Chris,

your setup seems to be correct. Looking at the
error message it tells us that the verification
for the SOAP Body failed. The computed digest value
does not match the stored digest value in the reference.

Looking at the request you included in the mail I see very
strange linebreaks in the middle of words. Because other lines
are longer I don't think it is part of the e-mail formatting.
Another strange thing is the double "--" in the cert identifier.

Is there any chance that the SOAP request was modified during
the transfer? At least this would explain the failure.

btw, did you look at package.html in **/security/axis? Even if
it's outdated it gives you some hints how to do Signature etc.

Regards,
Werner

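To make the failure described above concrete, here is an added Python example (not part of either mail and not WSS4J code) of the reference check a WS-Security receiver performs: the referenced Body is canonicalised, hashed with SHA-1, base64-encoded and compared with ds:DigestValue. The Body bytes are a constructed sample modelled on the quoted request, and the example deliberately skips exclusive canonicalisation and hashes the bytes as given; what it shows is that a line break inserted inside a token in transit, as seen in the quoted request, changes the digest and yields exactly this kind of mismatch.

```python
import base64
import hashlib
import hmac

# Constructed sample of the referenced element, written the way it would look after
# exclusive canonicalisation (one line, namespace declarations in place). It is modelled
# on the Body of the quoted request but is not a byte copy of it.
SIGNED_BODY = (
    b'<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
    b'xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" '
    b'wsu:Id="id-20214052">'
    b'<ns1:Nominal xmlns:ns1="http://www.test.com/Test">'
    b'<ns1:name>Bert</ns1:name><ns1:number>1234</ns1:number>'
    b'</ns1:Nominal></soapenv:Body>'
)


def digest_value(canonical: bytes) -> str:
    """SHA-1 of the canonicalised reference content, base64-encoded as in ds:DigestValue."""
    return base64.b64encode(hashlib.sha1(canonical).digest()).decode("ascii")


def reference_verifies(canonical: bytes, stored_digest_value: str) -> bool:
    """The check behind 'Verification failed for URI': recompute the digest and compare.

    hmac.compare_digest keeps the comparison constant-time.
    """
    return hmac.compare_digest(digest_value(canonical), stored_digest_value)


def wrap_inside_token(canonical: bytes, offset: int) -> bytes:
    """Model a transport that breaks a line in the middle of a token.

    Inside an attribute value the break becomes a space after attribute-value
    normalisation, inside a text node it stays a newline; either way the canonical
    form differs from what the sender hashed.
    """
    return canonical[:offset] + b"\r\n" + canonical[offset:]


def explain_failure(canonical: bytes, stored_digest_value: str) -> str:
    """One-line verdict for a reference, the kind of detail worth logging on failure."""
    computed = digest_value(canonical)
    if hmac.compare_digest(computed, stored_digest_value):
        return "reference OK"
    return f"digest mismatch: computed {computed}, stored {stored_digest_value}"


if __name__ == "__main__":
    signed_digest = digest_value(SIGNED_BODY)           # what the sender put in ds:DigestValue
    print(explain_failure(SIGNED_BODY, signed_digest))  # intact message: reference OK
    # Break the wsu namespace URI as "wssecurit" / "y", like the quoted request.
    cut = SIGNED_BODY.index(b"wssecurity-") + 9
    print(explain_failure(wrap_inside_token(SIGNED_BODY, cut), signed_digest))
```

When debugging a mismatch like this, the useful comparison is between the bytes the client logged and the bytes the server actually received; if they differ, as the odd line breaks and the garbled certificate suggest here, the signature itself is not the problem.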

Chris Nappin wrote:
> Hi,
> 
>   I've been trying for some time now to get a simple working example of wss4j 
> using signatures, but am struggling with the current sparse level of 
> documentation. I can get UsernameToken working fine, but with Signatures I've 
> only got as far as sending what I think is a valid SOAP request with a 
> signature on it, but the server rejects it as it thinks the signature is 
> invalid.
> 
> I'll outline what I'm doing; I assume it's something simple I am doing 
> wrong?
> 
> - I'm using Sun JDK 1.5.0-03, WSS4J 1.0, Axis 1.2.1, JBoss 4.0.2, Windows XP
> 
> - I created a client key using keytool (i.e. a self-signed X509 v1 
> certificate using RSA), exported it as a certificate and imported it into the 
> server's keystore
> 
> - My client code uses the WSS4JHandler, with the following settings:
>     - action = Signature
>     - signaturePropFile = client-signature.properties (which references 
> client.keystore)
>     - user = clientkey
>     - signatureKeyIdentifier = DirectReference
> 
> - My server-config.wsdd uses the WSDoAllReceiver handler, with the following 
> settings:
>     - action = Signature
>     - signaturePropFile = server-signature.properties (which references 
> server.keystore)
> 
> 
> (I would use signatureKeyIdentifier = IssuerSerial, as this is what most of 
> the examples I've seen use, but I'm unsure where the long hex serial number 
> comes from?)
> 
> keytool -printcert on my client certificate gives:
> 
> Owner: CN=clientkey
> Issuer: CN=clientkey
> Serial number: 43175c89
> Valid from: Thu Sep 01 20:54:49 BST 2005 until: Wed Nov 30 19:54:49 GMT 2005 
> Certificate fingerprints:
>          MD5:  AC:C7:EA:41:B4:FB:6A:C2:30:A4:6B:A6:02:0A:AC:2E
>          SHA1: 9D:23:FF:F9:87:AE:28:0E:31:98:2C:53:4F:B0:F9:29:15:C0:5F:BE
> 
> The SOAP request is:
> 
> POST /sidWS/services/SecureService HTTP/1.0
> Content-Type: text/xml; charset=utf-8
> Accept: application/soap+xml, application/dime, multipart/related, text/*
> User-Agent: Axis/1.2.1
> Host: localhost:9080
> Cache-Control: no-cache
> Pragma: no-cache
> SOAPAction: "http://localhost:8080/sidWS/services/SecureService";
> Content-Length: 2885
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/";
> xmlns:xsd="http://www.w3.org/2001/XMLSchema";
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";>
> <soapenv:Header>
> <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecuri
> ty-secext-1.0.xsd" soapenv:mustUnderstand="1"><wsse:BinarySecurityToken
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-m
> essage-security-1.0#Base64Binary"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-toke
> n-profile-1.0#X509v3"
> wsu:Id="CertId--34480">MIIBmjCCAQMCBEMXXIkwDQYJKoZIhvcNAQEEBQAwFDESMBAGA1UEA
> xMJY2xpZW50a2V5MB4XDTA1
> MDkwMTE5NTQ0OVoXDTA1MTEzMDE5NTQ0OVowFDESMBAGA1UEAxMJY2xpZW50a2V5MIGfMA0GCSqG
> SIb3DQEBAQUAA4GNADCBiQKBgQCWO2CV7m7gU4/usE+2+1I5cnBNl4zwZkx1Xw8x9B/KINGR86XK
> x/SGU2fKOrEZ+Nz4ULbIFJE9CjCBt3LCbkOCCAVal7VBVR2hkuJkdAIhl99D8cWAohw9D2sfcuvk
> Piaz+tuOIowNLavi9hi9xYtVZRzvk7TB5ijZm8028w38TwIDAQABMA0GCSqGSIb3DQEBBAUAPiaz+A4GB
> AHBm+yKgqZ6pn2viUUQcQa/yVLF3HD0D1+hfhipAco0ZEJudw109+KUsujehlyKyiV3drKrsAHBm+whEn
> EXlUVktIwS8KSDtIFN7bh7GNK6ufYIhTQjVbBt3ghvCNiRL4nLuCCzzs89I5XPlNQAtg/rVFdcBj
> jDdgZgMvjYXlJfJjMw9J</wsse:BinarySecurityToken><ds:Signature
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";></ds:CanonicalizationMethod>
> <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1";></ds:SignatureMethod>
> <ds:Reference URI="#id-20214052">
> <ds:Transforms>
> <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";></ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";></ds:DigestMethod>
> <ds:DigestValue>yndU9pRNx8a7Elqop4bXh1oAv6M=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>
> Rckm6JJXXGcBmTawi6X5RTMRr3xNXGmoBEbiwq3m9UFsLtwWsIVspUaLE8DUp/sEpoKDKByaRvZZ
> a177PyIX7yzw2ExiynVFqlOOmf8KF4D1KRcyWC6n2c8wvggNghSWRd2BwwsxGSACwupJORysJC9Kco3ttafBUlytRhVe7Ac=
> </ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-15308417">
> <wsse:SecurityTokenReference
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurit
> y-utility-1.0.xsd" wsu:Id="STRId-21357269"><wsse:Reference 
> URI="#CertId--34480"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-toke
> n-profile-1.0#X509v3"></wsse:Reference></wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature></wsse:Security></soapenv:Header><soapenv:Body
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurit
> y-utility-1.0.xsd" wsu:Id="id-20214052"><ns1:Nominal 
> xmlns="http://www.test.com/Test"; xmlns:ns1="http://www.test.com/Test";>
> <ns1:name>Bert</ns1:name>
> <ns1:number>1234</ns1:number></ns1:Nominal></soapenv:Body></soapenv:Envelope>
> 
> The server stack trace is:
> 
> Verification failed for URI "#id-20214052"
> org.apache.ws.security.WSSecurityException: The signature verification failed 
> at 
> org.apache.ws.security.WSSecurityEngine.verifyXMLSignature(WSSecurityEngine.java:644)
> at 
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:334)
> at 
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:259)
> at 
> org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:183)
> at 
> org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> at 
> org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
> at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
> at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
> at 
> org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
> at 
> org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
> at 
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
> at 
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
> at 
> org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39)
> at 
> org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:153)
> at 
> org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
> at 
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
> at 
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
> at 
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
> at 
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
> at 
> org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
> at 
> org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
> at java.lang.Thread.run(Thread.java:595)
> 
> 
> Chris Nappin
> Technical Architect
>  
> ABM United Kingdom Limited
> Telephone: +44 (0) 115 977 6999
> Facsimile: +44 (0) 115 977 6850
> Web: http://www.abm-uk.com
>  
> ABM for Intelligent Solutions
> 
> 
>  
> CONFIDENTIALITY & PRIVILEGE NOTICE
> 
> This e-mail is confidential to its intended recipient. It may also be 
> privileged. Neither the confidentiality nor any privilege attaching to this 
> e-mail is waived lost or destroyed by reason that it has been mistakenly 
> transmitted to a person or entity other than its intended recipient. If you 
> are not the intended recipient please notify us immediately by telephone or 
> fax at the numbers provided above or e-mail by Reply To Author and return the 
> printed e-mail to us by post at our expense. We believe, but do not warrant, 
> that this e-mail and any attachments are virus-free, but you should check. We 
> may monitor traffic data of both business and personal e-mails. We are not 
> liable for any opinions expressed by the sender where this is a non-business 
> e-mail. If you do not receive all the message, or if you have difficulty with 
> the transmission, please telephone us immediately.
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 
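On the question in the quoted mail about where the long IssuerSerial number comes from: it is the certificate's serialNumber, which ds:X509SerialNumber carries as an xsd:integer in decimal, while keytool -printcert shows the same value in hex. The following is an added Python example, not code from the thread or from WSS4J. It reads the serial straight out of the DER header of a certificate; the 20-character prefix is taken from the wsse:BinarySecurityToken in the quoted request, the v3 header is a constructed sample, and the reference element follows the X509IssuerSerial structure of the WS-Security X.509 token profile (namespace prefixes assumed declared elsewhere in the message).

```python
import base64
from xml.sax.saxutils import escape

# First 20 base64 characters of the wsse:BinarySecurityToken in the quoted request.
# They decode to the DER header of the certificate, which is all the serial lookup needs.
TOKEN_PREFIX_B64 = "MIIBmjCCAQMCBEMXXIkw"

# Constructed DER header of a v3 certificate: explicit [0] version present, 9-octet serial
# with a leading 0x00 pad because the first value octet has its high bit set. Sample bytes,
# not a real certificate.
V3_HEADER = bytes.fromhex("3082020a308201f3a003020102020900a1b2c3d4e5f60718")


def _read_header(buf: bytes, pos: int):
    """Decode one DER tag/length; return (tag, length, position of the first value octet)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, length, pos


def certificate_serial(der: bytes) -> int:
    """Return serialNumber from the start of a DER-encoded X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
    serialNumber INTEGER, ... }, ... }. Only the leading octets are read, so a
    truncated certificate is enough.
    """
    tag, _, pos = _read_header(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, _, pos = _read_header(der, pos)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, length, pos = _read_header(der, pos)
    if tag == 0xA0:                        # explicit [0] version (v2/v3 certificates): skip it
        pos += length
        tag, length, pos = _read_header(der, pos)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(der[pos:pos + length], "big", signed=True)


def serial_from_token(b64_token: str) -> int:
    """Serial of the certificate carried in a wsse:BinarySecurityToken (base64 DER)."""
    usable = len(b64_token) - len(b64_token) % 4   # decode only complete base64 groups
    return certificate_serial(base64.b64decode(b64_token[:usable]))


def issuer_serial_reference(issuer_name: str, serial: int) -> str:
    """SecurityTokenReference for an issuer/serial key identifier.

    ds:X509SerialNumber is an xsd:integer, so the serial appears in decimal, not in
    the hex form printed by keytool; that is the 'long number' seen in examples.
    """
    return (
        "<wsse:SecurityTokenReference>"
        "<ds:X509Data><ds:X509IssuerSerial>"
        f"<ds:X509IssuerName>{escape(issuer_name)}</ds:X509IssuerName>"
        f"<ds:X509SerialNumber>{serial}</ds:X509SerialNumber>"
        "</ds:X509IssuerSerial></ds:X509Data>"
        "</wsse:SecurityTokenReference>"
    )


if __name__ == "__main__":
    serial = serial_from_token(TOKEN_PREFIX_B64)
    print("keytool hex:", format(serial, "x"))          # matches 'Serial number: 43175c89'
    print(issuer_serial_reference("CN=clientkey", serial))
```

The receiver with IssuerSerial looks the certificate up in its own keystore by issuer name and serial instead of taking it from the message, which is why the token's serial has to match what the server's keystore holds.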

