Hi,

Is it possible for you to add the headers before signing the message?
Probably adding the extra header changed the content being signed.

Usually it is a best practice not to touch the soap msg after signing.

Thanks,
Ruchith

On 1/3/07, Ashique <[EMAIL PROTECTED]> wrote:


Hi,

I am trying to do a test security token service system which will receive
a signed RST (according to WS-Trust) request and respond with the requested RST
after signature validation. I am not using the doAllReceiver or
doAllSender handlers of WSS4J; rather, I am using a similar technique (adding
my own handlers that do the same thing).

I want to add my custom header (for my own purpose) in addition to the
security header into the SOAP header. I am signing the body, which has the
RST request. If I send the signed message without my custom header, then the
server does not throw any exception. The problem is that if I add the custom
header (<SoapAccount>) after the <security> header, the signature
verification fails for the existing signature even though I did not do any
sort of modification in the body. My handler on the server side receives the
exact message that I have sent.
If this is not enough info to identify the problem I can provide more.

If somebody can help me in this regard!!!!! I am attaching both messages as
well.

my request message is:


<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <ds:Signature Id="Signature-15778003"
          xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod
              Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod
              Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-13419912">
            <ds:Transforms>
              <ds:Transform
                  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod
                Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>wEmMdV/3nnpizVExHoATXbf1nlk=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
5sVZ4fPOxezb2+xn34s9BBuFC0sEMQOu1EJFpFUeFPP/vxvHt3aMPZf++1XuOABOcZe3+CY5sTae
mITXyigWug==
        </ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-5210326">
          <wsse:SecurityTokenReference wsu:Id="STRId-19712349"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=dims</ds:X509IssuerName>
                <ds:X509SerialNumber>44369778256217224370984914847992022613</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
    <SA:SoapAccount
        soapenv:actor="http://schemas.xmlsoap.org/soap/actor/next"
        soapenv:mustUnderstand="0"
        xmlns:SA="http://www.sap.com/research/sophia/SA/">
      <SA:NoOfHeader>2</SA:NoOfHeader>
      <SA:NoOfSignParts>1</SA:NoOfSignParts>
    </SA:SoapAccount>
  </soapenv:Header>
  <soapenv:Body wsu:Id="id-13419912"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wst:RequestSecurityToken wst:Context="http://context.context"
        xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust">
      <wst:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wst:TokenType>
      <te:TestElement
          xmlns:te="http://testElementNs.testElementNs"/>
      <wst:Lifetime>
        <wsu:Created>2007-01-03T00:13:02Z</wsu:Created>
        <wsu:Expires>2007-01-03T00:17:12Z</wsu:Expires>
      </wst:Lifetime>
      <wst:RequestType>http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue</wst:RequestType>
      <wst:Base>
        <wsse:UsernameToken
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wsse:Username>bob</wsse:Username>
          <wsse:Password
              Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">vOaXTlOGP1Ri8ABdvcHlCdnHpVo=</wsse:Password>
          <wsse:Nonce>bwWcsZNZYMdWpleNajtixw==</wsse:Nonce>
          <wsu:Created>2007-01-03T00:13:02.125Z</wsu:Created>
        </wsse:UsernameToken>
      </wst:Base>
    </wst:RequestSecurityToken>
  </soapenv:Body>
</soapenv:Envelope>





The server exception is:





org.apache.ws.security.WSSecurityException: The signature verification failed
        at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:332)
        at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:79)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:279)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:201)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:154)
        at org.sap.sophia.test.handler.STSSignatureHandler.signatureVerifier(STSSignatureHandler.java:184)
        at org.sap.sophia.test.handler.STSSignatureHandler.invoke(STSSignatureHandler.java:94)
        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
        at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:454)
        at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
        at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:716)
        at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:809)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:200)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:146)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:209)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:596)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:144)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:596)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2358)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:133)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:596)
        at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:118)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:594)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:116)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:594)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:127)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:596)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
        at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:152)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
        at java.lang.Thread.run(Thread.java:595)







---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





--
www.ruchith.org
www.wso2.org
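
One way to check whether adding a header really changed the signed content, as an added example that is not part of the original thread and not WSS4J code: it uses the JDK's built-in javax.xml.crypto.dsig API to sign a Body by Id with exclusive canonicalization, then reports the digest status of each ds:Reference after a header is appended and again after the Body text is altered. The class name, the `urn:example:acct` namespace, the `Id='body'` attribute, the throwaway key and the message are constructed for illustration, and SHA-256 is used in place of the SHA-1 algorithms in the posted message.

```java
import java.io.StringReader;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

// Added example: names, ids, key and message are constructed, not taken from the thread.
public class SignedBodyCheck {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");

    // Core validity plus the digest status of every ds:Reference.
    // The ds:Signature is the header's first child in this constructed message.
    static String check(KeyPair kp, Element header) throws Exception {
        DOMValidateContext ctx = new DOMValidateContext(kp.getPublic(), header.getFirstChild());
        XMLSignature sig = FAC.unmarshalXMLSignature(ctx);
        StringBuilder out = new StringBuilder("core=" + sig.validate(ctx));
        for (Object o : sig.getSignedInfo().getReferences()) {
            Reference r = (Reference) o;
            out.append(' ').append(r.getURI()).append(" digestOk=").append(r.validate(ctx));
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        String xml = "<s:Envelope xmlns:s='" + SOAP + "'><s:Header/><s:Body Id='body'><req>issue</req></s:Body></s:Envelope>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        Element header = (Element) doc.getElementsByTagNameNS(SOAP, "Header").item(0);
        Element body = (Element) doc.getElementsByTagNameNS(SOAP, "Body").item(0);
        body.setIdAttribute("Id", true); // lets the "#body" reference resolve
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // throwaway test key
        Reference ref = FAC.newReference("#body", FAC.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(FAC.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)), null, null);
        SignedInfo si = FAC.newSignedInfo(
            FAC.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            FAC.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        FAC.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), header));
        // Case 1: a sibling header is appended after signing; the Body is untouched.
        header.appendChild(doc.createElementNS("urn:example:acct", "a:SoapAccount"));
        System.out.println("header added after signing: " + check(kp, header));
        // Case 2: one space is appended to text inside the signed Body.
        body.getFirstChild().getFirstChild().setNodeValue("issue ");
        System.out.println("body text changed:          " + check(kp, header));
    }
}
```

Running the same per-Reference check on the message as the receiving handler sees it shows whether the Body digest or only the SignedInfo signature is failing, which narrows down where the message was altered.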
