[jira] [Comment Edited] (WSS-588) Server-side signature validation on client fail with only certificate CA is in the client truststore

2016-09-22 Thread Libois Claude (JIRA)

[ 
https://issues.apache.org/jira/browse/WSS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15513627#comment-15513627
 ] 

Libois Claude edited comment on WSS-588 at 9/22/16 3:43 PM:


Thanks for the quick answer!
Deleted previous comment because I have checked in the specs...
To be honest I didn't do anything special to use IssuerSerial reference server side. Do you have any pointer to a wss4j property that would do the trick?
I think it's vital not to set the server certificate because this certificate typically lasts one year while the CA lasts at least 5 years. I don't want every client to have to change their certificate every year!


was (Author: clibois):
Thanks for the quick answer!
However I don't quite understand the need to provide the serial number, as the complete certificate seems to be provided in the BinarySecurityToken field.
Here is the complete SOAP header in case this could help:
{code}
http://schemas.xmlsoap.org/soap/envelope/;>http://www.w3.org/2005/08/addressing;>addresshttp://www.w3.org/2005/08/addressing; 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd;
 
wsu:Id="_a7185c7f-a787-4c30-9f65-6df6bfa674f0">urn:uuid:e5e524c5-cb0e-44b8-8424-e1d4c5821a83http://www.w3.org/2005/08/addressing;>http://www.w3.org/2005/08/addressing/anonymoushttp://www.w3.org/2005/08/addressing; 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd;
 
wsu:Id="_e27b74fd-8883-4aec-928d-79de0c485594">urn:uuid:df816004-5f3a-40a8-a6d9-d24a76169ab7http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd;
 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd;
 soap:mustUnderstand="1">http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary;
 
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1;
 
wsu:Id="X509-f128d321-44e1-4a98-bb36-dd62c99ea1bc">2016-09-22T11:11:39.066Z2016-09-22T11:16:39.066Zhttp://www.w3.org/2000/09/xmldsig#; 
Id="SIG-847e0393-6fb7-4d6c-84f1-a4837ee2e652">http://www.w3.org/2001/10/xml-exc-c14n#;>http://www.w3.org/2001/10/xml-exc-c14n#; 
PrefixList="soap"/>http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>http://www.w3.org/2001/10/xml-exc-c14n#;>http://www.w3.org/2001/10/xml-exc-c14n#; PrefixList="wsse 
soap"/>http://www.w3.org/2001/04/xmlenc#sha256"/>LEF5he1V9D2KeqxE2Y0K1JsRbiS5jgiOZeJ53Hu6JEA=http://www.w3.org/2001/10/xml-exc-c14n#;>http://www.w3.org/2001/10/xml-exc-c14n#; 
PrefixList=""/>http://www.w3.org/2001/04/xmlenc#sha256"/>XpTNsgDOzAVM2nmQVb6FEuMg7926qWkoYFsg5WmVYLs=http://www.w3.org/2001/10/xml-exc-c14n#;>http://www.w3.org/2001/10/xml-exc-c14n#; 
PrefixList="soap"/>http://www.w3.org/2001/04/xmlenc#sha256"/>XOQ/ndLAKGBMIcbhH9ZZ/3zLHBZJWBbwyzXN/vFJ/cA=http://www.w3.org/2001/10/xml-exc-c14n#;>http://www.w3.org/2001/10/xml-exc-c14n#; 
PrefixList="soap"/>http://www.w3.org/2001/04/xmlenc#sha256"/>S7+xWrZbeR5D/P2ZiRTVNq0SrbYIJaBG8xoOixa5Aow=http://www.w3.org/2001/10/xml-exc-c14n#;>http://www.w3.org/2001/10/xml-exc-c14n#; 
PrefixList="soap"/>http://www.w3.org/2001/04/xmlenc#sha256"/>Hlix91X5/g8c860b0BSQKZUqxQU6RnxvpNqHSTdmJMI=HJNcNc58V+8215eebdjY/iE3qewmgHy8uOiTokf6nSWxeKsE65JnfK77+bO8/ITnuBzQm4Vqli0WxiGP9x/5xkXxc4jdPsum84z80bXfirqtjyrm1zSwl/6Nlh1F1uHiVXwwVuFWMluPwVIScmY7rXY46RuqqpCAYgp4kqfFKEA=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd;
 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd;
 
wsu:Id="STR-c2b6e796-cba1-4dc4-af4c-4d3f60050b05">1.2.840.113549.1.9.1=#16107465737473736c40666f72656d2e6265,XX12428414237952637822http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd;
 wsu:Id="_47ba1428-0d7a-403d-aeed-e9a70f419345">http://ns.hr-xml.org/2006-02-28;>2016-09-22T13:11:38
{code}
To be honest I didn't do 

[jira] [Comment Edited] (WSS-588) Server-side signature validation on client fail with only certificate CA is in the client truststore

2016-09-22 Thread Libois Claude (JIRA)

[ 
https://issues.apache.org/jira/browse/WSS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15513627#comment-15513627
 ] 

Libois Claude edited comment on WSS-588 at 9/22/16 3:44 PM:


Thanks for the quick answer!
Deleted previous comment because I have checked in the specs...
To be honest I didn't do anything special to use IssuerSerial reference server side. Do you have any pointer to a wss4j property that would change this behaviour?
I think it's vital not to set the server certificate because this certificate typically lasts one year while the CA lasts at least 5 years. I don't want every client to have to change their certificate every year!


was (Author: clibois):
Thanks for the quick answer!
Deleted previous comment because I have checked in the specs...
To be honest I didn't do anything special to use IssuerSerial reference server side. Do you have any pointer to a wss4j property that would do the trick?
I think it's vital not to set the server certificate because this certificate typically lasts one year while the CA lasts at least 5 years. I don't want every client to have to change their certificate every year!

> Server-side signature validation on client fail with only certificate CA is 
> in the client truststore
> 
>
>                 Key: WSS-588
>                 URL: https://issues.apache.org/jira/browse/WSS-588
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.0.4
>         Environment: Servicemix server using cxf+wss4j for WS-Security purpose
>            Reporter: Libois Claude
>            Assignee: Colm O hEigeartaigh
>              Labels: easyfix
>
> I have a webservice which is secured by WS-Security+Policy.
> I currently use Signature only for the server response.
> However I keep having the same error on the client side:
> {code}
> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: The signature or decryption was invalid
>   at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
>   at com.sun.proxy.$Proxy34.submit(Unknown Source)
>   at client.OffresEmploiClientUserToken.doCall(OffresEmploiClientUserToken.java:93)
>   at client.OffresEmploiClientUserToken.main(OffresEmploiClientUserToken.java:63)
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>   at java.lang.reflect.Method.invoke(Method.java:606)
>   at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
> Caused by: org.apache.wss4j.common.ext.WSSecurityException: The signature or decryption was invalid
>   at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:194)
>   at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:428)
>   at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:278)
>   at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:190)
>   at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:129)
>   at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:112)
>   at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>   at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
>   at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1645)
>   at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1533)
>   at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1336)
>   at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:56)
>   at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:215)
>   at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>   at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:652)
>   at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>   at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>   at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
>   at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
>   at
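The point raised in both versions of the comment above (an IssuerSerial reference forces the client to hold the server's yearly-rotated leaf certificate, whereas a CA-only truststore is enough when the certificate travels in the message) can be seen directly with the WSS4J DOM API. The following is an added illustration, not code from the issue or from the WSS4J project, written against the 2.0/2.1-style API (`WSSecSignature.build(Document, Crypto, WSSecHeader)`) that matches the affected version. The keystore file names, aliases and passwords are placeholders, and the SOAP body is a constructed sample; the code needs the `wss4j-ws-security-dom` jar and real keystores to run.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Properties;

import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSSecurityEngine;
import org.apache.wss4j.dom.message.WSSecHeader;
import org.apache.wss4j.dom.message.WSSecSignature;
import org.w3c.dom.Document;

public class KeyIdentifierDemo {

    // Constructed sample response; the real service payload does not matter here.
    private static final String SOAP =
        "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
        + "<soap:Header/><soap:Body><Result>ok</Result></soap:Body></soap:Envelope>";

    /** Server side: Merlin keystore holding the server's private key and leaf cert (placeholders). */
    static Crypto serverCrypto() throws WSSecurityException {
        Properties p = new Properties();
        p.put("org.apache.wss4j.crypto.provider", "org.apache.wss4j.common.crypto.Merlin");
        p.put("org.apache.wss4j.crypto.merlin.keystore.type", "jks");
        p.put("org.apache.wss4j.crypto.merlin.keystore.file", "server.jks");     // assumed path
        p.put("org.apache.wss4j.crypto.merlin.keystore.password", "serverpass"); // placeholder
        p.put("org.apache.wss4j.crypto.merlin.keystore.alias", "server");        // placeholder alias
        return CryptoFactory.getInstance(p);
    }

    /** Client side: a truststore that contains ONLY the issuing CA, not the server's leaf cert. */
    static Crypto clientCrypto() throws WSSecurityException {
        Properties p = new Properties();
        p.put("org.apache.wss4j.crypto.provider", "org.apache.wss4j.common.crypto.Merlin");
        p.put("org.apache.wss4j.crypto.merlin.truststore.type", "jks");
        p.put("org.apache.wss4j.crypto.merlin.truststore.file", "ca-only.jks");  // assumed path
        p.put("org.apache.wss4j.crypto.merlin.truststore.password", "trustpass"); // placeholder
        return CryptoFactory.getInstance(p);
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Sign the response; keyIdType is WSConstants.ISSUER_SERIAL or WSConstants.BST_DIRECT_REFERENCE. */
    static Document sign(Document doc, Crypto crypto, int keyIdType) throws WSSecurityException {
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(doc);
        WSSecSignature sig = new WSSecSignature();
        sig.setUserInfo("server", "serverpass"); // placeholder alias and key password
        sig.setKeyIdentifierType(keyIdType);     // decides how the SecurityTokenReference points at the cert
        return sig.build(doc, crypto, secHeader);
    }

    /** Verify the way the client-side WSS4J interceptor does; throws WSSecurityException on failure. */
    static void verify(Document signed, Crypto clientCrypto) throws WSSecurityException {
        new WSSecurityEngine().processSecurityHeader(signed, null, null, clientCrypto);
    }

    public static void main(String[] args) throws Exception {
        Crypto server = serverCrypto();
        Crypto client = clientCrypto();

        // IssuerSerial: the header carries only the issuer DN and serial number, so the verifier
        // must already hold the signer's certificate to resolve it. With a CA-only truststore this
        // is the "signature or decryption was invalid" failure reported in the issue.
        try {
            verify(sign(parse(SOAP), server, WSConstants.ISSUER_SERIAL), client);
            System.out.println("IssuerSerial: verified (the server cert was found in the truststore)");
        } catch (WSSecurityException e) {
            System.out.println("IssuerSerial with CA-only truststore: " + e.getMessage());
        }

        // DirectReference: the certificate is embedded as a BinarySecurityToken, so the client only
        // needs the CA to build and validate the chain; rotating the one-year leaf cert needs no
        // change on any client.
        verify(sign(parse(SOAP), server, WSConstants.BST_DIRECT_REFERENCE), client);
        System.out.println("DirectReference with CA-only truststore: verified");
    }
}
```

In handler- or interceptor-based (non-policy) WSS4J configuration the same choice is made with the `signatureKeyIdentifier` property (`WSHandlerConstants.SIG_KEY_ID`), for example set to `DirectReference` instead of `IssuerSerial`. With a CA-only truststore on the verifying side, it is also worth enabling revocation checking, since the leaf certificate is then trusted purely through the chain rather than by being pinned in the truststore.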