[
https://issues.apache.org/jira/browse/WSS-178?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704216#action_12704216
]
Nitin Handa commented on WSS-178:
---------------------------------
Hi Colm,
I will try that fix and would let you know.
Apart from this, I am able to make signature and encryption work using
symmetric key using your fixes and also I had to make certain changes to
make it work through configuration.
I encountered 2 more minor issues that should be fixed in wss4j.. I am
going to file JIRA for them
1) xml generated by encryption using symmetric key is invalid as xenc
prefix used in ReferenceList was not declared anywhere - I fixed it locally.
2) whenever there is default namespace added in element after signing
then wss4j is unable to verify it, although it should be OK as unused
namespaces can be ignored when using exclusive canonicalization. So
wss4j should have ignored those default namespaces added while
canonicalizing signed element.
Thanks
Nitin
> signature verification failure of signed saml token due to The Reference for
> URI (bst-saml-uri) has no XMLSignatureInput
> ------------------------------------------------------------------------------------------------------------------------
>
> Key: WSS-178
> URL: https://issues.apache.org/jira/browse/WSS-178
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 1.5.7
> Environment: Windows XP + tomcat 6x + axis 1.4 + wss4j 1.5.6
> Reporter: Nitin Handa
> Assignee: Colm O hEigeartaigh
> Priority: Blocker
> Fix For: 1.5.8, 1.6
>
> Attachments: wss4j.log
>
>
> While doing interop testing with owsm, I am hitting a wss4j bug which is
> hindering me in completing testing.
> OWSM is sending saml token signed with signed & encrypted body. SAML token is
> referred from BST using KeyIdentifier, saml token in signed.
> At wss4j end, signature verification is failing as wss4j WsDoAllReceiver is
> not able to find out reference of saml token.
> <?xml version = '1.0' encoding = 'UTF-8'?>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/";
> xmlns:xsd="http://www.w3.org/2001/XMLSchema";
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";>
> <soapenv:Body>
> <soapenv:Fault>
> <faultcode>soapenv:Server.generalException</faultcode>
> <faultstring>WSDoAllReceiver: security processing failed; nested
> exception is:
> org.apache.ws.security.WSSecurityException: The signature or
> decryption was invalid; nested exception is:
> org.apache.xml.security.signature.XMLSignatureException: The
> Reference for URI #STR-SAML-t5dWJC9BpFXwp4OjA86KMw22 has no XMLSignatureInput
> Original Exception was
> org.apache.xml.security.signature.MissingResourceFailureException: The
> Reference for URI #STR-SAML-t5dWJC9BpFXwp4OjA86KMw22 has no XMLSignatureInput
> Original Exception was
> org.apache.xml.security.signature.ReferenceNotInitializedException: No
> message with ID "WS Security Exception" found in resource bundle
> "org/apache/xml/security/resource/xmlsecurity". Original Exception was a
> org.apache.ws.security.WSSecurityException and message An error was
> discovered processing the <wsse:Security> header (Reference URI is null)
> Original Exception was
> org.apache.xml.security.signature.ReferenceNotInitializedException: No
> message with ID "WS Security Exception" found in resource bundle
> "org/apache/xml/security/resource/xmlsecurity". Original Exception was a
