Brian,

You are right. I have tested the attached wss4j.jar file too and I had success. My client can now produce a message that the .NET client understands. The signature should be right, because the .NET WebService now doesn't respond with the exception (Signature invalid).
I have built 2 messages, one with the new and one with the "old" wss4j.jar, and attached them. The old one, which doesn't work:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
      <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="usernameTokenId-12455463">
        <wsse:Username>usuario3</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">senha3</wsse:Password>
        <wsu:Created>2005-07-05T14:10:26Z</wsu:Created>
        <wsse:Nonce>yOBObBQ+sbevlt2XM0Xukg==</wsse:Nonce>
      </wsse:UsernameToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenv wsa xsd xsi"></ec:InclusiveNamespaces>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"></ds:SignatureMethod>
          <ds:Reference URI="#id-7866553">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsa xsd xsi"></ec:InclusiveNamespaces>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>PmQSgFYbhiZciP5F6CRT5MZOPPk=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-3874052">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenv wsa wsse xsd xsi"></ec:InclusiveNamespaces>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>jcRns/iJ1hxPJZEqUt1DIG0iDdo=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-15606519">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsd xsi"></ec:InclusiveNamespaces>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>TB1t5JzPv1WQ4uMX05qKqIl2s9o=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-3779465">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsd xsi"></ec:InclusiveNamespaces>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>erDZuYXo9WJn29GSh6Kood6guzw=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-2929821">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsd xsi"></ec:InclusiveNamespaces>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>QbIGZGq03FxN6tA2aE9d11/hvh0=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-17160330">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsd xsi"></ec:InclusiveNamespaces>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>Y4vVT5KZ9FKbXLumKcaqvHaWhHM=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>aLSM1mbqLMfNLKPVoi7dRqeVMT4=</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-26956311">
          <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-9734221">
            <wsse:Reference URI="#usernameTokenId-12455463" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken"></wsse:Reference>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-3874052">
        <wsu:Created>2005-07-05T14:10:26Z</wsu:Created>
        <wsu:Expires>2005-07-05T14:15:26Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
    <wsa:MessageID xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-3779465" soapenv:mustUnderstand="0">uuid:8912a6f0-ed5e-11d9-8c80-a1e4097e4740</wsa:MessageID>
    <wsa:To xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-17160330" soapenv:mustUnderstand="0">http://localhost:8080/WebServiceGMC/webservicegmc.asmx</wsa:To>
    <wsa:Action xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-15606519" soapenv:mustUnderstand="0">http://localhost/WebServiceGMC/webservicegmc.asmx?op=getClientes</wsa:Action>
    <wsa:From xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-2929821" soapenv:mustUnderstand="0">
      <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
    </wsa:From>
  </soapenv:Header>
  <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-7866553">
    <anunciar xmlns="http://weg.net/service">
      <ns1:usuario xmlns:ns1="http://weg.net/service/">1234</ns1:usuario>
    </anunciar>
  </soapenv:Body>
</soapenv:Envelope>

------------------------------------------------------

and the new one, working:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
      <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="usernameTokenId-32956236">
        <wsse:Username>usuario3</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">senha3</wsse:Password>
        <wsu:Created>2005-07-08T18:21:20Z</wsu:Created>
        <wsse:Nonce>RKPwh5ELWCBqUa0FhZtP9A==</wsse:Nonce>
      </wsse:UsernameToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"></ds:SignatureMethod>
          <ds:Reference URI="#id-9734221">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>FaQ7O3MS6a3e82I/jsfOhoDL+2M=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-867695">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>HinR+8MaMcU59CYiC25On0mv67U=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-20727434">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>YmbgnQ/0F+mxw9s3NrOibFvRj8w=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-3874052">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>iGemJhTiJd71u03JJWG22tLwfQ4=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-15606519">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>3m17MdDRPyAuUKi93W08Xdh2XQg=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-3779465">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>4Tb0yMaDPpAwiQXVpXdfJYWmvR0=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-2929821">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>t0XvlW4iqR3Qo2SirI+6sqkG4gk=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>Q1NqxNLzcBL4wIjc6UToVyJ6+Kc=</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-19583390">
          <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-2780950">
            <wsse:Reference URI="#usernameTokenId-32956236" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken"></wsse:Reference>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-20727434">
        <wsu:Created>2005-07-08T18:21:20Z</wsu:Created>
        <wsu:Expires>2005-07-08T18:26:20Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
    <wsa:MessageID xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-3874052" soapenv:mustUnderstand="0">uuid:14e28260-efdd-11d9-a841-a743b9d3b3f7</wsa:MessageID>
    <wsa:To xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-2929821" soapenv:mustUnderstand="0">http://localhost:8080/WebServiceGMC/webservicegmc.asmx</wsa:To>
    <wsa:Action xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-867695" soapenv:mustUnderstand="0">http://localhost/WebServiceGMC/webservicegmc.asmx?op=getClientes</wsa:Action>
    <wsa:From xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-3779465" soapenv:mustUnderstand="0">
      <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
    </wsa:From>
    <wsa:ReplyTo xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-15606519" soapenv:mustUnderstand="0">
      <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
    </wsa:ReplyTo>
  </soapenv:Header>
  <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-9734221">
    <anunciar xmlns="http://weg.net/service">
      <ns1:usuario xmlns:ns1="http://weg.net/service/">1234</ns1:usuario>
    </anunciar>
  </soapenv:Body>
</soapenv:Envelope>
-----------------------------------------------------------------------

Now we have an example to work on. I have already compared them with each other. The main difference I found was the "CanonicalizationMethod" tag and the "Transform" tag of the "Transforms" tags. Perhaps that is where the problems are?!?!?

Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, 8 July 2005 07:59
To: Dittmann, Werner; Steve Behrendt
Cc: Gürkan Vural; Granqvist, Hans; [email protected]
Subject: Re: AW: AW: order of sign and encr in .NET

Werner, Gürkan and David,

Since Steve's post to the list concerning his problems using wss4j with UsernameToken Signature I've looked at it again. My personal conclusion is that it once worked, but that in the meantime it's become broken. At the present time I can't say when exactly. I've tried various versions of wss4j, axis and bouncycastle and the only way I can get it working is by using an older version of wss4j that I built. I've attached it, so you can try it out and hopefully have a request come through.

Regards
Brian

> Gürkan,
>
> is this a real log of the request? If I save the file and try
> to open it with an XML editor it fails because of a non-well-formed
> document. Looking at it with emacs I see some line breaks
> at unusual points, e.g. in the middle of an element name.
>
> I'm not sure if this is due to e-mail transport or similar.
> But because you sent it as an attachment I would suspect that is
> not the case.
>
> Can you verify this?
>
> Regards,
> Werner
>
>> -----Original Message-----
>> From: Gürkan Vural [mailto:[EMAIL PROTECTED]
>> Sent: Friday, 8 July 2005 11:06
>> To: Dittmann, Werner
>> Cc: Granqvist, Hans; [email protected]
>> Subject: Re: AW: order of sign and encr in .NET
>>
>> sorry wss4j can verify all elements but not the final signature value. It
>> processes all elements in the correct order. I am trying to verify the
>> username token signature with the
>> http://www.w3.org/2000/09/xmldsig#hmac-sha1 algorithm. I can
>> verify what I send to biztalk but not from biztalk. In the attachment there is a
>> sample soap message. Can anyone try to verify this?
>>
>> --
>> gurkan
>>
>> Dittmann, Werner wrote:
>>
>>> Gürkan,
>>>
>>> to me it seems a problem of BizTalk and/or the .Net WSE
>>> implementation. According to the OASIS WSS specification,
>>> chapter 5:
>>>
>>> <quote>
>>> As elements are added to a <wsse:Security> header block,
>>> they SHOULD be prepended to the existing elements. As such,
>>> the <wsse:Security> header block represents the signing and
>>> encryption steps the message producer took to create the message.
>>> This prepending rule ensures that the receiving application can
>>> process sub-elements in the order they appear in the
>>> <wsse:Security> header block, because there will be no forward
>>> dependency among the sub-elements. Note that this specification
>>> does not impose any specific order of processing the
>>> sub-elements. The receiving application can use whatever order
>>> is required.
>>> </quote>
>>>
>>> This means, if the receiver sees an encryption sub-element
>>> before a Signature sub-element it processes encryption first.
>>> The ordering of elements is the _only_ information about the
>>> processing sequence. How could the receiver otherwise
>>> determine that it should first check Signature, then decrypt?
>>>
>>> Maybe you may crosscheck with the MS folks to clarify that?
>>> Are there known problems with BizTalk / .Net WSE? In general
>>> we tested interop with .Net WSE.
>>>
>>> Regards,
>>> Werner
>>>
>>>> -----Original Message-----
>>>> From: Gürkan Vural [mailto:[EMAIL PROTECTED]
>>>> Sent: Friday, 8 July 2005 07:59
>>>> To: Granqvist, Hans
>>>> Cc: [email protected]
>>>> Subject: Re: order of sign and encr in .NET
>>>>
>>>> Granqvist, Hans wrote:
>>>>
>>>>>> ... biztalk outputs
>>>>>> DataReference above Signature element and this causes
>>>>>> decryption before signature and sign validation fails because
>>>>>> decryption changes the value of body element.
>>>>>
>>>>> Is it you or biztalk that implies processing order from
>>>>> the element order?
>>>>>
>>>>> Hans
>>>>
>>>> Whatever order I send data to Biztalk it processes correctly.
>>>> Because my java client (wss4j) puts the headers of the last operation above
>>>> the others. However Biztalk always sends DataReference above Signature element and
>>>> my java client (wss4j) first processes the encrypted body so signature
>>>> validation fails.
>>>>
>>>> --
>>>> gurkan
>>>>
>>>> ==========================================================-
>>>> This e-mail communication is intended for the private use of
>>>> the people named above. If you received this message in
>>>> error, please immediately notify the sender and delete it
>>>> from your system. The Central Bank of The Republic of Turkey
>>>> does not accept legal responsibility for the contents of this message.
>>>>
>>
>
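The difference Steve spotted between the two messages, and the element-order point Werner quotes from the WSS specification, are both things one wants to check mechanically before guessing at a cause. The script below is an added example written for this thread; it is not code from the list, from wss4j or from any of the posters. It parses a WS-Security envelope with the standard library, summarises ds:SignedInfo (canonicalization algorithm, any ec:InclusiveNamespaces PrefixList on the CanonicalizationMethod or on a Reference's Transform, the digest method, and whether each Reference URI resolves to a wsu:Id in the message) and lists the children of wsse:Security in document order. The two envelopes it runs on are constructed, shortened stand-ins for Steve's old and new messages (same layout, far fewer references, placeholder digest and signature values); the function names, the sample ids and the `PLACEHOLDER=` strings are all assumptions of this example.

```python
"""Inspect ds:SignedInfo in a WS-Security header: which canonicalization
parameters each reference uses, and whether every reference resolves."""
import xml.etree.ElementTree as ET

# Namespace URIs used by the WS-Security 1.0 messages in the thread.
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "ec": "http://www.w3.org/2001/10/xml-exc-c14n#",
}
WSU_ID = "{%s}Id" % NS["wsu"]          # Clark-notation attribute key for wsu:Id
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"


def _local(tag):
    """Strip the {namespace} part of an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def _prefix_list(elem):
    """PrefixList of an ec:InclusiveNamespaces child, or None when absent."""
    inc = elem.find("ec:InclusiveNamespaces", NS)
    return None if inc is None else inc.get("PrefixList", "").split()


def signed_info_report(soap_xml):
    """Summarise the first ds:Signature inside the wsse:Security header."""
    root = ET.fromstring(soap_xml)
    ids = {e.get(WSU_ID): e for e in root.iter() if e.get(WSU_ID)}
    security = root.find("soapenv:Header/wsse:Security", NS)
    si = security.find("ds:Signature/ds:SignedInfo", NS)
    c14n = si.find("ds:CanonicalizationMethod", NS)
    refs = []
    for ref in si.findall("ds:Reference", NS):
        uri = ref.get("URI", "")
        target = ids.get(uri[1:]) if uri.startswith("#") else None
        refs.append({
            "uri": uri,
            "target": None if target is None else _local(target.tag),
            "transforms": [(t.get("Algorithm"), _prefix_list(t))
                           for t in ref.findall("ds:Transforms/ds:Transform", NS)],
            "digest_method": ref.find("ds:DigestMethod", NS).get("Algorithm"),
        })
    return {
        "security_children": [_local(c.tag) for c in security],  # document order
        "c14n": (c14n.get("Algorithm"), _prefix_list(c14n)),
        "signature_method": si.find("ds:SignatureMethod", NS).get("Algorithm"),
        "references": refs,
    }


def inclusive_namespace_uses(report):
    """Every place SignedInfo carries an exc-c14n PrefixList: (where, prefixes)."""
    uses = []
    alg, plist = report["c14n"]
    if alg == EXC_C14N and plist is not None:
        uses.append(("CanonicalizationMethod", plist))
    for ref in report["references"]:
        for alg, plist in ref["transforms"]:
            if alg == EXC_C14N and plist is not None:
                uses.append((ref["uri"], plist))
    return uses


def dangling_references(report):
    """URIs whose wsu:Id target is missing; a verifier cannot digest those."""
    return [r["uri"] for r in report["references"] if r["target"] is None]


def _inc(prefixes):
    """Constructed helper: an InclusiveNamespaces element, or nothing."""
    if prefixes is None:
        return ""
    return '<ec:InclusiveNamespaces xmlns:ec="%s" PrefixList="%s"/>' % (EXC_C14N, prefixes)


def sample_envelope(c14n_prefixes, body_prefixes):
    """Constructed, shortened stand-in for the thread's messages (placeholder digests)."""
    return """<soapenv:Envelope xmlns:soapenv="{soapenv}" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
 <soapenv:Header>
  <wsse:Security xmlns:wsse="{wsse}" soapenv:mustUnderstand="1">
   <wsse:UsernameToken xmlns:wsu="{wsu}" wsu:Id="usernameTokenId-1"><wsse:Username>usuario3</wsse:Username></wsse:UsernameToken>
   <ds:Signature xmlns:ds="{ds}"><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="{ec}">{c14n}</ds:CanonicalizationMethod>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
    <ds:Reference URI="#id-body"><ds:Transforms><ds:Transform Algorithm="{ec}">{body}</ds:Transform></ds:Transforms>
     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>PLACEHOLDER=</ds:DigestValue></ds:Reference>
    <ds:Reference URI="#id-ts"><ds:Transforms><ds:Transform Algorithm="{ec}"/></ds:Transforms>
     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>PLACEHOLDER=</ds:DigestValue></ds:Reference>
   </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue></ds:Signature>
   <wsu:Timestamp xmlns:wsu="{wsu}" wsu:Id="id-ts"><wsu:Created>2005-07-08T18:21:20Z</wsu:Created></wsu:Timestamp>
  </wsse:Security>
 </soapenv:Header>
 <soapenv:Body xmlns:wsu="{wsu}" wsu:Id="id-body"><anunciar xmlns="http://weg.net/service"/></soapenv:Body>
</soapenv:Envelope>""".format(c14n=_inc(c14n_prefixes), body=_inc(body_prefixes), **NS)


FAILING_MSG = sample_envelope("soapenv wsa", "wsa")  # shaped like Steve's old message
WORKING_MSG = sample_envelope(None, None)             # shaped like the new one

if __name__ == "__main__":
    for name, msg in (("old", FAILING_MSG), ("new", WORKING_MSG)):
        rep = signed_info_report(msg)
        print(name, rep["security_children"], inclusive_namespace_uses(rep), dangling_references(rep))
```

Run it and the "old" envelope reports a PrefixList on the CanonicalizationMethod and on the Body reference, while the "new" one reports none; that is Steve's observation, extracted automatically. The check matters because a PrefixList changes the octets that exclusive canonicalization produces (namespace declarations for the listed prefixes are emitted as inclusive c14n would emit them), so when two stacks disagree on how to honour it, every digest and the final HMAC over SignedInfo mismatch even though nothing else about the message is wrong. The `security_children` list is the order Werner's quoted spec text says a receiver may process the header in, so it is the first thing to look at for the sign-then-encrypt ordering problem Gürkan describes.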
