[ https://issues.apache.org/jira/browse/CXF-6310?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14371970#comment-14371970 ]
AKROUR commented on CXF-6310:
-----------------------------

Hello, thank you for your quick answer.

The SOAP request declares a namespace that, I think, may be used like metadata for the proxy. Unfortunately client logs are not available, so I cannot check the canonicalization of the request.

Do you know how I could reproduce/simulate the wrong canonicalization including the added namespace, to prove that the issue is a client issue? A Java library or an online tool?

Best Regards,
K

> Signature validation of body request fails but it works fine for other
> request elements
> ---------------------------------------------------------------------------------------
>
> Key: CXF-6310
> URL: https://issues.apache.org/jira/browse/CXF-6310
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.7.14
> Environment: WS server running on Windows x64
>              WS client on SAP NetWeaver
> Reporter: AKROUR
>
> When I connect my client (SAP NW) to the WS service (CXF 2.7.14) I get the
> following fault:
> {noformat}
> <faultcode xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:FailedCheck</faultcode>
> <faultstring>The signature or decryption was invalid</faultstring>
> {noformat}
> The WS service authenticates the user via a SAML Token that must have at
> least a Signed Timestamp and a Signed Body request.
> When I enable the debug logs, we can see that the signature of the Timestamp
> element is successfully validated by CXF 2.7.14 but the signature of the Body
> request fails (see the following logs):
> {noformat}
> ....
> Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
> isNodeSet() = true
> Canonicalized SignedInfo:
> <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#part-Body-21"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>KDEnVjgujcy0Y7xa54n3BYDn79s=</ds:DigestValue></ds:Reference><ds:Reference URI="#ts-FA163ECA11051EE4B3E19DFDCA3B3C3E"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>R249Zrff/b1ddHU58u2cZtD7pOI=</ds:DigestValue></ds:Reference><ds:Reference URI="#str-FA163ECA11051EE4B3E19DFDCA3B7C3E"><ds:Transforms><ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"><wsse:TransformationParameters xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod></wsse:TransformationParameters></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>2fitoKp3/MKG2MMXzV7rNkkTMes=</ds:DigestValue></ds:Reference></ds:SignedInfo>
> Data to be signed/verified:
> URIDereferencer class name: org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer
> Data class name: org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData
> Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
> ApacheData = true
> Pre-digested input:
> <soap-env:Body xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="part-Body-21"><n1:echoRequest xmlns:n1="http://schema.echo.ws.highdeal.com/">String 1</n1:echoRequest></soap-env:Body>
> Expected digest: KDEnVjgujcy0Y7xa54n3BYDn79s=
> Actual digest: y4TKcp+2RCjVy/+c8j+NJERECDw=
> Reference[#part-Body-21] is valid: false
> Couldn't validate the References
> XML Signature verification has failed
> Signature Validation check: true
> Reference #part-Body-21 check: false
> URIDereferencer class name: org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer
> Data class name: org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData
> Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
> ApacheData = true
> Pre-digested input:
> <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="ts-FA163ECA11051EE4B3E19DFDCA3B3C3E"><wsu:Created>2015-03-20T14:25:19Z</wsu:Created><wsu:Expires>2015-03-20T14:26:49Z</wsu:Expires></wsu:Timestamp>
> Expected digest: R249Zrff/b1ddHU58u2cZtD7pOI=
> Actual digest: R249Zrff/b1ddHU58u2cZtD7pOI=
> Reference #ts-FA163ECA11051EE4B3E19DFDCA3B3C3E check: true
> URIDereferencer class name: org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer
> Data class name: org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData
> STR: KeyIdentifier
> Token reference uri: saml-FA163ECA11051EE4B3E19DFDCA3B1C3E
> Token reference ValueType: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
> after c14n: <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="saml-FA163ECA11051EE4B3E19DFDCA3B1C3E" IssueInstant="2015-03-20T14:25:19Z" Issuer="10.66.140.170" MajorVersion="1" MinorVersion="1"><saml:Conditions NotBefore="2015-03-20T14:25:19Z" NotOnOrAfter="2015-03-20T14:30:19Z"></saml:Conditions><saml:AuthenticationStatement AuthenticationInstant="2015-03-20T14:25:19Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="">AKROUR</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>
> last result: <saml:Assertion xmlns="" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="saml-FA163ECA11051EE4B3E19DFDCA3B1C3E" IssueInstant="2015-03-20T14:25:19Z" Issuer="10.66.140.170" MajorVersion="1" MinorVersion="1"><saml:Conditions NotBefore="2015-03-20T14:25:19Z" NotOnOrAfter="2015-03-20T14:30:19Z"></saml:Conditions><saml:AuthenticationStatement AuthenticationInstant="2015-03-20T14:25:19Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="">AKROUR</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>
> Pre-digested input:
> <saml:Assertion xmlns="" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="saml-FA163ECA11051EE4B3E19DFDCA3B1C3E" IssueInstant="2015-03-20T14:25:19Z" Issuer="10.66.140.170" MajorVersion="1" MinorVersion="1"><saml:Conditions NotBefore="2015-03-20T14:25:19Z" NotOnOrAfter="2015-03-20T14:30:19Z"></saml:Conditions><saml:AuthenticationStatement AuthenticationInstant="2015-03-20T14:25:19Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="">AKROUR</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>
> Expected digest: 2fitoKp3/MKG2MMXzV7rNkkTMes=
> Actual digest: 2fitoKp3/MKG2MMXzV7rNkkTMes=
> Reference #str-FA163ECA11051EE4B3E19DFDCA3B7C3E check: true
> org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
>     at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:455)
>     at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:230)
>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:402)
> {noformat}
> Note: The request has a namespace
> {noformat}
> xmlns:prx="urn:sap.com:proxy:EMI:/1SAI/TAS36028FAD870EA3A21C56:740"
> {noformat}
> The namespace is removed by the canonicalization of the XML. The received
> request is:
> {noformat}
> <soap-env:Body wsu:Id="part-Body-21" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><n1:echoRequest xmlns:n1="http://schema.echo.ws.highdeal.com/" xmlns:prx="urn:sap.com:proxy:EMI:/1SAI/TAS36028FAD870EA3A21C56:740">String 1</n1:echoRequest></soap-env:Body>
> {noformat}
> Unfortunately I cannot provide test cases but I can easily reproduce the
> issue with CXF 2.7.15.
> Do you have any idea of what could happen here?
> Thanks and Best Regards,
> K.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
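One way to do what the comment asks, using Apache Santuario (the xmlsec library behind CXF's WSS4J) to canonicalize the quoted Body three ways and compare the resulting SHA-1 DigestValues against the one in the SignedInfo. This is an added example, not code from the issue or the CXF project; it assumes the Santuario 1.5/2.x API in which canonicalizeSubtree returns byte[], and the Envelope it parses is a constructed stand-in for the real received message (soap-env is declared on the Envelope rather than the Body, as it would be on the wire).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.c14n.Canonicalizer;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class C14nDigestCheck {
    // Constructed stand-in for the received message: the Body quoted in the issue,
    // wrapped in a minimal Envelope so that soap-env is declared on an ancestor.
    static final String ENVELOPE =
        "<soap-env:Envelope xmlns:soap-env=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soap-env:Body wsu:Id=\"part-Body-21\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">"
      + "<n1:echoRequest xmlns:n1=\"http://schema.echo.ws.highdeal.com/\""
      + " xmlns:prx=\"urn:sap.com:proxy:EMI:/1SAI/TAS36028FAD870EA3A21C56:740\">String 1</n1:echoRequest>"
      + "</soap-env:Body></soap-env:Envelope>";
    // DigestValue of the #part-Body-21 Reference, taken from the SignedInfo in the issue.
    static final String CLIENT_DIGEST = "KDEnVjgujcy0Y7xa54n3BYDn79s=";

    public static void main(String[] args) throws Exception {
        Init.init(); // Santuario must be initialised before Canonicalizer is used
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(
            new ByteArrayInputStream(ENVELOPE.getBytes(StandardCharsets.UTF_8)));
        Element body = (Element) doc.getElementsByTagNameNS(
            "http://schemas.xmlsoap.org/soap/envelope/", "Body").item(0);
        // 1. exc-c14n, the Transform declared in SignedInfo: the unused xmlns:prx is dropped.
        report("exc-c14n", Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS, body, null);
        // 2. inclusive C14N 1.0: every in-scope declaration, prx included, is emitted.
        report("c14n-1.0", Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS, body, null);
        // 3. exc-c14n with InclusiveNamespaces PrefixList="prx": the conforming way for a
        //    signer to keep prx in the digested bytes while still declaring exc-c14n.
        report("exc-c14n PrefixList=prx", Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS, body, "prx");
    }

    static void report(String label, String algorithm, Element el, String prefixList) throws Exception {
        Canonicalizer c14n = Canonicalizer.getInstance(algorithm);
        byte[] canonical = prefixList == null
            ? c14n.canonicalizeSubtree(el) : c14n.canonicalizeSubtree(el, prefixList);
        String digest = Base64.getEncoder().encodeToString(
            MessageDigest.getInstance("SHA-1").digest(canonical));
        System.out.println("[" + label + "] " + new String(canonical, StandardCharsets.UTF_8));
        System.out.println("  DigestValue " + digest
            + (digest.equals(CLIENT_DIGEST) ? "  <- matches the client's DigestValue" : ""));
    }
}
```

Run it over the real received message rather than the constructed Envelope: if only the inclusive form or the PrefixList form reproduces the client's DigestValue, the signer is not applying the exc-c14n transform it declares, and the fix belongs on the client side (apply exc-c14n consistently, or declare the extra prefix in an InclusiveNamespaces PrefixList).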