signature verification failure of signed saml token due to The Reference for 
URI (bst-saml-uri) has no XMLSignatureInput
------------------------------------------------------------------------------------------------------------------------

                 Key: WSS-178
                 URL: https://issues.apache.org/jira/browse/WSS-178
             Project: WSS4J
          Issue Type: Bug
          Components: WSS4J Core
    Affects Versions: 1.5.6
         Environment: Windows XP + tomcat 6x + axis 1.4 + wss4j 1.5.6
            Reporter: Nitin Handa
            Assignee: Ruchith Udayanga Fernando
            Priority: Blocker


While doing interop testing with owsm, I am hitting a wss4j bug which is 
hindering me in completing testing.

OWSM is sending a signed SAML token with a signed & encrypted body. The SAML 
token is referred from BST using KeyIdentifier; the SAML token is signed.

At the wss4j end, signature verification is failing as wss4j WSDoAllReceiver is 
not able to find the reference to the SAML token.

<?xml version = '1.0' encoding = 'UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <soapenv:Body>
      <soapenv:Fault>
         <faultcode>soapenv:Server.generalException</faultcode>
         <faultstring>WSDoAllReceiver: security processing failed; nested 
exception is:
        org.apache.ws.security.WSSecurityException: The signature or decryption 
was invalid; nested exception is:
        org.apache.xml.security.signature.XMLSignatureException: The Reference 
for URI #STR-SAML-t5dWJC9BpFXwp4OjA86KMw22 has no XMLSignatureInput
Original Exception was 
org.apache.xml.security.signature.MissingResourceFailureException: The 
Reference for URI #STR-SAML-t5dWJC9BpFXwp4OjA86KMw22 has no XMLSignatureInput
Original Exception was 
org.apache.xml.security.signature.ReferenceNotInitializedException: No message 
with ID "WS Security Exception" found in resource bundle 
"org/apache/xml/security/resource/xmlsecurity". Original Exception was a 
org.apache.ws.security.WSSecurityException and message An error was discovered 
processing the &lt;wsse:Security> header (Reference URI is null)
Original Exception was 
org.apache.xml.security.signature.ReferenceNotInitializedException: No message 
with ID "WS Security Exception" found in resource bundle 
"org/apache/xml/security/resource/xmlsecurity". Original Exception was a 
org.apache.ws.security.WSSecurityException and message An error was discovered 
processing the &lt;wsse:Security> header (Reference URI is null)
Original Exception was org.apache.xml.security.signature.XMLSignatureException: 
No message with ID "WS Security Exception" found in resource bundle 
"org/apache/xml/security/resource/xmlsecurity". Original Exception was a 
org.apache.ws.security.WSSecurityException and message An error was discovered 
processing the &lt;wsse:Security> header (Reference URI is null)
Original Exception was 
org.apache.xml.security.transforms.TransformationException: No message with ID 
"WS Security Exception" found in resource bundle 
"org/apache/xml/security/resource/xmlsecurity". Original Exception was a 
org.apache.ws.security.WSSecurityException and message An error was discovered 
processing the &lt;wsse:Security> header (Reference URI is null)
Original Exception was org.apache.xml.security.c14n.CanonicalizationException: 
No message with ID "WS Security Exception" found in resource bundle 
"org/apache/xml/security/resource/xmlsecurity". Original Exception was a 
org.apache.ws.security.WSSecurityException and message An error was discovered 
processing the &lt;wsse:Security> header (Reference URI is null)
Original Exception was org.apache.ws.security.WSSecurityException: An error was 
discovered processing the &lt;wsse:Security> header (Reference URI is 
null)</faultstring>
         <detail>
            <ns1:hostname xmlns:ns1="http://xml.apache.org/axis/">nihanda-pc</ns1:hostname>
         </detail>
      </soapenv:Fault>
   </soapenv:Body>
</soapenv:Envelope>


SOAP Message that is received by wss4j is (i.e. sent from owsm):-
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns0="http://stock.samples" xmlns:ns1="http://127.0.0.1:8080/axis/services/urn:xmltoday-delayed-quotes">
   <env:Header>
      <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
         <wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="BST-Upx5ivaWcOwLOBmjTbOkDg22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">...</wsse:BinarySecurityToken>
         <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
               <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/>
            </xenc:EncryptionMethod>
            <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
               <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                  <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#BST-Upx5ivaWcOwLOBmjTbOkDg22"/>
               </wsse:SecurityTokenReference>
            </dsig:KeyInfo>
            <xenc:CipherData>
               <xenc:CipherValue xmlns:xmime="http://www.w3.org/2005/05/xmlmime" xmime:contentType="application/octet-stream">XTrrhXY7BdieWf1Q72nGVx7DkuTjf0sSW9ls76snQTBHS19i7dAh3d3IRM5APCGnuVy7FgiqUIiG
Zjcfgf+yBC0pRpFOTAJicqYiSjviHIICWSJhNTaJNmUNeMfpiM+q2T0uOoFNh5GmI3/Z0pbdt9oy
s4I7cYhqHHdBVNo8e9I=</xenc:CipherValue>
            </xenc:CipherData>
            <xenc:ReferenceList>
               <xenc:DataReference URI="#_10E1CqVVROnD2w8SWvT5ew22"/>
            </xenc:ReferenceList>
         </xenc:EncryptedKey>
         <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
            <dsig:SignedInfo>
               <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
               <dsig:Reference URI="#Timestamp-O11YJRXoOgF1kGei120b6w22">
                  <dsig:Transforms>
                     <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </dsig:Transforms>
                  <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <dsig:DigestValue>BKxsCSZfUq1RWr6Y9PU8Rr/Vs/g=</dsig:DigestValue>
               </dsig:Reference>
               <dsig:Reference URI="#STR-SAML-t5dWJC9BpFXwp4OjA86KMw22">
                  <dsig:Transforms>
                     <dsig:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                        <wsse:TransformationParameters xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                           <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </wsse:TransformationParameters>
                     </dsig:Transform>
                  </dsig:Transforms>
                  <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <dsig:DigestValue>faishbjLkuXbNz9Jx9Nxo8Monk4=</dsig:DigestValue>
               </dsig:Reference>
               <dsig:Reference URI="#Body-LnMti7MrAJ3hLRqqWoN0Mg22">
                  <dsig:Transforms>
                     <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </dsig:Transforms>
                  <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <dsig:DigestValue>/X73mkutNvEF10D8lIDutYGoisA=</dsig:DigestValue>
               </dsig:Reference>
            </dsig:SignedInfo>
            <dsig:SignatureValue>YKNB+6O3FJjWCj2fqDkvfVJXlJkRo0XcoMO5PHqyoCdKCs81cmKXlcUcg8cn+rwwMg29ysfkPg+Wgv2d3CwyA7Fhd+6kC1099ZqEtB/ptnIR/RxoZL+2RXVholPz+Z7niGQM38YZlmdsoqgEyzbDH0u71GWYL6HFUfRAAcZRfb4=</dsig:SignatureValue>
            <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="KeyInfo-vJF2TIW0vRU50vjXKuQuuw22">
               <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                  <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#BST-aiNal7jotn6Hmf9xN2JQhA22" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
               </wsse:SecurityTokenReference>
            </dsig:KeyInfo>
         </dsig:Signature>
         <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" wsu:Id="STR-SAML-t5dWJC9BpFXwp4OjA86KMw22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:KeyIdentifier xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">SAML-Q1uTD1fnXqIpGqOFv7BMXQ22</wsse:KeyIdentifier>
         </wsse:SecurityTokenReference>
         <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-O11YJRXoOgF1kGei120b6w22">
            <wsu:Created ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-26T16:37:19Z</wsu:Created>
            <wsu:Expires ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-26T16:42:19Z</wsu:Expires>
         </wsu:Timestamp>
         <wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="BST-aiNal7jotn6Hmf9xN2JQhA22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">...</wsse:BinarySecurityToken>
         <saml:Assertion MajorVersion="1" MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="SAML-Q1uTD1fnXqIpGqOFv7BMXQ22" IssueInstant="2009-04-26T16:37:19Z" Issuer="www.oracle.com">
            <saml:Conditions NotBefore="2009-04-26T16:37:19Z" NotOnOrAfter="2009-04-26T16:42:19Z"/>
            <saml:AuthenticationStatement AuthenticationInstant="2009-04-26T16:37:19Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
               <saml:Subject>
                  <saml:NameIdentifier Format="UNSPECIFIED">wss4j</saml:NameIdentifier>
                  <saml:SubjectConfirmation>
                     <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
                  </saml:SubjectConfirmation>
               </saml:Subject>
            </saml:AuthenticationStatement>
         </saml:Assertion>
      </wsse:Security>
   </env:Header>
   <env:Body wsu:Id="Body-LnMti7MrAJ3hLRqqWoN0Mg22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content" Id="_10E1CqVVROnD2w8SWvT5ew22">
         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
         <xenc:CipherData>
            <xenc:CipherValue xmlns:xmime="http://www.w3.org/2005/05/xmlmime" xmime:contentType="application/octet-stream">19sJqHGIJkmZDXTwkBs0uZLQQghPZwQBp/zGnGsveJfoZTtgSX0rdw0MbCOO4eaWnAQkM6p3SSEi
ugtmvtLqPA5Q3rGWOEifij+WBnZ0tmTeunN6aEUJ7EdplJHv65URyBcfjGPHFLaWt5bRaJefeccf
2sX45d7pZSKzAjC8+Or3o8QpH1sWpc0XPdM18KIwHNigsZhbnTqiftTsPjuDz+GiRVtB1+niMAz5
SkK86dtki1ThwnWEbMZBmlVC7fJrTT+knjH7FfdLBG5I7K/Wd9R2Tc5IngJ0Ru2GXD/a8kz4m2j8
y/5RemSNl1uXch+8LAZCzx8aF4JuJbp2rSK9/0aQMer0kPF1cCju1GSBmiV6aV1rSwUK1GA2uSa/
5wp3vWZXvEb58jHr+ib/bfSbFxpzQMAKzKF44eJfG6NPnfQ0znBAa7gl7dfNzoE7OqzcL/kuIQH7
rAHALuVZ17/Up5roTjpVA7YE8CBK2DSD4c0sbfkM3MGzCFx+NCK//nuyPVaQEgcNq/W5WpjUFg+B
C9Gvc5NDchMG2BADKMoS5N8MRRdkGkk6KbH1e+rirT8HQsqFvPwyHDOHNfBdCiaLJsMb1lkFxcFa
3f/C35RcxWK6QtwH7LLtmNMJS8Ryf/ijBcFnx/ous+jGKVx7IriNrCuz/pS4XS1RCaDCGHcH6v4=</xenc:CipherValue>
         </xenc:CipherData>
      </xenc:EncryptedData>
   </env:Body>
</env:Envelope>

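The lookup that the failing reference in this report requires, as an added example (not part of the original report and not WSS4J code): a dsig:Reference carrying the STR-Transform points at a wsse:SecurityTokenReference, and its KeyIdentifier of type SAMLAssertionID has to be matched to a saml:Assertion by AssertionID before anything is digested. The sample envelope is trimmed from the message in the report; the function names are illustrative.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DSIG, SAML1 = "http://www.w3.org/2000/09/xmldsig#", "urn:oasis:names:tc:SAML:1.0:assertion"
STR_TRANSFORM = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"
SAML_ID_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"

# Constructed sample: the report's message with the same Ids, key material and digests dropped.
SAMPLE = f"""<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="{WSSE}"
 xmlns:wsu="{WSU}" xmlns:dsig="{DSIG}" xmlns:saml="{SAML1}"><env:Header><wsse:Security>
<dsig:Signature><dsig:SignedInfo><dsig:Reference URI="#STR-SAML-t5dWJC9BpFXwp4OjA86KMw22">
<dsig:Transforms><dsig:Transform Algorithm="{STR_TRANSFORM}"/></dsig:Transforms></dsig:Reference>
<dsig:Reference URI="#Body-LnMti7MrAJ3hLRqqWoN0Mg22"/></dsig:SignedInfo></dsig:Signature>
<wsse:SecurityTokenReference wsu:Id="STR-SAML-t5dWJC9BpFXwp4OjA86KMw22">
<wsse:KeyIdentifier ValueType="{SAML_ID_TYPE}">SAML-Q1uTD1fnXqIpGqOFv7BMXQ22</wsse:KeyIdentifier>
</wsse:SecurityTokenReference><saml:Assertion AssertionID="SAML-Q1uTD1fnXqIpGqOFv7BMXQ22"/>
</wsse:Security></env:Header><env:Body wsu:Id="Body-LnMti7MrAJ3hLRqqWoN0Mg22"/></env:Envelope>"""


def by_wsu_id(root, ident):
    """Element carrying wsu:Id == ident, or None when absent or ambiguous."""
    hits = [e for e in root.iter() if ident and e.get(f"{{{WSU}}}Id") == ident]
    return hits[0] if len(hits) == 1 else None


def dereference_str(root, str_el):
    """Token an STR points at (direct Reference or SAML KeyIdentifier), else None."""
    ref = str_el.find(f"{{{WSSE}}}Reference")
    if ref is not None:
        return by_wsu_id(root, (ref.get("URI") or "")[1:])
    kid = str_el.find(f"{{{WSSE}}}KeyIdentifier")
    if kid is None or kid.get("ValueType") != SAML_ID_TYPE:
        return None
    hits = [a for a in root.iter(f"{{{SAML1}}}Assertion")
            if a.get("AssertionID") == (kid.text or "").strip()]
    return hits[0] if len(hits) == 1 else None


def resolve_references(envelope_xml):
    """Map each dsig:Reference URI to the local name of the element to digest."""
    root, out = ET.fromstring(envelope_xml), {}
    for ref in root.iter(f"{{{DSIG}}}Reference"):
        uri = ref.get("URI", "")
        target = by_wsu_id(root, uri[1:])
        algs = [t.get("Algorithm") for t in ref.iter(f"{{{DSIG}}}Transform")]
        if target is not None and STR_TRANSFORM in algs:
            target = dereference_str(root, target)  # digest the token, not the STR
        out[uri] = None if target is None else target.tag.split("}")[1]
    return out
```

A None value marks a reference that has no input to digest, which is the condition a receiver has to reject rather than skip.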