Guy,

No, I didn't have a look into Axis yet. Maybe I can do this during
the weekend. Will see if I can track it.

Regards,
Werner

Guy Rixon wrote:
> Werner,
> 
> OK, sounds like good progress. Thanks for looking. Did you manage to get a
> working version by hacking on Axis itself? I mean, is it feasible for me to
> make a modified version of Axis to go on with pending a proper patch?  If so,
> could you please point me at the right classes.
> 
> Thanks,
> Guy
> 
> On Fri, 24 Mar 2006, Werner Dittmann wrote:
> 
> 
>>Guy,
>>
>>thanks a lot for your in-depth analysis. I repeated your tests
>>with Axis 1.3 (I used 1.2.1 till now) and have the same error.
>>I somehow didn't catch that you used Axis 1.3.
>>
>>I could see that Axis 1.3 modifies the document by inserting
>>newlines at various places. This happens during re-parsing of
>>the signed XML document to create a new SOAP envelope.
>>
>>I've filed an issue with Axis 1.3 with priority "Blocker" because
>>with Axis 1.3 all WSS4J test cases fail to work.
>>
>>Regards,
>>Werner
>>
>>Guy Rixon wrote:
>>
>>>Hi,
>>>
>>>I'm still stuck on this failing signature. I now have some more
>>>information.
>>>
>>>First, the failure happens with Axis 1.3 jars, but not with Axis 1.2.1. It
>>>seems to be the same problem that you were discussing last October; did you
>>>ever find out what was wrong?
>>>
>>>In this specific case, I've found out from the library logging that the
>>>digests of the references are correct. Therefore, I presume that the failure
>>>is in the digesting/canonicalization/signing of the SignedInfo itself.
>>>
>>>Further, after hacking in extra checks to my handler, I find that the
>>>signature checks out OK after WSSignEnvelope has made it, but fails after I
>>>pass the envelope with the signed message to Axis' MessageContext and then
>>>get it back again. I.e., it goes wrong before the pivot handler in the client
>>>can change anything, and way before the service handlers get to play with it.
>>>
>>>Finally, is there any chance that this can be related to the canonicalization
>>>problem reported as http://issues.apache.org/jira/browse/WSS-19 ?
>>>
>>>BTW, "go back to Axis 1.2.1" is not a cheap option for us. We'd really like
>>>to get this fixed.
>>>
>>>Cheers,
>>>Guy
>>>
>>>
>>>On Fri, 17 Mar 2006, Dittmann, Werner wrote:
>>>
>>>
>>>
>>>>Guy,
>>>>
>>>>you are right, it's part of the XMLUtils.outputDOM() method.
>>>>
>>>>It's necessary to have these c14n step and to use the
>>>>Axis parameters to ensure that the namespace handling is
>>>>correct.
>>>>
>>>>Regards,
>>>>Werner
>>>>
>>>>
>>>>
>>>>>-----Original Message-----
>>>>>From: Guy Rixon [mailto:[EMAIL PROTECTED]
>>>>>Sent: Friday, 17 March 2006 15:15
>>>>>To: Dittmann, Werner
>>>>>Cc: [EMAIL PROTECTED]; [email protected]
>>>>>Subject: Re: AW: AW:Problems with signatures
>>>>>
>>>>>Werner,
>>>>>
>>>>>OK, code is appended. Actually, I wrote this handler _after_ I started
>>>>>seeing this bug. I originally had the problem when using WSDoAllSender.
>>>>>I can't see a canonicalization step in WSDoAllSender itself; is it part
>>>>>of XMLUtils.outputDOM()? Originally, I used that (I lifted the
>>>>>serialization code from WSDoAllSender), but still got the problem. Maybe
>>>>>I didn't try that with the Axis don't-fiddle options set.
>>>>>
>>>>>Cheers,
>>>>>Guy
>>>>>
>>>>>     // Get the SOAP envelope as a DOM.
>>>>>     Document envelope =
>>>>>         msgContext.getCurrentMessage().getSOAPEnvelope().getAsDocument();
>>>>>     if (envelope == null) {
>>>>>       throw new Exception("SOAP Envelope is null");
>>>>>     }
>>>>>
>>>>>     // Sign the message using WSS4J. By default, the WSSignEnvelope signs
>>>>>     // the SOAP body as a whole, which is correct for this use case.
>>>>>     Init.init();
>>>>>     WSSignEnvelope signer = new WSSignEnvelope();
>>>>>     signer.setUserInfo(alias, password); // Lets it use the Crypto.
>>>>>     // Includes certificates in the message.
>>>>>     signer.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
>>>>>     Document newEnvelope = signer.build(envelope, crypto);
>>>>>
>>>>>     // DEBUG: dump the raw document.
>>>>>     org.apache.axis.utils.XMLUtils.DocumentToStream(
>>>>>         newEnvelope, new java.io.FileOutputStream("client.xml"));
>>>>>
>>>>>     // Replace the unsigned message with the signed one.
>>>>>     String serializedEnvelope =
>>>>>         org.apache.axis.utils.XMLUtils.DocumentToString(newEnvelope);
>>>>>     SOAPPart sp =
>>>>>         (org.apache.axis.SOAPPart)(msgContext.getCurrentMessage().getSOAPPart());
>>>>>     sp.setCurrentMessage(serializedEnvelope.getBytes(), SOAPPart.FORM_BYTES);
>>>>>
>>>>>
>>>>>
>>>>>On Fri, 17 Mar 2006, Dittmann, Werner wrote:
>>>>>
>>>>>
>>>>>
>>>>>>Guy,
>>>>>>
>>>>>>I wasn't aware that you use a custom handler.
>>>>>>
>>>>>>As I can see there could be a problem when you hand over
>>>>>>the signed message to Axis for sending it over the wire.
>>>>>>It's somewhat tricky to do this. Before handing it over
>>>>>>to Axis the message should be fed thru a c14n method,
>>>>>>this is what WSDoAllSender does before it sets the signed
>>>>>>message as "new" message to Axis.
>>>>>>
>>>>>>Maybe you can show the code snippet where your handler
>>>>>>does this.
>>>>>>
>>>>>>Regards,
>>>>>>Werner
>>>>>>
>>>>>>
>>>>>>
>>>>>>>-----Original Message-----
>>>>>>>From: Guy Rixon [mailto:[EMAIL PROTECTED]
>>>>>>>Sent: Friday, 17 March 2006 11:06
>>>>>>>To: Dittmann, Werner
>>>>>>>Cc: [EMAIL PROTECTED]; [email protected]
>>>>>>>Subject: Re: AW: AW: AW: Problems with signatures
>>>>>>>
>>>>>>>Test configuration:
>>>>>>>
>>>>>>>Custom handler in the client, calling WSSignEnvelope; based on
>>>>>>>WSDoAllSender, but stripped down so that it only has the code relevant
>>>>>>>to signature.
>>>>>>>
>>>>>>>WSDoAllReceiver in the service (tweaked with extra logging, but
>>>>>>>basically the one from WSS4J 1.0.0).
>>>>>>>
>>>>>>>Certificates generated from local CA. The trust anchor was made with
>>>>>>>OpenSSL and the user certificate with KeyStore Explorer. The trust
>>>>>>>anchor is an X.509v3 and the user one an X.509v1. The keys do work for
>>>>>>>the signature: I know that because I put a check in WSSignEnvelope to
>>>>>>>check the signature just after signing.
>>>>>>>
>>>>>>>This is the log output from the JUnit tests, starting from the entry to
>>>>>>>WSDoAllReceiver.
>>>>>>>
>>>>>>>1051 DEBUG org.astrogrid.security.ServiceHandler  - WSDoAllReceiver: enter invoke() with msg type: null
>>>>>>>1071 DEBUG org.astrogrid.security.ServiceHandler  - Received SOAP request:
>>>>>>>1071 DEBUG org.astrogrid.security.ServiceHandler  -
>>>>>>><soapenv:Envelope xmlns=""
>>>>>>>xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>>>>>>>xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>>>>>>>xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>>>>>><soapenv:Header>
>>>>>>> <wsse:Security soapenv:mustUnderstand="1" xmlns=""
>>>>>>>xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>>>>>>  <wsse:BinarySecurityToken
>>>>>>>EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>>>>>>>ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>>>>>>>wsu:Id="CertId--273267" xmlns=""
>>>>>>>xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>>>>>>></wsse:BinarySecurityToken>
>>>>>>>  <ds:Signature xmlns=""
>>>>>>>xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>>>>>
>>>>>>>   <ds:SignedInfo xmlns="">
>>>>>>>
>>>>>>>    <ds:CanonicalizationMethod
>>>>>>>Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns=""/>
>>>>>>>
>>>>>>>    <ds:SignatureMethod
>>>>>>>Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns=""/>
>>>>>>>
>>>>>>>    <ds:Reference URI="#id-367156" xmlns="">
>>>>>>>
>>>>>>>     <ds:Transforms xmlns="">
>>>>>>>
>>>>>>>      <ds:Transform
>>>>>>>Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
>>>>>>>xmlns=""/>
>>>>>>>
>>>>>>>     </ds:Transforms>
>>>>>>>
>>>>>>>     <ds:DigestMethod
>>>>>>>Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
>>>>>>>xmlns=""/>
>>>>>>>
>>>>>>>     <ds:DigestValue xmlns="">
>>>>>>>S4XaDnlI8lOC8p5vVKlx9sLrKl8=      </ds:DigestValue>
>>>>>>>
>>>>>>>    </ds:Reference>
>>>>>>>
>>>>>>>   </ds:SignedInfo>
>>>>>>>
>>>>>>>   <ds:SignatureValue xmlns="">
>>>>>>>
>>>>>>>   </ds:SignatureValue>
>>>>>>>
>>>>>>>   <ds:KeyInfo Id="KeyId-12014770" xmlns="">
>>>>>>>
>>>>>>>    <wsse:SecurityTokenReference wsu:Id="STRId-28360136" xmlns=""
>>>>>>>xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>>>>>>>     <wsse:Reference URI="#CertId--273267"
>>>>>>>ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>>>>>>>xmlns=""/>
>>>>>>>    </wsse:SecurityTokenReference>
>>>>>>>
>>>>>>>   </ds:KeyInfo>
>>>>>>>
>>>>>>>  </ds:Signature>
>>>>>>> </wsse:Security>
>>>>>>></soapenv:Header>
>>>>>>><soapenv:Body wsu:Id="id-367156"
>>>>>>>xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>>>>>>> <whoAmI xmlns=""/>
>>>>>>></soapenv:Body>
>>>>>>></soapenv:Envelope>
>>>>>>>
>>>>>>>1071 INFO  org.apache.ws.security.components.crypto.CryptoFactory  - Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
>>>>>>>1071 DEBUG org.apache.ws.security.WSSecurityEngine  - enter processSecurityHeader()
>>>>>>>1081 DEBUG org.apache.ws.security.WSSecurityEngine  - Processing WS-Security header for '' actor.
>>>>>>>1081 DEBUG org.apache.ws.security.WSSecurityEngine  - Unknown Element: BinarySecurityToken http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
>>>>>>>1081 DEBUG org.apache.ws.security.WSSecurityEngine  - Found signature element
>>>>>>>1081 DEBUG org.apache.ws.security.WSSecurityEngine  - Verify XML Signature
>>>>>>>1081 DEBUG org.apache.xml.security.utils.ElementProxy  - setElement("ds:Signature", "null")
>>>>>>>1081 DEBUG org.apache.xml.security.utils.ElementProxy  - setElement("ds:SignedInfo", "null")
>>>>>>>1081 DEBUG org.apache.xml.security.utils.ElementProxy  - setElement("ds:SignatureMethod", "null")
>>>>>>>1081 DEBUG org.apache.xml.security.algorithms.SignatureAlgorithm  - Create URI "http://www.w3.org/2000/09/xmldsig#rsa-sha1" class "org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1"
>>>>>>>1081 DEBUG org.apache.xml.security.algorithms.JCEMapper  - Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
>>>>>>>1081 DEBUG org.apache.xml.security.algorithms.implementations.SignatureBaseRSA  - Created SignatureDSA using SHA1withRSA
>>>>>>>1081 DEBUG org.apache.xml.security.utils.ElementProxy  - setElement("ds:KeyInfo", "null")
>>>>>>>1081 DEBUG org.apache.ws.security.WSSecurityEngine  - Checking signature value with a certificate in the name of CN=Security-facade tester, OU=unit-test, O=AstroGrid, C=UK issued by C=UK, O=AstroGrid, OU=unit-test, CN=CA
>>>>>>>1081 DEBUG org.apache.xml.security.signature.Manifest  - verify 1 References
>>>>>>>1081 DEBUG org.apache.xml.security.signature.Manifest  - I am not requested to follow nested Manifests
>>>>>>>1081 DEBUG org.apache.xml.security.utils.ElementProxy  - setElement("ds:Reference", "null")
>>>>>>>1081 DEBUG org.apache.xml.security.algorithms.JCEMapper  - Request for URI http://www.w3.org/2000/09/xmldsig#sha1
>>>>>>>1081 DEBUG org.apache.xml.security.utils.resolver.ResourceResolver  - I was asked to create a ResourceResolver and got 1
>>>>>>>1081 DEBUG org.apache.xml.security.utils.resolver.ResourceResolver  -  extra resolvers to my existing 4 system-wide resolvers
>>>>>>>1081 DEBUG org.apache.xml.security.utils.resolver.ResourceResolver  - check resolvability by class org.apache.ws.security.message.EnvelopeIdResolver
>>>>>>>1091 DEBUG org.apache.xml.security.utils.ElementProxy  - setElement("ds:Transforms", "null")
>>>>>>>1091 DEBUG org.apache.xml.security.utils.ElementProxy  - setElement("ds:Transform", "null")
>>>>>>>1091 DEBUG org.apache.xml.security.transforms.Transforms  - Preform the (0)th http://www.w3.org/2001/10/xml-exc-c14n# transform
>>>>>>>1091 WARN  org.apache.xml.security.signature.Reference  - Verification failed for URI "#id-367156"
>>>>>>>1091 DEBUG org.apache.xml.security.signature.Manifest  - The Reference has Type
>>>>>>>------------- ---------------- ---------------
>>>>>>>------------- Standard Error -----------------
>>>>>>>org.apache.ws.security.WSSecurityException: The signature verification failed
>>>>>>> at org.apache.ws.security.WSSecurityEngine.verifyXMLSignature(WSSecurityEngine.java:649)
>>>>>>> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:334)
>>>>>>> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:259)
>>>>>>> at org.astrogrid.security.ServiceHandler.invoke(ServiceHandler.java:160)
>>>>>>> at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>>>>>>> at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>>>>>>> at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>>>>>>> at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>>>>>>> at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>>>>>>> at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>>>>>>> at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
>>>>>>> at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
>>>>>>> at org.apache.axis.transport.local.LocalSender.invoke(LocalSender.java:141)
>>>>>>> at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>>>>>>> at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>>>>>>> at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>>>>>>> at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
>>>>>>> at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
>>>>>>> at org.apache.axis.client.Call.invoke(Call.java:2767)
>>>>>>> at org.apache.axis.client.Call.invoke(Call.java:2443)
>>>>>>> at org.apache.axis.client.Call.invoke(Call.java:2366)
>>>>>>> at org.apache.axis.client.Call.invoke(Call.java:1812)
>>>>>>> at org.astrogrid.security.sample.SamplePortSoapBindingStub.whoAmI(SamplePortSoapBindingStub.java:108)
>>>>>>> at org.astrogrid.security.sample.SampleDelegate.whoAmI(SampleDelegate.java:42)
>>>>>>> at org.astrogrid.security.EndToEndTest.testGoodCredentials(EndToEndTest.java:58)
>>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>>>> at java.lang.reflect.Method.invoke(Method.java:324)
>>>>>>> at junit.framework.TestCase.runTest(TestCase.java:154)
>>>>>>> at junit.framework.TestCase.runBare(TestCase.java:127)
>>>>>>> at junit.framework.TestResult$1.protect(TestResult.java:106)
>>>>>>> at junit.framework.TestResult.runProtected(TestResult.java:124)
>>>>>>> at junit.framework.TestResult.run(TestResult.java:109)
>>>>>>> at junit.framework.TestCase.run(TestCase.java:118)
>>>>>>> at junit.framework.TestSuite.runTest(TestSuite.java:208)
>>>>>>> at junit.framework.TestSuite.run(TestSuite.java:203)
>>>>>>> at org.apache.tools.ant.taskdefs.optional.junit.JUnitTestRunner.run(JUnitTestRunner.java:325)
>>>>>>> at org.apache.tools.ant.taskdefs.optional.junit.JUnitTestRunner.main(JUnitTestRunner.java:536)
>>>>>>>
>>>>>>>
>>>>>>>I made it log the actual exception thrown by XMLSec:
>>>>>>>
>>>>>>>1091 WARN  org.apache.xml.security.signature.Reference  - Verification failed for URI "#id-367156"
>>>>>>>
>>>>>>>Cheers,
>>>>>>>Guy
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>On Fri, 17 Mar 2006, Dittmann, Werner wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>Guy,
>>>>>>>>
>>>>>>>>what is your test configuration? Which certificates do you use?
>>>>>>>>
>>>>>>>>What is the exception that xml-sec throws?
>>>>>>>>
>>>>>>>>Thanks,
>>>>>>>>Werner
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>>-----Original Message-----
>>>>>>>>>From: Guy Rixon [mailto:[EMAIL PROTECTED]
>>>>>>>>>Sent: Thursday, 16 March 2006 17:11
>>>>>>>>>To: Dittmann, Werner
>>>>>>>>>Cc: [EMAIL PROTECTED]; [email protected]
>>>>>>>>>Subject: Re: AW: AW: Problems with signatures
>>>>>>>>>
>>>>>>>>>I've set the options on both client and service and the verification
>>>>>>>>>still fails. I've dumped the raw XML messages with and without the
>>>>>>>>>options and there doesn't seem to be any difference.
>>>>>>>>>
>>>>>>>>>On Thu, 16 Mar 2006, Dittmann, Werner wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>Probably on both if the service responds with signed messages.
>>>>>>>>>>
>>>>>>>>>>Regards,
>>>>>>>>>>Werner
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>-----Original Message-----
>>>>>>>>>>>From: Guy Rixon [mailto:[EMAIL PROTECTED]
>>>>>>>>>>>Sent: Thursday, 16 March 2006 16:29
>>>>>>>>>>>To: [EMAIL PROTECTED]
>>>>>>>>>>>Cc: Dittmann, Werner; [email protected]
>>>>>>>>>>>Subject: Re: AW: Problems with signatures
>>>>>>>>>>>
>>>>>>>>>>>Thanks.
>>>>>>>>>>>
>>>>>>>>>>>Do these parameters have to be set on the client, the service or both?
>>>>>>>>>>>Setting them just on the service doesn't fix the problem, and to set
>>>>>>>>>>>them on the client I have to find out how to do it programmatically.
>>>>>>>>>>>
>>>>>>>>>>>On Thu, 16 Mar 2006 [EMAIL PROTECTED] wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>>Hi Guy
>>>>>>>>>>>>setting these 2 props works for me.
>>>>>>>>>>>>    <parameter name="enableNamespacePrefixOptimization" value="false" />
>>>>>>>>>>>>    <parameter name="disablePrettyXML" value="true"/>
>>>>>>>>>>>>
>>>>>>>>>>>>thanks
>>>>>>>>>>>>Anamitra
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>"Dittmann, Werner" <werner.dittmann@siemens.com>
>>>>>>>>>>>>03/16/2006 09:10 AM
>>>>>>>>>>>>To: "Guy Rixon" <[EMAIL PROTECTED]>, <[email protected]>
>>>>>>>>>>>>cc:
>>>>>>>>>>>>Subject: AW: Problems with signatures
>>>>>>>>>>>>
>>>>>>>>>>>>AFAIK there is a switch / parameter in the Axis WSDD files
>>>>>>>>>>>>to disable XML pretty printing. Maybe this "feature" is enabled
>>>>>>>>>>>>by default - pretty printing always destroys the signature
>>>>>>>>>>>>hashes.
>>>>>>>>>>>>
>>>>>>>>>>>>Also there is a parameter for Axis to disable some sort
>>>>>>>>>>>>of namespace optimization - sorry but I haven't the parameter
>>>>>>>>>>>>names at hand.
>>>>>>>>>>>>
>>>>>>>>>>>>Regards,
>>>>>>>>>>>>Werner
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>>-----Original Message-----
>>>>>>>>>>>>>From: Guy Rixon [mailto:[EMAIL PROTECTED]
>>>>>>>>>>>>>Sent: Thursday, 16 March 2006 14:01
>>>>>>>>>>>>>To: [email protected]
>>>>>>>>>>>>>Subject: Problems with signatures
>>>>>>>>>>>>>
>>>>>>>>>>>>>Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>>can you help me with a signature problem?  I have a client and
>>>>>>>>>>>>>service, both using WSS4J 1.0.0. The client signs the SOAP body of
>>>>>>>>>>>>>the request, but the signature checking in the service always fails
>>>>>>>>>>>>>at the XMLSec level. The signature uses a direct reference to a
>>>>>>>>>>>>>BinarySecurityToken, and the service seems to be reading the token
>>>>>>>>>>>>>properly; at least, it gets the subject DN right.
>>>>>>>>>>>>>
>>>>>>>>>>>>>I've checked the signature in the client immediately after signing
>>>>>>>>>>>>>and it verifies correctly there. Something bad seems to be happening
>>>>>>>>>>>>>to the XML on the way to the service, but I can't think what. No
>>>>>>>>>>>>>other special handlers are involved.
>>>>>>>>>>>>>
>>>>>>>>>>>>>This is all with Axis 1.3 and "local" transport, BTW.
>>>>>>>>>>>>>
>>>>>>>>>>>>>Thanks,
>>>>>>>>>>>>>Guy
>>>>>>>>>>>>>
>>>>>>>>>>>>>Guy Rixon                                  [EMAIL PROTECTED]
>>>>>>>>>>>>>Institute of Astronomy                     Tel: +44-1223-337542
>>>>>>>>>>>>>Madingley Road, Cambridge, UK, CB3 0HA     Fax: +44-1223-337523
>>>>>>>>>>>>>
>>>>>>>>>>>>>---------------------------------------------------------------------
>>>>>>>>>>>>>To unsubscribe, e-mail: [EMAIL PROTECTED]
>>>>>>>>>>>>>For additional commands, e-mail: [EMAIL PROTECTED]

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
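
The failure discussed in this thread (a signature that verifies right after signing but fails once the message has been re-parsed and re-serialized with extra newlines) can be reproduced on SignedInfo alone. The following is an added example, not code from the thread or from Axis/WSS4J. It assumes Python's C14N 2.0 canonicalizer as a stand-in for exclusive c14n (both keep whitespace text nodes) and minidom's pretty-printer as a stand-in for the Axis 1.3 re-serialization; the SignedInfo sample is constructed from the URIs, reference id and DigestValue in the log above.

```python
"""Added illustration: whitespace inserted on re-serialization changes the
canonical bytes of ds:SignedInfo, so the signature over it no longer verifies."""
import base64
import hashlib
import xml.dom.minidom
from xml.etree.ElementTree import canonicalize

DS = "http://www.w3.org/2000/09/xmldsig#"
EXC = "http://www.w3.org/2001/10/xml-exc-c14n#"

# Constructed sample: compact SignedInfo as a signer would emit it.
SIGNED_INFO = (
    f'<ds:SignedInfo xmlns:ds="{DS}">'
    f'<ds:CanonicalizationMethod Algorithm="{EXC}"/>'
    f'<ds:SignatureMethod Algorithm="{DS}rsa-sha1"/>'
    '<ds:Reference URI="#id-367156">'
    f'<ds:Transforms><ds:Transform Algorithm="{EXC}"/></ds:Transforms>'
    f'<ds:DigestMethod Algorithm="{DS}sha1"/>'
    '<ds:DigestValue>S4XaDnlI8lOC8p5vVKlx9sLrKl8=</ds:DigestValue>'
    '</ds:Reference>'
    '</ds:SignedInfo>'
)


def canonical_bytes(xml_text, ignore_whitespace=False):
    """Canonical form of the XML. C14N 2.0 is used here as a stand-in for
    exclusive c14n; with ignore_whitespace=False whitespace is preserved,
    exactly as a signature verifier would see it."""
    return canonicalize(xml_data=xml_text,
                        strip_text=ignore_whitespace).encode("utf-8")


def digest(xml_text, ignore_whitespace=False):
    """Base64 SHA-1 over the canonical bytes (SHA-1 to match the thread's
    rsa-sha1 messages, not a recommendation)."""
    raw = hashlib.sha1(canonical_bytes(xml_text, ignore_whitespace)).digest()
    return base64.b64encode(raw).decode("ascii")


def reserialize_pretty(xml_text):
    """Stand-in for an intermediary that re-parses the signed document and
    writes it back out with indentation and newlines."""
    return xml.dom.minidom.parseString(xml_text).toprettyxml(indent="  ")


def first_difference(a, b):
    """Offset of the first differing byte, or -1 if the inputs are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


def classify(before, after):
    """Diagnose what a hop did to signed XML:
    'unchanged'        canonical bytes identical, signature still verifies
    'whitespace-only'  only whitespace text nodes differ (pretty-printing)
    'content-changed'  elements, attributes or text were altered"""
    if digest(before) == digest(after):
        return "unchanged"
    if digest(before, True) == digest(after, True):
        return "whitespace-only"
    return "content-changed"


if __name__ == "__main__":
    pretty = reserialize_pretty(SIGNED_INFO)
    print("digest as signed      :", digest(SIGNED_INFO))
    print("digest after re-parse :", digest(pretty))
    print("diagnosis             :", classify(SIGNED_INFO, pretty))
    off = first_difference(canonical_bytes(SIGNED_INFO), canonical_bytes(pretty))
    print("first differing byte  :", off,
          repr(canonical_bytes(pretty)[off:off + 4]))
```

Running the same comparison on dumps taken immediately after signing and on the receiving side shows whether a hop in between only added whitespace or changed content.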
