My attachments were blocked, so I've included them below.

a) dev-axis-wss4j-signed-request.xml - the signed request from the Axis/WSS4J client

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Header><wsse:Security
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:BinarySecurityToken
 EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
 wsu:Id="CertId-31473332"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">[base64-encoded X.509 certificate omitted]</wsse:BinarySecurityToken><ds:Signature
 Id="Signature-11546362" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-22522451">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>RhtkjcDP70Cs9dAwBaDGCgVsSkY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
lkzsvOIkVjm4VcJAJ49K7L2cDrynUgSEXcFHCFERGHUEljvc18ivhVqyoIbBIAMRxrUfEfX5zLP7
w6KT+qQpoQ==
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-795840">
<wsse:SecurityTokenReference wsu:Id="STRId-29232906"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:Reference
 URI="#CertId-31473332"
 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature></wsse:Security></soapenv:Header><soapenv:Body
 wsu:Id="id-22522451"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><ce:ce_bond_single_contract_request
 xmlns:ce="http://www.origostandards.com/schema/ce/v2">
        <ce:b_control>
                <ce:contract_enquiry_reference>CE123456</ce:contract_enquiry_reference>
        </ce:b_control>
        <ce:intermediary>
                <ce:company_name>IFA Company Ltd</ce:company_name>
                <ce:contact_details>
                        <ce:name>Mr Fred Smith</ce:name>
                        <ce:telephone_number>0131 523 4480</ce:telephone_number>
                </ce:contact_details>
        </ce:intermediary>
        <ce:request_scope>
                <ce:contract_details_required_ind>No</ce:contract_details_required_ind>
                <ce:valuation_currency>GBP</ce:valuation_currency>
                <ce:fund_code_type_required>SEDOL</ce:fund_code_type_required>
        </ce:request_scope>
        <ce:contract>
                <ce:contract_reference_number>A-284762-01</ce:contract_reference_number>
        </ce:contract>
</ce:ce_bond_single_contract_request></soapenv:Body></soapenv:Envelope>


b) dev-wss4j-signed-request.xml - the signed request from the "WSS4J only" client

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 encodingStyle="http://schemas.xmlsoap.org/soap/envelope/">
        <soapenv:Header>
<wsse:Security
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:BinarySecurityToken
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
 wsu:Id="CertId-31473332">[base64-encoded X.509 certificate omitted]</wsse:BinarySecurityToken><ds:Signature
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-29132923">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#id-25589390">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>/yl+BNbZzLD10nQvUA1psdZyzCM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
MZmHCpuj0qes6chJphgh6556hciBgUwWEXKWXA/Litp4q+XsiN42v7dQqO3gwE8sx27IfaMUEt1m
mVfj5jiopw==
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-23503403">
<wsse:SecurityTokenReference
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 wsu:Id="STRId-4667711"><wsse:Reference URI="#CertId-31473332"
 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></wsse:Reference></wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature></wsse:Security></soapenv:Header>
        <soapenv:Body
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 wsu:Id="id-25589390">
                <ce:ce_bond_single_contract_request
 xmlns:ce="http://www.origostandards.com/schema/ce/v2"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                        <ce:b_control>
                                <ce:contract_enquiry_reference>CE123456</ce:contract_enquiry_reference>
                        </ce:b_control>
                        <ce:intermediary>
                                <ce:company_name>IFA Company Ltd</ce:company_name>
                                <ce:contact_details>
                                        <ce:name>Mr Fred Smith</ce:name>
                                        <ce:telephone_number>0131 523 4480</ce:telephone_number>
                                </ce:contact_details>
                        </ce:intermediary>
                        <ce:request_scope>
                                <ce:contract_details_required_ind>No</ce:contract_details_required_ind>
                                <ce:valuation_currency>GBP</ce:valuation_currency>
                                <ce:fund_code_type_required>SEDOL</ce:fund_code_type_required>
                                <ce:valuation_request type="Current"></ce:valuation_request>
                                <ce:valuation_request type="Surrender"></ce:valuation_request>
                        </ce:request_scope>
                        <ce:contract>
                                <ce:contract_reference_number>A-284762-01</ce:contract_reference_number>
                        </ce:contract>
                </ce:ce_bond_single_contract_request>
        </soapenv:Body>
</soapenv:Envelope>

Thanks
George


-----Original Message-----
From: George Cowe [mailto:[EMAIL PROTECTED]]
Sent: 27 March 2007 11:29
To: [email protected]
Subject: wss4j without Axis Signature verification problem

Hi 

I have used Axis 1.3 and WSS4J 1.5.1 to create a secure web service running on 
Tomcat. 

The web service requires messages to be signed with an X.509 certificate's 
private key.

When using an Axis 1.3 and WSS4J 1.5.1 client to sign the message everything 
works ok - no interoperability issues.

However, when I attempt to use only the WSS4J 1.5.1 APIs (no Axis) at the client 
side, the signature fails to verify correctly on the server side and produces 
this warning:
WARN org.apache.xml.security.signature.Reference - Verification failed for URI 
"#id-25589390"

Obviously this is something to do with the fact that I'm not using Axis to 
construct the SOAP message at the client!

This is the WSS4J API client code snippet, which starts with a Document 
representing the SOAP Envelope (doc):

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.OutputStream;
import javax.xml.soap.MessageFactory;
import javax.xml.soap.SOAPConnection;
import javax.xml.soap.SOAPMessage;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Document;

    // doc, crypto, connection, targetURL and requestFile come from the surrounding
    // client code; they are taken as parameters here so the snippet compiles on its own
    SOAPMessage signAndSend(Document doc, Crypto crypto, SOAPConnection connection,
                            String targetURL, String requestFile) throws Exception {
        // add ws security header
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.setMustUnderstand(false);
        secHeader.insertSecurityHeader(doc);

        // sign with client private key (keystore alias and password)
        WSSecSignature signer = new WSSecSignature();
        signer.setUserInfo("55ce69717372baf27f2862857a9dd2db_50e417e0-e461-474b-96e2-077b80325612",
                           "george");
        // embed the signing certificate as a BinarySecurityToken and reference it directly
        signer.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
        signer.setSignatureAlgorithm(XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1);
        Document signDoc = signer.build(doc, crypto, secHeader);

        // put signDoc into a SOAPMessage: serialise the signed DOM and re-parse it with SAAJ
        MessageFactory factory = MessageFactory.newInstance();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        XMLUtils.outputDOM(signDoc, out, true);
        // hand SAAJ the UTF-8 bytes exactly as written; out.toString().getBytes()
        // would round-trip them through the platform default charset
        ByteArrayInputStream in = new ByteArrayInputStream(out.toByteArray());
        SOAPMessage outMessage = factory.createMessage(null, in);

        // save the request message to a file
        OutputStream req = new FileOutputStream(new File(requestFile));
        outMessage.writeTo(req);
        req.close();

        // send the message
        SOAPMessage response = connection.call(outMessage, targetURL);
        return response;
    }

I send the same XML message from both clients and save the signed request SOAP 
messages for comparison.
The messages both look similar with the exception of the DigestValue and 
SignatureValue elements and some namespace usage.

Is there a better way to build the SOAPMessage to be sent in the snippet of 
code above which preserves the signed message? It looks like the construction 
of the SOAPMessage is modifying the signed content in some way which prevents 
verification from succeeding.

I've attached two example client SOAP message request files which have been 
signed -
a) dev-axis-wss4j-signed-request.xml - the signed request from the Axis/WSS4J 
client
b) dev-wss4j-signed-request.xml - the signed request from the "WSS4J only" 
client         

Any help would be much appreciated.

Thanks
George
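As an added diagnostic for the problem described above (this is not George's code and not part of WSS4J or Axis): recompute the digest that the server's verifier computes for the referenced Body, both on the DOM returned by signer.build(...) and again after the serialise/re-parse through MessageFactory, and set both beside the DigestValue the signer wrote into ds:SignedInfo. It assumes the Santuario 1.4 Canonicalizer API (canonicalizeSubtree returns byte[]), a SAAJ 1.2+ implementation (SOAPPart is a DOM Document), and that the caller passes the signed Document and the Body's wsu:Id ("id-25589390" in attachment b).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.MessageDigest;
import javax.xml.soap.MessageFactory;
import javax.xml.soap.SOAPMessage;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.utils.Base64;
import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SignedBodyDigestCheck {
    static final String WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String DS_NS = "http://www.w3.org/2000/09/xmldsig#";

    /** Locate the element the ds:Reference points at, by its wsu:Id (e.g. "id-25589390"). */
    static Element findByWsuId(Document doc, String id) {
        NodeList all = doc.getElementsByTagNameNS("*", "*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (id.equals(e.getAttributeNS(WSU_NS, "Id"))) return e;
        }
        throw new IllegalArgumentException("no element with wsu:Id=" + id);
    }

    /** Recompute what the verifier computes: exc-c14n (omit comments, no PrefixList), then SHA-1, Base64. */
    static String referenceDigest(Document doc, String id) throws Exception {
        org.apache.xml.security.Init.init();
        Canonicalizer c14n = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        byte[] canonical = c14n.canonicalizeSubtree(findByWsuId(doc, id)); // Santuario 1.4: returns byte[]
        return Base64.encode(MessageDigest.getInstance("SHA-1").digest(canonical));
    }

    /** The DigestValue the signer wrote into ds:SignedInfo for the first ds:Reference. */
    static String declaredDigest(Document doc) {
        return doc.getElementsByTagNameNS(DS_NS, "DigestValue").item(0).getTextContent().trim();
    }

    /** Digest the signed Body before and after the serialise/re-parse step from the question. */
    static String[] compareAcrossRoundTrip(Document signDoc, String bodyId) throws Exception {
        String before = referenceDigest(signDoc, bodyId);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        XMLUtils.outputDOM(signDoc, out, true);
        SOAPMessage msg = MessageFactory.newInstance()
            .createMessage(null, new ByteArrayInputStream(out.toByteArray()));
        String after = referenceDigest(msg.getSOAPPart(), bodyId); // SOAPPart is a DOM Document in SAAJ 1.2+
        return new String[] { declaredDigest(signDoc), before, after };
    }
}
```

If the declared value matches "before" but not "after", the SAAJ re-parse altered the signed Body (whitespace or namespace nodes that exclusive C14N still sees); if "before" already differs, the content changed between signing and the digest check, so the SOAPMessage construction is not the cause.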
