
List:       wss4j-dev
Subject:    FW: [jira] Commented: (WSS-178) signature verification failure of signed saml token due to The Refer
From:       "Colm O hEigeartaigh" <coheigea () progress ! com>
Date:       2009-04-30 10:52:48
Message-ID: F0DCC8B456914C488ED5BBF6F185E8DF6A469A () MAIL02 ! bedford ! progress ! com

Hi Nitin,

> also I had to make certain changes to 
> make it work through configuration.

Can you let me know if the update I made in WSS-180 on trunk:

https://issues.apache.org/jira/browse/WSS-180

lets you do symmetric signature/encryption via configuration as well?

Thanks,

Colm.

-----Original Message-----
From: Nitin Handa (JIRA) [mailto:jira@apache.org] 
Sent: 29 April 2009 18:33
To: wss4j-dev@ws.apache.org
Subject: [jira] Commented: (WSS-178) signature verification failure of signed saml token due to The Reference for URI (bst-saml-uri) has no XMLSignatureInput


    [ https://issues.apache.org/jira/browse/WSS-178?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704216#action_12704216 ]

Nitin Handa commented on WSS-178:
---------------------------------

Hi Colm,

I will try that fix and will let you know.
Apart from this, I am able to make signature and encryption work using a
symmetric key using your fixes, and also I had to make certain changes to
make it work through configuration.

I encountered 2 more minor issues that should be fixed in wss4j. I am
going to file JIRAs for them:

1) The xml generated by encryption using a symmetric key is invalid, as the
xenc prefix used in ReferenceList was not declared anywhere - I fixed it
locally.
2) Whenever a default namespace is added to an element after signing,
wss4j is unable to verify it, although it should be OK, as unused
namespaces can be ignored when using exclusive canonicalization. So
wss4j should have ignored those default namespaces added while
canonicalizing the signed element.

