Hi,

I am building a test security token service (STS) that receives a signed 
RST request (according to WS-Trust) and responds with the requested RST 
after validating the signature. I am not using the doAllReceiver or doAllSender 
handlers of WSS4J; instead I am using a similar technique (adding my own 
handlers that do the same thing). 

I want to add a custom header (for my own purposes) to the SOAP header, in 
addition to the security header. I am signing the body, which contains the RST 
request. If I send the signed message without my custom header, the server does 
not throw any exception. The problem is that if I add the custom header 
(<SoapAccount>) after the <Security> header, verification of the existing 
signature fails, even though I did not modify the body in any way. My handler 
on the server side receives exactly the message that I sent. 
If this is not enough information to identify the problem, I can provide more.

Can somebody help me in this regard? I am attaching both messages as 
well.

my request message is:

<?xml version="1.0" encoding="UTF-8"?>
<!-- NOTE(review): the comments in this listing are annotations for readers and
     were not part of the message as sent.
     The ';' that follows each quoted URI attribute value below is not valid XML
     attribute syntax. It looks like an artifact of the list archive's link
     handling rather than something the sender's stack emitted (TODO confirm). -->
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"; 
xmlns:xsd="http://www.w3.org/2001/XMLSchema"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";>
<soapenv:Header>
<!-- WS-Security header carrying one ds:Signature. Its single ds:Reference
     (URI="#id-13419912") matches the wsu:Id on soapenv:Body, so only the Body
     is integrity-protected; nothing in soapenv:Header is covered by it. -->
<wsse:Security soapenv:mustUnderstand="1" 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>
<ds:Signature Id="Signature-15778003" 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<!-- Canonicalization and the Reference transform are both Exclusive C14N
     (xml-exc-c14n#), which drops comments but keeps whitespace text nodes
     inside the referenced element. SignatureMethod is rsa-sha1 and
     DigestMethod is sha1; SHA-1 is no longer regarded as collision resistant,
     so current deployments prefer the SHA-256 variants. -->
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-13419912">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>
wEmMdV/3nnpizVExHoATXbf1nlk= </ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<!-- NOTE(review): this base64 value appears to decode to 64 bytes, which would
     correspond to a 512-bit RSA key. That is acceptable only for a throwaway
     test key. -->
<ds:SignatureValue>
5sVZ4fPOxezb2+xn34s9BBuFC0sEMQOu1EJFpFUeFPP/vxvHt3aMPZf++1XuOABOcZe3+CY5sTae
mITXyigWug== </ds:SignatureValue>
<!-- The signer is identified by issuer name and serial number only; no
     certificate is embedded here, so the receiver has to look it up in its own
     key store and is responsible for checking that it is trusted and valid. -->
<ds:KeyInfo Id="KeyId-5210326">
<wsse:SecurityTokenReference wsu:Id="STRId-19712349" 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>
CN=dims </ds:X509IssuerName>
<ds:X509SerialNumber>
44369778256217224370984914847992022613 </ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
<!-- Custom header, a sibling of wsse:Security, with mustUnderstand="0" and
     addressed to the "next" actor. No ds:Reference points at it, so its values
     (NoOfHeader, NoOfSignParts) can change in transit without invalidating the
     signature; a receiver should not base security decisions on them unless
     this header is added to the signed parts.
     NOTE(review): the Body carries its own xmlns:wsu declaration and Exclusive
     C14N is used, so the presence of this header should not by itself alter
     the Body digest. A mismatch is more likely if the envelope was
     re-serialized (whitespace or namespace changes inside the Body) after the
     signature was computed. TODO confirm by comparing the canonicalized Body
     at signing time and at verification time. -->
<SA:SoapAccount soapenv:actor="http://schemas.xmlsoap.org/soap/actor/next"; 
soapenv:mustUnderstand="0" xmlns:SA="http://www.sap.com/research/sophia/SA/";>
<SA:NoOfHeader>
2 </SA:NoOfHeader>
<SA:NoOfSignParts>
1 </SA:NoOfSignParts>
</SA:SoapAccount>
</soapenv:Header>
<!-- Signed element (wsu:Id="id-13419912"). It holds the WS-Trust
     RequestSecurityToken, including a UsernameToken with a PasswordDigest,
     Nonce and Created value inside wst:Base. A receiver would normally check
     Nonce and Created for freshness in order to reject replayed requests; the
     wst:Lifetime here runs from 2007-01-03T00:13:02Z to 2007-01-03T00:17:12Z. -->
<soapenv:Body wsu:Id="id-13419912" 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";>
<wst:RequestSecurityToken wst:Context="http://context.context"; 
xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust";>
<wst:TokenType>
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
 </wst:TokenType>
<te:TestElement xmlns:te="http://testElementNs.testElementNs"/>
<wst:Lifetime>
<wsu:Created>
2007-01-03T00:13:02Z </wsu:Created>
<wsu:Expires>
2007-01-03T00:17:12Z </wsu:Expires>
</wst:Lifetime>
<wst:RequestType>
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue </wst:RequestType>
<wst:Base>
<wsse:UsernameToken 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>
<wsse:Username>
bob </wsse:Username>
<wsse:Password 
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest";>
vOaXTlOGP1Ri8ABdvcHlCdnHpVo= </wsse:Password>
<wsse:Nonce>
bwWcsZNZYMdWpleNajtixw== </wsse:Nonce>
<wsu:Created>
2007-01-03T00:13:02.125Z </wsu:Created>
</wsse:UsernameToken>
</wst:Base>
</wst:RequestSecurityToken>
</soapenv:Body>
</soapenv:Envelope>


