[ 
https://issues.apache.org/jira/browse/CXF-6310?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14371970#comment-14371970
 ] 

AKROUR commented on CXF-6310:
-----------------------------

Hello,

Thank you for your quick answer. The SOAP request declares a namespace that, I think, may be used as metadata for the proxy. Unfortunately client logs are not available, so I cannot check the canonicalization of the request.
Do you know how I could reproduce/simulate the wrong canonicalization including the added namespace, to prove that the issue is a client issue? A Java library or an online tool?

Best Regards,
K





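As an added illustration of the simulation asked for above (not code from the issue, CXF or WSS4J), the following minimal Python canonicalizer covers elements, attributes and text, which is all the signed Body contains. It renders a constructed sample Body once with exclusive c14n, which drops the unused xmlns:prx declaration exactly as the "Pre-digested input" in the log shows, and once with inclusive c14n, which keeps it, then computes the SHA-1/Base64 DigestValue of each; a client whose expected digest matches only the inclusive form is not applying the xml-exc-c14n transform it declares in SignedInfo.

```python
import base64, hashlib
from xml.dom import XMLNS_NAMESPACE, minidom

WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
# Constructed sample modelled on the received Body in the issue (not byte-exact);
# xmlns:prx is declared on echoRequest but never used by an element or attribute.
RECEIVED_BODY = (
    '<soap-env:Body xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/" '
    'wsu:Id="part-Body-21" xmlns:wsu="%s"><n1:echoRequest '
    'xmlns:n1="http://schema.echo.ws.highdeal.com/" '
    'xmlns:prx="urn:sap.com:proxy:EMI:/1SAI/TAS36028FAD870EA3A21C56:740">String 1'
    "</n1:echoRequest></soap-env:Body>"
) % WSU_NS

def _esc(s, attr):
    # Character escaping for text nodes and attribute values per Canonical XML.
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace("\r", "&#xD;")
    if attr:
        return s.replace('"', "&quot;").replace("\t", "&#x9;").replace("\n", "&#xA;")
    return s.replace(">", "&gt;")

def c14n(elem, exclusive, scope=None, rendered=None):
    """Canonical XML without comments, for elements, attributes and text only.
    exclusive=True is xml-exc-c14n; exclusive=False is inclusive c14n."""
    scope, rendered = dict(scope or {}), dict(rendered or {})
    attrs = elem.attributes.values()
    for a in attrs:  # this element's own xmlns declarations extend the scope
        if a.namespaceURI == XMLNS_NAMESPACE:
            scope["" if a.localName == "xmlns" else a.localName] = a.value
    # exc-c14n keeps only namespaces visibly used by the element name or a prefixed
    # attribute; inclusive keeps all in scope; both skip ones an ancestor emitted.
    used = {elem.prefix or ""} | {a.prefix for a in attrs if a.prefix and a.namespaceURI != XMLNS_NAMESPACE}
    ns = {p: u for p, u in scope.items() if (p in used or not exclusive) and rendered.get(p) != u}
    rendered.update(ns)
    out = ["<" + elem.tagName]
    out += [' xmlns%s="%s"' % (":" + p if p else "", _esc(u, True)) for p, u in sorted(ns.items())]
    plain = sorted((a for a in attrs if a.namespaceURI != XMLNS_NAMESPACE),
                   key=lambda a: (a.namespaceURI or "", a.localName))
    out += [' %s="%s"' % (a.name, _esc(a.value, True)) for a in plain] + [">"]
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out.append(c14n(child, exclusive, scope, rendered))
        elif child.nodeType == child.TEXT_NODE:
            out.append(_esc(child.data, False))
    return "".join(out) + "</%s>" % elem.tagName

def body_digests(body_xml):
    """Both canonical forms of the Body with their ds:DigestValue (Base64 of SHA-1)."""
    body = minidom.parseString(body_xml).documentElement
    exc, inc = c14n(body, True), c14n(body, False)
    digest = lambda t: base64.b64encode(hashlib.sha1(t.encode()).digest()).decode()
    return {"exclusive": (exc, digest(exc)), "inclusive": (inc, digest(inc))}
```

The same two algorithms are available in Java from Apache Santuario's org.apache.xml.security.c14n.Canonicalizer, the class WSS4J uses underneath, so the comparison can be repeated on the exact bytes the server received.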


> Signature validation of body request fails but it works fine for other 
> request elements
> ---------------------------------------------------------------------------------------
>
>                 Key: CXF-6310
>                 URL: https://issues.apache.org/jira/browse/CXF-6310
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.7.14
>         Environment: WS server running on Windows x64
> WS client on SAP NetWeaver
>            Reporter: AKROUR
>
> When I connect my client (SAP NW) to WS service (CXF 2.7.14) I get the 
> following fault:
> {noformat}
> <faultcode xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:FailedCheck</faultcode>
> <faultstring>The signature or decryption was invalid</faultstring>
> {noformat}
> The WS service authenticates the user via a SAML Token that must have at 
> least a Signed Timestamp and a Signed Body request.
> When I enable the debug logs, we can see that the signature of the Timestamp 
> element is successfully validated by CXF 2.7.14 but the signature of the Body 
> request fails (see following logs):
> {noformat}
>  ....
>  Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
>  isNodeSet() = true
>  Canonicalized SignedInfo:
>  <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
>  <ds:Reference URI="#part-Body-21"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>KDEnVjgujcy0Y7xa54n3BYDn79s=</ds:DigestValue></ds:Reference>
>  <ds:Reference URI="#ts-FA163ECA11051EE4B3E19DFDCA3B3C3E"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>R249Zrff/b1ddHU58u2cZtD7pOI=</ds:DigestValue></ds:Reference>
>  <ds:Reference URI="#str-FA163ECA11051EE4B3E19DFDCA3B7C3E"><ds:Transforms><ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"><wsse:TransformationParameters xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod></wsse:TransformationParameters></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>2fitoKp3/MKG2MMXzV7rNkkTMes=</ds:DigestValue></ds:Reference></ds:SignedInfo>
>  Data to be signed/verified:
>  URIDereferencer class name: 
> org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer
>  Data class name: org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData
>  Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
>  ApacheData = true
>  Pre-digested input:
>  <soap-env:Body xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="part-Body-21"><n1:echoRequest xmlns:n1="http://schema.echo.ws.highdeal.com/">String 1</n1:echoRequest></soap-env:Body>
>  Expected digest: KDEnVjgujcy0Y7xa54n3BYDn79s=
>  Actual digest: y4TKcp+2RCjVy/+c8j+NJERECDw=
>  Reference[#part-Body-21] is valid: false
>  Couldn't validate the References
>  XML Signature verification has failed
>  Signature Validation check: true
>  Reference #part-Body-21 check: false
>  URIDereferencer class name: 
> org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer
>  Data class name: org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData
>  Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
>  ApacheData = true
>  Pre-digested input:
>  <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="ts-FA163ECA11051EE4B3E19DFDCA3B3C3E"><wsu:Created>2015-03-20T14:25:19Z</wsu:Created><wsu:Expires>2015-03-20T14:26:49Z</wsu:Expires></wsu:Timestamp>
>  Expected digest: R249Zrff/b1ddHU58u2cZtD7pOI=
>  Actual digest: R249Zrff/b1ddHU58u2cZtD7pOI=
>  Reference #ts-FA163ECA11051EE4B3E19DFDCA3B3C3E check: true
>  URIDereferencer class name: 
> org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer
>  Data class name: org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData
>  STR: KeyIdentifier
>  Token reference uri: saml-FA163ECA11051EE4B3E19DFDCA3B1C3E
>  Token reference ValueType: 
> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
>  after c14n: <saml:Assertion 
> xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" 
> AssertionID="saml-FA163ECA11051EE4B3E19DFDCA3B1C3E" 
> IssueInstant="2015-03-20T14:25:19Z" Issuer="10.66.140.170" MajorVersion="1" 
> MinorVersion="1"><saml:Conditions NotBefore="2015-03-20T14:25:19Z" 
> NotOnOrAfter="2015-03-20T14:30:19Z"></saml:Conditions><saml:AuthenticationStatement
>  AuthenticationInstant="2015-03-20T14:25:19Z" 
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml:Subject><saml:NameIdentifier
>  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" 
> NameQualifier="">AKROUR</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>
>  last result: 
>  <saml:Assertion xmlns="" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" 
> AssertionID="saml-FA163ECA11051EE4B3E19DFDCA3B1C3E" 
> IssueInstant="2015-03-20T14:25:19Z" Issuer="10.66.140.170" MajorVersion="1" 
> MinorVersion="1"><saml:Conditions NotBefore="2015-03-20T14:25:19Z" 
> NotOnOrAfter="2015-03-20T14:30:19Z"></saml:Conditions><saml:AuthenticationStatement
>  AuthenticationInstant="2015-03-20T14:25:19Z" 
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml:Subject><saml:NameIdentifier
>  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" 
> NameQualifier="">AKROUR</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>
>  Pre-digested input:
>  <saml:Assertion xmlns="" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" 
> AssertionID="saml-FA163ECA11051EE4B3E19DFDCA3B1C3E" 
> IssueInstant="2015-03-20T14:25:19Z" Issuer="10.66.140.170" MajorVersion="1" 
> MinorVersion="1"><saml:Conditions NotBefore="2015-03-20T14:25:19Z" 
> NotOnOrAfter="2015-03-20T14:30:19Z"></saml:Conditions><saml:AuthenticationStatement
>  AuthenticationInstant="2015-03-20T14:25:19Z" 
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml:Subject><saml:NameIdentifier
>  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" 
> NameQualifier="">AKROUR</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>
>  Expected digest: 2fitoKp3/MKG2MMXzV7rNkkTMes=
>  Actual digest: 2fitoKp3/MKG2MMXzV7rNkkTMes=
>  Reference #str-FA163ECA11051EE4B3E19DFDCA3B7C3E check: true
> org.apache.ws.security.WSSecurityException: The signature or decryption was 
> invalid
>       at 
> org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:455)
>       at 
> org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:230)
>       at 
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:402)
> {noformat}
> Note: The request has a namespace
> {noformat}
> xmlns:prx="urn:sap.com:proxy:EMI:/1SAI/TAS36028FAD870EA3A21C56:740"
> {noformat}
> The namespace is removed by the canonicalization of the XML. The received 
> request is:
> {noformat}
> <soap-env:Body wsu:Id="part-Body-21" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><n1:echoRequest xmlns:n1="http://schema.echo.ws.highdeal.com/" xmlns:prx="urn:sap.com:proxy:EMI:/1SAI/TAS36028FAD870EA3A21C56:740">String 1</n1:echoRequest></soap-env:Body>
> {noformat}
> Unfortunately I cannot provide test cases but I can easily reproduce the 
> issue with CXF 2.7.15.
> Do you have any idea of what could happen here?
> Thanks and Best Regards,
> K.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