> org.apache.ws.security.WSSecurityException and message An error was
> discovered processing the <wsse:Security> header (Reference URI is null)
> Original Exception was
> org.apache.xml.security.signature.XMLSignatureException: No message with ID
> "WS Security Exception" found in resource bundle
> "org/apache/xml/security/resource/xmlsecurity". Original Exception was a
> org.apache.ws.security.WSSecurityException and message An error was
> discovered processing the <wsse:Security> header (Reference URI is null)
> Original Exception was
> org.apache.xml.security.transforms.TransformationException: No message with
> ID "WS Security Exception" found in resource bundle
> "org/apache/xml/security/resource/xmlsecurity". Original Exception was a
> org.apache.ws.security.WSSecurityException and message An error was
> discovered processing the <wsse:Security> header (Reference URI is null)
> Original Exception was
> org.apache.xml.security.c14n.CanonicalizationException: No message with ID
> "WS Security Exception" found in resource bundle
> "org/apache/xml/security/resource/xmlsecurity". Original Exception was a
> org.apache.ws.security.WSSecurityException and message An error was
> discovered processing the <wsse:Security> header (Reference URI is null)
> Original Exception was org.apache.ws.security.WSSecurityException: An error
> was discovered processing the <wsse:Security> header (Reference URI is
> null)</faultstring>
> <detail>
> <ns1:hostname
> xmlns:ns1="http://xml.apache.org/axis/";>nihanda-pc</ns1:hostname>
> </detail>
> </soapenv:Fault>
> </soapenv:Body>
> </soapenv:Envelope>
> SOAP Message that is received by wss4j is (i.e. sent from owsm):-
> <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/";
> xmlns:xsd="http://www.w3.org/2001/XMLSchema";
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
> xmlns:ns0="http://stock.samples";
> xmlns:ns1="http://127.0.0.1:8080/axis/services/urn:xmltoday-delayed-quotes";><env:Header><wsse:Security
>
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
> env:mustUnderstand="1"><wsse:BinarySecurityToken
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>
> xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
>
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
> wsu:Id="BST-Upx5ivaWcOwLOBmjTbOkDg22"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";>MIICXTCCAcagAwIBAgIESfBXtTANBgkqhkiG9w0BAQUFADBzMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEXMBUGA1UEBxMOUmVkd29vZCBTaG9yZXMxEzARBgNVBAoTCk9yYWNsZSBJbmMxDjAMBgNVBAsTBVNvYVFhMREwDwYDVQQDEwh3ZWJsb2dpYzAeFw0wOTA0MjMxMTU3NDFaFw0wOTA3MjIxMTU3NDFaMHMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRcwFQYDVQQHEw5SZWR3b29kIFNob3JlczETMBEGA1UEChMKT3JhY2xlIEluYzEOMAwGA1UECxMFU29hUWExETAPBgNVBAMTCHdlYmxvZ2ljMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKYApBX9X5rkfJhbYrRKfoXZn0ndi8B+DPY598yaoHAuQweEWNbFJ+hkoUgx9loTrvyNdoczPOu+ktjmzI4wR7LUGDUO1iKVZom9Cpzl+NT3CIGL4I2GU31fxuQkrfx6Qba8dLNtOVGqk1fBSDPV9Y1rMbfGljwe/TGA1lVh+HiQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAEdRfHCehtVMMF/LdA8rJMm9lnofA8Z4sRamdxnRjVzIz4owWKBvslAHlR6FG3/3Ue+iuoQALSNHaeRrPOb/plWyU+yNZZjJ3q9qrPqrQSmBZjomwRsjZskOjnm+9eelfpxqm5+/8im3Pgzb3insPQq+N6BcQP9uiPv3fL/BDuIL</wsse:BinarySecurityToken><xenc:EncryptedKey
> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";><xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";><dsig:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";
> xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/></xenc:EncryptionMethod><dsig:KeyInfo
> xmlns:dsig="http://www.w3.org/2000/09/xmldsig#";><wsse:SecurityTokenReference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>
> xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";><wsse:Reference
>
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>
> xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>
> URI="#BST-Upx5ivaWcOwLOBmjTbOkDg22"/></wsse:SecurityTokenReference></dsig:KeyInfo><xenc:CipherData><xenc:CipherValue
> xmlns:xmime="http://www.w3.org/2005/05/xmlmime";
> xmime:contentType="application/octet-stream">XTrrhXY7BdieWf1Q72nGVx7DkuTjf0sSW9ls76snQTBHS19i7dAh3d3IRM5APCGnuVy7FgiqUIiG
> Zjcfgf+yBC0pRpFOTAJicqYiSjviHIICWSJhNTaJNmUNeMfpiM+q2T0uOoFNh5GmI3/Z0pbdt9oy
> s4I7cYhqHHdBVNo8e9I=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference
>
> URI="#_10E1CqVVROnD2w8SWvT5ew22"/></xenc:ReferenceList></xenc:EncryptedKey><dsig:Signature
>
> xmlns:dsig="http://www.w3.org/2000/09/xmldsig#";><dsig:SignedInfo><dsig:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference
> URI="#Timestamp-O11YJRXoOgF1kGei120b6w22"><dsig:Transforms><dsig:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod
>
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>BKxsCSZfUq1RWr6Y9PU8Rr/Vs/g=</dsig:DigestValue></dsig:Reference><dsig:Reference
> URI="#STR-SAML-t5dWJC9BpFXwp4OjA86KMw22"><dsig:Transforms><dsig:Transform
> Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform";><wsse:TransformationParameters
>
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";><dsig:CanonicalizationMethod
>
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></wsse:TransformationParameters></dsig:Transform></dsig:Transforms><dsig:DigestMethod
>
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>faishbjLkuXbNz9Jx9Nxo8Monk4=</dsig:DigestValue></dsig:Reference><dsig:Reference
> URI="#Body-LnMti7MrAJ3hLRqqWoN0Mg22"><dsig:Transforms><dsig:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod
>
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>/X73mkutNvEF10D8lIDutYGoisA=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>YKNB+6O3FJjWCj2fqDkvfVJXlJkRo0XcoMO5PHqyoCdKCs81cmKXlcUcg8cn+rwwMg29ysfkPg+Wgv2d3CwyA7Fhd+6kC1099ZqEtB/ptnIR/RxoZL+2RXVholPz+Z7niGQM38YZlmdsoqgEyzbDH0u71GWYL6HFUfRAAcZRfb4=</dsig:SignatureValue><dsig:KeyInfo
> xmlns:dsig="http://www.w3.org/2000/09/xmldsig#";
> Id="KeyInfo-vJF2TIW0vRU50vjXKuQuuw22"><wsse:SecurityTokenReference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>
> xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";><wsse:Reference
>
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>
> xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
> URI="#BST-aiNal7jotn6Hmf9xN2JQhA22"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference></dsig:KeyInfo></dsig:Signature><wsse:SecurityTokenReference
>
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>
> xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
> wsu:Id="STR-SAML-t5dWJC9BpFXwp4OjA86KMw22"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";><wsse:KeyIdentifier
>
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>
> xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>
> ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID";>SAML-Q1uTD1fnXqIpGqOFv7BMXQ22</wsse:KeyIdentifier></wsse:SecurityTokenReference><wsu:Timestamp
