Most often this happens if the message is modified after the
Signature was created, e.g. by doing some sort of pretty
printing or such. AFAIK there is a parameter in Axis to
switch off such a behaviour.

Regards,
Werner

 

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> Sent: Monday, 27 February 2006 02:53
> To: [email protected]
> Subject: Re: Signature verification problem [more info from 
> debugging into the WSSecurityEngine]
> 
> Hi
> I debugged further into the exception [as shown below] that was there in
> the server logs and I put some debugs in the WSSecurityEngine file and
> checked that with the IssuerSerial token it's able to load the correct
> certificate [I printed the certificate handle] and then it gives error in
> signature verification! That's pretty strange and am just wondering whether
> this is something to do with the exclusive c14n used. Not sure if I am
> hitting a bug there with the xml security implementation?? Am using
> wss4j 1.1 with Axis 1.2.1.
> Can anybody pls confirm if this is a bug and if it is whether it has been
> fixed in any builds.
> 
> org.apache.ws.security.WSSecurityException: The signature verification failed
>         at org.apache.ws.security.WSSecurityEngine.verifyXMLSignature(WSSecurityEngine.java:630)
>         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:320)
>         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:245)
>         at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:156)
>         at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>         at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>         at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>         at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>         at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>         at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>         at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
>         at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
>         at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
>         at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
>         at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:1006)
>         at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:419)
>         at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:315)
>         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:6718)
>         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
>         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
>         at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3764)
>         at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
>         at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
>         at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
> 
> thanks
> Anamitra
> 
> 
> 
> Anamitra.Bhattach [EMAIL PROTECTED]
> 02/24/2006 12:47 PM
> To: [email protected]
> cc:
> Subject: Signature verification problem
> 
> Hi
> I am trying to test a Signature action from the client to the server. I
> have imported the client's certificate into the server store. When I try
> invoking the web service I get the following exception. I checked the
> message in tcpmon and am not seeing anything to raise a flag except that
> the serial number does not match the serial number shown by the keytool
> [not sure if it's encoded in a different way]. I am not sure what I am
> missing. I am attaching the server wsdd and the client wsdd and the keytool
> commands.
> 
> AxisFault
>  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
>  faultSubcode:
>  faultString: WSDoAllReceiver: security processing failed; nested exception is:
>       org.apache.ws.security.WSSecurityException: The signature verification failed
>  faultActor:
>  faultNode:
>  faultDetail:
>       {http://xml.apache.org/axis/}hostname:D2DFJ971
> 
> WSDoAllReceiver: security processing failed; nested exception is:
>       org.apache.ws.security.WSSecurityException: The signature verification failed
> 
> soap header
> ---------------------
> <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>  soapenv:mustUnderstand="1"><ds:Signature
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
> <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
> <ds:Reference URI="#id-27173235">
> <ds:Transforms>
> <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> <ds:DigestValue>bIURuKkNJkvOePjL2w3nNum8KrA=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>
> uH8F5vW9KKvWTs9hJtEq2mWn01+t+MHQCDWvC/gUn/dxqkWpdjfXtfWuhYEkjjE5U4PYpfyqY3De
> D5JULLmW2qBJfFUbONFbcpR2VTUi+Ya9c+jcLpSP9dYZ/bys9ey/h5JhZWkEN2ERmwwQCJiKDg6R
> 522tMtlT9HMFa7GxZ18=
> </ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-24697864">
> <wsse:SecurityTokenReference
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>  wsu:Id="STRId-26625789"><ds:X509IssuerSerial>
> <ds:X509IssuerName>CN=testalias2</ds:X509IssuerName>
> <ds:X509SerialNumber>1140456858</ds:X509SerialNumber>
> </ds:X509IssuerSerial></wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature></wsse:Security>
> 
> 
> Server wsdd
> --------------------
>  <service name="MXINVOICEInterface" provider="java:MSG" style="message"
> use="literal">
>     <requestFlow>
>      <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
>       <parameter name="action" value="Signature"/>
>       <parameter name="signaturePropFile" value="mysigcrypto.properties" />
>      </handler>
>     </requestFlow>
> 
> <wsdlFile>C:\bea8\user_projects\domains\mydomain\wsdl\MXINVOICEInterface.wsdl</wsdlFile>
> 
>   <parameter name="allowedMethods" value="processDocument"/>
>   <parameter name="className"
> value="psdi.iface.webservices.MEADocumentService"/>
>   <parameter name="scope" value="Application"/>
>   <parameter name="sendXsiTypes" value="false"/>
>   <parameter name="sendMultiRefs" value="false"/>
>  </service>
> 
> mysigcrypto.properties
> -----------------------------------
> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> 
> org.apache.ws.security.crypto.merlin.keystore.type=jks
> org.apache.ws.security.crypto.merlin.keystore.password=testsp1
> org.apache.ws.security.crypto.merlin.file=teststore1
> 
> 
> Clients wsdd
> ---------------------
> <deployment xmlns="http://xml.apache.org/axis/wsdd/"
> xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
>  <transport name="http"
> pivot="java:org.apache.axis.transport.http.HTTPSender"/>
>   <globalConfiguration >
>    <requestFlow >
>     <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
>      <parameter name="action" value="Signature"/>
>      <parameter name="user" value="testalias2"/>
>      <parameter name="signaturePropFile" value="clientsigcrypto.properties"/>
>      <parameter name="passwordCallbackClass"
> value="psdi.iface.webservices.PWCallBack"/>
>     </handler>
>    </requestFlow>
>   </globalConfiguration>
> </deployment>
> 
> clientsigcrypto.properties
> --------------------------------------
> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> 
> org.apache.ws.security.crypto.merlin.keystore.type=jks
> org.apache.ws.security.crypto.merlin.keystore.password=testsp2
> org.apache.ws.security.crypto.merlin.file=teststore2
> 
> 
> 
> Keytool commands
> ------------------------------
> keytool -genkey -alias testalias1 -keystore teststore1 -dname "cn=testalias1" -keypass testkp1 -storepass testsp1 -keyalg RSA
> 
> keytool -genkey -alias testalias2 -keystore teststore2 -dname "cn=testalias2" -keypass testkp2 -storepass testsp2 -keyalg RSA
> 
> keytool -selfcert -alias testalias1 -keystore teststore1 -keypass testkp1 -storepass testsp1
> 
> keytool -selfcert -alias testalias2 -keystore teststore2 -keypass testkp2 -storepass testsp2
> 
> keytool -export -keystore teststore2 -alias testalias2 -storepass testsp2 -file testcert2 -rfc
> 
> keytool -import -alias testcert2 -file testcert2 -keystore teststore1 -storepass testsp1
> 
> Any pointers appreciated.
> thanks
> Anamitra
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 
> 
> 
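The failure mode named in the reply at the top of this thread (a message altered after signing, for instance by pretty-printing), shown as an added example that is not part of the original thread and is not WSS4J or Axis code. It assumes a constructed sample element with made-up namespaces and content, and uses Python's standard-library C14N 2.0 canonicalizer as a stand-in for the exclusive c14n in the posted header; both keep whitespace text nodes, so indentation added after signing changes the reference digest, while differences in quoting or attribute order do not.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from xml.dom import minidom

# Constructed sample element (namespaces, Id and content are made up).
SIGNED = (
    '<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:wsu="urn:example:wsu" wsu:Id="id-1">'
    '<inv:Invoice xmlns:inv="urn:example:invoice">'
    '<inv:Total currency="USD" scale="2">42</inv:Total><inv:Note/>'
    '</inv:Invoice></soapenv:Body>'
)

# Same content, different bytes: quote style, attribute order, spacing inside
# tags, expanded empty element. Canonicalization is designed to absorb these.
RESERIALIZED = (
    "<soapenv:Body wsu:Id='id-1' xmlns:wsu='urn:example:wsu' "
    "xmlns:soapenv='http://schemas.xmlsoap.org/soap/envelope/'>"
    "<inv:Invoice xmlns:inv='urn:example:invoice'>"
    "<inv:Total scale='2'  currency = 'USD' >42</inv:Total ><inv:Note></inv:Note>"
    "</inv:Invoice></soapenv:Body>"
)

def reference_digest(xml_text):
    """Base64 SHA-1 of the canonical form, the shape of a ds:DigestValue."""
    canonical = ET.canonicalize(xml_text)  # stdlib C14N 2.0; whitespace text is kept
    digest = hashlib.sha1(canonical.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def pretty_print(xml_text):
    """Indent the element the way a pretty-printing serializer would."""
    return minidom.parseString(xml_text).documentElement.toprettyxml(indent="  ")

def check_reference(digest_at_signing, received_xml):
    """Report whether the received element still matches the signed digest."""
    recomputed = reference_digest(received_xml)
    if recomputed == digest_at_signing:
        return "match"
    return "mismatch: element changed after signing (recomputed %s)" % recomputed

if __name__ == "__main__":
    signed_digest = reference_digest(SIGNED)
    print("re-serialized :", check_reference(signed_digest, RESERIALIZED))
    print("pretty-printed:", check_reference(signed_digest, pretty_print(SIGNED)))
```

Running the same comparison on a captured message, against the `ds:DigestValue` it carries, separates a body that was altered in transit from a problem with the key or certificate.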