ws-dev mailing list archives

From "Libois Claude (JIRA)" <>
Subject [jira] [Created] (WSS-588) Server Signature validation on client failed while using only CA in the client truststore
Date Thu, 22 Sep 2016 14:55:20 GMT
Libois Claude created WSS-588:

             Summary: Server Signature validation on client failed while using only CA in the client truststore
                 Key: WSS-588
             Project: WSS4J
          Issue Type: Bug
          Components: WSS4J Core
    Affects Versions: 2.0.4
         Environment: Servicemix server using cxf+wss4j for WS-Security
            Reporter: Libois Claude
            Assignee: Colm O hEigeartaigh
            Priority: Blocker

I have a webservice which is secured by WS-Security+Policy.
I currently use Signature only for the server response.
However, I keep having the same error:
Exception in thread "main" The signature or decryption was invalid
	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(
	at com.sun.proxy.$Proxy34.submit(Unknown Source)
	at client.OffresEmploiClientUserToken.doCall(
	at client.OffresEmploiClientUserToken.main(
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(
	at java.lang.reflect.Method.invoke(
	at com.intellij.rt.execution.application.AppMain.main(
Caused by: org.apache.wss4j.common.ext.WSSecurityException: The signature or decryption was
	at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(
	at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(
	at org.apache.cxf.endpoint.ClientImpl.onMessage(
	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(
	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(
	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(
	at org.apache.cxf.transport.AbstractConduit.close(
	at org.apache.cxf.transport.http.HTTPConduit.close(
	at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(
	at org.apache.cxf.endpoint.ClientImpl.doInvoke(
	at org.apache.cxf.endpoint.ClientImpl.invoke(
	at org.apache.cxf.endpoint.ClientImpl.invoke(
	at org.apache.cxf.endpoint.ClientImpl.invoke(
	at org.apache.cxf.frontend.ClientProxy.invokeSync(
	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(
	... 8 more

My client truststore is set so that I only have the signer's CA.
I have noticed that if I put the signer certificate in the truststore, it works!
I did a Wireshark snoop and found that in the response part:
The problem is that 12428414237952637822 isn't the CA serial number but the signer serial.
I have dug a little into the code and found something that looks weird to me in
the WSSecSignature class:

    case WSConstants.ISSUER_SERIAL:
        String issuer = certs[0].getIssuerX500Principal().getName();
        java.math.BigInteger serialNumber = certs[0].getSerialNumber();

I'm wondering why, in the last line, we don't take the issuer serial number:
java.math.BigInteger serialNumber = certs[0].getIssuerX500Principal().getSerialNumber();

I can't see how this can work, since the client compares the serial number provided with the
serial number of the CA in the Merlin class:

    if (x509cert.getSerialNumber().compareTo(serialNumber) == 0)

Hope I was clear enough.
I have checked the latest version of WSSecSignature and I still see the same line...
Best Regards,
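The lookup this report is about, as an added diagnostic example that is not WSS4J's or CXF's code. Under the WS-Security X.509 Token Profile an X509IssuerSerial reference carries the issuer's DN together with the serial number of the signing certificate itself; serial numbers are only unique per issuer, so the issuer DN scopes the serial rather than identifying the CA's own certificate. A receiver therefore has to find a certificate with exactly that (issuer, serial) pair. The program below loads a truststore, lists what it actually contains, and reports whether a certificate with the referenced pair is present or only the issuing CA is. The truststore path, password, issuer DN and serial are command-line arguments; the matching is a simplified model of what Merlin does, not its code.

```java
import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.security.auth.x500.X500Principal;

/**
 * Added diagnostic (not WSS4J/CXF code): resolves an X509IssuerSerial
 * reference (issuer DN + serial) against a JKS truststore the way a
 * receiver has to, and explains why a lookup missed. The matching is a
 * simplified model of Merlin's, not a copy of it.
 */
public class IssuerSerialLookup {

    /** All X.509 certificates in the store, in alias order. */
    static List<X509Certificate> certificates(KeyStore store) throws Exception {
        List<X509Certificate> out = new ArrayList<>();
        for (String alias : Collections.list(store.aliases())) {
            Certificate c = store.getCertificate(alias);
            if (c instanceof X509Certificate) {
                out.add((X509Certificate) c);
            }
        }
        return out;
    }

    /**
     * The certificate whose issuer DN equals the reference issuer AND whose own
     * serial number equals the reference serial, or null if there is none.
     * The serial belongs to the signing certificate, not to the CA; the issuer
     * DN only scopes it, because serials are unique per issuer, not globally.
     */
    static X509Certificate findByIssuerSerial(List<X509Certificate> certs,
                                              X500Principal issuer, BigInteger serial) {
        for (X509Certificate x509 : certs) {
            if (x509.getIssuerX500Principal().equals(issuer)
                    && x509.getSerialNumber().compareTo(serial) == 0) {
                return x509;
            }
        }
        return null;
    }

    /** True if the store holds the issuer itself (a certificate whose subject is the reference issuer). */
    static boolean containsIssuer(List<X509Certificate> certs, X500Principal issuer) {
        for (X509Certificate x509 : certs) {
            if (x509.getSubjectX500Principal().equals(issuer)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: IssuerSerialLookup <truststore.jks> <password> <issuerDN> <serialDecimal>");
            System.exit(2);
        }
        KeyStore store = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            store.load(in, args[1].toCharArray());
        }
        // The issuer string on the wire is the RFC 2253 form produced by
        // getIssuerX500Principal().getName(); X500Principal parses and compares it canonically.
        X500Principal issuer = new X500Principal(args[2]);
        BigInteger serial = new BigInteger(args[3]);
        List<X509Certificate> certs = certificates(store);

        // Show what the store really contains so it can be compared with the wire reference.
        for (X509Certificate x509 : certs) {
            System.out.printf("subject=%s%n  issuer=%s%n  serial=%s%n",
                    x509.getSubjectX500Principal(), x509.getIssuerX500Principal(),
                    x509.getSerialNumber());
        }

        X509Certificate match = findByIssuerSerial(certs, issuer, serial);
        if (match != null) {
            System.out.println("MATCH: " + match.getSubjectX500Principal());
        } else if (containsIssuer(certs, issuer)) {
            System.out.println("NO MATCH: the issuing CA is present, but no certificate it issued"
                    + " carries serial " + serial + "; the signing certificate itself is not in the store");
        } else {
            System.out.println("NO MATCH: neither the issuer nor a certificate with that serial is in the store");
        }
    }
}
```

Run it against the client truststore with the issuer DN and the serial seen on the wire (in this report, 12428414237952637822). A store that holds only the CA produces the second message: the issuer is found, but the certificate the reference points at is absent, so there is no public key to verify the signature with, which matches the observation that adding the signer certificate to the truststore makes verification succeed.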
