Yes, it's a valid response. CXF/WSS4J handles the SubjectKeyIdentifier case
as follows:

https://github.com/apache/ws-wss4j/blob/420947d684383aeed40a2e41717da6197fb1d9dd/ws-security-common/src/main/java/org/apache/wss4j/common/token/SecurityTokenReference.java#L373

This extracts the SKI bytes from the message and asks the Crypto
implementation to match it to a Certificate stored in the keystore:

https://github.com/apache/ws-wss4j/blob/7707ffa5bcb1d903eb8e21cbd059dc94649cd5a5/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java#L1144

So the corresponding certificate should be stored in your local signature
keystore and it should work.

Colm.

On Mon, Aug 3, 2020 at 8:32 PM Raffaele Sgarro <[email protected]>
wrote:

> I'm programming a client for a SOAP service that is configured through a
> policy in the WSDL
> <https://gist.github.com/RaffaeleSgarro/60791b4ffdacae692d53c449de6d0ffb>.
> The service responds with a message that would be perfectly fine to work
> with, but has a signature that makes CXF throw an error and hence halts
> the execution of the program. From the XML of the response I can't tell if
> there's something wrong with CXF or the response itself, mainly because the
> piece:
>
> <ds:KeyInfo>
>   <wsse:SecurityTokenReference>
>     <wsse:KeyIdentifier
>             ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
>             EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
>             KTK582+s/nxWsbkIeNRTRDH+ju0=
>     </wsse:KeyIdentifier>
>   </wsse:SecurityTokenReference>
> </ds:KeyInfo>
>
> is not enough for me to understand where the certificate to verify the
> signature is supposed to be found.
>
> The full (and syntax highlighted) XML of the response is here
> <https://stackoverflow.com/questions/63234657/is-the-signature-in-the-following-soap-response-valid-can-it-be-validated-altog>.
> Can CXF tell if the message is valid using only the message itself and the
> given policy? Or do I need some other piece of information? If that's the
> case, how can I pass it?
>
>
> Thanks,
> Raffaele
>
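An added illustration, not WSS4J's own code, of the lookup Colm describes: decode the base64 KeyIdentifier from the response, compute each keystore certificate's SubjectKeyIdentifier from its X.509v3 extension, and return the matching alias. The keystore path `client-truststore.jks` and password `changeit` are hypothetical; the SKI value is the one from the response above, and the fallback WSS4J uses for certificates without an SKI extension is left out.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Enumeration;

public class SkiLookup {
    // OID of the X.509v3 SubjectKeyIdentifier extension (RFC 5280, 4.2.1.2)
    private static final String SKI_OID = "2.5.29.14";

    /** Raw SKI bytes of a certificate, i.e. what a #X509SubjectKeyIdentifier
     *  KeyIdentifier carries base64-encoded; null if the cert has no SKI extension. */
    static byte[] skiBytes(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue(SKI_OID);
        if (ext == null) {
            return null; // WSS4J's Merlin derives an SKI from the public key in this case; not shown
        }
        // getExtensionValue() returns the extnValue OCTET STRING (tag 0x04) whose content is the
        // SKI extension itself, another OCTET STRING. Short-form DER lengths are assumed, which
        // holds for real-world SKIs (typically a 20-byte SHA-1 hash of the public key).
        if (ext.length < 4 || ext[0] != 0x04 || ext[2] != 0x04 || (ext[3] & 0xFF) != ext.length - 4) {
            throw new IllegalArgumentException("Unexpected SKI extension encoding");
        }
        return Arrays.copyOfRange(ext, 4, ext.length);
    }

    /** Alias of the keystore entry whose certificate carries the given base64 SKI, or null. */
    static String findAliasBySki(KeyStore ks, String base64Ski) throws Exception {
        // trim(): the KeyIdentifier text in the response is padded with whitespace
        byte[] wanted = Base64.getDecoder().decode(base64Ski.trim());
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            byte[] ski = skiBytes((X509Certificate) c);
            // constant-time comparison, as for any key-identifier lookup
            if (ski != null && MessageDigest.isEqual(wanted, ski)) return alias;
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // hypothetical keystore path and password
        try (InputStream in = new FileInputStream("client-truststore.jks")) {
            ks.load(in, "changeit".toCharArray());
        }
        String alias = findAliasBySki(ks, "KTK582+s/nxWsbkIeNRTRDH+ju0=");
        System.out.println(alias == null ? "no certificate with that SKI in keystore" : "matched alias: " + alias);
    }
}
```

A null result is the situation behind the original error: the signing certificate has to be present in the signature keystore before CXF can resolve the reference, and locating it is separate from the trust validation CXF performs on that certificate afterwards.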