Hello,
I have a service whose responses are signed. The policy attached to this mail 
is active for this service. If the service sends a "normal" signed response, 
the client accepts it and signature verification succeeds. But if the 
service sends a signed service fault, signature verification for the body 
fails in the client. I tried it with a .NET client and also with an Axis2 Java 
client. 
Is there a difference between signing the "normal" response and signing 
a fault? Could this be a problem in the message builder?
I attached the policy, the signed response and the signed fault to this mail.
Greetings
Christian
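<?xml version='1.0' encoding='utf-8'?>
<!-- Sample 1: the signed "normal" response, which the mail reports as verifying
     successfully in the clients. Security header carries a signature only; the
     Body is signed but travels in clear text. -->
   <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://www.w3.org/2005/08/addressing">
      <soapenv:Header>
         <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true">
            <!-- Symmetric signature: HMAC-SHA1 over SignedInfo (exclusive c14n, comments
                 omitted). Three references, each a SHA-1 digest after exclusive c14n:
                   #Id-3296133   resolves to soapenv:Body
                   #id-13580450  resolves to wsa:Action
                   #id-30357264  resolves to wsa:RelatesTo
                 SHA-1 is a legacy digest; it is kept here as posted.
                 The Security header holds no wsu:Timestamp, so the signature binds the
                 reply to a request (via RelatesTo) but not to a creation or expiry time. -->
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-8053093">
               <ds:SignedInfo>
                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
                  <ds:Reference URI="#Id-3296133">
                     <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                     </ds:Transforms>
                     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                     <ds:DigestValue>sJ0LIfcNNTS7wxc4Z0DiQTgNiQM=</ds:DigestValue>
                  </ds:Reference>
                  <ds:Reference URI="#id-13580450">
                     <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                     </ds:Transforms>
                     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                     <ds:DigestValue>1UxogK2jQq7+cMpkCHoPojM87sg=</ds:DigestValue>
                  </ds:Reference>
                  <ds:Reference URI="#id-30357264">
                     <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                     </ds:Transforms>
                     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                     <ds:DigestValue>rWEScIcaSbW3Uw9Bj7k7N2DARis=</ds:DigestValue>
                  </ds:Reference>
               </ds:SignedInfo>
               <ds:SignatureValue>pPl8C8sjie+Vt51HZck5uC8y9I0=</ds:SignatureValue>
               <!-- The key is not carried in the message: KeyInfo points at it by the
                    SHA-1 of an EncryptedKey (ValueType EncryptedKeySHA1). -->
               <ds:KeyInfo Id="KeyId-23325089">
                  <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-8347989">
                     <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1">pUg0Qzg9pZ1SJepi/rjAA0mvIOk=</wsse:KeyIdentifier>
                  </wsse:SecurityTokenReference>
               </ds:KeyInfo>
            </ds:Signature>
         </wsse:Security>
         <wsa:Action xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-13580450">http://test.net/project/wsdl/HelloWorldSecurePortType/helloResponse</wsa:Action>
         <wsa:RelatesTo xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-30357264">urn:uuid:26216d34-fb74-420a-b017-72604b8fe14f</wsa:RelatesTo>
      </soapenv:Header>
      <!-- Signed element for Reference #Id-3296133. Its digest is taken over the
           canonical bytes of everything inside, whitespace included.
           NOTE(review): if the indentation shown here was added for the mail, the
           DigestValue above cannot be re-checked from this listing. -->
      <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-3296133">
         <helloResponse xmlns="http://test.net/project/wsdl/types/helloworldsecure">
            <response>Hello World! This is Chris</response>
         </helloResponse>
      </soapenv:Body>
   </soapenv:Envelope>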
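<?xml version='1.0' encoding='utf-8'?>
<!-- Sample 2: the signed SOAP 1.2 fault. Per the mail, verification of the Body
     reference fails for this message in both the .NET and the Axis2 client. -->
   <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://www.w3.org/2005/08/addressing">
      <soapenv:Header>
         <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true">
            <!-- Same signature layout as the normal response: HMAC-SHA1 over SignedInfo,
                 exclusive c14n, SHA-1 digests. References:
                   #Id-32266719  resolves to soapenv:Body (contains the soapenv:Fault)
                   #id-19969666  resolves to wsa:Action
                   #id-18750117  resolves to wsa:RelatesTo
                 No wsu:Timestamp is present in the Security header. -->
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1396421">
               <ds:SignedInfo>
                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
                  <ds:Reference URI="#Id-32266719">
                     <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                     </ds:Transforms>
                     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                     <ds:DigestValue>+mEQ59bYYbYXbYVQ4ZeMqGsjf/Q=</ds:DigestValue>
                  </ds:Reference>
                  <ds:Reference URI="#id-19969666">
                     <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                     </ds:Transforms>
                     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                     <ds:DigestValue>Fv8wXxdKvYHh2sEoGr6vNS+cNgY=</ds:DigestValue>
                  </ds:Reference>
                  <ds:Reference URI="#id-18750117">
                     <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                     </ds:Transforms>
                     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                     <ds:DigestValue>AynXxpGi2e8P82Xoy/jPslYFAJk=</ds:DigestValue>
                  </ds:Reference>
               </ds:SignedInfo>
               <ds:SignatureValue>DnzS4Bcr17RfFh6My9EINeicJMY=</ds:SignatureValue>
               <!-- Key referenced by the SHA-1 of an EncryptedKey, as in the normal response. -->
               <ds:KeyInfo Id="KeyId-15105042">
                  <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-31164770">
                     <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1">8XIvB+0MiDtEUJ8/sslAslSFCDM=</wsse:KeyIdentifier>
                  </wsse:SecurityTokenReference>
               </ds:KeyInfo>
            </ds:Signature>
         </wsse:Security>
         <wsa:Action xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-19969666">http://test.net/project/wsdl/HelloWorldSecurePortType/throwError/Fault/fault</wsa:Action>
         <wsa:RelatesTo xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-18750117">urn:uuid:639417ad-682b-4718-bab0-3929e6600da1</wsa:RelatesTo>
      </soapenv:Header>
      <!-- Signed element for Reference #Id-32266719. The digest covers the whole Fault
           subtree: the QName text in Code/Value (soapenv:Receiver), the xml:lang
           attribute on Reason/Text, and the serviceFault detail with its default
           namespace declaration.
           NOTE(review): if either side rebuilds the fault between signing and
           verification (different prefix, dropped or reordered namespace declaration,
           changed whitespace), the canonical bytes and therefore the digest differ.
           Comparing the canonicalized Body on sender and receiver would confirm this.
           A failed Body digest should stay a hard verification failure; the fault
           content must not be acted on as authenticated until the digest verifies. -->
      <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-32266719">
         <soapenv:Fault>
            <soapenv:Code>
               <soapenv:Value>soapenv:Receiver</soapenv:Value>
            </soapenv:Code>
            <soapenv:Reason>
               <soapenv:Text xml:lang="en-US">ENFORCED ERROR THROWN CORRECTLY</soapenv:Text>
            </soapenv:Reason>
            <soapenv:Detail>
               <serviceFault xmlns="http://www.test.net/project/xsd/sys/common">
                  <faultcode>99990010</faultcode>
                  <reason>ENFORCED ERROR THROWN CORRECTLY</reason>
                  <node />
                  <detail>ENFORCED ERROR THROWN CORRECTLY</detail>
                  <ctxId>AC1001230000011F4ABA0D2800000007</ctxId>
                  <timestamp>2009-02-06T09:35:21.187+01:00</timestamp>
               </serviceFault>
            </soapenv:Detail>
         </soapenv:Fault>
      </soapenv:Body>
   </soapenv:Envelope>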
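<?xml version="1.0" encoding="UTF-8"?>
<!-- WS-SecurityPolicy (2005/07 namespace) attached to the service: symmetric
     binding, sign-only. There is no sp:EncryptedParts assertion, so bodies are
     integrity-protected but sent in clear text, and no sp:IncludeTimestamp, so
     signed messages carry no wsu:Timestamp for freshness checks. -->
<wsp:Policy wsu:Id="TOKEN_SIGNED"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
            xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <!-- The wsa prefix above is bound to the 2004/08 addressing namespace and is not
       used below; sp:SignedParts names the headers by the 2005/08 namespace URI. -->
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SymmetricBinding>
        <wsp:Policy>
          <!-- X.509 token is never sent in the message; it is referenced by key identifier. -->
          <sp:ProtectionToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                <wsp:Policy>
                  <sp:RequireKeyIdentifierReference/>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:ProtectionToken>
          <!-- Basic256 prescribes SHA-1 as the digest algorithm. SHA-1 is a legacy
               choice; where every party supports it, sp:Basic256Sha256 moves the
               digest to SHA-256. -->
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <!-- Digests must cover the whole Body or a whole header block, never a
               descendant. A verifier should also confirm that each signed reference
               resolves to the Body or header the application actually consumes. -->
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:SymmetricBinding>
      <!-- Supporting token: SAML 1.1 assertion with a 256-bit symmetric key, issued by
           the STS below and sent to the recipient. The issuer address is plain HTTP on
           localhost, which suits a local test; a deployed STS endpoint should be
           reached over TLS. -->
      <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:IssuedToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <Issuer xmlns="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
              <Address xmlns="http://www.w3.org/2005/08/addressing">http://localhost:8080/axis2/services/SecurityToken</Address>
            </Issuer>
            <sp:RequestSecurityTokenTemplate>
              <t:TokenType xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
              <t:KeyType xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
              <t:KeySize xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">256</t:KeySize>
            </sp:RequestSecurityTokenTemplate>
            <wsp:Policy>
              <sp:RequireDerivedKeys/>
              <sp:RequireInternalReference/>
            </wsp:Policy>
          </sp:IssuedToken>
        </wsp:Policy>
      </sp:SupportingTokens>
      <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefThumbprint/>
        </wsp:Policy>
      </sp:Wss11>
      <!-- NOTE(review): sp:MustSupportRefKeyIdentifier is normally a Wss10/Wss11
           assertion; confirm it is intended inside sp:Trust10 as well. -->
      <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportIssuedTokens/>
          <sp:RequireServerEntropy/>
        </wsp:Policy>
      </sp:Trust10>
      <!-- Parts that must be signed when present: the Body and the WS-Addressing
           headers listed here (2005/08 namespace). -->
      <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Body/>
        <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
      </sp:SignedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>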