The server exception is:


org.apache.ws.security.WSSecurityException: The signature verification failed
        at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignatur
e(SignatureProcessor.java:332)
        at org.apache.ws.security.processor.SignatureProcessor.handleToken(Signa
tureProcessor.java:79)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecur
ityEngine.java:279)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecur
ityEngine.java:201)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecur
ityEngine.java:154)
        at org.sap.sophia.test.handler.STSSignatureHandler.signatureVerifier(STS
SignatureHandler.java:184)
        at org.sap.sophia.test.handler.STSSignatureHandler.invoke(STSSignatureHa
ndler.java:94)
        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrateg
y.java:32)
        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrateg
y.java:32)
        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
        at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:454
)
        at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
        at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:69
9)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:716)
        at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBas
e.java:327)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:809)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl
icationFilterChain.java:200)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF
ilterChain.java:146)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperV
alve.java:209)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContex
t.invokeNext(StandardPipeline.java:596)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.jav
a:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextV
alve.java:144)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContex
t.invokeNext(StandardPipeline.java:596)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.jav
a:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:
2358)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.j
ava:133)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContex
t.invokeNext(StandardPipeline.java:596)
        at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatche
rValve.java:118)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContex
t.invokeNext(StandardPipeline.java:594)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.j
ava:116)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContex
t.invokeNext(StandardPipeline.java:594)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.jav
a:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVal
ve.java:127)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContex
t.invokeNext(StandardPipeline.java:596)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.jav
a:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
        at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:15
2)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java
:799)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.proce
ssConnection(Http11Protocol.java:705)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java
:577)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadP
ool.java:683)
        at java.lang.Thread.run(Thread.java:595)

org.apache.ws.security.WSSecurityException: The signature verification failed
        at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignatur
e(SignatureProcessor.java:332)
        at org.apache.ws.security.processor.SignatureProcessor.handleToken(Signa
tureProcessor.java:79)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecur
ityEngine.java:279)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecur
ityEngine.java:201)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecur
ityEngine.java:154)
        at org.sap.sophia.test.handler.STSSignatureHandler.signatureVerifier(STS
SignatureHandler.java:184)
        at org.sap.sophia.test.handler.STSSignatureHandler.invoke(STSSignatureHa
ndler.java:94)
        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrateg
y.java:32)
        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrateg
y.java:32)
        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
        at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:454
)
        at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
        at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:69
9)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:716)
        at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBas
e.java:327)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:809)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl
icationFilterChain.java:200)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF
ilterChain.java:146)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperV
alve.java:209)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContex
t.invokeNext(StandardPipeline.java:596)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.jav
a:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)

        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextV
alve.java:144)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContex
t.invokeNext(StandardPipeline.java:596)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.jav
a:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)

        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:
2358)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.j
ava:133)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContex
t.invokeNext(StandardPipeline.java:596)
        at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatche
rValve.java:118)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContex
t.invokeNext(StandardPipeline.java:594)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.j
ava:116)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContex
t.invokeNext(StandardPipeline.java:594)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.jav
a:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)

