4 messages in net.java.dev.jwsdp.users: Signature validation fails for unknown reason

From                         Sent on
Pollmann, Uta (external)     Dec 9, 2005 4:01 am
Venu                         Dec 9, 2005 5:48 am
Venu                         Dec 9, 2005 7:39 am
V B Kumar Jayanti            Dec 11, 2005 9:47 pm
Subject: Signature validation fails for unknown reason
From: Pollmann, Uta (external) (Uta.@external.t-mobile.de)
Date: Dec 9, 2005 4:01:39 am
List: net.java.dev.jwsdp.users

Hi,

We use Sun JWSDP 1.6 for testing interoperability with a DataPower XS40. I send a signed SOAP request to the XS40, it is validated in the box and the response is signed by the XS40. Afterwards the signature is validated by the JWSDP test client. My problem is that the validation of the signature in JWSDP fails, although the certificate is correct and is found in the client's certificate store. Comparing the signatures produced by Sun and by the XS40, there are three differences:

1. Sun explicitly uses the namespace prefix ds for all elements of the signature (<ds:Signature>, <ds:SignedInfo> etc.); the XS40 uses the default namespace (<Signature> etc.). The first version is how it is described in the WSS 1.0 standard and Basic Security Profile 1.0. Of course in XML terms this should be the same.

2. Sun uses <InclusiveNamespaces PrefixList="wsse enc env ns0 xsd xsi" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/> in the CanonicalizationMethod tag; the XS40 does not.

3. Sun doesn't explicitly use the Transform tag for all references, the XS40 does, but this should not be the problem.

This is the SOAP response I receive in my client:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ns0="http://wsgw.carat.tmobile.de/types"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="Timestamp-05a7b5f5-f16e-43b3-b1c9-0be0b90459f3">
        <wsu:Created>2005-12-09T08:22:54Z</wsu:Created>
      </wsu:Timestamp>
      <wsse:BinarySecurityToken
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
          wsu:Id="SecurityToken-a09c082b-dbb1-4499-9a03-9692e2a9f5f2">MIIC8zCCAlygAwIBAgIBAjANBgkqhkiG9w0BAQQFADBUMQswCQYDVQQGEwJJTjET
MBEGA1UECBMKU29tZS1TdGF0ZTEMMAoGA1UEChMDU1VOMQwwCgYDVQQLEwNKV1Mx
FDASBgNVBAMTC1Jvb3RDQSAyMDA1MB4XDTA1MDQxMjA1MzcyOVoXDTA2MDQxMjA1
MzcyOVowTzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxDDAKBgNV
BAoTA1NVTjEMMAoGA1UECxMDSldTMQ8wDQYDVQQDEwZTZXJ2ZXIwgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBAMqUq/wPQvZoA6es1gJmkSJB2/5NFO1IHJC3KxCZ
TDsaykbYLPOgJeFHQKouRXz6VLuIOxxqsY9+UBZxvhy2pAiAWS4KtERESYyo450s
/D+Ed6KNnwn+4j7jzyQzlXQpvPr3+Ra0PUQiINIG6R9yURlyz5QZ7jwf1utrj+qw
VvHxAgMBAAGjgdkwgdYwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNT
TCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFCX4Ipff32fGqbOlQ7Lf
xkMb/GyOMHwGA1UdIwR1MHOAFEnXft+E9/6MLG8H5vj1jWdhYuDjoVikVjBUMQsw
CQYDVQQGEwJJTjETMBEGA1UECBMKU29tZS1TdGF0ZTEMMAoGA1UEChMDU1VOMQww
CgYDVQQLEwNKV1MxFDASBgNVBAMTC1Jvb3RDQSAyMDA1ggEAMA0GCSqGSIb3DQEB
BAUAA4GBAEyiGyY6vlzvH1vVmASYKpbPfxOW9TCntY9zA0eaHf9SglFawv69Tw7G
pfH6r3RaAZ8elKIca514riuNlvBBFo4XqopKaYzrqPsjOVHjKysBgSOyv2x0/d/v
MFBCvoiU+AjQPmxIWmYQiiuEGkGtQ3u1+58HZRLS97o+vmKy84OE</wsse:BinarySecurityToken>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <Reference URI="#Body-8ad48a6c-288b-4676-9b64-3de3b381f4c2">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>ewCMAHe1ivaqsGb5h/XOo+oYQIo=</DigestValue>
          </Reference>
          <Reference URI="#Timestamp-05a7b5f5-f16e-43b3-b1c9-0be0b90459f3">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>SZf6SxZOxQPIQtzAv9VroMD4s2A=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>mbxOFebwwAUEBqYW+SYtlnJClRr+KMuO5inw690q567++L2Br4ycyhxHw5PwyjiL2SqszKmu5gOhSb1y2Sys/EQxuiVFj5lgLj3MyBxljEClHiQSdpwDZz68kQcpxZc+ppIVxf88mTZqK1p0+IFPdmPCbR27PKZm34wtNGijS5w=</SignatureValue>
        <KeyInfo>
          <wsse:SecurityTokenReference xmlns="">
            <wsse:Reference URI="#SecurityToken-a09c082b-dbb1-4499-9a03-9692e2a9f5f2"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </wsse:Security>
  </soapenv:Header>
  <env:Body wsu:Id="Body-8ad48a6c-288b-4676-9b64-3de3b381f4c2">
    <ans1:getContractInfoByMSISDNResponse xmlns:ans1="http://wsgw.carat.tmobile.de/wsdl">
      <S_GetContractInfoByMSISDNOutputWebService_3>
        <value>
          <admission>1</admission>
          <contractTemplateID>5657</contractTemplateID>
          <isPremium>false</isPremium>
          <isPrepaid>false</isPrepaid>
          <noticeExists>false</noticeExists>
          <ownerId>1</ownerId>
        </value>
      </S_GetContractInfoByMSISDNOutputWebService_3>
    </ans1:getContractInfoByMSISDNResponse>
  </env:Body>
</soapenv:Envelope>

The validation in the SecurityEnvironmentHandler (the validate method of the callback) returns true.

Unfortunately, the error message in the client does not give more detailed information than this:

1) testCallGetContractInfoByMSISDN(de.tmobile.carat.webservice.security.test.WsdpClientTest)
javax.xml.rpc.soap.SOAPFaultException: com.sun.xml.wss.WssSoapFaultException: Signature verification failed
    at com.sun.xml.rpc.security.SecurityPluginUtil.getSOAPFaultException(SecurityPluginUtil.java:411)
    at com.sun.xml.rpc.security.SecurityPluginUtil._preHandlingHook(SecurityPluginUtil.java:183)
    at de.tmobile.services.cprm.contract.contractreadservices.wscli.ContractReadServicesWebService_Stub._preHandlingHook(ContractReadServicesWebService_Stub.java:2013)
    at com.sun.xml.rpc.client.StreamingSender._send(StreamingSender.java:107)
    at de.tmobile.services.cprm.contract.contractreadservices.wscli.ContractReadServicesWebService_Stub.getContractInfoByMSISDN(ContractReadServicesWebService_Stub.java:312)
    at de.tmobile.carat.webservice.security.test.WsdpClientTest.testCallGetContractInfoByMSISDN(WsdpClientTest.java:244)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at de.tmobile.carat.webservice.security.test.WsdpClientTest.main(WsdpClientTest.java:78)

I studied the specs and found nothing incorrect in my signature: none of the three details in which it differs from the Sun signature style should be a problem.

Uta
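For a failure like the one in the post above, the first thing a practitioner wants to know is which step of the verification actually fails: the SignatureValue over SignedInfo (the part that an InclusiveNamespaces difference in the CanonicalizationMethod could influence) or one of the two Reference digests (Body, Timestamp). JWSDP's bare "Signature verification failed" fault hides that. The following is an added example, not code from the original post and not JWSDP/XWSS code; it re-runs the validation of a saved response with the JDK's own javax.xml.crypto (JSR 105) API, available since Java 6 (java.util.Base64 needs Java 8), and reports the result per reference, with both digests when one does not match. The class and helper names and the file argument are assumptions. Two details are specific to WS-Security messages: the Signature element is located by namespace URI, so <Signature xmlns="..."> and <ds:Signature> are handled the same way (difference 1 in the post), and every wsu:Id attribute has to be registered as an ID before the #Body-... and #Timestamp-... URIs can be dereferenced, because DOM does not know wsu:Id is an ID type.

```java
// Added example (not from the original post or from JWSDP): per-Reference
// diagnosis of a WS-Security signature with the JDK's JSR 105 API.
// Class name, key selector and the file argument are assumptions.
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.security.Key;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class WssSignatureDiagnose {
    static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // matching is by namespace URI, not by prefix
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        // args[0]: the raw response as captured on the wire (assumption)
        Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(args[0]));

        // Locate the Signature by namespace URI: <Signature xmlns="..."> and
        // <ds:Signature xmlns:ds="..."> both match, so the prefix difference is irrelevant here.
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            throw new IllegalStateException("expected exactly one Signature, found " + sigs.getLength());
        }

        DOMValidateContext ctx = new DOMValidateContext(new BinarySecurityTokenKeySelector(doc), sigs.item(0));
        // DOM does not treat wsu:Id as an ID type, so "#Body-..." cannot be dereferenced
        // until every wsu:Id attribute is registered as an ID on the validate context.
        NodeList all = doc.getElementsByTagNameNS("*", "*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (e.hasAttributeNS(WSU_NS, "Id")) ctx.setIdAttributeNS(e, WSU_NS, "Id");
        }

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        System.out.println("core validity:       " + sig.validate(ctx));
        // Split the failure: RSA check over canonicalized SignedInfo vs. each Reference digest.
        System.out.println("SignatureValue valid: " + sig.getSignatureValue().validate(ctx));
        for (Object o : sig.getSignedInfo().getReferences()) {
            Reference ref = (Reference) o;
            boolean ok = ref.validate(ctx);
            System.out.println("Reference " + ref.getURI() + " valid: " + ok);
            if (!ok) {
                System.out.println("  digest in message:  " + Base64.getEncoder().encodeToString(ref.getDigestValue()));
                System.out.println("  digest recomputed:  " + Base64.getEncoder().encodeToString(ref.getCalculatedDigestValue()));
            }
        }
    }

    /** Takes the signing key from the wsse:BinarySecurityToken in the header (assumes exactly one). */
    static class BinarySecurityTokenKeySelector extends KeySelector {
        private final Document doc;
        BinarySecurityTokenKeySelector(Document doc) { this.doc = doc; }

        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, AlgorithmMethod method,
                                        XMLCryptoContext context) {
            try {
                NodeList tokens = doc.getElementsByTagNameNS(WSSE_NS, "BinarySecurityToken");
                if (tokens.getLength() != 1) throw new IllegalStateException("expected one BinarySecurityToken");
                byte[] der = Base64.getMimeDecoder().decode(tokens.item(0).getTextContent()); // tolerates line breaks
                final X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                        .generateCertificate(new ByteArrayInputStream(der));
                // Diagnostic only: trusts the certificate carried in the message. A real verifier
                // must chain it to a trusted anchor before accepting the signature.
                return new KeySelectorResult() {
                    public Key getKey() { return cert.getPublicKey(); }
                };
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }
    }
}
```

Run this against the raw bytes captured from the device, not against the text quoted in the mail: the mail client re-wrapped long lines (visible inside the namespace URIs and the base64 token above), and any whitespace change inside a signed element changes its digest. If both Reference digests validate and only the SignatureValue fails, the problem lies in the canonicalization of SignedInfo; if a Reference fails, the two printed digests tell you which element to canonicalize by hand and compare.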