That's a common misunderstanding. C14n does not remove
blanks, tabs, etc. that are not inside an XML tag. C14n
inserts and orders namespaces, removes superfluous blanks
etc. _inside_ tags. Characters that are outside tags (e.g.
blanks/tabs inserted to do pretty printing) count as
content. The receiving part cannot know if these blanks/tabs
were inserted before or after the Signature was calculated.

Regards,
Werner
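
Werner's point above, shown with an added example that is not part of the thread: the standard-library C14N 2.0 implementation in Python 3.8+ (ET.canonicalize) normalizes attribute order and quoting inside tags, but keeps the whitespace text nodes that pretty-printing inserts between tags, so the reference digest a verifier computes over the canonical form no longer matches. The element names, namespace and values are constructed for the illustration.

```python
import hashlib
from xml.etree import ElementTree as ET

# Constructed sample: the <Body> as the sender signed it. The namespace
# "urn:example" and the element/attribute names are assumptions.
SIGNED = ('<Body xmlns="urn:example">'
          '<Order currency=\'EUR\'  id="42"><Item>widget</Item></Order>'
          '</Body>')

# Same infoset, but attributes reordered and re-quoted *inside* the tag:
# this is the kind of difference C14n is designed to erase.
TAG_VARIANT = ('<Body xmlns="urn:example">'
               '<Order id="42" currency="EUR"><Item>widget</Item></Order>'
               '</Body>')

# What a pretty-printer produces *after* signing: newlines and indentation
# between the tags. These are text nodes, i.e. document content.
PRETTY = ('<Body xmlns="urn:example">\n'
          '  <Order currency="EUR" id="42">\n'
          '    <Item>widget</Item>\n'
          '  </Order>\n'
          '</Body>')


def c14n(xml_text: str, strip_text: bool = False) -> str:
    """Canonicalize with the stdlib C14N 2.0 writer (Python 3.8+)."""
    return ET.canonicalize(xml_text, strip_text=strip_text)


def reference_digest(xml_text: str) -> str:
    """Digest of the canonical form, as an XML-DSig <Reference> carries it
    (SHA-256 here; the algorithm does not matter for the point)."""
    return hashlib.sha256(c14n(xml_text).encode("utf-8")).hexdigest()


def digest_still_matches(signed: str, received: str) -> bool:
    """Verifier's check: does the received message canonicalize to the
    same digest the signer computed?"""
    return reference_digest(signed) == reference_digest(received)


if __name__ == "__main__":
    print(c14n(SIGNED))
    print(c14n(PRETTY))
    print("inside-tag changes survive c14n:", digest_still_matches(SIGNED, TAG_VARIANT))
    print("pretty-printing survives c14n:  ", digest_still_matches(SIGNED, PRETTY))
```

Only the signer can avoid this, by not touching the serialized bytes after signing (the disablePrettyXML parameter in the quoted WSDD is the Axis-side switch); a verifier that stripped whitespace on its own would have to guess whether that whitespace was part of the signed content.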

> -----Original Message-----
> From: Guy Rixon [mailto:[EMAIL PROTECTED]
> Sent: Friday, 24 February 2006 14:26
> To: Dittmann, Werner
> Cc: Benjamin BALET; [email protected]
> Subject: Re: AW: WSE / WSS4J / X509 secure Webservice
> 
> On Fri, 24 Feb 2006, Dittmann, Werner wrote:
> 
> > Yes, pretty printing after Signature definitely invalidates the
> > Signature.
> >
> > Regards,
> > Werner
> 
> OK, that's useful to know; thanks. But I thought that the canonicalization of
> the message, before signature and again when the signature is checked, is
> supposed to avoid this. Maybe Axis doesn't do the canonicalization?
> 
> >
> > ________________________________
> >
> >     From: Benjamin BALET [mailto:[EMAIL PROTECTED]
> >     Sent: Friday, 24 February 2006 11:15
> >     To: [email protected]
> >     Subject: WSE / WSS4J / X509 secure Webservice
> >
> >     Hello,
> >
> >     Has anyone succeeded in making a .Net WebService client (WSE)
> >     work with WSS4J?
> >
> >     On the server my WSDD config is:
> >
> >     <deployment xmlns="http://xml.apache.org/axis/wsdd/"
> >                 xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
> >       <globalConfiguration>
> >         <parameter name="enableNamespacePrefixOptimization" value="false" />
> >         <parameter name="disablePrettyXML" value="true"/>
> >         <requestFlow>
> >           <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
> >             <parameter name="passwordCallbackClass"
> >                        value="com.hp.ov.temip.ws.handler.PWCallback"/>
> >             <parameter name="action"
> >                        value="UsernameTokenSignature UsernameToken Encrypt Timestamp"/>
> >             <parameter name="decryptionPropFile" value="security.properties" />
> >           </handler>
> >         </requestFlow>
> >       </globalConfiguration>
> >     </deployment>
> >
> >
> >     On the client side, I developed, with the WSE 3.0 Policy framework,
> >     the following overridden SecureMessage function:
> >
> >             public override void SecureMessage(SoapEnvelope envelope, Security security)
> >             {
> >                 // Must Understand Headers
> >                 security.MustUnderstand = true;
> >                 security.Timestamp.TtlInSeconds = 60;
> >
> >                 // User Name Token
> >                 UsernameToken userToken = new UsernameToken(m_strUsername, m_strPassword,
> >                                                             PasswordOption.SendPlainText);
> >                 security.Tokens.Add(userToken);
> >
> >                 X509SecurityToken token = null;
> >                 try
> >                 {
> >                     token = GetSecurityToken("CN=10.67.212.35");
> >                 }
> >                 catch (Exception ex)
> >                 {
> >                     throw new Exception("Certificate not found : " + ex.Message);
> >                 }
> >
> >                 // Define a custom X509 token
> >                 ISecurityTokenManager stm =
> >                     SecurityTokenManager.GetSecurityTokenManagerByTokenType(WSTrust.TokenTypes.X509v3);
> >                 X509SecurityTokenManager x509tm = stm as X509SecurityTokenManager;
> >                 x509tm.DefaultKeyAlgorithm = "RSA15";
> >                 x509tm.DefaultSessionKeyAlgorithm = "TripleDES";
> >
> >                 //security.Elements.Add(new EncryptedData(token)); // Uncommenting this line will encrypt the Body
> >
> >                 // Add the token to the SOAP header.
> >                 security.Tokens.Add(token); // Insert the token being used into the header
> >
> >                 // Add Message Signature
> >                 MessageSignature sig = new MessageSignature(userToken);
> >                 sig.SignatureOptions = SignatureOptions.IncludeSoapBody;
> >                 security.Elements.Add(sig);
> >
> >                 // Insert the encrypted UsernameToken
> >                 security.Elements.Add(new EncryptedData(token, "#" + userToken.Id));
> >             }
> >
> >     In the TOMCAT logs, I can see that WSS4J is able to:
> >      - retrieve my certificate with its public key
> >      - decrypt the UserNameToken
> >
> >     But the signature verification fails. Some say that it could be due
> >     to a pretty-print component that alters the SOAP message after
> >     the signature; if so, how do I deactivate such a pretty-printer?
> >
> >     __________________
> >     Benjamin BALET
> >     Capgemini France
> >     http://bbalet.free.fr/
> >
> 
> Guy Rixon                                     [EMAIL PROTECTED]
> Institute of Astronomy                        Tel: +44-1223-337542
> Madingley Road, Cambridge, UK, CB3 0HA        Fax: +44-1223-337523
>
