[jira] Updated: (WSS-198) Problem when body is signed and then an XPath is encrypted

Tue, 16 Jun 2009 01:30:41 -0700 

     [ 
https://issues.apache.org/jira/browse/WSS-198?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dobri Kitipov updated WSS-198:
------------------------------

    Description: 
Hi everybody,
there is a problem when when a message body is signed and then an XPath 
expression pointing to a body element is encrypted.
The problem is that the verification of the signature cannot pass. This is 
caused by the fact that there is a difference between the signed body and the 
body used for signature verification. The body used for signature verification 
is modified because after XPath element decryption an ID is added to the 
element. This ID is used to verify the decryption, but changes the original 
body. 

I am doing the tests with :

Rampart from the trunk with WSS4J 1.5.7.

Exception thrown is:

[WARN] Verification failed for URI "#Id-11235685"
[WARN] Expected Digest: o0jyc1pJHEawRaLNry+cnYeCc80=
[WARN] Actual Digest: VMEF6KgvE6t3PNLlYR49LGEW+xM=
[ERROR] The signature or decryption was invalid
org.apache.axis2.AxisFault: The signature or decryption was invalid
        at 
org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:172)
        at 
org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95)
        at org.apache.axis2.engine.Phase.invoke(Phase.java:317)
        at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:264)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:163)
        at 
org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:275)
        at 
org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:133)
        at 
com.mycompany.deployment.server.SAGAdminServlet.doPost(SAGAdminServlet.java:30)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
        at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at 
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
        at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
        at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
        at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
        at 
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
        at 
org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
        at 
org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
        at 
org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at 
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
        at java.lang.Thread.run(Thread.java:595)
Caused by: org.apache.ws.security.WSSecurityException: The signature or 
decryption was invalid
        at 
org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:527)
        at 
org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
        at 
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
        at 
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
        at org.apache.rampart.RampartEngine.process(RampartEngine.java:151)
        at 
org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
        ... 22 more

I will try to apply a patch tomorrow.

Any comments and ideas are appreciated.

Regards,
Dobri



  was:
Hi everybody,
there is a problem when when a message body is signed and then an XPath 
expression pointing to a body element is encrypted.
The problem is that the verification of the signature cannot pass. This is 
caused by the fact that there is a difference between the signed body and the 
body used for signature verification. The body used for signature verification 
is modified because after XPath element decryption an ID is added to the 
element. This ID is used to verify the decryption, but changes the original 
body. 

I am doing the tests with :

Rampart from the trunk with WSS4J 1.5.7.

Exception thrown is:

[WARN] Verification failed for URI "#Id-11235685"
[WARN] Expected Digest: o0jyc1pJHEawRaLNry+cnYeCc80=
[WARN] Actual Digest: VMEF6KgvE6t3PNLlYR49LGEW+xM=
[ERROR] The signature or decryption was invalid
org.apache.axis2.AxisFault: The signature or decryption was invalid
        at 
org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:172)
        at 
org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95)
        at org.apache.axis2.engine.Phase.invoke(Phase.java:317)
        at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:264)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:163)
        at 
org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:275)
        at 
org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:133)
        at 
com.softwareag.wsstack.deployment.server.SAGAdminServlet.doPost(SAGAdminServlet.java:30)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
        at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at 
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
        at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
        at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
        at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
        at 
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
        at 
org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
        at 
org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
        at 
org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at 
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
        at java.lang.Thread.run(Thread.java:595)
Caused by: org.apache.ws.security.WSSecurityException: The signature or 
decryption was invalid
        at 
org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:527)
        at 
org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
        at 
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
        at 
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
        at org.apache.rampart.RampartEngine.process(RampartEngine.java:151)
        at 
org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
        ... 22 more

I will try to apply a patch tomorrow.

Any comments and ideas are appreciated.

Regards,
Dobri




> Problem when body is signed and then an XPath is encrypted
> ----------------------------------------------------------
>
>                 Key: WSS-198
>                 URL: https://issues.apache.org/jira/browse/WSS-198
>             Project: WSS4J
>          Issue Type: Bug
>    Affects Versions: 1.5.7
>            Reporter: Dobri Kitipov
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.5.8
>
>         Attachments: send_to_server_side_before_encryption.xml, 
> signed_doc_after_decryption.xml
>
>
> Hi everybody,
> there is a problem when when a message body is signed and then an XPath 
> expression pointing to a body element is encrypted.
> The problem is that the verification of the signature cannot pass. This is 
> caused by the fact that there is a difference between the signed body and the 
> body used for signature verification. The body used for signature 
> verification is modified because after XPath element decryption an ID is 
> added to the element. This ID is used to verify the decryption, but changes 
> the original body. 
> I am doing the tests with :
> Rampart from the trunk with WSS4J 1.5.7.
> Exception thrown is:
> [WARN] Verification failed for URI "#Id-11235685"
> [WARN] Expected Digest: o0jyc1pJHEawRaLNry+cnYeCc80=
> [WARN] Actual Digest: VMEF6KgvE6t3PNLlYR49LGEW+xM=
> [ERROR] The signature or decryption was invalid
> org.apache.axis2.AxisFault: The signature or decryption was invalid
>       at 
> org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:172)
>       at 
> org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95)
>       at org.apache.axis2.engine.Phase.invoke(Phase.java:317)
>       at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:264)
>       at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:163)
>       at 
> org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:275)
>       at 
> org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:133)
>       at 
> com.mycompany.deployment.server.SAGAdminServlet.doPost(SAGAdminServlet.java:30)
>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
>       at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
>       at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>       at 
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
>       at 
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
>       at 
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>       at 
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
>       at 
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
>       at 
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
>       at 
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
>       at 
> org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
>       at 
> org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
>       at 
> org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
>       at 
> org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
>       at java.lang.Thread.run(Thread.java:595)
> Caused by: org.apache.ws.security.WSSecurityException: The signature or 
> decryption was invalid
>       at 
> org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:527)
>       at 
> org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
>       at 
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
>       at 
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
>       at org.apache.rampart.RampartEngine.process(RampartEngine.java:151)
>       at 
> org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
>       ... 22 more
> I will try to apply a patch tomorrow.
> Any comments and ideas are appreciated.
> Regards,
> Dobri

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to