| From | Sent On | Attachments |
|---|---|---|
| Pollmann, Uta (external) | Dec 9, 2005 4:01 am | |
| Venu | Dec 9, 2005 5:48 am | |
| Venu | Dec 9, 2005 7:39 am | |
| V B Kumar Jayanti | Dec 11, 2005 9:47 pm | |
| Subject: | Re: Signature validation fails for unknown reason | |
|---|---|---|
| From: | Venu (K.Ve...@Sun.COM) | |
| Date: | Dec 9, 2005 5:48:21 am | |
| List: | net.java.dev.jwsdp.users | |
Please set the logger level to FINEST in whatever container you are running JWSDP in; you can also set javax.enterprise.resource.webservices.security.level to FINEST in the JDK logging.properties file. This should dump a detailed log message, and the log message should tell which target is failing.
We will try to use your message to debug.
Thanks, Venu
Pollmann, Uta (external) wrote:
Hi,
We use Sun JWSDP 1.6 for testing interoperability with Datapower XS40. I send a signed Soap request to XS40, it is validated in the box and the response gets signed by XS40. Afterwards the signature is validated by the JWSDP test client.
I have the problem that the validation of the signature in JWSDP fails, although the certificate is correct and found in the client's certificate store. Comparing the signatures produced by Sun and XS40, there are three differences:
1. Sun explicitly uses the namespace ds for all targets of the signature (<ds:Signature>, <ds:SignedInfo> etc.), XS40 uses the default targets <Signature> etc.
The first version is how it is described in the WSS 1.0 standard and Basic Security Profile 1.0. Of course in XML style this should be the same.
2. Sun uses the <InclusiveNamespaces PrefixList="wsse enc env ns0 xsd xsi" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" /> in the CanonicalizationMethod tag, XS40 does not.
3. Sun doesn't explicitly use the Transform tag for all references, XS40 does, but this should not be the problem.
This is the SOAP response I receive in my client:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ns0="http://wsgw.carat.tmobile.de/types"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="Timestamp-05a7b5f5-f16e-43b3-b1c9-0be0b90459f3">
        <wsu:Created>2005-12-09T08:22:54Z</wsu:Created>
      </wsu:Timestamp>
      <wsse:BinarySecurityToken
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
          wsu:Id="SecurityToken-a09c082b-dbb1-4499-9a03-9692e2a9f5f2">
MIIC8zCCAlygAwIBAgIBAjANBgkqhkiG9w0BAQQFADBUMQswCQYDVQQGEwJJTjET
MBEGA1UECBMKU29tZS1TdGF0ZTEMMAoGA1UEChMDU1VOMQwwCgYDVQQLEwNKV1Mx
FDASBgNVBAMTC1Jvb3RDQSAyMDA1MB4XDTA1MDQxMjA1MzcyOVoXDTA2MDQxMjA1
MzcyOVowTzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxDDAKBgNV
BAoTA1NVTjEMMAoGA1UECxMDSldTMQ8wDQYDVQQDEwZTZXJ2ZXIwgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBAMqUq/wPQvZoA6es1gJmkSJB2/5NFO1IHJC3KxCZ
TDsaykbYLPOgJeFHQKouRXz6VLuIOxxqsY9+UBZxvhy2pAiAWS4KtERESYyo450s
/D+Ed6KNnwn+4j7jzyQzlXQpvPr3+Ra0PUQiINIG6R9yURlyz5QZ7jwf1utrj+qw
VvHxAgMBAAGjgdkwgdYwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNT
TCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFCX4Ipff32fGqbOlQ7Lf
xkMb/GyOMHwGA1UdIwR1MHOAFEnXft+E9/6MLG8H5vj1jWdhYuDjoVikVjBUMQsw
CQYDVQQGEwJJTjETMBEGA1UECBMKU29tZS1TdGF0ZTEMMAoGA1UEChMDU1VOMQww
CgYDVQQLEwNKV1MxFDASBgNVBAMTC1Jvb3RDQSAyMDA1ggEAMA0GCSqGSIb3DQEB
BAUAA4GBAEyiGyY6vlzvH1vVmASYKpbPfxOW9TCntY9zA0eaHf9SglFawv69Tw7G
pfH6r3RaAZ8elKIca514riuNlvBBFo4XqopKaYzrqPsjOVHjKysBgSOyv2x0/d/v
MFBCvoiU+AjQPmxIWmYQiiuEGkGtQ3u1+58HZRLS97o+vmKy84OE
      </wsse:BinarySecurityToken>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <Reference URI="#Body-8ad48a6c-288b-4676-9b64-3de3b381f4c2">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>ewCMAHe1ivaqsGb5h/XOo+oYQIo=</DigestValue>
          </Reference>
          <Reference URI="#Timestamp-05a7b5f5-f16e-43b3-b1c9-0be0b90459f3">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>SZf6SxZOxQPIQtzAv9VroMD4s2A=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>mbxOFebwwAUEBqYW+SYtlnJClRr+KMuO5inw690q567++L2Br4ycyhxHw5PwyjiL2SqszKmu5gOhSb1y2Sys/EQxuiVFj5lgLj3MyBxljEClHiQSdpwDZz68kQcpxZc+ppIVxf88mTZqK1p0+IFPdmPCbR27PKZm34wtNGijS5w=</SignatureValue>
        <KeyInfo>
          <wsse:SecurityTokenReference xmlns="">
            <wsse:Reference URI="#SecurityToken-a09c082b-dbb1-4499-9a03-9692e2a9f5f2"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </wsse:Security>
  </soapenv:Header>
  <env:Body wsu:Id="Body-8ad48a6c-288b-4676-9b64-3de3b381f4c2">
    <ans1:getContractInfoByMSISDNResponse xmlns:ans1="http://wsgw.carat.tmobile.de/wsdl">
      <S_GetContractInfoByMSISDNOutputWebService_3>
        <value>
          <admission>1</admission>
          <contractTemplateID>5657</contractTemplateID>
          <isPremium>false</isPremium>
          <isPrepaid>false</isPrepaid>
          <noticeExists>false</noticeExists>
          <ownerId>1</ownerId>
        </value>
      </S_GetContractInfoByMSISDNOutputWebService_3>
    </ans1:getContractInfoByMSISDNResponse>
  </env:Body>
</soapenv:Envelope>
```
In the SecurityEnvironmentHandler, the validate method of the callback returns true.
The error message in the client unfortunately does not give more detailed information than this:

```
1) testCallGetContractInfoByMSISDN(de.tmobile.carat.webservice.security.test.WsdpClientTest)javax.xml.rpc.soap.SOAPFaultException: com.sun.xml.wss.WssSoapFaultException: Signature verification failed
    at com.sun.xml.rpc.security.SecurityPluginUtil.getSOAPFaultException(SecurityPluginUtil.java:411)
    at com.sun.xml.rpc.security.SecurityPluginUtil._preHandlingHook(SecurityPluginUtil.java:183)
    at de.tmobile.services.cprm.contract.contractreadservices.wscli.ContractReadServicesWebService_Stub._preHandlingHook(ContractReadServicesWebService_Stub.java:2013)
    at com.sun.xml.rpc.client.StreamingSender._send(StreamingSender.java:107)
    at de.tmobile.services.cprm.contract.contractreadservices.wscli.ContractReadServicesWebService_Stub.getContractInfoByMSISDN(ContractReadServicesWebService_Stub.java:312)
    at de.tmobile.carat.webservice.security.test.WsdpClientTest.testCallGetContractInfoByMSISDN(WsdpClientTest.java:244)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at de.tmobile.carat.webservice.security.test.WsdpClientTest.main(WsdpClientTest.java:78)
```
I studied the specs and found nothing incorrect in my signature: none of the three details in which the signature differs from the Sun signature style should be a problem.
Uta
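The reply above says the FINEST log should reveal which target is failing. The following is an added example (not code from the thread, from JWSDP or from the XS40) that gets the same answer directly from the standard JSR 105 XML Digital Signature API: it validates the `<Signature>` in a saved copy of the message above and, on failure, reports separately whether the `SignatureValue` or an individual `<Reference>` digest mismatched. The message file, the JKS truststore path, its password and the signer certificate alias are taken from the command line and are assumptions of this example; the signer certificate is looked up in the client truststore, as the original post says it is, rather than parsed out of the `wsse:BinarySecurityToken`.

```java
// ValidateWssSignature.java (added example, not part of the thread or of JWSDP)
// Usage: java ValidateWssSignature response.xml client.jks storepass signerAlias
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class ValidateWssSignature {
    static final String DSIG = XMLSignature.XMLNS; // http://www.w3.org/2000/09/xmldsig#
    static final String WSU =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required: DOM validation matches elements by namespace
        Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(args[0]));

        // wsu:Id is not a DTD/schema ID type, so "#Body-..." and "#Timestamp-..."
        // cannot be dereferenced until every wsu:Id is registered as an ID attribute.
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (e.hasAttributeNS(WSU, "Id")) {
                e.setIdAttributeNS(WSU, "Id", true);
            }
        }

        NodeList sigs = doc.getElementsByTagNameNS(DSIG, "Signature");
        if (sigs.getLength() == 0) {
            throw new IllegalStateException("no Signature element in the xmldsig namespace");
        }

        // Trusted signer certificate from the client truststore (assumed JKS, alias in args[3]).
        // The wsse:SecurityTokenReference in KeyInfo is not understood by JSR 105;
        // a singleton KeySelector ignores KeyInfo and supplies the key we trust.
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream(args[1]), args[2].toCharArray());
        X509Certificate cert = (X509Certificate) ks.getCertificate(args[3]);
        PublicKey signerKey = cert.getPublicKey();

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(
            KeySelector.singletonKeySelector(signerKey), sigs.item(0));
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);

        boolean core = sig.validate(ctx);
        System.out.println("core validation: " + core);
        if (core) {
            return;
        }
        // A bad SignatureValue points at the key or at how SignedInfo was canonicalized;
        // a bad Reference digest points at the transform/canonicalization of that target.
        System.out.println("SignatureValue valid: " + sig.getSignatureValue().validate(ctx));
        for (Iterator<?> it = sig.getSignedInfo().getReferences().iterator(); it.hasNext();) {
            Reference ref = (Reference) it.next();
            boolean ok;
            try {
                ok = ref.validate(ctx);
            } catch (Exception ex) {
                // e.g. an unresolvable URI, reported here rather than swallowed
                ok = false;
                System.out.println("  " + ref.getURI() + ": " + ex);
            }
            System.out.println("reference " + ref.getURI() + " digest valid: " + ok);
        }
    }
}
```

Run it against the pasted response saved to a file. If `SignatureValue valid` is false while both reference digests are true, the problem lies in the key or in how `<SignedInfo>` is canonicalized (which is where the `InclusiveNamespaces` difference from the post would show up); if one `Reference` fails, the mismatch is in that target's exclusive canonicalization. If `wsu:Id` is not registered as an ID attribute, the dereferencer cannot resolve the `#Body-...` URI at all, which is a different failure from a digest mismatch.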