ws-users mailing list archives

From Mike O'Connell <mca...@gmail.com>
Subject Re: Signature verification failure with loose ds:Reference in payload.
Date Mon, 05 Dec 2011 10:53:51 GMT
Hi Colm, 

Wss4j - 1.6.3
Metro - 2.1.1 
bcprov - jre6 145

Apologies, copy-and-paste error:

In AS4 the spec allows for a receipt to contain the ds:Reference (URI AS4-1340DA8B82E-C7F0C@000000000_1)
element of the message previously received for verification purposes. However I suspect that
the signature validation process picks this reference up and fails when attempting to verify
the ds:Reference (URI id-1) in the ds:Signature element. 

Can someone confirm that it's either omitting the ds:Reference (URI AS4-1340DA8B82E-C7F0C@000000000_1)
from the check and thus failing the verification, or that it's attempting to verify that ds:Reference
(URI AS4-1340DA8B82E-C7F0C@000000000_1).

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
env:mustUnderstand="true">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="env"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-1">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="env"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>HnREEHPpyGEBGy/AHduJbNLdfc38B7nnGmb0uUIYBE9luH81uhFbX00tbjL5/+KDkUVi5MfUtDYW
5bOs4dA1i04f8jKsubjw46O1DNPAblAM1aEy1PRGDQsg4S7E4n7JGfSZdn6KcOppWAWE2xsanxC7
izdd/BjfOThcmNXyU0k=</ds:SignatureValue>
        <ds:KeyInfo Id="KI-6C1B8765799420834813230790910795">
          <wsse:SecurityTokenReference wsu:Id="STR-6C1B8765799420834813230790910796">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
                <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
    <eb:Messaging xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="id-1">
      <eb:SignalMessage>
        <eb:MessageInfo>
          <eb:Timestamp>2011-12-05T09:58:11.056Z</eb:Timestamp>
          <eb:MessageId>FMS-A-20111205-115809.534-0.9578405727393108@999999999</eb:MessageId>
          <eb:RefToMessageId>AS4-1340DA8B82E-C7F0C@000000000</eb:RefToMessageId>
        </eb:MessageInfo>
        <eb:Receipt>
          <ebbpsig:NonRepudiationInformation xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
            <ebbpsig:MessagePartNRInformation>
              <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#" URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="ds ebbpsig env wsu"/>
                  </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
              </ds:Reference>
            </ebbpsig:MessagePartNRInformation>
          </ebbpsig:NonRepudiationInformation>
        </eb:Receipt>
      </eb:SignalMessage>
    </eb:Messaging>
  </env:Header>
  <env:Body/>
</env:Envelope>
[DEBUG] WSSecurityEngine - enter processSecurityHeader()
[DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
[DEBUG] SignatureProcessor - Found signature element
[DEBUG] SignatureTrustValidator - Transmitted certificate has subject C=ZA,CN=localhost
[DEBUG] SignatureTrustValidator - Transmitted certificate has issuer C=ZA,CN=localhost (serial
1305901688879)
[DEBUG] SignatureTrustValidator - Direct trust for certificate with C=ZA,CN=localhost
[DEBUG] SignatureProcessor - Verify XML Signature
[DEBUG] SignatureProcessor - XML Signature verification has failed
[DEBUG] SignatureProcessor - Signature Validation check: true
[DEBUG] SignatureProcessor - Reference #id-1 check: false
Security Error: : The signature or decryption was invalid


On 05 Dec 2011, at 12:33 PM, Colm O hEigeartaigh wrote:

> Hi Mike,
> 
> Firstly, what version of WSS4J are you using?
> 
> Secondly, I don't understand your explanation, e.g. where is "id-5" in
> the message you posted? Is the signature referring to another message
> that was previously received?
> 
> Colm.
> 
> On Mon, Dec 5, 2011 at 9:59 AM, Mike O'Connell <mcanix@gmail.com> wrote:
>> Hi All
>> 
>> I'm having some signature verification issues when receiving a signed
>> message (using the AS4 specification).
>> 
>> In AS4 the spec allows for a receipt to contain the ds:Reference
>> (URI AS4-1340D972B85-751B2@000000000_1) element of the message previously
>> received for verification purposes. However I suspect that the signature
>> validation process picks this reference up and fails when attempting to
>> verify the ds:Reference (URI id-5) in the ds:Signature element.
>> 
>> Can someone confirm that it's either omitting the ds:Reference
>> (URI AS4-1340D972B85-751B2@000000000_1) from the check and thus failing the
>> verification, or that it's attempting to verify that ds:Reference
>> (URI AS4-1340D972B85-751B2@000000000_1).
>> 
>> I've tried digging through the source, but can't find where the reference
>> list is built or where the DOMXMLSignatureFactory.unmarshalXMLSignature
>> implementation is as per:
>> 
>> XMLSignature xmlSignature = signatureFactory.unmarshalXMLSignature(context);
>> 
>> Please see logs (and message) below...
>> 
>> Thanks,
>> 
>> Mike
>> 
>> 
>> 
>> 
>> 
>> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
>> <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
>>   <env:Header>
>>     <wsse:Security
>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> env:mustUnderstand="true">
>>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>> Id="SIG-2">
>>         <ds:SignedInfo>
>>           <ds:CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>             <ec:InclusiveNamespaces
>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>>           </ds:CanonicalizationMethod>
>>           <ds:SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>           <ds:Reference URI="#id-1">
>>             <ds:Transforms>
>>               <ds:Transform
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>                 <ec:InclusiveNamespaces
>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
>>               </ds:Transform>
>>             </ds:Transforms>
>>             <ds:DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>             <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
>>           </ds:Reference>
>>         </ds:SignedInfo>
>> 
>> <ds:SignatureValue>HnREEHPpyGEBGy/AHduJbNLdfc38B7nnGmb0uUIYBE9luH81uhFbX00tbjL5/+KDkUVi5MfUtDYW
>> 5bOs4dA1i04f8jKsubjw46O1DNPAblAM1aEy1PRGDQsg4S7E4n7JGfSZdn6KcOppWAWE2xsanxC7
>> izdd/BjfOThcmNXyU0k=</ds:SignatureValue>
>>         <ds:KeyInfo Id="KI-6C1B8765799420834813230790910795">
>>           <wsse:SecurityTokenReference
>> wsu:Id="STR-6C1B8765799420834813230790910796">
>>             <ds:X509Data>
>>               <ds:X509IssuerSerial>
>>                 <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
>>                 <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
>>               </ds:X509IssuerSerial>
>>             </ds:X509Data>
>>           </wsse:SecurityTokenReference>
>>         </ds:KeyInfo>
>>       </ds:Signature>
>>     </wsse:Security>
>>     <eb:Messaging
>> xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> wsu:Id="id-1">
>>       <eb:SignalMessage>
>>         <eb:MessageInfo>
>>           <eb:Timestamp>2011-12-05T09:58:11.056Z</eb:Timestamp>
>> 
>> <eb:MessageId>FMS-A-20111205-115809.534-0.9578405727393108@999999999</eb:MessageId>
>> 
>> <eb:RefToMessageId>AS4-1340DA8B82E-C7F0C@000000000</eb:RefToMessageId>
>>         </eb:MessageInfo>
>>         <eb:Receipt>
>>           <ebbpsig:NonRepudiationInformation
>> xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
>>             <ebbpsig:MessagePartNRInformation>
>>               <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>> URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
>>                 <ds:Transforms>
>>                   <ds:Transform
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>                     <ec:InclusiveNamespaces
>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds ebbpsig
>> env wsu"/>
>>                   </ds:Transform>
>>                 </ds:Transforms>
>>                 <ds:DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> 
>> <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
>>               </ds:Reference>
>>             </ebbpsig:MessagePartNRInformation>
>>           </ebbpsig:NonRepudiationInformation>
>>         </eb:Receipt>
>>       </eb:SignalMessage>
>>     </eb:Messaging>
>>   </env:Header>
>>   <env:Body/>
>> </env:Envelope>
>> 
>>  Performing Security header verification
>> [DEBUG] WSSecurityEngine - enter processSecurityHeader()
>> [DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
>> [DEBUG] SignatureProcessor - Found signature element
>> [DEBUG] SignatureTrustValidator - Transmitted certificate has subject
>> C=ZA,CN=localhost
>> [DEBUG] SignatureTrustValidator - Transmitted certificate has issuer
>> C=ZA,CN=localhost (serial 1305901688879)
>> [DEBUG] SignatureTrustValidator - Direct trust for certificate with
>> C=ZA,CN=localhost
>> [DEBUG] SignatureProcessor - Verify XML Signature
>> [DEBUG] SignatureProcessor - XML Signature verification has failed
>> [DEBUG] SignatureProcessor - Signature Validation check: true
>> [DEBUG] SignatureProcessor - Reference #id-1 check: false
>> Security Error: : The signature or decryption was invalid
> 
> 
> 
> -- 
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com
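An added example for readers of this thread (it is not code from the thread or from WSS4J): it runs the same JSR-105 (javax.xml.crypto.dsig) validation that WSS4J's SignatureProcessor delegates to, reports each ds:Reference's expected and computed digest separately, and saves the canonicalised bytes behind a failed digest so they can be diffed against the sender's. It assumes the receipt has been saved to a file and the sender's certificate is available in a JKS keystore (the message only carries issuer and serial); the argument names and file names are hypothetical. Since only the ds:Signature element is unmarshalled, the ds:Reference inside eb:Receipt never enters the reference list, which is consistent with the log above checking a single reference, #id-1.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.util.Base64;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class ReferenceCheck {
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    public static void main(String[] args) throws Exception {
        // Assumed inputs (not from the thread): the receipt XML file and a JKS keystore holding the sender's cert
        String xmlPath = args[0], ksPath = args[1], ksPass = args[2], alias = args[3];
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Document doc = dbf.newDocumentBuilder().parse(Files.newInputStream(Paths.get(xmlPath)));
        // Without a schema wsu:Id is not ID-typed; register it so URI="#id-1" can be dereferenced
        // (WSS4J does the equivalent internally).
        NodeList all = doc.getElementsByTagNameNS("*", "*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (e.hasAttributeNS(WSU, "Id")) e.setIdAttributeNS(WSU, "Id", true);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(ksPath))) { ks.load(in, ksPass.toCharArray()); }
        // Only the ds:Signature element is unmarshalled, so only the ds:Reference elements under
        // its ds:SignedInfo are verified; the ds:Reference inside eb:Receipt is ordinary payload.
        Element sigEl = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(ks.getCertificate(alias).getPublicKey(), sigEl);
        ctx.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE); // keep the digested bytes
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        System.out.println("core validity: " + sig.validate(ctx)
            + ", SignatureValue: " + sig.getSignatureValue().validate(ctx));
        for (Object o : sig.getSignedInfo().getReferences()) {
            Reference ref = (Reference) o;
            boolean ok = ref.validate(ctx); // digest check for this one reference only
            System.out.println("Reference " + ref.getURI() + " ok=" + ok + " expected="
                + Base64.getEncoder().encodeToString(ref.getDigestValue()) + " computed="
                + Base64.getEncoder().encodeToString(ref.getCalculatedDigestValue()));
            if (!ok) { // save the canonicalised bytes that were digested, to diff against the sender's
                try (InputStream c14n = ref.getDigestInputStream()) {
                    Files.copy(c14n, Paths.get("ref-" + ref.getURI().substring(1) + ".c14n"), StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
    }
}
```

A "computed" digest that differs from "expected" while SignatureValue validates means the signed bytes of the id-1 element changed in transit or are canonicalised differently on each side (for example a namespace declaration inherited or not under the exc-c14n PrefixList), and the saved .c14n file shows exactly what was hashed.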

