RE: Signature verification fails when used with Encryption
-Original Message-
From: Ruchith Fernando [mailto:[EMAIL PROTECTED]
Sent: Friday, November 10, 2006 4:48 AM
To: axis-user@ws.apache.org
Subject: Re: Signature verification fails when used with Encryption

Hi,

Looking at the msg you sent ... the signature seems to be referring to the cert using the subject key identifier. In this case you MUST have the service's cert in the client's keystore and your signaturePropertyFile has to point to that.

Also since there are two timestamp headers ... your action items will have to be as:

Timestamp Signature Encrypt Timestamp

to be able to successfully process the message.

Thanks,
Ruchith

On 11/10/06, Sriram Vaidyanathan <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I am using a Web service-testing tool, which is based on .NET to talk
> to a Web service in Axis2
>
> The web service implements WS-Security using Rampart.
>
> When I set the service
Re: Signature verification fails when used with Encryption
Hi,

Looking at the msg you sent ... the signature seems to be referring to the cert using the subject key identifier. In this case you MUST have the service's cert in the client's keystore and your signaturePropertyFile has to point to that.

Also since there are two timestamp headers ... your action items will have to be as:

Timestamp Signature Encrypt Timestamp

to be able to successfully process the message.

Thanks,
Ruchith

On 11/10/06, Sriram Vaidyanathan <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I am using a Web service-testing tool, which is based on .NET to talk to a Web service in Axis2
>
> The web service implements WS-Security using Rampart.
>
> When I set the service side actions to "Signature Timestamp" or "Encrypt Timestamp" and have my .NET tool send a message with the corresponding security actions, I get a successful response. No problems there…
>
> But when I set the service side actions to "Signature Encrypt Timestamp" and then have the .NET tool to send a message with the same corresponding actions, I get a "Signature verification failed" message.
>
>   org.apache.axis2.AxisFault: WSDoAllReceiver: security processing failed; nested exception is:
>     org.apache.ws.security.WSSecurityException: The signature verification failed
>
> Could it be possible that there is a bug in the .NET based testing tool which when using Encryption along with Signature is messing up the signed content?
>
> Also I see that the tool is adding two Timestamp Headers. Could that be an issue?
>
> Below is the request message from the .NET based testing tool that fails. Any help on this would be appreciated.
>
> Thanks
> Sriram
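
Added example, not part of the thread and not Rampart or WSS4J code: a small Python check that reports the two things the reply reads off the request, namely how many Timestamp elements the wsse:Security header carries and how the Signature refers to its certificate. The function names and the sample envelope are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
X509 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#"

def key_reference(sig):
    """Return how a ds:Signature's KeyInfo points at the signer's certificate."""
    ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference", NS)
    if ref is None:
        return "none"
    if ref.find("wsse:Reference", NS) is not None:
        return "direct-reference"  # points at a BinarySecurityToken in the message
    kid = ref.find("wsse:KeyIdentifier", NS)
    if kid is not None:  # names the cert by an identifier, e.g. X509SubjectKeyIdentifier
        return "key-identifier:" + kid.get("ValueType", "").replace(X509, "")
    if ref.find("ds:X509Data/ds:X509IssuerSerial", NS) is not None:
        return "issuer-serial"
    return "unknown"

def inspect(envelope_xml):
    """Summarise the wsse:Security header: child order, Timestamp count, key reference."""
    sec = ET.fromstring(envelope_xml).find("soap:Header/wsse:Security", NS)
    if sec is None:
        return {"children": [], "timestamps": 0, "key_reference": "none"}
    children = [c.tag.rsplit("}", 1)[-1] for c in sec]  # local names, document order
    sig = sec.find("ds:Signature", NS)
    return {
        "children": children,
        "timestamps": children.count("Timestamp"),
        "key_reference": key_reference(sig) if sig is not None else "none",
    }

# Constructed sample, not the message from the thread: two Timestamps, SKI reference.
SAMPLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
 xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}" xmlns:xenc="{NS['xenc']}">
 <soap:Header><wsse:Security>
  <wsu:Timestamp/><xenc:EncryptedKey/><wsu:Timestamp/>
  <ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference>
   <wsse:KeyIdentifier ValueType="{X509}X509SubjectKeyIdentifier">AAAA</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
 </wsse:Security></soap:Header><soap:Body/></soap:Envelope>"""

if __name__ == "__main__":
    print(inspect(SAMPLE))
```

A key-identifier or issuer-serial result means the reference names the certificate without pointing at a token in the message, which is the case where the reply says the certificate must be in the keystore the signature properties file points to.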