> > > >        Subject
> > > > >                                        AW: Problems
> > with signatures
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > AFAIK there is a switch / parameter in the Axis WSDD files
> > > > > to disable XML pretty printing. Maybe this "feature" is enabled
> > > > > by default - pretty printing always breaks the signature
> > > > > digests, because the inserted whitespace changes the canonicalised
> > > > > content that was signed.
> > > > >
> > > > > Also there is a parameter for Axis to disable some sort
> > > > > of namespace optimization - sorry but I haven't the parameter
> > > > > names at hand.
> > > > >
> > > > > Regards,
> > > > > Werner
> > > > >
> > > > > > -----Ursprüngliche Nachricht-----
> > > > > > Von: Guy Rixon [mailto:[EMAIL PROTECTED]
> > > > > > Gesendet: Donnerstag, 16. März 2006 14:01
> > > > > > An: [email protected]
> > > > > > Betreff: Problems with signatures
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > can you help me with a signature problem?  I have a client
> > > > > > and service, both
> > > > > > using WSS4J 1.0.0. The client signs the SOAP body of the
> > > > > > request, but the
> > > > > > signature checking in the service always fails at the XMLSec
> > > > > > level. The
> > > > > > signature uses a direct reference to a BinarySecurityToken,
> > > > > > and the service
> > > > > > seems to be reading the token properly; at least, it gets the
> > > > > > subject DN
> > > > > > right.
> > > > > >
> > > > > > I've checked the signature in the client immediately after
> > > > > > signing and it
> > > > > > verifies correctly there. Something bad seems to be happening
> > > > > > to the XML on
> > > > > > the way to the service, but I can't think what. No other
> > > > > > special handlers are
> > > > > > involved.
> > > > > >
> > > > > > This is all with Axis 1.3 and "local" transport, BTW.
> > > > > >
> > > > > > Thanks,
> > > > > > Guy
> > > > > >
> > > > > > Guy Rixon
> > > > > [EMAIL PROTECTED]
> > > > > > Institute of Astronomy                             Tel:
> > > > +44-1223-337542
> > > > > > Madingley Road, Cambridge, UK, CB3 0HA
> >      Fax:
> > > > > > +44-1223-337523
> > > > > >
> > > > > >
> > > >
> > ---------------------------------------------------------------------
> > > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > > Guy Rixon
> > [EMAIL PROTECTED]
> > > > Institute of Astronomy                          Tel: +44-1223-337542
> > > > Madingley Road, Cambridge, UK, CB3 0HA          Fax:
> > > > +44-1223-337523
> > > >
> > > >
> > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > >
> > > >
> > >
> >
> > Guy Rixon                                   [EMAIL PROTECTED]
> > Institute of Astronomy                      Tel: +44-1223-337542
> > Madingley Road, Cambridge, UK, CB3 0HA              Fax:
> > +44-1223-337523
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>

Guy Rixon                                       [EMAIL PROTECTED]
Institute of Astronomy                          Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA          Fax: +44-1223-337523

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
