ws-users mailing list archives

From Mike O'Connell <mca...@gmail.com>
Subject Re: Signature verification failure with loose ds:Reference in payload.
Date Mon, 05 Dec 2011 11:32:47 GMT
Hi Colm,

>> In AS4 the spec allows for a receipt to contain the ds:Reference
>> (URI AS4-1340DA8B82E-C7F0C@000000000_1) element of the message previously
>> received for verification purposes. However I suspect that the signature
>> validation process picks this reference up and fails when attempting to
>> verify the ds:Reference (URI id-1) in the ds:Signature element.
> 
> The reference in the signature points to "#id-1", which is the Id of
> the "Messaging" element. Why would the Reference with id
> "AS4-1340DA8B82E-C7F0C@000000000_1" in the Messaging element be
> interfering with signature validation, as it's a different URI?

When I remove the URI attribute for "#AS4-1340DA8B82E-C7F0C@000000000_1" or omit the ds:Reference
element surrounding it the signature verification works perfectly. See another request below
with the ds:Reference URI attribute removed from the receipt element.

Thanks,

Mike

Performing Security header verification
[DEBUG] WSSecurityEngine - enter processSecurityHeader()
[DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
[DEBUG] SignatureProcessor - Found signature element
[DEBUG] SignatureTrustValidator - Transmitted certificate has subject C=ZA,CN=localhost
[DEBUG] SignatureTrustValidator - Transmitted certificate has issuer C=ZA,CN=localhost (serial
1305901688879)
[DEBUG] SignatureTrustValidator - Direct trust for certificate with C=ZA,CN=localhost
[DEBUG] SignatureProcessor - Verify XML Signature
WSSResult - id: SIG-2
WSSResult - canonicalization-method: http://www.w3.org/2001/10/xml-exc-c14n#
WSSResult - signature-value: [B@3c0b655a
WSSResult - principal: C=ZA, CN=localhost
WSSResult - x509-certificate:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
env:mustUnderstand="true">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="env"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-1">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="env"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>tkPqcPetqaCAJRI3nH5BDF3h3ag=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>qCCsNZnQct+nh1w5DzQ3XjqgmEB/eIjqUqsK+0V1M5sieu7vBJT3Hlhovdb6cO1cDWLM5xr7Vgyh
KwNVOM6iboaiD6cDRYcN1waHtffdXkUYKfZghs5DuHFp/L09pSKDCbsi+2htioP4ujhofqycDAp3
Uxjl/hcbGj+v4nKsxa0=</ds:SignatureValue>
        <ds:KeyInfo Id="KI-827486330BFAA824D313230845533145">
          <wsse:SecurityTokenReference wsu:Id="STR-827486330BFAA824D313230845533146">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
                <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
    <eb:Messaging xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="id-1">
      <eb:SignalMessage>
        <eb:MessageInfo>
          <eb:Timestamp>2011-12-05T11:29:13.294Z</eb:Timestamp>
          <eb:MessageId>FMS-A-20111205-132911.950-0.3235415620241763@999999999</eb:MessageId>
          <eb:RefToMessageId>AS4-1340DFC1273-756C9@000000000</eb:RefToMessageId>
        </eb:MessageInfo>
        <eb:Receipt>
          <ebbpsig:NonRepudiationInformation xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
            <ebbpsig:MessagePartNRInformation>
              <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="ds ebbpsig env wsu"/>
                  </ds:Transform>
                </ds:Transforms>
                <ds:DigestValue>NbGFEDwnGokrW4/PHQ8fOkPYf2c=</ds:DigestValue>
              </ds:Reference>
            </ebbpsig:MessagePartNRInformation>
          </ebbpsig:NonRepudiationInformation>
        </eb:Receipt>
      </eb:SignalMessage>
    </eb:Messaging>
  </env:Header>
  <env:Body/>
</env:Envelope>

> On Mon, Dec 5, 2011 at 10:53 AM, Mike O'Connell <mcanix@gmail.com> wrote:
>> Hi Colm,
>> 
>> Wss4j - 1.6.3
>> Metro - 2.1.1
>> bcprov - jre6 145
>> 
>> Apologies, Copy&Paste error:
>> 
>> In AS4 the spec allows for a receipt to contain the ds:Reference
>> (URI AS4-1340DA8B82E-C7F0C@000000000_1) element of the message previously
>> received for verification purposes. However I suspect that the signature
>> validation process picks this reference up and fails when attempting to
>> verify the ds:Reference (URI id-1) in the ds:Signature element.
>> 
>> Can someone confirm that it's either omitting the ds:Reference
>> (URI AS4-1340DA8B82E-C7F0C@000000000_1) from the check and thus failing the
>> verification or that it's attempting to verify that ds:Reference
>> (URI AS4-1340DA8B82E-C7F0C@000000000_1).
>> 
>> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
>> <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
>>   <env:Header>
>>     <wsse:Security
>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> env:mustUnderstand="true">
>>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>> Id="SIG-2">
>>         <ds:SignedInfo>
>>           <ds:CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>             <ec:InclusiveNamespaces
>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>>           </ds:CanonicalizationMethod>
>>           <ds:SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>           <ds:Reference URI="#id-1">
>>             <ds:Transforms>
>>               <ds:Transform
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>                 <ec:InclusiveNamespaces
>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>>               </ds:Transform>
>>             </ds:Transforms>
>>             <ds:DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>             <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
>>           </ds:Reference>
>>         </ds:SignedInfo>
>> 
>> <ds:SignatureValue>HnREEHPpyGEBGy/AHduJbNLdfc38B7nnGmb0uUIYBE9luH81uhFbX00tbjL5/+KDkUVi5MfUtDYW
>> 5bOs4dA1i04f8jKsubjw46O1DNPAblAM1aEy1PRGDQsg4S7E4n7JGfSZdn6KcOppWAWE2xsanxC7
>> izdd/BjfOThcmNXyU0k=</ds:SignatureValue>
>>         <ds:KeyInfo Id="KI-6C1B8765799420834813230790910795">
>>           <wsse:SecurityTokenReference
>> wsu:Id="STR-6C1B8765799420834813230790910796">
>>             <ds:X509Data>
>>               <ds:X509IssuerSerial>
>>                 <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
>>                 <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
>>               </ds:X509IssuerSerial>
>>             </ds:X509Data>
>>           </wsse:SecurityTokenReference>
>>         </ds:KeyInfo>
>>       </ds:Signature>
>>     </wsse:Security>
>>     <eb:Messaging
>> xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> wsu:Id="id-1">
>>       <eb:SignalMessage>
>>         <eb:MessageInfo>
>>           <eb:Timestamp>2011-12-05T09:58:11.056Z</eb:Timestamp>
>> 
>> <eb:MessageId>FMS-A-20111205-115809.534-0.9578405727393108@999999999</eb:MessageId>
>> 
>> <eb:RefToMessageId>AS4-1340DA8B82E-C7F0C@000000000</eb:RefToMessageId>
>>         </eb:MessageInfo>
>>         <eb:Receipt>
>>           <ebbpsig:NonRepudiationInformation
>> xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
>>             <ebbpsig:MessagePartNRInformation>
>>               <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>> URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
>>                 <ds:Transforms>
>>                   <ds:Transform
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>                     <ec:InclusiveNamespaces
>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds ebbpsig
>> env wsu"/>
>>                   </ds:Transform>
>>                 </ds:Transforms>
>>                 <ds:DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> 
>> <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
>>               </ds:Reference>
>>             </ebbpsig:MessagePartNRInformation>
>>           </ebbpsig:NonRepudiationInformation>
>>         </eb:Receipt>
>>       </eb:SignalMessage>
>>     </eb:Messaging>
>>   </env:Header>
>>   <env:Body/>
>> </env:Envelope>
>> [DEBUG] WSSecurityEngine - enter processSecurityHeader()
>> [DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
>> [DEBUG] SignatureProcessor - Found signature element
>> [DEBUG] SignatureTrustValidator - Transmitted certificate has subject
>> C=ZA,CN=localhost
>> [DEBUG] SignatureTrustValidator - Transmitted certificate has issuer
>> C=ZA,CN=localhost (serial 1305901688879)
>> [DEBUG] SignatureTrustValidator - Direct trust for certificate with
>> C=ZA,CN=localhost
>> [DEBUG] SignatureProcessor - Verify XML Signature
>> [DEBUG] SignatureProcessor - XML Signature verification has failed
>> [DEBUG] SignatureProcessor - Signature Validation check: true
>> [DEBUG] SignatureProcessor - Reference #id-1 check: false
>> Security Error: : The signature or decryption was invalid
>> 
>> 
>> On 05 Dec 2011, at 12:33 PM, Colm O hEigeartaigh wrote:
>> 
>> Hi Mike,
>> 
>> Firstly, what version of WSS4J are you using?
>> 
>> Secondly, I don't understand your explanation, e.g. where is "id-5" in
>> the message you posted? Is the signature referring to another message
>> that was previously received?
>> 
>> Colm.
>> 
>> On Mon, Dec 5, 2011 at 9:59 AM, Mike O'Connell <mcanix@gmail.com> wrote:
>> 
>> Hi All
>> 
>> I'm having some signature verification issues when receiving a signed
>> message (using the AS4 specification).
>> 
>> In AS4 the spec allows for a receipt to contain the ds:Reference
>> (URI AS4-1340D972B85-751B2@000000000_1) element of the message previously
>> received for verification purposes. However I suspect that the signature
>> validation process picks this reference up and fails when attempting to
>> verify the ds:Reference (URI id-5) in the ds:Signature element.
>> 
>> Can someone confirm that it's either omitting the ds:Reference
>> (URI AS4-1340D972B85-751B2@000000000_1) from the check and thus failing the
>> verification or that it's attempting to verify that ds:Reference
>> (URI AS4-1340D972B85-751B2@000000000_1).
>> 
>> I've tried digging through the source, but can't find where the reference
>> list is built or where the DOMXMLSignatureFactory.unmarshalXMLSignature
>> implementation is as per:
>> 
>> XMLSignature xmlSignature = signatureFactory.unmarshalXMLSignature(context);
>> 
>> Please see logs (and message) below...
>> 
>> Thanks,
>> 
>> Mike
>> 
>> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
>> <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
>>   <env:Header>
>>     <wsse:Security
>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> env:mustUnderstand="true">
>>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>> Id="SIG-2">
>>         <ds:SignedInfo>
>>           <ds:CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>             <ec:InclusiveNamespaces
>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>>           </ds:CanonicalizationMethod>
>>           <ds:SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>           <ds:Reference URI="#id-1">
>>             <ds:Transforms>
>>               <ds:Transform
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>                 <ec:InclusiveNamespaces
>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>>               </ds:Transform>
>>             </ds:Transforms>
>>             <ds:DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>             <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
>>           </ds:Reference>
>>         </ds:SignedInfo>
>> 
>> <ds:SignatureValue>HnREEHPpyGEBGy/AHduJbNLdfc38B7nnGmb0uUIYBE9luH81uhFbX00tbjL5/+KDkUVi5MfUtDYW
>> 5bOs4dA1i04f8jKsubjw46O1DNPAblAM1aEy1PRGDQsg4S7E4n7JGfSZdn6KcOppWAWE2xsanxC7
>> izdd/BjfOThcmNXyU0k=</ds:SignatureValue>
>>         <ds:KeyInfo Id="KI-6C1B8765799420834813230790910795">
>>           <wsse:SecurityTokenReference
>> wsu:Id="STR-6C1B8765799420834813230790910796">
>>             <ds:X509Data>
>>               <ds:X509IssuerSerial>
>>                 <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
>>                 <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
>>               </ds:X509IssuerSerial>
>>             </ds:X509Data>
>>           </wsse:SecurityTokenReference>
>>         </ds:KeyInfo>
>>       </ds:Signature>
>>     </wsse:Security>
>>     <eb:Messaging
>> xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> wsu:Id="id-1">
>>       <eb:SignalMessage>
>>         <eb:MessageInfo>
>>           <eb:Timestamp>2011-12-05T09:58:11.056Z</eb:Timestamp>
>> <eb:MessageId>FMS-A-20111205-115809.534-0.9578405727393108@999999999</eb:MessageId>
>> <eb:RefToMessageId>AS4-1340DA8B82E-C7F0C@000000000</eb:RefToMessageId>
>>         </eb:MessageInfo>
>>         <eb:Receipt>
>>           <ebbpsig:NonRepudiationInformation
>> xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
>>             <ebbpsig:MessagePartNRInformation>
>>               <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>> URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
>>                 <ds:Transforms>
>>                   <ds:Transform
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>                     <ec:InclusiveNamespaces
>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds ebbpsig
>> env wsu"/>
>>                   </ds:Transform>
>>                 </ds:Transforms>
>>                 <ds:DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
>>               </ds:Reference>
>>             </ebbpsig:MessagePartNRInformation>
>>           </ebbpsig:NonRepudiationInformation>
>>         </eb:Receipt>
>>       </eb:SignalMessage>
>>     </eb:Messaging>
>>   </env:Header>
>>   <env:Body/>
>> </env:Envelope>
>> 
>>  Performing Security header verification
>> [DEBUG] WSSecurityEngine - enter processSecurityHeader()
>> [DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
>> [DEBUG] SignatureProcessor - Found signature element
>> [DEBUG] SignatureTrustValidator - Transmitted certificate has subject
>> C=ZA,CN=localhost
>> [DEBUG] SignatureTrustValidator - Transmitted certificate has issuer
>> C=ZA,CN=localhost (serial 1305901688879)
>> [DEBUG] SignatureTrustValidator - Direct trust for certificate with
>> C=ZA,CN=localhost
>> [DEBUG] SignatureProcessor - Verify XML Signature
>> [DEBUG] SignatureProcessor - XML Signature verification has failed
>> [DEBUG] SignatureProcessor - Signature Validation check: true
>> [DEBUG] SignatureProcessor - Reference #id-1 check: false
>> Security Error: : The signature or decryption was invalid
>> 
>> --
>> Colm O hEigeartaigh
>> 
>> Talend Community Coder
>> http://coders.talend.com
>> 
>> 
> 
> 
> 
> -- 
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com
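
The thread asks which ds:Reference elements the verifier actually treats as signed references. The Java program below is an added diagnostic, not code from the thread or from WSS4J: it loads an envelope like the ones pasted above with the JDK's own JSR-105 XML-DSig provider (the API WSS4J 1.6's SignatureProcessor calls through DOMXMLSignatureFactory.unmarshalXMLSignature), prints how many ds:Reference elements exist anywhere in the document versus inside ds:SignedInfo, and then runs the digest check for every reference the unmarshalled SignedInfo contains. Reference.validate() only recomputes the digest and never touches the signing key, so the throwaway RSA key exists solely to satisfy the DOMValidateContext constructor. The class name and the file-path argument are assumptions. Note that the digests in the messages quoted here will not match on the archived text, because mailing-list line wrapping changed the canonicalized bytes; run it on the original on-the-wire message.

```java
import java.io.File;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Diagnostic (assumed name): shows which ds:Reference elements JSR-105 puts in the
 * SignedInfo reference list and whether each one's digest matches, key-independent.
 */
public class ReferenceCheck {
    static final String DS  = "http://www.w3.org/2000/09/xmldsig#";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Never resolve DTDs when parsing untrusted SOAP (XXE / entity expansion).
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new File(args[0])); // path is an assumption

        Element sig = (Element) doc.getElementsByTagNameNS(DS, "Signature").item(0);
        Element signedInfo = (Element) sig.getElementsByTagNameNS(DS, "SignedInfo").item(0);

        // 1. Raw DOM view: ds:Reference elements anywhere (e.g. inside the AS4 receipt)
        //    versus the ones that are actually part of ds:SignedInfo.
        int everywhere = doc.getElementsByTagNameNS(DS, "Reference").getLength();
        int inSignedInfo = signedInfo.getElementsByTagNameNS(DS, "Reference").getLength();
        System.out.println("ds:Reference elements in document: " + everywhere
                + ", inside ds:SignedInfo: " + inSignedInfo);

        // 2. Placeholder key: Reference.validate() recomputes digests only and never uses it.
        PublicKey dummy = KeyPairGenerator.getInstance("RSA").generateKeyPair().getPublic();
        DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(dummy), sig);

        // 3. Register wsu:Id as an ID attribute so URI="#id-1" dereferences to eb:Messaging.
        NodeList every = doc.getElementsByTagNameNS("*", "*");
        for (int i = 0; i < every.getLength(); i++) {
            Element e = (Element) every.item(i);
            if (e.hasAttributeNS(WSU, "Id")) {
                ctx.setIdAttributeNS(e, WSU, "Id");
            }
        }

        // 4. Unmarshal the ds:Signature the same way the verifier does and check each
        //    reference digest on its own, so a failing reference is visible before the
        //    SignatureValue / key step is ever reached.
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature signature = fac.unmarshalXMLSignature(ctx);
        for (Object o : signature.getSignedInfo().getReferences()) {
            Reference ref = (Reference) o;
            boolean digestOk = ref.validate(ctx);
            System.out.println("SignedInfo reference " + ref.getURI() + " digest ok: " + digestOk);
        }
    }
}
```

Compile and run with `javac ReferenceCheck.java && java ReferenceCheck receipt.xml`. On a well-formed AS4 receipt like the ones above the first line should report two ds:Reference elements in the document but only one inside ds:SignedInfo; if the loop then prints `#id-1 digest ok: false` while the receipt's own ds:Reference never appears, the failure is in canonicalising the eb:Messaging subtree (namespace declarations, the InclusiveNamespaces PrefixList, or whitespace changed in transit) rather than in the signature value or the certificate. The messages in this thread sign with rsa-sha1 and sha1 digests; recent JDKs reject SHA-1 based XML signatures under their default secure validation policy, so an old test fixture can start failing for that reason alone.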

