List: jaxme-dev
Subject: [jira] [Created] (WSS-609) WS-Security Canonicalization with InclusiveNamespace
From: "Andrew Harris (JIRA)" <jira@apache.org>
Date: 2017-07-01 7:55:01
Message-ID: JIRA.13083984.1498895695000.152079.1498895701457@Atlassian.JIRA
Andrew Harris created WSS-609:
---------------------------------
Summary: WS-Security Canonicalization with InclusiveNamespace
Key: WSS-609
URL: https://issues.apache.org/jira/browse/WSS-609
Project: WSS4J
Issue Type: Bug
Components: WSS4J Core
Affects Versions: 2.1.9
Environment: Windows, JDK 1.8
Reporter: Andrew Harris
Assignee: Colm O hEigeartaigh
I have a SOAP WebService I need to call to get a SAML token. I am using javax.xml.soap.SOAPMessage to construct the message and WSS4J to sign it.
The WebService requires that I sign the envelope using Exclusive Canonicalization Omitting Comments (http://www.w3.org/2001/10/xml-exc-c14n#).
This side of things is fine and I've got the message constructed, but when I send it I am getting the message "An error occurred when verifying security for the message.", which the service provider says is because it can't verify the signature.
The problem, I think, is that it wants canonicalization done including namespace prefixes.
So I have set setAddInclusivePrefixes(true), but the PrefixList is missing some of the namespaces. Is this likely an issue? If not, any ideas what the issue could be?
Here is my code:
    // Imports the method below needs (WSS4J 2.1.x package layout).
    import java.security.PrivateKey;
    import java.security.cert.X509Certificate;
    import java.util.logging.Level;
    import java.util.logging.Logger;
    import javax.xml.soap.SOAPException;
    import javax.xml.soap.SOAPMessage;
    import org.apache.wss4j.common.WSEncryptionPart;
    import org.apache.wss4j.common.crypto.Merlin;
    import org.apache.wss4j.common.ext.WSSecurityException;
    import org.apache.wss4j.dom.WSConstants;
    import org.apache.wss4j.dom.engine.WSSConfig;
    import org.apache.wss4j.dom.message.WSSecHeader;
    import org.apache.wss4j.dom.message.WSSecSignature;
    import org.apache.wss4j.dom.message.WSSecTimestamp;
    import org.w3c.dom.Document;

    // getCrypto(...) and Utils.printDocument(...) are the reporter's own helpers and are not shown.
    static void signSoapMessage(SOAPMessage soapMessage, PrivateKey privateKey,
            String password, byte[] salt, X509Certificate[] certChain) {
        try {
            WSSConfig.init();
            //setSecurityHeader(soapMessage);
            Merlin crypto = getCrypto(privateKey, password, salt, certChain);
            Document unsignedDocument = soapMessage.getSOAPPart().getEnvelope().getOwnerDocument();
            WSSecHeader secHeader = new WSSecHeader(unsignedDocument);
            secHeader.insertSecurityHeader();

            // wsu:Timestamp with a 600 s lifetime; it is signed below through its wsu:Id
            WSSecTimestamp timestamp = new WSSecTimestamp();
            timestamp.setPrecisionInMilliSeconds(false);
            timestamp.setTimeToLive(600);
            timestamp.build(unsignedDocument, secHeader);

            // Setup the signer: RSA-SHA256 over exclusive c14n (omit comments),
            // SHA-1 digests, certificate carried as a BinarySecurityToken,
            // InclusiveNamespaces PrefixList added to every c14n transform
            WSSecSignature signer = new WSSecSignature();
            signer.setUserInfo("signingCert", password);
            signer.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
            signer.setDigestAlgo(WSConstants.SHA1);
            signer.setSigCanonicalization(WSConstants.C14N_EXCL_OMIT_COMMENTS);
            signer.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
            signer.setAddInclusivePrefixes(true);
            // Parts to sign: the timestamp and the wsa:To header (wsu:Id="_5002")
            signer.getParts().add(new WSEncryptionPart(timestamp.getId()));
            signer.getParts().add(new WSEncryptionPart("_5002"));
            Logger.getLogger(Logger.GLOBAL_LOGGER_NAME).log(Level.INFO, "Before Signing....");
            signer.build(unsignedDocument, crypto, secHeader);
            Utils.printDocument(unsignedDocument);
            Logger.getLogger(Logger.GLOBAL_LOGGER_NAME).log(Level.INFO, "After Signing....");
        } catch (WSSecurityException | SOAPException ex) {
            Logger.getGlobal().log(Level.SEVERE, null, ex);
        }
    }
This is what I am generating, which doesn't work:
    <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:xs="http://www.w3.org/2001/XMLSchema">
      <env:Header>
        <wsse:Security env:mustUnderstand="true">
          <wsse:BinarySecurityToken
              EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
              ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
              wsu:Id="X509-0149eec5-9c99-49a2-8b55-ee59a29f0987">***</wsse:BinarySecurityToken>
          <ds:Signature Id="SIG-9a0b5c9d-34c0-4619-9194-ece1a0b7fc47">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
              </ds:CanonicalizationMethod>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
              <ds:Reference URI="#TS-31668f8c-735e-4054-a13f-8078323ac14a">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse env"/>
                  </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>w+NfHbxUP7ccyBtOtGJ/Q1MFmgA=</ds:DigestValue>
              </ds:Reference>
              <ds:Reference URI="#_5002">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
                  </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>LiNgJUCK0GyrUZ3BpbdlRbVKnfo=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>nQGcsMQZCqnzvJaFXuxtJi7lYUgPBysn8nfKkiPodnsIwgdzVo3oj0+aBmdXlUrvvw6v7gIU+bD/GsrcUIrCzpgunGWXOtadUKzjQBCRGm2XYZRpmsNw0OlT3ZyIy0klUxAc2uRZEA+nPK8rmH+IKmYIuKng1hs4/RLdPTJAQcM=</ds:SignatureValue>
            <ds:KeyInfo Id="KI-a30dfd33-f712-4a8e-af11-af2298fddd31">
              <wsse:SecurityTokenReference wsu:Id="STR-01bb06a4-d365-42ee-bb17-4ab51cca6e44">
                <wsse:Reference URI="#X509-0149eec5-9c99-49a2-8b55-ee59a29f0987"
                    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
          </ds:Signature>
          <wsu:Timestamp wsu:Id="TS-31668f8c-735e-4054-a13f-8078323ac14a">
            <wsu:Created>2017-07-01T01:39:58Z</wsu:Created>
            <wsu:Expires>2017-07-01T01:49:58Z</wsu:Expires>
          </wsu:Timestamp>
        </wsse:Security>
        <To xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5002">https://host/service.svc</To>
        <Action xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action>
        <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
          <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
        </ReplyTo>
        <MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:e3079f05-ffb2-4dcf-835d-b965ba7e4202</MessageID>
      </env:Header>
      <env:Body>
        <RequestSecurityToken xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">Data goes here</RequestSecurityToken>
      </env:Body>
    </env:Envelope>
This is an envelope that works:
    <S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"
        xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#">
      <S:Header>
        <To xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5002">https://host/service.svc </To>
        <Action xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
        </Action>
        <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
          <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
        </ReplyTo>
        <MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:c3b514af-d630-48aa-861e-77902a4ab16a
        </MessageID>
        <wsse:Security S:mustUnderstand="true">
          <wsu:Timestamp xmlns:ns18="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
              xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
              xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/"
              wsu:Id="_1">
            <wsu:Created>2017-06-29T21:34:33Z</wsu:Created>
            <wsu:Expires>2017-06-29T21:39:33Z</wsu:Expires>
          </wsu:Timestamp>
          <wsse:BinarySecurityToken xmlns:ns18="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
              xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
              xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/"
              ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
              EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
              wsu:Id="uuid_14d363bc-1193-4710-8729-2674605387d6">***
          </wsse:BinarySecurityToken>
          <ds:Signature xmlns:ns18="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
              xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
              xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/" Id="_2">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <exc14n:InclusiveNamespaces PrefixList="wsse S" />
              </ds:CanonicalizationMethod>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
              <ds:Reference URI="#_1">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <exc14n:InclusiveNamespaces PrefixList="wsu wsse S" />
                  </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>nQeNC2NVtR9ChmXfaDKppoVAsu4=</ds:DigestValue>
              </ds:Reference>
              <ds:Reference URI="#_5002">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <exc14n:InclusiveNamespaces PrefixList="S" />
                  </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>AAvvtxJCqfB68LHnM0xeXCYd4J8=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>SAt3BmSXHU2w6fN5xREtXEHI/tZwp9M3dHFbRmMhgJZPPx4b+jZngndep7XsYuXJ3fNggFH082WVhN0CuqV1DknAMq/dUF7k12dj+z+eAeAwrBS25EflyzLgcTa75ZQn9IFNCfd2X5I9PPOrQoQBQwNf14hV8BThReQn2qa0wrA=</ds:SignatureValue>
            <ds:KeyInfo>
              <wsse:SecurityTokenReference>
                <wsse:Reference URI="#uuid_14d363bc-1193-4710-8729-2674605387d6"
                    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
          </ds:Signature>
        </wsse:Security>
      </S:Header>
      <S:Body>
        <RequestSecurityToken xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
            xmlns:ns2="http://vanguard.business.gov.au/2009/02"
            xmlns:ns3="http://schemas.microsoft.com/2003/10/Serialization/"></RequestSecurityToken>
      </S:Body>
    </S:Envelope>
I notice that the Reference for the "To" element in mine is missing the "wsu" namespace in the PrefixList.
Working:
    <exc14n:InclusiveNamespaces PrefixList="wsu wsse S" />
Mine:
    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse env"/>
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
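The question in this issue turns on what an exc-c14n Transform with an InclusiveNamespaces PrefixList actually does to the bytes that get digested. The following is an added example, not code from the issue, from WSS4J or from Apache Santuario: a small pure-Python exclusive canonicalizer (xml.dom.minidom only) that implements the namespace-declaration rule of the exc-c14n specification and runs it over a constructed envelope modelled on the two posted above, with PrefixLists matching the two ds:Reference URI="#_5002" transforms. The function names, WSU_NS, the element ids and the sample envelope are the example's own assumptions.

```python
"""Exclusive XML Canonicalization (xml-exc-c14n#) of a signed subtree.

Added example, not WSS4J or Santuario code. Namespace rule of the spec: an element
emits an xmlns declaration only for a prefix that it or one of its attributes
visibly uses, or that is named in the InclusiveNamespaces PrefixList, and only if
no output ancestor already rendered that prefix with the same URI. Comments are
dropped (the omit-comments variant the issue uses); text is escaped as c14n requires.
"""
from xml.dom import minidom, XMLNS_NAMESPACE

WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"


def in_scope_namespaces(element):
    """prefix -> URI for every xmlns declaration in scope at element ('' = default)."""
    chain, node = [], element
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        chain.append(node)
        node = node.parentNode
    scope = {}
    for el in reversed(chain):  # root first, so inner declarations shadow outer ones
        for attr in el.attributes.values():
            if attr.namespaceURI == XMLNS_NAMESPACE:
                scope["" if attr.name == "xmlns" else attr.localName] = attr.value
    return scope


def _escape(text, in_attribute):
    text = text.replace("&", "&amp;").replace("<", "&lt;").replace("\r", "&#xD;")
    if in_attribute:
        return text.replace('"', "&quot;").replace("\t", "&#x9;").replace("\n", "&#xA;")
    return text.replace(">", "&gt;")


def exclusive_c14n(element, inclusive_prefixes=(), rendered=None):
    """Exclusive canonical form of element and its subtree. inclusive_prefixes are the
    PrefixList tokens ('#default' = default namespace); rendered is the {prefix: uri}
    set already emitted by output ancestors (empty at the apex of the reference)."""
    rendered = dict(rendered or {})
    scope = in_scope_namespaces(element)
    used = {element.prefix or ""}  # the element's own prefix is visibly utilized
    attrs = []
    for attr in element.attributes.values():
        if attr.namespaceURI == XMLNS_NAMESPACE:
            continue  # declarations are re-derived below, never copied through
        attrs.append(attr)
        if attr.prefix:  # unprefixed attributes do not use the default namespace
            used.add(attr.prefix)
    used.update("" if p == "#default" else p for p in inclusive_prefixes)
    decls = []
    for prefix in sorted(used):  # c14n orders namespace nodes by prefix, default first
        uri = scope.get(prefix)
        if uri is None:
            if prefix:
                continue  # in the PrefixList but not in scope here: nothing to emit
            uri = ""  # no default namespace in scope
        if prefix == "" and uri == "" and not rendered.get(""):
            continue  # nothing to undeclare
        if rendered.get(prefix) == uri:
            continue  # an output ancestor already rendered exactly this binding
        rendered[prefix] = uri
        decls.append(' %s="%s"' % ("xmlns" if prefix == "" else "xmlns:" + prefix, _escape(uri, True)))
    attrs.sort(key=lambda a: (a.namespaceURI or "", a.localName))
    out = ["<", element.tagName, *decls]
    out += [' %s="%s"' % (a.name, _escape(a.value, True)) for a in attrs] + [">"]
    for child in element.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out.append(exclusive_c14n(child, inclusive_prefixes, rendered))
        elif child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            out.append(_escape(child.data, False))
    out.append("</%s>" % element.tagName)
    return "".join(out)


def canonical_form_of(envelope_xml, wsu_id, prefix_list):
    """Canonicalize the element carrying wsu:Id=wsu_id the way a ds:Reference to
    "#wsu_id" with an exc-c14n Transform and this PrefixList string would."""
    doc = minidom.parseString(envelope_xml)
    for el in doc.getElementsByTagName("*"):
        if el.getAttributeNS(WSU_NS, "Id") == wsu_id:
            return exclusive_c14n(el, prefix_list.split())
    raise KeyError("no element with wsu:Id=%r" % wsu_id)


# Constructed input modelled on the issue's envelopes (not the reporter's message): SOAP
# prefix 'env', WS-* prefixes on the root, and an unused declaration on the Timestamp.
CONSTRUCTED_ENVELOPE = """<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="%s" xmlns:xs="http://www.w3.org/2001/XMLSchema">
 <env:Header>
  <wsse:Security env:mustUnderstand="true">
   <wsu:Timestamp xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/" wsu:Id="TS-1">
    <wsu:Created>2017-07-01T01:39:58Z</wsu:Created>
   </wsu:Timestamp>
  </wsse:Security>
  <To xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5002">https://host/service.svc</To>
 </env:Header>
</env:Envelope>""" % WSU_NS
```

On this input, canonical_form_of(CONSTRUCTED_ENVELOPE, "_5002", "env") and the same call with "wsu env" return byte-identical output for the To element: wsu:Id already makes wsu visibly utilized, so exclusive c14n emits xmlns:wsu whether or not the PrefixList names it. What the PrefixList adds is the SOAP envelope prefix (env here, S in the working envelope), while a declaration nothing in the subtree uses, such as xmlns:ns16 on the Timestamp, is never emitted. A prefix named in the PrefixList therefore becomes part of the signed form, and the digest changes if anything between signer and verifier renames that prefix.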