Brian, Steve, all,

Looking at it I see the difference. Some time ago one of the
contributors implemented some additions to be WS-I compliant.
This "InclusiveNamespace" stuff is due to this, and as it turned
out WSE is not yet ready to handle this. Due to this there is
a boolean in WSSConfig.java (wsiBSPCompliant). If this boolean
is true WSS4J works in WS-I compliant mode; setting it to false
WSS4J works as before.

Can you crosscheck and give it a try?

Thanks,
Werner

Steve Behrendt wrote:
Brian,

You are right. I have tested the attached wss4j.jar file too and I had
success. My client now can produce a message that the .NET client understands.
The signature should be right, because the .NET WebService now doesn't respond
with the Exception (Signature invalid).

I have built 2 messages, one with the new and one with the "old" wss4j.jar,
and attached them.

The old one, which doesn't work:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        soapenv:mustUnderstand="1">
      <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          wsu:Id="usernameTokenId-12455463">
        <wsse:Username>usuario3</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">senha3</wsse:Password>
        <wsu:Created>2005-07-05T14:10:26Z</wsu:Created>
        <wsse:Nonce>yOBObBQ+sbevlt2XM0Xukg==</wsse:Nonce>
      </wsse:UsernameToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenv wsa xsd xsi"></ec:InclusiveNamespaces>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"></ds:SignatureMethod>
          <ds:Reference URI="#id-7866553">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsa xsd xsi"></ec:InclusiveNamespaces>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>PmQSgFYbhiZciP5F6CRT5MZOPPk=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-3874052">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenv wsa wsse xsd xsi"></ec:InclusiveNamespaces>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>jcRns/iJ1hxPJZEqUt1DIG0iDdo=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-15606519">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsd xsi"></ec:InclusiveNamespaces>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>TB1t5JzPv1WQ4uMX05qKqIl2s9o=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-3779465">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsd xsi"></ec:InclusiveNamespaces>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>erDZuYXo9WJn29GSh6Kood6guzw=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-2929821">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsd xsi"></ec:InclusiveNamespaces>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>QbIGZGq03FxN6tA2aE9d11/hvh0=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-17160330">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsd xsi"></ec:InclusiveNamespaces>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>Y4vVT5KZ9FKbXLumKcaqvHaWhHM=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>aLSM1mbqLMfNLKPVoi7dRqeVMT4=</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-26956311">
          <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
              wsu:Id="STRId-9734221">
            <wsse:Reference URI="#usernameTokenId-12455463"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken"></wsse:Reference>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          wsu:Id="id-3874052">
        <wsu:Created>2005-07-05T14:10:26Z</wsu:Created>
        <wsu:Expires>2005-07-05T14:15:26Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
    <wsa:MessageID xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="id-3779465"
        soapenv:mustUnderstand="0">uuid:8912a6f0-ed5e-11d9-8c80-a1e4097e4740</wsa:MessageID>
    <wsa:To xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="id-17160330"
        soapenv:mustUnderstand="0">http://localhost:8080/WebServiceGMC/webservicegmc.asmx</wsa:To>
    <wsa:Action xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="id-15606519"
        soapenv:mustUnderstand="0">http://localhost/WebServiceGMC/webservicegmc.asmx?op=getClientes</wsa:Action>
    <wsa:From xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="id-2929821" soapenv:mustUnderstand="0">
      <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
    </wsa:From>
  </soapenv:Header>
  <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="id-7866553">
    <anunciar xmlns="http://weg.net/service">
      <ns1:usuario xmlns:ns1="http://weg.net/service/">1234</ns1:usuario>
    </anunciar>
  </soapenv:Body>
</soapenv:Envelope>

------------------------------------------------------

and the new one, which works:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        soapenv:mustUnderstand="1">
      <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          wsu:Id="usernameTokenId-32956236">
        <wsse:Username>usuario3</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">senha3</wsse:Password>
        <wsu:Created>2005-07-08T18:21:20Z</wsu:Created>
        <wsse:Nonce>RKPwh5ELWCBqUa0FhZtP9A==</wsse:Nonce>
      </wsse:UsernameToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"></ds:SignatureMethod>
          <ds:Reference URI="#id-9734221">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>FaQ7O3MS6a3e82I/jsfOhoDL+2M=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-867695">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>HinR+8MaMcU59CYiC25On0mv67U=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-20727434">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>YmbgnQ/0F+mxw9s3NrOibFvRj8w=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-3874052">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>iGemJhTiJd71u03JJWG22tLwfQ4=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-15606519">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>3m17MdDRPyAuUKi93W08Xdh2XQg=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-3779465">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>4Tb0yMaDPpAwiQXVpXdfJYWmvR0=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-2929821">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>t0XvlW4iqR3Qo2SirI+6sqkG4gk=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>Q1NqxNLzcBL4wIjc6UToVyJ6+Kc=</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-19583390">
          <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
              wsu:Id="STRId-2780950">
            <wsse:Reference URI="#usernameTokenId-32956236"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken"></wsse:Reference>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          wsu:Id="id-20727434">
        <wsu:Created>2005-07-08T18:21:20Z</wsu:Created>
        <wsu:Expires>2005-07-08T18:26:20Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
    <wsa:MessageID xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="id-3874052"
        soapenv:mustUnderstand="0">uuid:14e28260-efdd-11d9-a841-a743b9d3b3f7</wsa:MessageID>
    <wsa:To xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="id-2929821"
        soapenv:mustUnderstand="0">http://localhost:8080/WebServiceGMC/webservicegmc.asmx</wsa:To>
    <wsa:Action xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="id-867695"
        soapenv:mustUnderstand="0">http://localhost/WebServiceGMC/webservicegmc.asmx?op=getClientes</wsa:Action>
    <wsa:From xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="id-3779465" soapenv:mustUnderstand="0">
      <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
    </wsa:From>
    <wsa:ReplyTo xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="id-15606519" soapenv:mustUnderstand="0">
      <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
    </wsa:ReplyTo>
  </soapenv:Header>
  <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="id-9734221">
    <anunciar xmlns="http://weg.net/service">
      <ns1:usuario xmlns:ns1="http://weg.net/service/">1234</ns1:usuario>
    </anunciar>
  </soapenv:Body>
</soapenv:Envelope>

-----------------------------------------------------------------------

Now we have an example to work on. I have already compared them with each other.
The main difference I found was the "CanonicalizationMethod" tag and the "Transform" tag within the "Transforms" tags.
Perhaps that is where the problems are?!?!?

Steve
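Steve's comparison above points at the InclusiveNamespaces PrefixList inside CanonicalizationMethod and Transform, and Werner's reply at the top ties it to the wsiBSPCompliant flag. The following is an added example, not code from the thread, from WSS4J or from WSE: a reduced exclusive-C14N serializer (elements, attributes and text only) run over a constructed envelope shaped like the two messages. It shows that the canonical form, and therefore the SHA-1 DigestValue, of the same wsu:Timestamp element changes as soon as a PrefixList pulls ancestor namespace declarations into the serialization; a verifier that does not honour the PrefixList computes the other digest and reports the signature invalid. The envelope, its wsu:Id values and all function names are constructed for the example.

```python
"""Reduced exclusive XML canonicalization (exc-c14n) with InclusiveNamespaces
PrefixList support. Added example, not WSS4J code: handles elements,
attributes and text only (no comments, PIs or xml:* attribute inheritance)."""
import base64
import hashlib
from xml.dom import minidom


def _escape_text(s):
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace("\r", "&#xD;"))


def _escape_attr(s):
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace('"', "&quot;")
             .replace("\t", "&#x9;").replace("\n", "&#xA;").replace("\r", "&#xD;"))


def _prefix_of(qname):
    return qname.split(":", 1)[0] if ":" in qname else ""


def _in_scope_namespaces(elem):
    """prefix -> URI for every namespace declared on elem or an ancestor."""
    chain, node = [], elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        chain.append(node)
        node = node.parentNode
    scope = {}
    for node in reversed(chain):              # outermost first, inner wins
        for name, value in node.attributes.items():
            if name == "xmlns":
                scope[""] = value
            elif name.startswith("xmlns:"):
                scope[name[6:]] = value
    return scope


def exc_c14n(elem, prefix_list=(), rendered=None):
    """Serialize elem in exclusive-C14N form. A namespace declaration is emitted
    only if its prefix is visibly utilized by the element or one of its
    attributes, or named in prefix_list (the InclusiveNamespaces PrefixList),
    and was not already emitted by an ancestor with the same URI."""
    rendered = dict(rendered or {})
    scope = _in_scope_namespaces(elem)
    used = {_prefix_of(elem.tagName)}
    attrs = []
    for name, value in elem.attributes.items():
        if name == "xmlns" or name.startswith("xmlns:"):
            continue                          # namespace nodes are handled below
        if ":" in name:
            used.add(_prefix_of(name))
        attrs.append((name, value))
    used.update(p for p in prefix_list if p in scope)

    ns_decls = []
    for p in sorted(used):                    # default namespace ("") sorts first
        uri = scope.get(p, "" if p == "" else None)
        if uri is None or rendered.get(p, "" if p == "" else None) == uri:
            continue
        ns_decls.append((p, uri))
        rendered[p] = uri

    def attr_key(item):                       # sort by (namespace URI, local name)
        p = _prefix_of(item[0])
        return (scope.get(p, "") if p else "", item[0].split(":")[-1])

    out = ["<", elem.tagName]
    for p, uri in ns_decls:
        out.append(' xmlns="%s"' % _escape_attr(uri) if p == ""
                   else ' xmlns:%s="%s"' % (p, _escape_attr(uri)))
    for name, value in sorted(attrs, key=attr_key):
        out.append(' %s="%s"' % (name, _escape_attr(value)))
    out.append(">")
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out.append(exc_c14n(child, prefix_list, rendered))
        elif child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            out.append(_escape_text(child.data))
    out.append("</%s>" % elem.tagName)
    return "".join(out)


def digest_value(canonical):
    """Base64 SHA-1 of the canonical bytes, the content of <ds:DigestValue>."""
    return base64.b64encode(hashlib.sha1(canonical.encode("utf-8")).digest()).decode("ascii")


def find_by_wsu_id(doc, wsu_id):
    """Resolve a <ds:Reference URI="#..."> target through its wsu:Id attribute."""
    for elem in doc.getElementsByTagName("*"):
        if elem.getAttribute("wsu:Id") == wsu_id:
            return elem
    raise KeyError(wsu_id)


def canonical_forms(xml_text, wsu_id, prefix_list):
    """Return (plain exc-c14n, exc-c14n with PrefixList) of the referenced element."""
    elem = find_by_wsu_id(minidom.parseString(xml_text), wsu_id)
    return exc_c14n(elem), exc_c14n(elem, prefix_list)


# Constructed envelope shaped like the thread's messages; ids and values are made up.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          wsu:Id="id-timestamp-1">
        <wsu:Created>2005-07-05T14:10:26Z</wsu:Created>
        <wsu:Expires>2005-07-05T14:15:26Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="id-body-1">
    <anunciar xmlns="http://weg.net/service"><ns1:usuario xmlns:ns1="http://weg.net/service/">1234</ns1:usuario></anunciar>
  </soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    plain, with_list = canonical_forms(SAMPLE, "id-timestamp-1",
                                       ["soapenv", "wsa", "wsse", "xsd", "xsi"])
    print("plain exc-c14n digest:   ", digest_value(plain))
    print("with PrefixList digest:  ", digest_value(with_list))
    print(with_list.splitlines()[0])
```

The two start tags printed for the Timestamp differ only in the xmlns declarations the PrefixList drags in from the Envelope and Security ancestors, which is enough to change the digest; the WS-I BSP mode of the old jar emits exactly such lists, so a peer that ignores them cannot reproduce the digests.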


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, 8 July 2005 07:59
To: Dittmann, Werner; Steve Behrendt
Cc: Gürkan Vural; Granqvist, Hans; [email protected]
Subject: Re: AW: AW: order of sign and encr in .NET


Werner, Gürkan and David,

Since Steve's post to the list concerning his problems using wss4j with
UsernameToken Signature I've looked at it again. My personal conclusion is
that it once worked, but that in the meantime it's become broken. At the
present time I can't say when exactly. I've tried various versions of
wss4j, axis and bouncycastle and the only way I can get it working is by
using an older version of wss4j that I built. I've attached it, so you can
try it out and hopefully have a request come through.

Regards Brian






Gürkan,

is this a real log of the request? If I save the file and try
to open it with an XML editor it fails because of a non-well-formed
document. Looking at it with emacs I see some line breaks
at unusual points, e.g. in the middle of an element name.

I'm not sure if this is due to e-mail transport or similar.
But because you sent it as an attachment I would suspect that is
not the case.

Can you verify this?

Regards,
Werner


-----Original Message-----
From: Gürkan Vural [mailto:[EMAIL PROTECTED]
Sent: Friday, 8 July 2005 11:06
To: Dittmann, Werner
Cc: Granqvist, Hans; [email protected]
Subject: Re: AW: order of sign and encr in .NET


Sorry, wss4j can verify all elements but not the final signature value. It
processes all elements in the correct order. I am trying to verify a
username token signature with the
http://www.w3.org/2000/09/xmldsig#hmac-sha1 algorithm. I can verify what
I send to BizTalk but not what comes from BizTalk. In the attachment there is a
sample SOAP message. Can anyone try to verify this?

--
gurkan

Dittmann, Werner wrote:


Gürkan,

to me it seems a problem of BizTalk and/or the .Net WSE
implementation. According to the OASIS WSS specification,
chapter 5:

<quote>
As elements are added to a <wsse:Security> header block,
they SHOULD be prepended to the existing elements. As such,
the <wsse:Security> header block represents the signing and
encryption steps the message producer took to create the message.
This prepending rule ensures that the receiving application can
process sub-elements in the order they appear in the
<wsse:Security> header block, because there will be no forward
dependency among the sub-elements. Note that this specification
does not impose any specific order of processing the
sub-elements. The receiving application can use whatever order
is required.
</quote>

This means, if the receiver sees an encryption sub-element
before a Signature sub-element it processes encryption first.
The ordering of elements is the _only_ information about the
processing sequence. How could the receiver otherwise
determine that it should first check the Signature, then decrypt?

Maybe you could crosscheck with the MS folks to clarify that?
Are there known problems with BizTalk / .Net WSE? In general
we tested interop with .Net WSE.

Regards,
Werner
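The prepend rule Werner quotes from OASIS WSS chapter 5 is easiest to see in a small model. The following is an added example, not WSS4J, BizTalk or WSE code: a producer applies sign and encrypt steps to a body and records each step in the Security header, either by prepending as the specification says or by appending; a receiver then consumes the header in document order, since that order is the only hint it has. The failing run is the situation Gürkan describes: the signature was computed over the encrypted body, but the DataReference sits above the Signature, so the receiver decrypts first and verifies against bytes the signer never saw. The keys, the body and the XOR stand-in for XML Encryption are constructed placeholders so the model runs offline; HMAC-SHA1 is used because that is the SignatureMethod in the thread.

```python
"""Model of the WSS prepend rule for <wsse:Security> sub-elements.
Added example, not WSS4J or BizTalk code. HMAC-SHA1 stands in for the
UsernameToken signature; the XOR stream below is a placeholder for XML
Encryption that only exists to make the model reversible."""
import hashlib
import hmac

SIGN_KEY = b"constructed-signing-key"         # placeholder for the token-derived key
ENC_KEY = b"constructed-encryption-key"       # placeholder for the session key
BODY = b"<soapenv:Body>1234</soapenv:Body>"   # constructed body


def _keystream(key, length):
    # SHA-256 counter-mode keystream: deterministic and reversible, toy only.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(data, key=ENC_KEY):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


decrypt = encrypt  # XOR with the same keystream undoes itself


def sign(data, key=SIGN_KEY):
    return hmac.new(key, data, hashlib.sha1).digest()


def verify(data, mac, key=SIGN_KEY):
    return hmac.compare_digest(sign(data, key), mac)


def produce(body, steps, prepend=True):
    """Producer: apply steps ('sign' / 'encrypt') in order and record each in
    the header. prepend=True is the spec behaviour (newest element first);
    prepend=False appends, the ordering the thread reports from BizTalk.
    Returns (header, payload); header is a list of (element name, value)."""
    header, payload = [], body
    for step in steps:
        if step == "sign":
            entry = ("Signature", sign(payload))
        elif step == "encrypt":
            payload = encrypt(payload)
            entry = ("ReferenceList", None)   # DataReference pointing at the body
        else:
            raise ValueError("unknown step %r" % step)
        if prepend:
            header.insert(0, entry)
        else:
            header.append(entry)
    return header, payload


def consume(header, payload):
    """Receiver: handle sub-elements in document order, which is all the
    information it has about the producer's sequence.
    Returns (signature_ok, recovered_payload)."""
    ok = True
    for element, value in header:
        if element == "ReferenceList":
            payload = decrypt(payload)
        elif element == "Signature":
            ok = ok and verify(payload, value)
    return ok, payload


def scenario(steps, prepend=True):
    """Run producer then receiver; report the header order, whether the
    signature verified, and whether the original body was recovered."""
    header, payload = produce(BODY, steps, prepend)
    ok, recovered = consume(header, payload)
    return [element for element, _ in header], ok, recovered == BODY


if __name__ == "__main__":
    for steps, prepend in [(["sign", "encrypt"], True),
                           (["encrypt", "sign"], True),
                           (["encrypt", "sign"], False)]:
        print(steps, "prepend" if prepend else "append", "->", scenario(steps, prepend))
```

Both prepended runs verify, whichever operation came first, because the header order tells the receiver which layer to peel off first; the appended run recovers the body but fails the signature, which is the symptom reported against BizTalk.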




-----Original Message-----
From: Gürkan Vural [mailto:[EMAIL PROTECTED]
Sent: Friday, 8 July 2005 07:59
To: Granqvist, Hans
Cc: [email protected]
Subject: Re: order of sign and encr in .NET


Granqvist, Hans wrote:




... BizTalk outputs the DataReference above the Signature element and this
causes decryption before signature, and signature validation fails because
decryption changes the value of the body element.





Is it you or biztalk that implies processing order from
the element order?

Hans





Whatever order I send data to BizTalk it processes correctly, because my
java client (wss4j) puts the headers of the last operation above the others.
However BizTalk always sends the DataReference above the Signature element,
and my java client (wss4j) first processes the encrypted body, so signature
validation fails.

--
gurkan

==========================================================-
This e-mail communication is intended for the private use of
the people named above. If you received this message in
error, please immediately notify the sender and delete it
from your system. The Central Bank of The Republic of Turkey
does not accept legal responsibility for the contents of
this message.




