[ 
https://issues.apache.org/jira/browse/CXF-6310?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14392613#comment-14392613
 ] 

AKROUR commented on CXF-6310:
-----------------------------

Thank you for your help, I've requested the same kind of information from the 
client stack dev team.
If it is exactly the same digest, then the issue is something else. Otherwise 
I'll have to check who has the truth ;). 
I'll keep you informed about my progress.


> Signature validation of body request fails but it works fine for other 
> request elements
> ---------------------------------------------------------------------------------------
>
>                 Key: CXF-6310
>                 URL: https://issues.apache.org/jira/browse/CXF-6310
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.7.14
>         Environment: WS server running on Windows x64
> WS client on SAP NetWeaver
>            Reporter: AKROUR
>
> When I connect my client (SAP NW) to WS service (CXF 2.7.14) I get the 
> following fault:
> {noformat}
> <faultcode xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:FailedCheck</faultcode>
> <faultstring>The signature or decryption was invalid</faultstring>
> {noformat}
> The WS service authenticates the user via a SAML Token that must have at 
> least a Signed Timestamp and a Signed Body request.
> When I enable the debug logs, we can see that the signature of the Timestamp 
> element is successfully validated by CXF 2.7.14 but the signature of the Body 
> request fails (see following logs):
> {noformat}
>  ....
>  Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
>  isNodeSet() = true
>  Canonicalized SignedInfo:
>  <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
>  <ds:Reference URI="#part-Body-21"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>KDEnVjgujcy0Y7xa54n3BYDn79s=</ds:DigestValue></ds:Reference>
>  <ds:Reference URI="#ts-FA163ECA11051EE4B3E19DFDCA3B3C3E"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>R249Zrff/b1ddHU58u2cZtD7pOI=</ds:DigestValue></ds:Reference>
>  <ds:Reference URI="#str-FA163ECA11051EE4B3E19DFDCA3B7C3E"><ds:Transforms><ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"><wsse:TransformationParameters xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod></wsse:TransformationParameters></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>2fitoKp3/MKG2MMXzV7rNkkTMes=</ds:DigestValue></ds:Reference></ds:SignedInfo>
>  Data to be signed/verified:
>  URIDereferencer class name: 
> org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer
>  Data class name: org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData
>  Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
>  ApacheData = true
>  Pre-digested input:
>  <soap-env:Body xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="part-Body-21"><n1:echoRequest xmlns:n1="http://schema.echo.ws.highdeal.com/">String 1</n1:echoRequest></soap-env:Body>
>  Expected digest: KDEnVjgujcy0Y7xa54n3BYDn79s=
>  Actual digest: y4TKcp+2RCjVy/+c8j+NJERECDw=
>  Reference[#part-Body-21] is valid: false
>  Couldn't validate the References
>  XML Signature verification has failed
>  Signature Validation check: true
>  Reference #part-Body-21 check: false
>  URIDereferencer class name: 
> org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer
>  Data class name: org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData
>  Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
>  ApacheData = true
>  Pre-digested input:
>  <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="ts-FA163ECA11051EE4B3E19DFDCA3B3C3E"><wsu:Created>2015-03-20T14:25:19Z</wsu:Created><wsu:Expires>2015-03-20T14:26:49Z</wsu:Expires></wsu:Timestamp>
>  Expected digest: R249Zrff/b1ddHU58u2cZtD7pOI=
>  Actual digest: R249Zrff/b1ddHU58u2cZtD7pOI=
>  Reference #ts-FA163ECA11051EE4B3E19DFDCA3B3C3E check: true
>  URIDereferencer class name: 
> org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer
>  Data class name: org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData
>  STR: KeyIdentifier
>  Token reference uri: saml-FA163ECA11051EE4B3E19DFDCA3B1C3E
>  Token reference ValueType: 
> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
>  after c14n: <saml:Assertion 
> xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" 
> AssertionID="saml-FA163ECA11051EE4B3E19DFDCA3B1C3E" 
> IssueInstant="2015-03-20T14:25:19Z" Issuer="10.66.140.170" MajorVersion="1" 
> MinorVersion="1"><saml:Conditions NotBefore="2015-03-20T14:25:19Z" 
> NotOnOrAfter="2015-03-20T14:30:19Z"></saml:Conditions><saml:AuthenticationStatement
>  AuthenticationInstant="2015-03-20T14:25:19Z" 
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml:Subject><saml:NameIdentifier
>  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" 
> NameQualifier="">AKROUR</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>
>  last result: 
>  <saml:Assertion xmlns="" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" 
> AssertionID="saml-FA163ECA11051EE4B3E19DFDCA3B1C3E" 
> IssueInstant="2015-03-20T14:25:19Z" Issuer="10.66.140.170" MajorVersion="1" 
> MinorVersion="1"><saml:Conditions NotBefore="2015-03-20T14:25:19Z" 
> NotOnOrAfter="2015-03-20T14:30:19Z"></saml:Conditions><saml:AuthenticationStatement
>  AuthenticationInstant="2015-03-20T14:25:19Z" 
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml:Subject><saml:NameIdentifier
>  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" 
> NameQualifier="">AKROUR</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>
>  Pre-digested input:
>  <saml:Assertion xmlns="" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" 
> AssertionID="saml-FA163ECA11051EE4B3E19DFDCA3B1C3E" 
> IssueInstant="2015-03-20T14:25:19Z" Issuer="10.66.140.170" MajorVersion="1" 
> MinorVersion="1"><saml:Conditions NotBefore="2015-03-20T14:25:19Z" 
> NotOnOrAfter="2015-03-20T14:30:19Z"></saml:Conditions><saml:AuthenticationStatement
>  AuthenticationInstant="2015-03-20T14:25:19Z" 
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml:Subject><saml:NameIdentifier
>  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" 
> NameQualifier="">AKROUR</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>
>  Expected digest: 2fitoKp3/MKG2MMXzV7rNkkTMes=
>  Actual digest: 2fitoKp3/MKG2MMXzV7rNkkTMes=
>  Reference #str-FA163ECA11051EE4B3E19DFDCA3B7C3E check: true
> org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
>       at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:455)
>       at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:230)
>       at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:402)
> {noformat}
> Note: The request has a namespace
> {noformat}
> xmlns:prx="urn:sap.com:proxy:EMI:/1SAI/TAS36028FAD870EA3A21C56:740"
> {noformat}
> The namespace is removed by the canonicalization of the XML. The received 
> request is:
> {noformat}
> <soap-env:Body wsu:Id="part-Body-21" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><n1:echoRequest xmlns:n1="http://schema.echo.ws.highdeal.com/" xmlns:prx="urn:sap.com:proxy:EMI:/1SAI/TAS36028FAD870EA3A21C56:740">String 1</n1:echoRequest></soap-env:Body>
> {noformat}
> Unfortunately I cannot provide test cases but I can easily reproduce the 
> issue with CXF 2.7.15.
> Do you have any idea of what could happen here?
> Thanks and Best Regards,
> K.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
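The report's hypothesis, that the unused xmlns:prx declaration is dropped by canonicalization, can be checked offline without the SAP client. The following is an added example, not code from the issue, CXF or WSS4J: it rebuilds the Body part from the log as a constructed stand-alone fragment, canonicalizes it with Python's stdlib xml.etree.ElementTree.canonicalize (Canonical XML 2.0, which like xml-exc-c14n emits only visibly utilized namespace declarations), and computes the base64 SHA-1 DigestValue the verifier would compare. The namespace URIs, wsu:Id and text are the ones in the log; declaring xmlns:soap-env on the fragment itself is an assumption, because the fragment is taken out of its Envelope.

```python
import base64
import hashlib
from xml.etree import ElementTree as ET  # canonicalize() needs Python 3.8+

# Namespace URIs and the wsu:Id taken from the log in the issue.
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
ECHO = "http://schema.echo.ws.highdeal.com/"
PRX = "urn:sap.com:proxy:EMI:/1SAI/TAS36028FAD870EA3A21C56:740"

# Constructed stand-in for the received Body part: attribute order and the
# unused xmlns:prx as in the report. xmlns:soap-env is declared on the
# fragment itself (assumption) because it is taken out of its Envelope.
BODY_RECEIVED = (
    f'<soap-env:Body xmlns:soap-env="{SOAP_ENV}" wsu:Id="part-Body-21" xmlns:wsu="{WSU}">'
    f'<n1:echoRequest xmlns:n1="{ECHO}" xmlns:prx="{PRX}">String 1</n1:echoRequest>'
    "</soap-env:Body>"
)
BODY_WITHOUT_PRX = BODY_RECEIVED.replace(f' xmlns:prx="{PRX}"', "")
# Same Body, but with prx visibly utilized by an attribute (constructed).
BODY_PRX_USED = BODY_RECEIVED.replace("<n1:echoRequest ", '<n1:echoRequest prx:v="1" ')

# "Pre-digested input" for #part-Body-21 exactly as WSS4J printed it in the log.
PRE_DIGESTED_FROM_LOG = (
    f'<soap-env:Body xmlns:soap-env="{SOAP_ENV}" xmlns:wsu="{WSU}" wsu:Id="part-Body-21">'
    f'<n1:echoRequest xmlns:n1="{ECHO}">String 1</n1:echoRequest></soap-env:Body>'
)


def canonicalize_part(fragment: str) -> str:
    """Canonical XML 2.0 via the stdlib: like xml-exc-c14n it keeps only visibly
    utilized namespace declarations, sorted and placed before the attributes."""
    return ET.canonicalize(fragment)


def sha1_b64(data: str) -> str:
    """DigestValue as WSS4J prints it: base64(SHA-1(UTF-8 bytes))."""
    return base64.b64encode(hashlib.sha1(data.encode("utf-8")).digest()).decode("ascii")


def body_digest(fragment: str) -> str:
    """Digest the verifier computes for the Body reference after the exc-c14n transform."""
    return sha1_b64(canonicalize_part(fragment))


def raw_and_canonical_differ(fragment: str) -> bool:
    """True when hashing the bytes as received gives another DigestValue than the
    canonical form: a signer that skipped the transform, or used inclusive c14n
    and so kept xmlns:prx, cannot match the verifier's digest."""
    return sha1_b64(fragment) != body_digest(fragment)
```

The canonical form reproduces the log's Pre-digested input byte for byte whether or not xmlns:prx is present, so the verifier side behaves as the transform specifies; only a signer that hashed a form still carrying the declaration (raw bytes, or inclusive C14N) produces a different Expected digest. Feeding the real Pre-digested input from a debug log to sha1_b64 and comparing with the logged Actual digest confirms which bytes each side hashed.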
