From Mike O'Connell <mca...@gmail.com>
Subject Signature verification failure with loose ds:Reference in payload.
Date Mon, 05 Dec 2011 09:59:06 GMT
Hi All

I'm having some signature verification issues when receiving a signed message (using the AS4
specification).

In AS4 the spec allows for a receipt to contain the ds:Reference (URI AS4-1340D972B85-751B2@000000000_1)
element of the message previously received for verification purposes. However, I suspect that
the signature validation process picks this reference up and fails when attempting to verify
the ds:Reference (URI id-5) in the ds:Signature element.

Can someone confirm that it's either omitting the ds:Reference (URI AS4-1340D972B85-751B2@000000000_1)
from the check and thus failing the verification, or that it's attempting to verify that ds:Reference
(URI AS4-1340D972B85-751B2@000000000_1).

I've tried digging through the source, but can't find where the reference list is built or
where the DOMXMLSignatureFactory.unmarshalXMLSignature implementation is as per:

XMLSignature xmlSignature = signatureFactory.unmarshalXMLSignature(context);

Please see logs (and message) below...

Thanks,

Mike

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
env:mustUnderstand="true">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="env"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-1">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="env"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>HnREEHPpyGEBGy/AHduJbNLdfc38B7nnGmb0uUIYBE9luH81uhFbX00tbjL5/+KDkUVi5MfUtDYW
5bOs4dA1i04f8jKsubjw46O1DNPAblAM1aEy1PRGDQsg4S7E4n7JGfSZdn6KcOppWAWE2xsanxC7
izdd/BjfOThcmNXyU0k=</ds:SignatureValue>
        <ds:KeyInfo Id="KI-6C1B8765799420834813230790910795">
          <wsse:SecurityTokenReference wsu:Id="STR-6C1B8765799420834813230790910796">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>C=ZA,CN=localhost</ds:X509IssuerName>
                <ds:X509SerialNumber>1305901688879</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
    <eb:Messaging xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="id-1">
      <eb:SignalMessage>
        <eb:MessageInfo>
          <eb:Timestamp>2011-12-05T09:58:11.056Z</eb:Timestamp>
          <eb:MessageId>FMS-A-20111205-115809.534-0.9578405727393108@999999999</eb:MessageId>
          <eb:RefToMessageId>AS4-1340DA8B82E-C7F0C@000000000</eb:RefToMessageId>
        </eb:MessageInfo>
        <eb:Receipt>
          <ebbpsig:NonRepudiationInformation xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
            <ebbpsig:MessagePartNRInformation>
              <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#" URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="ds ebbpsig env wsu"/>
                  </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
              </ds:Reference>
            </ebbpsig:MessagePartNRInformation>
          </ebbpsig:NonRepudiationInformation>
        </eb:Receipt>
      </eb:SignalMessage>
    </eb:Messaging>
  </env:Header>
  <env:Body/>
</env:Envelope>

 Performing Security header verification
[DEBUG] WSSecurityEngine - enter processSecurityHeader()
[DEBUG] WSSecurityEngine - Processing WS-Security header for '' actor.
[DEBUG] SignatureProcessor - Found signature element
[DEBUG] SignatureTrustValidator - Transmitted certificate has subject C=ZA,CN=localhost
[DEBUG] SignatureTrustValidator - Transmitted certificate has issuer C=ZA,CN=localhost (serial
1305901688879)
[DEBUG] SignatureTrustValidator - Direct trust for certificate with C=ZA,CN=localhost
[DEBUG] SignatureProcessor - Verify XML Signature
[DEBUG] SignatureProcessor - XML Signature verification has failed
[DEBUG] SignatureProcessor - Signature Validation check: true
[DEBUG] SignatureProcessor - Reference #id-1 check: false
Security Error: : The signature or decryption was invalid
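Added diagnostic (not part of the post or of WSS4J) that answers the structural half of the question for the envelope above: only ds:Reference elements under ds:SignedInfo belong to the signature, and the Receipt's ds:Reference sits inside the #id-1 element the signature covers, so it is signed data rather than a verified reference. It runs on a trimmed copy of the posted envelope with plain ElementTree and does not recompute exclusive-c14n digests.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"
ID_ATTRS = (WSU + "Id", "Id")  # wsu:Id on SOAP parts, plain Id on dsig elements

# Trimmed copy of the posted envelope (transforms, KeyInfo and SignatureValue dropped).
ENVELOPE = """<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
 <ds:Signature Id="SIG-2"><ds:SignedInfo><ds:Reference URI="#id-1">
  <ds:DigestValue>hTzK3Dxe8hipjfWH3tQOR0l5mjw=</ds:DigestValue>
 </ds:Reference></ds:SignedInfo></ds:Signature></wsse:Security>
<eb:Messaging xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/" wsu:Id="id-1">
 <eb:SignalMessage><eb:Receipt>
  <ebbpsig:NonRepudiationInformation xmlns:ebbpsig="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0">
   <ebbpsig:MessagePartNRInformation><ds:Reference URI="#AS4-1340DA8B82E-C7F0C@000000000_1">
    <ds:DigestValue>vcd4x2i2Tfn154xINkENUXbRosI=</ds:DigestValue>
   </ds:Reference></ebbpsig:MessagePartNRInformation></ebbpsig:NonRepudiationInformation>
 </eb:Receipt></eb:SignalMessage></eb:Messaging>
</env:Header><env:Body/></env:Envelope>"""

def resolve_uri(root, uri):
    """Resolve a same-document URI ('#id-1') to the element carrying that Id, else None."""
    if not uri or not uri.startswith("#"): return None
    return next((el for el in root.iter() if any(el.get(a) == uri[1:] for a in ID_ATTRS)), None)

def analyze(xml_text):
    """Split ds:Reference elements into those under ds:SignedInfo (the only ones the
    signature verifies) and loose ones elsewhere; report which signed target contains them."""
    root = ET.fromstring(xml_text)
    in_signed_info = {id(e) for si in root.iter(DS + "SignedInfo") for e in si.iter()}
    refs = list(root.iter(DS + "Reference"))
    loose = [r for r in refs if id(r) not in in_signed_info]
    report = {"signed": [], "loose": []}
    for ref in refs:
        uri, target = ref.get("URI"), resolve_uri(root, ref.get("URI"))
        if id(ref) in in_signed_info:
            # loose references sitting under this target are signed *data*: any change to
            # them (whitespace, namespace declarations) changes the target's digest
            covered = [lr.get("URI") for lr in loose
                       if target is not None and any(lr is e for e in target.iter())]
            report["signed"].append({"uri": uri, "resolved": target is not None,
                                     "covers_loose": covered})
        else:  # payload, not part of the signature; it may point outside this document
            report["loose"].append({"uri": uri, "resolved_here": target is not None})
    return report
```

For the posted message this reports one signed reference, #id-1, that resolves to eb:Messaging and covers the Receipt's loose reference, which itself resolves to nothing in this document.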