Thanks
Nitin






> signature verification failure of signed saml token due to The Reference for URI (bst-saml-uri) has no XMLSignatureInput
> ------------------------------------------------------------------------------------------------------------------------
>
>                 Key: WSS-178
>                 URL: https://issues.apache.org/jira/browse/WSS-178
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.5.7
>         Environment: Windows XP + tomcat 6x + axis 1.4 + wss4j 1.5.6
>            Reporter: Nitin Handa
>            Assignee: Colm O hEigeartaigh
>            Priority: Blocker
>             Fix For: 1.5.8, 1.6
>
>         Attachments: wss4j.log
>
>
> While doing interop testing with owsm, I am hitting a wss4j bug which is hindering me in completing testing.
> OWSM is sending a saml token signed with a signed & encrypted body. The SAML token is referred from the BST using a KeyIdentifier; the saml token is signed.
> At wss4j end, signature verification is failing as wss4j WsDoAllReceiver is not able to find the reference to the saml token.
> <?xml version = '1.0' encoding = 'UTF-8'?>
> <soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>    <soapenv:Body>
>       <soapenv:Fault>
>          <faultcode>soapenv:Server.generalException</faultcode>
>          <faultstring>WSDoAllReceiver: security processing failed;
nested exception is:
>         org.apache.ws.security.WSSecurityException: The signature or
decryption was invalid; nested exception is:
>         org.apache.xml.security.signature.XMLSignatureException: The
Reference for URI #STR-SAML-t5dWJC9BpFXwp4OjA86KMw22 has no
XMLSignatureInput
> Original Exception was
org.apache.xml.security.signature.MissingResourceFailureException: The
Reference for URI #STR-SAML-t5dWJC9BpFXwp4OjA86KMw22 has no
XMLSignatureInput
> Original Exception was
org.apache.xml.security.signature.ReferenceNotInitializedException: No
message with ID "WS Security Exception" found in resource bundle
"org/apache/xml/security/resource/xmlsecurity". Original Exception was a
org.apache.ws.security.WSSecurityException and message An error was
discovered processing the &lt;wsse:Security> header (Reference URI is
null)
> Original Exception was
org.apache.xml.security.signature.ReferenceNotInitializedException: No
message with ID "WS Security Exception" found in resource bundle
"org/apache/xml/security/resource/xmlsecurity". Original Exception was a
org.apache.ws.security.WSSecurityException and message An error was
discovered processing the &lt;wsse:Security> header (Reference URI is
null)
> Original Exception was
org.apache.xml.security.signature.XMLSignatureException: No message with
ID "WS Security Exception" found in resource bundle
"org/apache/xml/security/resource/xmlsecurity". Original Exception was a
org.apache.ws.security.WSSecurityException and message An error was
discovered processing the &lt;wsse:Security> header (Reference URI is
null)
> Original Exception was
org.apache.xml.security.transforms.TransformationException: No message
with ID "WS Security Exception" found in resource bundle
"org/apache/xml/security/resource/xmlsecurity". Original Exception was a
org.apache.ws.security.WSSecurityException and message An error was
discovered processing the &lt;wsse:Security> header (Reference URI is
null)
> Original Exception was
org.apache.xml.security.c14n.CanonicalizationException: No message with
ID "WS Security Exception" found in resource bundle
"org/apache/xml/security/resource/xmlsecurity". Original Exception was a
org.apache.ws.security.WSSecurityException and message An error was
discovered processing the &lt;wsse:Security> header (Reference URI is
null)
> Original Exception was org.apache.ws.security.WSSecurityException: An
error was discovered processing the &lt;wsse:Security> header (Reference
URI is null)</faultstring>
>          <detail>
>             <ns1:hostname
xmlns:ns1="http://xml.apache.org/axis/">nihanda-pc</ns1:hostname>
>          </detail>
>       </soapenv:Fault>
>    </soapenv:Body>
> </soapenv:Envelope>
> SOAP Message that is received by wss4j is (i.e. sent from owsm):-
> <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ns0="http://stock.samples"
xmlns:ns1="http://127.0.0.1:8080/axis/services/urn:xmltoday-delayed-quot
es"><env:Header><wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsse
curity-secext-1.0.xsd" env:mustUnderstand="1"><wsse:BinarySecurityToken
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsse
curity-secext-1.0.xsd"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurit
y-secext-1.0.xsd"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-
token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-so
ap-message-security-1.0#Base64Binary"
wsu:Id="BST-Upx5ivaWcOwLOBmjTbOkDg22"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssec
urity-utility-1.0.xsd">MIICXTCCAcagAwIBAgIESfBXtTANBgkqhkiG9w0BAQUFADBzM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</wsse:BinarySecurityToken><x
enc:EncryptedKey
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"><dsig:Digest
Method Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/></xenc:EncryptionMethod
><dsig:KeyInfo
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenRefer
ence
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsse
curity-secext-1.0.xsd"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurit
y-secext-1.0.xsd"><wsse:Reference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsse
curity-secext-1.0.xsd"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurit
y-secext-1.0.xsd"
URI="#BST-Upx5ivaWcOwLOBmjTbOkDg22"/></wsse:SecurityTokenReference></dsi
