Guy, I wasn't aware that you use a custom handler.
As I can see there could be a problem when you hand over the signed message to Axis for sending it over the wire. It's somewhat tricky to do this. Before handing it over to Axis the message should be fed through a c14n method; this is what WSDoAllSender does before it sets the signed message as "new" message to Axis. Maybe you can show the code snippet where your handler does this.

Regards,
Werner

> -----Original Message-----
> From: Guy Rixon [mailto:[EMAIL PROTECTED]
> Sent: Friday, 17 March 2006 11:06
> To: Dittmann, Werner
> Cc: [EMAIL PROTECTED]; [email protected]
> Subject: Re: AW: AW: AW: Problems with signatures
>
> Test configuration:
>
> Custom handler in the client, calling WSSignEnvelope; based on WSDoAllSender,
> but stripped down so that it only has the code relevant to signature.
>
> WSDoAllReceiver in the service (tweaked with extra logging, but basically the
> one from WSS4J 1.0.0).
>
> Certificates generated from local CA. The trust anchor was made with OpenSSL
> and the user certificate with KeyStore Explorer. The trust anchor is an
> X.509v3 and the user one an X.509v1. The keys do work for the signature: I
> know that because I put a check in WSSignEnvelope to check the signature just
> after signing.
>
> This is the log output from the JUnit tests, starting from the entry to
> WSDoAllReceiver.
>
> 1051 DEBUG org.astrogrid.security.ServiceHandler - WSDoAllReceiver: enter invoke() with msg type: null
> 1071 DEBUG org.astrogrid.security.ServiceHandler - Received SOAP request:
> 1071 DEBUG org.astrogrid.security.ServiceHandler - <soapenv:Envelope xmlns="" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> <soapenv:Header>
> <wsse:Security soapenv:mustUnderstand="1" xmlns="" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId--273267" xmlns="" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> MIIDETCCAfmgAwIBAAIBBDANBgkqhkiG9w0BAQIFADBCMQswCQYDVQQDEwJDQTESMBAGA1UECxMJ
> dW5pdC10ZXN0MRIwEAYDVQQKEwlBc3Ryb0dyaWQxCzAJBgNVBAYTAlVLMB4XDTA2MDMwNzE4MjAz
> OVoXDTE2MDMwNzE4MjAzOVowVjELMAkGA1UEBhMCVUsxEjAQBgNVBAoTCUFzdHJvR3JpZDESMBAG
> A1UECxMJdW5pdC10ZXN0MR8wHQYDVQQDExZTZWN1cml0eS1mYWNhZGUgdGVzdGVyMIIBIjANBgkq
> hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtA1mJfcoLg22xFvQiB9NY6tH7aY4UbFHGIl5AjampcD8
> zW/OcbaEndMaK495ODS8BbwXz8B0YPzIjczpO56k7H63sJWxrgMsDGU4oeIlh3DiAOYywD3h9PAu
> c8tnoD7q5SyY0Vw9jkuRP6iOKmf+nTfi910zNB86PYjCk0zarie3Ehg7/LBYNC0us+JV9M/q76mw
> OOMzypgLjM1skBjO6tMbDosnCQe58+ei2ZfRT4gnCRhHRojLfcR3ND0pi7BS5TOX8qTrQ8x++erN
> BlA2X+uX3yAx4Y1cvW9YkKAjx5UxpUu8uJFYfLNKoTCq86E6+OFk5+SRQLp1KpS9EvfZ5wIDAQAB
> MA0GCSqGSIb3DQEBAgUAA4IBAQARtZRiqKj1IXqD7wVlwqZPvE4CuFy9fjpu0nxVN+UnKs3cNm7g
> QfLPpDbh7maiGmmxWA2mFobptzbnfAyRfKYJWJ/hI8neouL+05L78cz7nTDDxpjEhWpV8qtXdKp4
> r5S4GhG84HzPMrEqxxc0CRXbK3KLLLudbCPMNgSFxzRwimCpBTkwe81jwYH0FZECyCBAsgfUMCz4
> jeYwBjqKxHlGeZERD9oRfsRF28nLgNRrP5D9IMj2Y2rhbILMmb0GTK/YWFpfD3H/DEP0hUVtRni7
> ykGvaLOYA7rI1eiKwxmFWTs6H+CPgkyZ+SW3l//uY/6HnzD1XacTIRASz1UK7Bzw
> </wsse:BinarySecurityToken>
> <ds:Signature xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo xmlns="">
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns=""/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns=""/>
> <ds:Reference URI="#id-367156" xmlns="">
> <ds:Transforms xmlns="">
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns=""/>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns=""/>
> <ds:DigestValue xmlns="">
> S4XaDnlI8lOC8p5vVKlx9sLrKl8= </ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue xmlns="">
> fTcyC/oqssWUL1G96ma5ED/gNIaecHKgJBR7kCeXg2mzSwfSfe3gWRFEkiViGSzXE0OFvsDMjm7p
> JdytgsjH3iuMg9WaZOV9TU7ZaYhabZMtK0toq3zGFNJayIhfpuZq5WDAbdqvZ12BnJppWvYWADvy
> +zX7w0UGl3ApikKbcGMp7SSnB4JRb7TS0Ln0rk0dYcpm9cAEj76dT5UFW7e+afQQeUwj03E5sQfS
> H9KjN1gg+YD1B3gNPFYErwI+QeX+UDY9fb+qAqFxN734NhvR+/rC3JTNgieSmuiCjXE/8MKdOfFJ
> QpEE1YEqTC1SH6cUU0YR3rt84Eqg91JeyrCOpQ==
> </ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-12014770" xmlns="">
> <wsse:SecurityTokenReference wsu:Id="STRId-28360136" xmlns="" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> <wsse:Reference URI="#CertId--273267" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" xmlns=""/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> </wsse:Security>
> </soapenv:Header>
> <soapenv:Body wsu:Id="id-367156" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> <whoAmI xmlns=""/>
> </soapenv:Body>
> </soapenv:Envelope>
>
> 1071 INFO org.apache.ws.security.components.crypto.CryptoFactory - Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
> 1071 DEBUG org.apache.ws.security.WSSecurityEngine - enter processSecurityHeader()
> 1081 DEBUG org.apache.ws.security.WSSecurityEngine - Processing WS-Security header for '' actor.
> 1081 DEBUG org.apache.ws.security.WSSecurityEngine - Unknown Element: BinarySecurityToken http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
> 1081 DEBUG org.apache.ws.security.WSSecurityEngine - Found signature element
> 1081 DEBUG org.apache.ws.security.WSSecurityEngine - Verify XML Signature
> 1081 DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Signature", "null")
> 1081 DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:SignedInfo", "null")
> 1081 DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:SignatureMethod", "null")
> 1081 DEBUG org.apache.xml.security.algorithms.SignatureAlgorithm - Create URI "http://www.w3.org/2000/09/xmldsig#rsa-sha1" class "org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1"
> 1081 DEBUG org.apache.xml.security.algorithms.JCEMapper - Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
> 1081 DEBUG org.apache.xml.security.algorithms.implementations.SignatureBaseRSA - Created SignatureDSA using SHA1withRSA
> 1081 DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:KeyInfo", "null")
> 1081 DEBUG org.apache.ws.security.WSSecurityEngine - Checking signature value with a certificate in the name of CN=Security-facade tester, OU=unit-test, O=AstroGrid, C=UK issued by C=UK, O=AstroGrid, OU=unit-test, CN=CA
> 1081 DEBUG org.apache.xml.security.signature.Manifest - verify 1 References
> 1081 DEBUG org.apache.xml.security.signature.Manifest - I am not requested to follow nested Manifests
> 1081 DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Reference", "null")
> 1081 DEBUG org.apache.xml.security.algorithms.JCEMapper - Request for URI http://www.w3.org/2000/09/xmldsig#sha1
> 1081 DEBUG org.apache.xml.security.utils.resolver.ResourceResolver - I was asked to create a ResourceResolver and got 1
> 1081 DEBUG org.apache.xml.security.utils.resolver.ResourceResolver - extra resolvers to my existing 4 system-wide resolvers
> 1081 DEBUG org.apache.xml.security.utils.resolver.ResourceResolver - check resolvability by class org.apache.ws.security.message.EnvelopeIdResolver
> 1091 DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Transforms", "null")
> 1091 DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Transform", "null")
> 1091 DEBUG org.apache.xml.security.transforms.Transforms - Preform the (0)th http://www.w3.org/2001/10/xml-exc-c14n# transform
> 1091 WARN org.apache.xml.security.signature.Reference - Verification failed for URI "#id-367156"
> 1091 DEBUG org.apache.xml.security.signature.Manifest - The Reference has Type
> ------------- ---------------- ---------------
> ------------- Standard Error -----------------
> org.apache.ws.security.WSSecurityException: The signature verification failed
>         at org.apache.ws.security.WSSecurityEngine.verifyXMLSignature(WSSecurityEngine.java:649)
>         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:334)
>         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:259)
>         at org.astrogrid.security.ServiceHandler.invoke(ServiceHandler.java:160)
>         at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>         at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>         at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>         at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>         at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>         at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>         at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
>         at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
>         at org.apache.axis.transport.local.LocalSender.invoke(LocalSender.java:141)
>         at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>         at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>         at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>         at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
>         at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
>         at org.apache.axis.client.Call.invoke(Call.java:2767)
>         at org.apache.axis.client.Call.invoke(Call.java:2443)
>         at org.apache.axis.client.Call.invoke(Call.java:2366)
>         at org.apache.axis.client.Call.invoke(Call.java:1812)
>         at org.astrogrid.security.sample.SamplePortSoapBindingStub.whoAmI(SamplePortSoapBindingStub.java:108)
>         at org.astrogrid.security.sample.SampleDelegate.whoAmI(SampleDelegate.java:42)
>         at org.astrogrid.security.EndToEndTest.testGoodCredentials(EndToEndTest.java:58)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:324)
>         at junit.framework.TestCase.runTest(TestCase.java:154)
>         at junit.framework.TestCase.runBare(TestCase.java:127)
>         at junit.framework.TestResult$1.protect(TestResult.java:106)
>         at junit.framework.TestResult.runProtected(TestResult.java:124)
>         at junit.framework.TestResult.run(TestResult.java:109)
>         at junit.framework.TestCase.run(TestCase.java:118)
>         at junit.framework.TestSuite.runTest(TestSuite.java:208)
>         at junit.framework.TestSuite.run(TestSuite.java:203)
>         at org.apache.tools.ant.taskdefs.optional.junit.JUnitTestRunner.run(JUnitTestRunner.java:325)
>         at org.apache.tools.ant.taskdefs.optional.junit.JUnitTestRunner.main(JUnitTestRunner.java:536)
>
> I made it log the actual exception thrown by XMLSec:
>
> 1091 WARN org.apache.xml.security.signature.Reference - Verification failed for URI "#id-367156"
>
> Cheers,
> Guy
>
> On Fri, 17 Mar 2006, Dittmann, Werner wrote:
>
> > Guy,
> >
> > what is your test configuration? Which certificates do you use?
> >
> > What is the exception that xml-sec throws?
> >
> > Thanks,
> > Werner
> >
> > > -----Original Message-----
> > > From: Guy Rixon [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, 16 March 2006 17:11
> > > To: Dittmann, Werner
> > > Cc: [EMAIL PROTECTED]; [email protected]
> > > Subject: Re: AW: AW: Problems with signatures
> > >
> > > I've set the options on both client and service and the verification still
> > > fails. I've dumped the raw XML messages with and without the options and there
> > > doesn't seem to be any difference.
> > >
> > > On Thu, 16 Mar 2006, Dittmann, Werner wrote:
> > >
> > > > Probably on both if the service responds with signed messages.
> > > >
> > > > Regards,
> > > > Werner
> > > >
> > > > > -----Original Message-----
> > > > > From: Guy Rixon [mailto:[EMAIL PROTECTED]
> > > > > Sent: Thursday, 16 March 2006 16:29
> > > > > To: [EMAIL PROTECTED]
> > > > > Cc: Dittmann, Werner; [email protected]
> > > > > Subject: Re: AW: Problems with signatures
> > > > >
> > > > > Thanks.
> > > > >
> > > > > Do these parameters have to be set on the client, the service or both?
> > > > > Setting them just on the service doesn't fix the problem, and to set them on
> > > > > the client I have to find out how to do it programmatically.
> > > > >
> > > > > On Thu, 16 Mar 2006 [EMAIL PROTECTED] wrote:
> > > > >
> > > > > > Hi Guy
> > > > > > setting these 2 props works for me.
> > > > > >
> > > > > > <parameter name="enableNamespacePrefixOptimization" value="false" />
> > > > > > <parameter name="disablePrettyXML" value="true"/>
> > > > > >
> > > > > > thanks
> > > > > > Anamitra
> > > > > >
> > > > > > "Dittmann, Werner" <[email protected]>
> > > > > > 03/16/2006 09:10 AM
> > > > > >
> > > > > > To: "Guy Rixon" <[EMAIL PROTECTED]>, <[email protected]>
> > > > > > cc:
> > > > > > Subject: AW: Problems with signatures
> > > > > >
> > > > > > AFAIK there is a switch / parameter in the Axis WSDD files
> > > > > > to disable XML pretty printing. Maybe this "feature" is enabled
> > > > > > by default - pretty printing always destroys the signature
> > > > > > hashes.
> > > > > >
> > > > > > Also there is a parameter for Axis to disable some sort
> > > > > > of namespace optimization - sorry but I haven't the parameter
> > > > > > names at hand.
> > > > > >
> > > > > > Regards,
> > > > > > Werner
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Guy Rixon [mailto:[EMAIL PROTECTED]
> > > > > > > Sent: Thursday, 16 March 2006 14:01
> > > > > > > To: [email protected]
> > > > > > > Subject: Problems with signatures
> > > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > can you help me with a signature problem? I have a client and service, both
> > > > > > > using WSS4J 1.0.0. The client signs the SOAP body of the request, but the
> > > > > > > signature checking in the service always fails at the XMLSec level. The
> > > > > > > signature uses a direct reference to a BinarySecurityToken, and the service
> > > > > > > seems to be reading the token properly; at least, it gets the subject DN
> > > > > > > right.
> > > > > > >
> > > > > > > I've checked the signature in the client immediately after signing and it
> > > > > > > verifies correctly there. Something bad seems to be happening to the XML on
> > > > > > > the way to the service, but I can't think what. No other special handlers are
> > > > > > > involved.
> > > > > > >
> > > > > > > This is all with Axis 1.3 and "local" transport, BTW.
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Guy
> > > > > > >
> > > > > > > Guy Rixon                                  [EMAIL PROTECTED]
> > > > > > > Institute of Astronomy                     Tel: +44-1223-337542
> > > > > > > Madingley Road, Cambridge, UK, CB3 0HA     Fax: +44-1223-337523
> > > > > > >
> > > > > > > ---------------------------------------------------------------------
> > > > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > > > For additional commands, e-mail: [EMAIL PROTECTED]
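The thread turns on one mechanism: the receiver resolves the `ds:Reference` to the element carrying `wsu:Id="id-367156"`, runs it through exclusive C14N, hashes the result and compares it with `ds:DigestValue`. Changes that C14N absorbs (attribute order, quote style, `<a/>` versus `<a></a>`, where a namespace is declared, a redundant `xmlns=""`) leave the digest unchanged; changes it does not absorb (pretty printing inserts whitespace text nodes into the signed element, and C14N keeps text nodes as they are) make verification fail exactly as in the log above. The following is an added example that is not code from the thread, WSS4J, XMLSec or Axis: it rebuilds that digest step with Python's standard library and goes beyond the thread's single case by checking three serialisations of the same Body. Assumptions: `xml.etree.ElementTree.canonicalize()` (C14N 2.0, which like exclusive C14N emits only visibly used namespace declarations) stands in for XMLSec's xml-exc-c14n transform, the three envelope strings are constructed here, and only the `wsu:Id` and the `whoAmI` body are taken from the dump in the thread.

```python
"""Digest step of a WS-Security Reference, rebuilt with the standard library.

Added example, not code from the thread, WSS4J, XMLSec or Axis. C14N 2.0 from
ElementTree.canonicalize() stands in for XMLSec's exclusive C14N transform;
the three envelopes are constructed, only the wsu:Id and the whoAmI body
come from the dump in the thread.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")

# Canonical XML keeps namespace prefixes in its output, so a prefix that
# changes during re-serialisation changes the digest; pin them here.
ET.register_namespace("soapenv", SOAPENV)
ET.register_namespace("wsu", WSU)

# Constructed message 1: the Body as the client signed it.
SIGNED_AS_SENT = (
    '<soapenv:Envelope xmlns:soapenv="%s">'
    '<soapenv:Header/>'
    '<soapenv:Body xmlns:wsu="%s" wsu:Id="id-367156"><whoAmI/></soapenv:Body>'
    '</soapenv:Envelope>' % (SOAPENV, WSU)
)
# Constructed message 2: same infoset, different surface form (quote style,
# empty-element syntax, xmlns:wsu hoisted to an ancestor, a redundant
# xmlns=""). These are the changes exclusive C14N is designed to absorb.
RESERIALISED = (
    "<soapenv:Envelope xmlns:wsu='%s' xmlns:soapenv='%s'>"
    "<soapenv:Header/>"
    "<soapenv:Body wsu:Id='id-367156'><whoAmI xmlns=''></whoAmI></soapenv:Body>"
    "</soapenv:Envelope>" % (WSU, SOAPENV)
)
# Constructed message 3: pretty printed. The indentation consists of
# whitespace text nodes inside the signed element, which C14N keeps.
PRETTY_PRINTED = (
    '<soapenv:Envelope xmlns:soapenv="%s">\n'
    '  <soapenv:Header/>\n'
    '  <soapenv:Body xmlns:wsu="%s" wsu:Id="id-367156">\n'
    '    <whoAmI/>\n'
    '  </soapenv:Body>\n'
    '</soapenv:Envelope>\n' % (SOAPENV, WSU)
)


def find_signed_element(envelope_xml, wsu_id):
    """Resolve a Reference URI of the form '#<wsu:Id>' to its element."""
    root = ET.fromstring(envelope_xml)
    for el in root.iter():
        if el.get("{%s}Id" % WSU) == wsu_id:
            return el
    raise LookupError("no element carries wsu:Id=%r" % wsu_id)


def canonicalize_subtree(el):
    """Canonical form of one element (its tail is not part of the reference).

    ET.tostring() re-emits on the subtree root only the namespace declarations
    the subtree uses (an xmlns="" from the wire is not even in the tree);
    canonicalize() then sorts declarations and attributes and normalises
    quoting and empty-element syntax. Whitespace text nodes are kept.
    """
    el.tail = None
    return ET.canonicalize(ET.tostring(el, encoding="unicode"))


def reference_digest(envelope_xml, wsu_id="id-367156"):
    """base64(SHA-1(c14n(element))): the value compared with ds:DigestValue."""
    canon = canonicalize_subtree(find_signed_element(envelope_xml, wsu_id))
    digest = hashlib.sha1(canon.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def digest_matches(sent_xml, received_xml, wsu_id="id-367156"):
    """The receiver's Reference check, reduced to its digest comparison."""
    return reference_digest(sent_xml, wsu_id) == reference_digest(received_xml, wsu_id)


if __name__ == "__main__":
    for name, xml in [("as signed", SIGNED_AS_SENT),
                      ("re-serialised", RESERIALISED),
                      ("pretty printed", PRETTY_PRINTED)]:
        canon = canonicalize_subtree(find_signed_element(xml, "id-367156"))
        print("%-15s digest=%s" % (name, reference_digest(xml)))
        print("    c14n: %r" % canon)
    print("re-serialised verifies: ", digest_matches(SIGNED_AS_SENT, RESERIALISED))
    print("pretty printed verifies:", digest_matches(SIGNED_AS_SENT, PRETTY_PRINTED))
```

Running the script prints the canonical Body for each variant: the first two canonicalise to the same bytes and so to the same digest, while the pretty-printed one carries the newlines and indentation into the canonical form and its digest differs, which is the "Verification failed for URI" outcome in Guy's log. The same check, run on the raw XML dumped on both sides of a transport, shows whether the transport (or a handler on the way) changed the signed subtree in a way C14N does not absorb.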