        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVal
ve.java:127)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContex
t.invokeNext(StandardPipeline.java:596)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.jav
a:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)

        at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:15
2)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java
:799)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.proce
ssConnection(Http11Protocol.java:705)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java
:577)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadP
ool.java:683)
        at java.lang.Thread.run(Thread.java:595)
<?xml version="1.0" encoding="UTF-8"?>
<!-- NOTE(review): the comments in this listing are annotations for readers and
     were not part of the message. This copy is indented; Exclusive C14N keeps
     whitespace text nodes inside the referenced element, so if indentation
     like this were applied to the Body after signing, the recomputed digest
     would no longer match ds:DigestValue. Whether this layout reflects the
     bytes on the wire cannot be told from the listing (TODO confirm).
     The ';' after each quoted URI attribute value is not valid XML and looks
     like an archive artifact. -->
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"; 
xmlns:xsd="http://www.w3.org/2001/XMLSchema"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";>
 <soapenv:Header>
  <!-- One ds:Signature whose only ds:Reference is URI="#id-13419912", the
       wsu:Id of soapenv:Body. It uses rsa-sha1 with a sha1 digest; SHA-1 is no
       longer regarded as collision resistant. -->
  <wsse:Security soapenv:mustUnderstand="1" 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>
   <ds:Signature Id="Signature-15778003" 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
    <ds:SignedInfo>
     <ds:CanonicalizationMethod 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     <ds:SignatureMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <ds:Reference URI="#id-13419912">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>
wEmMdV/3nnpizVExHoATXbf1nlk=      </ds:DigestValue>
     </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
5sVZ4fPOxezb2+xn34s9BBuFC0sEMQOu1EJFpFUeFPP/vxvHt3aMPZf++1XuOABOcZe3+CY5sTae
mITXyigWug==    </ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-5210326">
     <wsse:SecurityTokenReference wsu:Id="STRId-19712349" 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";>
      <ds:X509Data>
       <ds:X509IssuerSerial>
        <ds:X509IssuerName>
CN=dims        </ds:X509IssuerName>
        <ds:X509SerialNumber>
44369778256217224370984914847992022613        </ds:X509SerialNumber>
       </ds:X509IssuerSerial>
      </ds:X509Data>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
   </ds:Signature>
  </wsse:Security>
  <!-- Custom header that no ds:Reference covers: its content is not
       integrity-protected by the signature above, so a receiver should treat
       NoOfHeader and NoOfSignParts as unauthenticated values. -->
  <SA:SoapAccount soapenv:actor="http://schemas.xmlsoap.org/soap/actor/next"; 
soapenv:mustUnderstand="0" xmlns:SA="http://www.sap.com/research/sophia/SA/";>
   <SA:NoOfHeader>
2   </SA:NoOfHeader>
   <SA:NoOfSignParts>
1   </SA:NoOfSignParts>
  </SA:SoapAccount>
 </soapenv:Header>
 <!-- Signed element (wsu:Id="id-13419912") holding the WS-Trust request and a
      UsernameToken with PasswordDigest, Nonce and Created. -->
 <soapenv:Body wsu:Id="id-13419912" 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";>
  <wst:RequestSecurityToken wst:Context="http://context.context"; 
xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust";>
   <wst:TokenType>
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
   </wst:TokenType>
   <te:TestElement xmlns:te="http://testElementNs.testElementNs"/>
   <wst:Lifetime>
    <wsu:Created>
2007-01-03T00:13:02Z    </wsu:Created>
    <wsu:Expires>
2007-01-03T00:17:12Z    </wsu:Expires>
   </wst:Lifetime>
   <wst:RequestType>
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue   </wst:RequestType>
   <wst:Base>
    <wsse:UsernameToken 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>
     <wsse:Username>
bob     </wsse:Username>
     <wsse:Password 
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest";>
vOaXTlOGP1Ri8ABdvcHlCdnHpVo=     </wsse:Password>
     <wsse:Nonce>
bwWcsZNZYMdWpleNajtixw==     </wsse:Nonce>
     <wsu:Created>
2007-01-03T00:13:02.125Z     </wsu:Created>
    </wsse:UsernameToken>
   </wst:Base>
  </wst:RequestSecurityToken>
 </soapenv:Body>
</soapenv:Envelope>