>
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
> wsu:Id="Timestamp-O11YJRXoOgF1kGei120b6w22"><wsu:Created
> ValueType="http://www.w3.org/2001/XMLSchema/dateTime";>2009-04-26T16:37:19Z</wsu:Created><wsu:Expires
>
> ValueType="http://www.w3.org/2001/XMLSchema/dateTime";>2009-04-26T16:42:19Z</wsu:Expires></wsu:Timestamp><wsse:BinarySecurityToken
>
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>
> xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
>
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
> wsu:Id="BST-aiNal7jotn6Hmf9xN2JQhA22"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";>MIICXTCCAcagAwIBAgIESfBXtTANBgkqhkiG9w0BAQUFADBzMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEXMBUGA1UEBxMOUmVkd29vZCBTaG9yZXMxEzARBgNVBAoTCk9yYWNsZSBJbmMxDjAMBgNVBAsTBVNvYVFhMREwDwYDVQQDEwh3ZWJsb2dpYzAeFw0wOTA0MjMxMTU3NDFaFw0wOTA3MjIxMTU3NDFaMHMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRcwFQYDVQQHEw5SZWR3b29kIFNob3JlczETMBEGA1UEChMKT3JhY2xlIEluYzEOMAwGA1UECxMFU29hUWExETAPBgNVBAMTCHdlYmxvZ2ljMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKYApBX9X5rkfJhbYrRKfoXZn0ndi8B+DPY598yaoHAuQweEWNbFJ+hkoUgx9loTrvyNdoczPOu+ktjmzI4wR7LUGDUO1iKVZom9Cpzl+NT3CIGL4I2GU31fxuQkrfx6Qba8dLNtOVGqk1fBSDPV9Y1rMbfGljwe/TGA1lVh+HiQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAEdRfHCehtVMMF/LdA8rJMm9lnofA8Z4sRamdxnRjVzIz4owWKBvslAHlR6FG3/3Ue+iuoQALSNHaeRrPOb/plWyU+yNZZjJ3q9qrPqrQSmBZjomwRsjZskOjnm+9eelfpxqm5+/8im3Pgzb3insPQq+N6BcQP9uiPv3fL/BDuIL</wsse:BinarySecurityToken><saml:Assertion
> MajorVersion="1" MinorVersion="1"
> xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
> AssertionID="SAML-Q1uTD1fnXqIpGqOFv7BMXQ22"
> IssueInstant="2009-04-26T16:37:19Z" Issuer="www.oracle.com"><saml:Conditions
> NotBefore="2009-04-26T16:37:19Z"
> NotOnOrAfter="2009-04-26T16:42:19Z"/><saml:AuthenticationStatement
> AuthenticationInstant="2009-04-26T16:37:19Z"
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><saml:Subject><saml:NameIdentifier
>
> Format="UNSPECIFIED">wss4j</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion></wsse:Security></env:Header><env:Body
> wsu:Id="Body-LnMti7MrAJ3hLRqqWoN0Mg22"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";><xenc:EncryptedData
> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";
> Type="http://www.w3.org/2001/04/xmlenc#Content";
> Id="_10E1CqVVROnD2w8SWvT5ew22"><xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><xenc:CipherData><xenc:CipherValue
> xmlns:xmime="http://www.w3.org/2005/05/xmlmime";
> xmime:contentType="application/octet-stream">19sJqHGIJkmZDXTwkBs0uZLQQghPZwQBp/zGnGsveJfoZTtgSX0rdw0MbCOO4eaWnAQkM6p3SSEi
> ugtmvtLqPA5Q3rGWOEifij+WBnZ0tmTeunN6aEUJ7EdplJHv65URyBcfjGPHFLaWt5bRaJefeccf
> 2sX45d7pZSKzAjC8+Or3o8QpH1sWpc0XPdM18KIwHNigsZhbnTqiftTsPjuDz+GiRVtB1+niMAz5
> SkK86dtki1ThwnWEbMZBmlVC7fJrTT+knjH7FfdLBG5I7K/Wd9R2Tc5IngJ0Ru2GXD/a8kz4m2j8
> y/5RemSNl1uXch+8LAZCzx8aF4JuJbp2rSK9/0aQMer0kPF1cCju1GSBmiV6aV1rSwUK1GA2uSa/
> 5wp3vWZXvEb58jHr+ib/bfSbFxpzQMAKzKF44eJfG6NPnfQ0znBAa7gl7dfNzoE7OqzcL/kuIQH7
> rAHALuVZ17/Up5roTjpVA7YE8CBK2DSD4c0sbfkM3MGzCFx+NCK//nuyPVaQEgcNq/W5WpjUFg+B
> C9Gvc5NDchMG2BADKMoS5N8MRRdkGkk6KbH1e+rirT8HQsqFvPwyHDOHNfBdCiaLJsMb1lkFxcFa
> 3f/C35RcxWK6QtwH7LLtmNMJS8Ryf/ijBcFnx/ous+jGKVx7IriNrCuz/pS4XS1RCaDCGHcH6v4=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></env:Body></env:Envelope>
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
