ws-dev mailing list archives

From "Libois Claude (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WSS-588) Server-side signature validation on client fail with only certificate CA is in the client truststore
Date Thu, 22 Sep 2016 15:36:20 GMT

    [ https://issues.apache.org/jira/browse/WSS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15513627#comment-15513627 ]

Libois Claude commented on WSS-588:
-----------------------------------

Thanks for the quick answer!
However, I don't quite understand the need to provide the serial number, as the complete certificate seems to be provided in the BinarySecurityToken field.
Here is the complete SOAP header in case this could help:
{code}
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><Action
xmlns="http://www.w3.org/2005/08/addressing">address</Action><MessageID xmlns="http://www.w3.org/2005/08/addressing"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="_a7185c7f-a787-4c30-9f65-6df6bfa674f0">urn:uuid:e5e524c5-cb0e-44b8-8424-e1d4c5821a83</MessageID><To
xmlns="http://www.w3.org/2005/08/addressing">http://www.w3.org/2005/08/addressing/anonymous</To><RelatesTo
xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="_e27b74fd-8883-4aec-928d-79de0c485594">urn:uuid:df816004-5f3a-40a8-a6d9-d24a76169ab7</RelatesTo><wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="1"><wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"
wsu:Id="X509-f128d321-44e1-4a98-bb36-dd62c99ea1bc">MIICyjCCAsYwggIvoAMCAQICCQCsepjmnpL7fjANBgkqhkiG9w0BAQUFADCBlTELMAkGA1UEBhMCQkUxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCUNoYXJsZXJvaTERMA8GA1UECgwITGUgRm9yZW0xDjAMBgNVBAsMBWZvcmVtMRkwFwYDVQQDDBB0ZXN0c3NsQGZvcmVtLmJlMR8wHQYJKoZIhvcNAQkBFhB0ZXN0c3NsQGZvcmVtLmJlMB4XDTE2MDgwNDA3MjgwMFoXDTE3MDgwNDA3MjgwMFowQzELMAkGA1UEBhMCQkUxETAPBgNVBAoTCFJhbmRTdGFkMQ4wDAYDVQQLEwVGb3JlbTERMA8GA1UEAxMIUmFuZFN0YWQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM5iJr04XPZqQdxXQ4NiAcyJ4SZI725V8T732eH4vtMTI/lwUiIDE1L95/29ARkn8S+g/i59pCafcjvBt07RFJ0gE6QhM2bnn8B+Zeww3AmmeXgYFUH/BKFfhGOXFTfjY/ysDrrpoJkj4Vcz8BOFeB2O/ye2AHQ4/nnJb2DM5QfJAgMBAAGjbzBtMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFNd2Jw262Yf3lRFGucioaR+kM6KCMAsGA1UdDwQEAwIEsDARBglghkgBhvhCAQEEBAMCBaAwHgYJYIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQUFAAOBgQAXSOEwo3Pcz7B3145FO5H8Qbty3mnCkmtiezLrBx6rvPy9vBybsH+7+pBK3C8+g0a+S1BfsC8wHnTJxkke7ecW5SyE6O17YTZlBR2ZUpEHagqG47YBjryTkYKMDPB/bC91p9o7IRqT/2VlrbYK6g+79cENtKEPn378HZUoxbKHhQ==</wsse:BinarySecurityToken><wsu:Timestamp
wsu:Id="TS-b343d119-3da0-4365-a923-aadb320d713b"><wsu:Created>2016-09-22T11:11:39.066Z</wsu:Created><wsu:Expires>2016-09-22T11:16:39.066Z</wsu:Expires></wsu:Timestamp><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-847e0393-6fb7-4d6c-84f1-a4837ee2e652"><ds:SignedInfo><ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="soap"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
URI="#TS-b343d119-3da0-4365-a923-aadb320d713b"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap"/></ds:Transform></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>LEF5he1V9D2KeqxE2Y0K1JsRbiS5jgiOZeJ53Hu6JEA=</ds:DigestValue></ds:Reference><ds:Reference
URI="#_47ba1428-0d7a-403d-aeed-e9a70f419345"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/></ds:Transform></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>XpTNsgDOzAVM2nmQVb6FEuMg7926qWkoYFsg5WmVYLs=</ds:DigestValue></ds:Reference><ds:Reference
URI="#_a7185c7f-a787-4c30-9f65-6df6bfa674f0"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/></ds:Transform></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>XOQ/ndLAKGBMIcbhH9ZZ/3zLHBZJWBbwyzXN/vFJ/cA=</ds:DigestValue></ds:Reference><ds:Reference
URI="#_e27b74fd-8883-4aec-928d-79de0c485594"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/></ds:Transform></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>S7+xWrZbeR5D/P2ZiRTVNq0SrbYIJaBG8xoOixa5Aow=</ds:DigestValue></ds:Reference><ds:Reference
URI="#X509-f128d321-44e1-4a98-bb36-dd62c99ea1bc"><ds:Transforms><ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="soap"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>Hlix91X5/g8c860b0BSQKZUqxQU6RnxvpNqHSTdmJMI=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>HJNcNc58V+8215eebdjY/iE3qewmgHy8uOiTokf6nSWxeKsE65JnfK77+bO8/ITnuBzQm4Vqli0WxiGP9x/5xkXxc4jdPsum84z80bXfirqtjyrm1zSwl/6Nlh1F1uHiVXwwVuFWMluPwVIScmY7rXY46RuqqpCAYgp4kqfFKEA=</ds:SignatureValue><ds:KeyInfo
Id="KI-2f709921-6449-424f-9c30-c5a652d226bf"><wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STR-c2b6e796-cba1-4dc4-af4c-4d3f60050b05"><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>1.2.840.113549.1.9.1=#16107465737473736c40666f72656d2e6265,XXXXXX</ds:X509IssuerName><ds:X509SerialNumber>12428414237952637822</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soap:Header><soap:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="_47ba1428-0d7a-403d-aeed-e9a70f419345"><PositionOpeningResult xmlns="http://ns.hr-xml.org/2006-02-28"><PositionRecordInfo/><ProcessDate>2016-09-22T13:11:38</ProcessDate><ProcessFileName/><Warnings/><Errors/></PositionOpeningResult></soap:Body></soap:Envelope>
{code}
To be honest, I didn't do anything special to use the IssuerSerial reference. Moreover, the issuer DN provided in the certificate should be enough to match the certificate in my TrustStore.


> Server-side signature validation on client fail with only certificate CA is in the client truststore
> ----------------------------------------------------------------------------------------------------
>
>                 Key: WSS-588
>                 URL: https://issues.apache.org/jira/browse/WSS-588
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.0.4
>         Environment: Servicemix server using cxf+wss4j for WS-Security purpose
>            Reporter: Libois Claude
>            Assignee: Colm O hEigeartaigh
>              Labels: easyfix
>
> I have a web service which is secured by WS-Security+Policy.
> I currently use Signature only for the server response.
> However, I keep having the same error on the client side:
> {code}
> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: The signature or decryption was invalid
> 	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
> 	at com.sun.proxy.$Proxy34.submit(Unknown Source)
> 	at client.OffresEmploiClientUserToken.doCall(OffresEmploiClientUserToken.java:93)
> 	at client.OffresEmploiClientUserToken.main(OffresEmploiClientUserToken.java:63)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:606)
> 	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
> Caused by: org.apache.wss4j.common.ext.WSSecurityException: The signature or decryption was invalid
> 	at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:194)
> 	at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:428)
> 	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:278)
> 	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:190)
> 	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:129)
> 	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:112)
> 	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
> 	at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
> 	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1645)
> 	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1533)
> 	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1336)
> 	at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:56)
> 	at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:215)
> 	at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
> 	at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:652)
> 	at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
> 	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
> 	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
> 	at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
> 	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:138)
> 	... 8 more
> {code}
> My client truststore is set so that I only have the signer CA.
> *I have noticed that if I set the signer certificate in the client truststore, it works!*
> I did a wireshark snoop and found that in the response part coming from the server:
> {code}
> <ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>1.2.840.113549.1.9.1=#16107465737473736c40666f72656d2e6265,CN=XXXXX</ds:X509IssuerName><ds:X509SerialNumber>12428414237952637822</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data>
> {code}
> The problem is that 12428414237952637822 isn't the CA (issuer) serial number but the signer serial number!
> I have dug a little bit into the code and I have found something that looks weird to me in the WSSecSignature class:
> {code}
> case WSConstants.ISSUER_SERIAL:
>                 String issuer = certs[0].getIssuerX500Principal().getName();
>                 java.math.BigInteger serialNumber = certs[0].getSerialNumber();
> {code}
> I'm wondering why in the last line we don't take the issuer serial number? ->
> {code} java.math.BigInteger serialNumber = certs[0].getIssuerX500Principal().getSerialNumber();{code}
> I can't see how this can work, since the client compares the serial number provided with the serial number of the CA in the Merlin class:
> {code}
> if (x509cert.getSerialNumber().compareTo(serialNumber) == 0)
> {code}
> Hope I was clear enough.
> I have checked in the latest version of the WSSecSignature and I still see the same line...
> Best Regards,
> Claude
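An added illustration, not code from WSS4J, CXF or the reporter: the issuer/serial match discussed above, written as a stand-alone Java lookup over a client truststore. XML-DSig defines X509IssuerSerial as the issuer's distinguished name paired with the serial number that issuer assigned to the certificate itself, so the lookup compares the reference against each stored certificate's own issuer and own serial; the truststore path and password in `main` are assumptions.

```java
import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.security.auth.x500.X500Principal;

public class IssuerSerialLookup {

    /**
     * Finds the certificate in a truststore whose issuer DN and serial number
     * match the pair carried in a ds:X509IssuerSerial reference.
     * Returns null when no stored certificate matches.
     */
    public static X509Certificate findByIssuerSerial(KeyStore ks, String issuerName,
                                                     BigInteger serial) throws Exception {
        // X500Principal canonicalises the RFC 2253 string, including OID=#hex
        // attributes such as the emailAddress in the report's X509IssuerName.
        X500Principal wanted = new X500Principal(issuerName);
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            Certificate c = ks.getCertificate(aliases.nextElement());
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x509 = (X509Certificate) c;
            // Both values belong to the stored certificate itself: its issuer and
            // the serial that issuer assigned to it. A store holding only the CA
            // therefore has nothing whose own serial equals the signer's serial.
            if (x509.getIssuerX500Principal().equals(wanted)
                    && x509.getSerialNumber().equals(serial)) {
                return x509;
            }
        }
        return null;
    }

    /** The (issuer DN, serial) pair a sender derives from its signing certificate. */
    public static String[] referenceFor(X509Certificate signer) {
        return new String[] {signer.getIssuerX500Principal().getName(),
                             signer.getSerialNumber().toString()};
    }

    public static void main(String[] args) throws Exception {
        // Assumed truststore location and password; args: <issuerDN> <decimalSerial>
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("client-truststore.jks")) {
            ks.load(in, "changeit".toCharArray());
        }
        X509Certificate hit = findByIssuerSerial(ks, args[0], new BigInteger(args[1]));
        System.out.println(hit == null ? "no match: signer certificate not in truststore"
                                       : "matched " + hit.getSubjectX500Principal());
    }
}
```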



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

