Hi Nitin,

> also I had to make certain changes to
> make it work through configuration.

Can you let me know if the update I made in WSS-180 on trunk:

https://issues.apache.org/jira/browse/WSS-180

lets you do symmetric signature/encryption via configuration as well?

Thanks,

Colm.

-----Original Message-----
From: Nitin Handa (JIRA) [mailto:[email protected]]
Sent: 29 April 2009 18:33
To: [email protected]
Subject: [jira] Commented: (WSS-178) signature verification failure of signed saml token due to The Reference for URI (bst-saml-uri) has no XMLSignatureInput

    [ https://issues.apache.org/jira/browse/WSS-178?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704216#action_12704216 ]

Nitin Handa commented on WSS-178:
---------------------------------

Hi Colm,

I will try that fix and will let you know.

Apart from this, I am able to make signature and encryption work using a symmetric key using your fixes, and I also had to make certain changes to make it work through configuration.

I encountered 2 more minor issues that should be fixed in wss4j. I am going to file JIRAs for them:

1) xml generated by encryption using a symmetric key is invalid as the xenc prefix used in ReferenceList was not declared anywhere - I fixed it locally.

2) whenever there is a default namespace added in an element after signing then wss4j is unable to verify it, although it should be OK as unused namespaces can be ignored when using exclusive canonicalization. So wss4j should have ignored those default namespaces added while canonicalizing the signed element.
Thanks
Nitin

> signature verification failure of signed saml token due to The Reference for URI (bst-saml-uri) has no XMLSignatureInput
> ------------------------------------------------------------------------------------------------------------------------
>
>                 Key: WSS-178
>                 URL: https://issues.apache.org/jira/browse/WSS-178
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.5.7
>         Environment: Windows XP + tomcat 6x + axis 1.4 + wss4j 1.5.6
>            Reporter: Nitin Handa
>            Assignee: Colm O hEigeartaigh
>            Priority: Blocker
>             Fix For: 1.5.8, 1.6
>
>         Attachments: wss4j.log
>
>
> While doing interop testing with owsm, I am hitting a wss4j bug which is hindering me in completing testing.
> OWSM is sending a saml token signed with signed & encrypted body. The SAML token is referred from the BST using a KeyIdentifier, and the saml token is signed.
> At the wss4j end, signature verification is failing as the wss4j WsDoAllReceiver is not able to find the reference of the saml token.
> <?xml version = '1.0' encoding = 'UTF-8'?>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> <soapenv:Body>
> <soapenv:Fault>
> <faultcode>soapenv:Server.generalException</faultcode>
> <faultstring>WSDoAllReceiver: security processing failed; nested exception is:
> org.apache.ws.security.WSSecurityException: The signature or decryption was invalid; nested exception is:
> org.apache.xml.security.signature.XMLSignatureException: The Reference for URI #STR-SAML-t5dWJC9BpFXwp4OjA86KMw22 has no XMLSignatureInput
> Original Exception was org.apache.xml.security.signature.MissingResourceFailureException: The Reference for URI #STR-SAML-t5dWJC9BpFXwp4OjA86KMw22 has no XMLSignatureInput
> Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: No message with ID "WS Security Exception" found in resource bundle "org/apache/xml/security/resource/xmlsecurity". Original Exception was a org.apache.ws.security.WSSecurityException and message An error was discovered processing the <wsse:Security> header (Reference URI is null)
> Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: No message with ID "WS Security Exception" found in resource bundle "org/apache/xml/security/resource/xmlsecurity". Original Exception was a org.apache.ws.security.WSSecurityException and message An error was discovered processing the <wsse:Security> header (Reference URI is null)
> Original Exception was org.apache.xml.security.signature.XMLSignatureException: No message with ID "WS Security Exception" found in resource bundle "org/apache/xml/security/resource/xmlsecurity". Original Exception was a org.apache.ws.security.WSSecurityException and message An error was discovered processing the <wsse:Security> header (Reference URI is null)
> Original Exception was org.apache.xml.security.transforms.TransformationException: No message with ID "WS Security Exception" found in resource bundle "org/apache/xml/security/resource/xmlsecurity". Original Exception was a org.apache.ws.security.WSSecurityException and message An error was discovered processing the <wsse:Security> header (Reference URI is null)
> Original Exception was org.apache.xml.security.c14n.CanonicalizationException: No message with ID "WS Security Exception" found in resource bundle "org/apache/xml/security/resource/xmlsecurity". Original Exception was a org.apache.ws.security.WSSecurityException and message An error was discovered processing the <wsse:Security> header (Reference URI is null)
> Original Exception was org.apache.ws.security.WSSecurityException: An error was discovered processing the <wsse:Security> header (Reference URI is null)</faultstring>
> <detail>
> <ns1:hostname xmlns:ns1="http://xml.apache.org/axis/">nihanda-pc</ns1:hostname>
> </detail>
> </soapenv:Fault>
> </soapenv:Body>
> </soapenv:Envelope>
> SOAP Message that is received by wss4j is (i.e. sent from owsm):-
> <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns0="http://stock.samples" xmlns:ns1="http://127.0.0.1:8080/axis/services/urn:xmltoday-delayed-quotes"><env:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1"><wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="BST-Upx5ivaWcOwLOBmjTbOkDg22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIICXTCCAcagAwIBAgIESfBXtTANBgkqhkiG9w0BAQUFADBzMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEXMBUGA1UEBxMOUmVkd29vZCBTaG9yZXMxEzARBgNVBAoTCk9yYWNsZSBJbmMxDjAMBgNVBAsTBVNvYVFhMREwDwYDVQQDEwh3ZWJsb2dpYzAeFw0wOTA0MjMxMTU3NDFaFw0wOTA3MjIxMTU3NDFaMHMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRcwFQYDVQQHEw5SZWR3b29kIFNob3JlczETMBEGA1UEChMKT3JhY2xlIEluYzEOMAwGA1UECxMFU29hUWExETAPBgNVBAMTCHdlYmxvZ2ljMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKYApBX9X5rkfJhbYrRKfoXZn0ndi8B+DPY598yaoHAuQweEWNbFJ+hkoUgx9loTrvyNdoczPOu+ktjmzI4wR7LUGDUO1iKVZom9Cpzl+NT3CIGL4I2GU31fxuQkrfx6Qba8dLNtOVGqk1fBSDPV9Y1rMbfGljwe/TGA1lVh+HiQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAEdRfHCehtVMMF/LdA8rJMm9lnofA8Z4sRamdxnRjVzIz4owWKBvslAHlR6FG3/3Ue+iuoQALSNHaeRrPOb/plWyU+yNZZjJ3q9qrPqrQSmBZjomwRsjZskOjnm+9eelfpxqm5+/8im3Pgzb3insPQq+N6BcQP9uiPv3fL/BDuIL</wsse:BinarySecurityToken><xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/></xenc:EncryptionMethod><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#BST-Upx5ivaWcOwLOBmjTbOkDg22"/></wsse:SecurityTokenReference></dsig:KeyInfo><xenc:CipherData><xenc:CipherValue xmlns:xmime="http://www.w3.org/2005/05/xmlmime" xmime:contentType="application/octet-stream">XTrrhXY7BdieWf1Q72nGVx7DkuTjf0sSW9ls76snQTBHS19i7dAh3d3IRM5APCGnuVy7FgiqUIiG
> Zjcfgf+yBC0pRpFOTAJicqYiSjviHIICWSJhNTaJNmUNeMfpiM+q2T0uOoFNh5GmI3/Z0pbdt9oy
> s4I7cYhqHHdBVNo8e9I=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#_10E1CqVVROnD2w8SWvT5ew22"/></xenc:ReferenceList></xenc:EncryptedKey><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI="#Timestamp-O11YJRXoOgF1kGei120b6w22"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>BKxsCSZfUq1RWr6Y9PU8Rr/Vs/g=</dsig:DigestValue></dsig:Reference><dsig:Reference URI="#STR-SAML-t5dWJC9BpFXwp4OjA86KMw22"><dsig:Transforms><dsig:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"><wsse:TransformationParameters xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></wsse:TransformationParameters></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>faishbjLkuXbNz9Jx9Nxo8Monk4=</dsig:DigestValue></dsig:Reference><dsig:Reference URI="#Body-LnMti7MrAJ3hLRqqWoN0Mg22"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>/X73mkutNvEF10D8lIDutYGoisA=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>YKNB+6O3FJjWCj2fqDkvfVJXlJkRo0XcoMO5PHqyoCdKCs81cmKXlcUcg8cn+rwwMg29ysfkPg+Wgv2d3CwyA7Fhd+6kC1099ZqEtB/ptnIR/RxoZL+2RXVholPz+Z7niGQM38YZlmdsoqgEyzbDH0u71GWYL6HFUfRAAcZRfb4=</dsig:SignatureValue><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="KeyInfo-vJF2TIW0vRU50vjXKuQuuw22"><wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#BST-aiNal7jotn6Hmf9xN2JQhA22" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference></dsig:KeyInfo></dsig:Signature><wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" wsu:Id="STR-SAML-t5dWJC9BpFXwp4OjA86KMw22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:KeyIdentifier xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">SAML-Q1uTD1fnXqIpGqOFv7BMXQ22</wsse:KeyIdentifier></wsse:SecurityTokenReference><wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-O11YJRXoOgF1kGei120b6w22"><wsu:Created ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-26T16:37:19Z</wsu:Created><wsu:Expires ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-26T16:42:19Z</wsu:Expires></wsu:Timestamp><wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="BST-aiNal7jotn6Hmf9xN2JQhA22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIICXTCCAcagAwIBAgIESfBXtTANBgkqhkiG9w0BAQUFADBzMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEXMBUGA1UEBxMOUmVkd29vZCBTaG9yZXMxEzARBgNVBAoTCk9yYWNsZSBJbmMxDjAMBgNVBAsTBVNvYVFhMREwDwYDVQQDEwh3ZWJsb2dpYzAeFw0wOTA0MjMxMTU3NDFaFw0wOTA3MjIxMTU3NDFaMHMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRcwFQYDVQQHEw5SZWR3b29kIFNob3JlczETMBEGA1UEChMKT3JhY2xlIEluYzEOMAwGA1UECxMFU29hUWExETAPBgNVBAMTCHdlYmxvZ2ljMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKYApBX9X5rkfJhbYrRKfoXZn0ndi8B+DPY598yaoHAuQweEWNbFJ+hkoUgx9loTrvyNdoczPOu+ktjmzI4wR7LUGDUO1iKVZom9Cpzl+NT3CIGL4I2GU31fxuQkrfx6Qba8dLNtOVGqk1fBSDPV9Y1rMbfGljwe/TGA1lVh+HiQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAEdRfHCehtVMMF/LdA8rJMm9lnofA8Z4sRamdxnRjVzIz4owWKBvslAHlR6FG3/3Ue+iuoQALSNHaeRrPOb/plWyU+yNZZjJ3q9qrPqrQSmBZjomwRsjZskOjnm+9eelfpxqm5+/8im3Pgzb3insPQq+N6BcQP9uiPv3fL/BDuIL</wsse:BinarySecurityToken><saml:Assertion MajorVersion="1" MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="SAML-Q1uTD1fnXqIpGqOFv7BMXQ22" IssueInstant="2009-04-26T16:37:19Z" Issuer="www.oracle.com"><saml:Conditions NotBefore="2009-04-26T16:37:19Z" NotOnOrAfter="2009-04-26T16:42:19Z"/><saml:AuthenticationStatement AuthenticationInstant="2009-04-26T16:37:19Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><saml:Subject><saml:NameIdentifier Format="UNSPECIFIED">wss4j</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion></wsse:Security></env:Header><env:Body wsu:Id="Body-LnMti7MrAJ3hLRqqWoN0Mg22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content" Id="_10E1CqVVROnD2w8SWvT5ew22"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><xenc:CipherData><xenc:CipherValue xmlns:xmime="http://www.w3.org/2005/05/xmlmime" xmime:contentType="application/octet-stream">19sJqHGIJkmZDXTwkBs0uZLQQghPZwQBp/zGnGsveJfoZTtgSX0rdw0MbCOO4eaWnAQkM6p3SSEi
> ugtmvtLqPA5Q3rGWOEifij+WBnZ0tmTeunN6aEUJ7EdplJHv65URyBcfjGPHFLaWt5bRaJefeccf
> 2sX45d7pZSKzAjC8+Or3o8QpH1sWpc0XPdM18KIwHNigsZhbnTqiftTsPjuDz+GiRVtB1+niMAz5
> SkK86dtki1ThwnWEbMZBmlVC7fJrTT+knjH7FfdLBG5I7K/Wd9R2Tc5IngJ0Ru2GXD/a8kz4m2j8
> y/5RemSNl1uXch+8LAZCzx8aF4JuJbp2rSK9/0aQMer0kPF1cCju1GSBmiV6aV1rSwUK1GA2uSa/
> 5wp3vWZXvEb58jHr+ib/bfSbFxpzQMAKzKF44eJfG6NPnfQ0znBAa7gl7dfNzoE7OqzcL/kuIQH7
> rAHALuVZ17/Up5roTjpVA7YE8CBK2DSD4c0sbfkM3MGzCFx+NCK//nuyPVaQEgcNq/W5WpjUFg+B
> C9Gvc5NDchMG2BADKMoS5N8MRRdkGkk6KbH1e+rirT8HQsqFvPwyHDOHNfBdCiaLJsMb1lkFxcFa
> 3f/C35RcxWK6QtwH7LLtmNMJS8Ryf/ijBcFnx/ous+jGKVx7IriNrCuz/pS4XS1RCaDCGHcH6v4=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></env:Body></env:Envelope>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
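The step the stack trace above trips over is the STR-Transform: the `<dsig:Reference URI="#STR-SAML-...">` does not digest the `wsse:SecurityTokenReference` itself but the token it points at, so the verifier has to follow the `wsse:KeyIdentifier` (ValueType SAMLAssertionID) to the `saml:Assertion` with the matching `AssertionID`, canonicalize that assertion and digest it. The following is an added example, not WSS4J code or anything Colm or Nitin posted. It assumes a constructed, much-reduced header with made-up Ids (`STR-SAML-1`, `SAML-1`, `example.invalid`), handles only SAMLAssertionID KeyIdentifiers, digests with SHA-256 where the message on the page uses SHA-1, and uses the standard library's `canonicalize()` (C14N 2.0) as a stand-in for `xml-exc-c14n#`; like Exclusive C14N it emits only namespace declarations that are actually used in the subtree, which is why the unused default namespace added after signing in Nitin's second point leaves the digest unchanged. The signature over SignedInfo, which follows the digest check in a real verifier, is out of scope here.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET
from xml.etree.ElementTree import canonicalize

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML_ID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"

# Keep the signer's prefixes when a subtree is re-serialized before canonicalization.
for _prefix, _uri in (("wsse", WSSE), ("wsu", WSU), ("saml", SAML)):
    ET.register_namespace(_prefix, _uri)

# Constructed sample header (Ids and issuer are made up): the STR and the assertion it names.
SIGNED_HEADER = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:saml="{SAML}">
  <wsse:SecurityTokenReference wsu:Id="STR-SAML-1">
    <wsse:KeyIdentifier ValueType="{SAML_ID}">SAML-1</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="SAML-1" Issuer="example.invalid">
    <saml:AuthenticationStatement>
      <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</wsse:Security>"""

# As received after an intermediary added an unused default namespace declaration
# (Nitin's second point): must still verify.
RECEIVED_HEADER = SIGNED_HEADER.replace(
    "<saml:Assertion ", '<saml:Assertion xmlns="urn:example:added-after-signing" ', 1)
# Asserted subject changed in transit: must fail.
TAMPERED_HEADER = SIGNED_HEADER.replace("alice", "mallory", 1)
# KeyIdentifier names an assertion that is not in the header: must fail closed with a
# clear reason rather than a bare "has no XMLSignatureInput".
DANGLING_HEADER = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <wsse:SecurityTokenReference wsu:Id="STR-SAML-1">
    <wsse:KeyIdentifier ValueType="{SAML_ID}">SAML-1</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
</wsse:Security>"""


def parse_security(xml_text: str) -> ET.Element:
    return ET.fromstring(xml_text)


def dereference_str(security: ET.Element, str_id: str) -> ET.Element:
    """STR-Dereference: resolve the wsse:SecurityTokenReference with wsu:Id == str_id to the
    token it identifies. Zero or several candidates at either hop is an error, never a guess."""
    strs = [e for e in security.iter(f"{{{WSSE}}}SecurityTokenReference")
            if e.get(f"{{{WSU}}}Id") == str_id]
    if len(strs) != 1:
        raise ValueError(f"expected one STR with wsu:Id {str_id!r}, found {len(strs)}")
    kid = strs[0].find(f"{{{WSSE}}}KeyIdentifier")
    if kid is None or kid.get("ValueType") != SAML_ID:
        raise ValueError("STR does not carry a SAMLAssertionID KeyIdentifier")
    wanted = (kid.text or "").strip()
    tokens = [a for a in security.iter(f"{{{SAML}}}Assertion") if a.get("AssertionID") == wanted]
    if len(tokens) != 1:
        raise ValueError(f"expected one saml:Assertion with AssertionID {wanted!r}, found {len(tokens)}")
    return tokens[0]


def canonical_bytes(elem: ET.Element) -> bytes:
    """Canonical form of one subtree via C14N 2.0 (stand-in for xml-exc-c14n#). Both the
    ElementTree re-serialization and canonicalize() emit only namespace declarations used
    inside the subtree, so an unused xmlns added after signing does not reach the digest."""
    node = copy.deepcopy(elem)
    node.tail = None  # whitespace after the element belongs to the parent, not the token
    return canonicalize(ET.tostring(node, encoding="unicode")).encode("utf-8")


def digest_str_reference(security: ET.Element, str_id: str) -> str:
    """Hex digest of the dereferenced token (SHA-256 here; the page's message uses SHA-1)."""
    return hashlib.sha256(canonical_bytes(dereference_str(security, str_id))).hexdigest()


def verify_str_reference(security: ET.Element, str_id: str, expected_hex: str) -> bool:
    """True only if the STR resolves to exactly one token whose canonical digest matches."""
    try:
        actual = digest_str_reference(security, str_id)
    except ValueError:
        return False
    return hmac.compare_digest(actual, expected_hex)


if __name__ == "__main__":
    expected = digest_str_reference(parse_security(SIGNED_HEADER), "STR-SAML-1")
    for label, header in (("unused xmlns added after signing", RECEIVED_HEADER),
                          ("assertion content changed", TAMPERED_HEADER),
                          ("referenced assertion missing", DANGLING_HEADER)):
        ok = verify_str_reference(parse_security(header), "STR-SAML-1", expected)
        print(f"{label:34s} -> {ok}")
```

Two design points worth keeping when porting this to a real verifier: the dereference refuses to continue unless exactly one STR and exactly one assertion match, because an Id or AssertionID that resolves to several nodes is how signature-wrapping works, and the failure is reported as a distinct reason (missing token, wrong token type, digest mismatch) so that an interop problem like WSS-178 shows up in the logs as "referenced assertion not found" instead of a chain of resource-bundle exceptions.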