g:KeyInfo><xenc:CipherData><xenc:CipherValue
xmlns:xmime="http://www.w3.org/2005/05/xmlmime"
xmime:contentType="application/octet-stream">XTrrhXY7BdieWf1Q72nGVx7DkuT
jf0sSW9ls76snQTBHS19i7dAh3d3IRM5APCGnuVy7FgiqUIiG
>
Zjcfgf+yBC0pRpFOTAJicqYiSjviHIICWSJhNTaJNmUNeMfpiM+q2T0uOoFNh5GmI3/Z0pbd
t9oy
>
s4I7cYhqHHdBVNo8e9I=</xenc:CipherValue></xenc:CipherData><xenc:Reference
List><xenc:DataReference
URI="#_10E1CqVVROnD2w8SWvT5ew22"/></xenc:ReferenceList></xenc:EncryptedK
ey><dsig:Signature
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:C
anonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMeth
od
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference
URI="#Timestamp-O11YJRXoOgF1kGei120b6w22"><dsig:Transforms><dsig:Transfo
rm
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><
dsig:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>BK
xsCSZfUq1RWr6Y9PU8Rr/Vs/g=</dsig:DigestValue></dsig:Reference><dsig:Refe
rence
URI="#STR-SAML-t5dWJC9BpFXwp4OjA86KMw22"><dsig:Transforms><dsig:Transfor
m
Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-
message-security-1.0#STR-Transform"><wsse:TransformationParameters
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsse
curity-secext-1.0.xsd"><dsig:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></wsse:Transformati
onParameters></dsig:Transform></dsig:Transforms><dsig:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>fa
ishbjLkuXbNz9Jx9Nxo8Monk4=</dsig:DigestValue></dsig:Reference><dsig:Refe
rence
URI="#Body-LnMti7MrAJ3hLRqqWoN0Mg22"><dsig:Transforms><dsig:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><
dsig:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>/X
73mkutNvEF10D8lIDutYGoisA=</dsig:DigestValue></dsig:Reference></dsig:Sig
nedInfo><dsig:SignatureValue>YKNB+6O3FJjWCj2fqDkvfVJXlJkRo0XcoMO5PHqyoCd
KCs81cmKXlcUcg8cn+rwwMg29ysfkPg+Wgv2d3CwyA7Fhd+6kC1099ZqEtB/ptnIR/RxoZL+
2RXVholPz+Z7niGQM38YZlmdsoqgEyzbDH0u71GWYL6HFUfRAAcZRfb4=</dsig:Signatur
eValue><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
Id="KeyInfo-vJF2TIW0vRU50vjXKuQuuw22"><wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsse
curity-secext-1.0.xsd"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurit
y-secext-1.0.xsd"><wsse:Reference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsse
curity-secext-1.0.xsd"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurit
y-secext-1.0.xsd" URI="#BST-aiNal7jotn6Hmf9xN2JQhA22"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-
token-profile-1.0#X509v3"/></wsse:SecurityTokenReference></dsig:KeyInfo>
</dsig:Signature><wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsse
curity-secext-1.0.xsd"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurit
y-secext-1.0.xsd" wsu:Id="STR-SAML-t5dWJC9BpFXwp4OjA86KMw22"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssec
urity-utility-1.0.xsd"><wsse:KeyIdentifier
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsse
curity-secext-1.0.xsd"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurit
y-secext-1.0.xsd"
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1
.0#SAMLAssertionID">SAML-Q1uTD1fnXqIpGqOFv7BMXQ22</wsse:KeyIdentifier></
wsse:SecurityTokenReference><wsu:Timestamp
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssec
urity-utility-1.0.xsd"
wsu:Id="Timestamp-O11YJRXoOgF1kGei120b6w22"><wsu:Created
ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-26T16:37:1
9Z</wsu:Created><wsu:Expires
ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-26T16:42:1
9Z</wsu:Expires></wsu:Timestamp><wsse:BinarySecurityToken
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsse
curity-secext-1.0.xsd"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurit
y-secext-1.0.xsd"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-
token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-so
ap-message-security-1.0#Base64Binary"
wsu:Id="BST-aiNal7jotn6Hmf9xN2JQhA22"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssec
urity-utility-1.0.xsd">MIICXTCCAcagAwIBAgIESfBXtTANBgkqhkiG9w0BAQUFADBzM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</wsse:BinarySecurityToken><s
aml:Assertion MajorVersion="1" MinorVersion="1"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="SAML-Q1uTD1fnXqIpGqOFv7BMXQ22"
IssueInstant="2009-04-26T16:37:19Z"
Issuer="www.oracle.com"><saml:Conditions
NotBefore="2009-04-26T16:37:19Z"
NotOnOrAfter="2009-04-26T16:42:19Z"/><saml:AuthenticationStatement
AuthenticationInstant="2009-04-26T16:37:19Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><saml:Sub
ject><saml:NameIdentifier
Format="UNSPECIFIED">wss4j</saml:NameIdentifier><saml:SubjectConfirmatio
n><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></sa
ml:AuthenticationStatement></saml:Assertion></wsse:Security></env:Header
><env:Body wsu:Id="Body-LnMti7MrAJ3hLRqqWoN0Mg22"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssec
urity-utility-1.0.xsd"><xenc:EncryptedData
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Type="http://www.w3.org/2001/04/xmlenc#Content"
Id="_10E1CqVVROnD2w8SWvT5ew22"><xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><xenc:CipherDat
a><xenc:CipherValue xmlns:xmime="http://www.w3.org/2005/05/xmlmime"
xmime:contentType="application/octet-stream">19sJqHGIJkmZDXTwkBs0uZLQQgh
PZwQBp/zGnGsveJfoZTtgSX0rdw0MbCOO4eaWnAQkM6p3SSEi
>
ugtmvtLqPA5Q3rGWOEifij+WBnZ0tmTeunN6aEUJ7EdplJHv65URyBcfjGPHFLaWt5bRaJef
eccf
>
2sX45d7pZSKzAjC8+Or3o8QpH1sWpc0XPdM18KIwHNigsZhbnTqiftTsPjuDz+GiRVtB1+ni
MAz5
>
SkK86dtki1ThwnWEbMZBmlVC7fJrTT+knjH7FfdLBG5I7K/Wd9R2Tc5IngJ0Ru2GXD/a8kz4
m2j8
>
y/5RemSNl1uXch+8LAZCzx8aF4JuJbp2rSK9/0aQMer0kPF1cCju1GSBmiV6aV1rSwUK1GA2
uSa/
>
5wp3vWZXvEb58jHr+ib/bfSbFxpzQMAKzKF44eJfG6NPnfQ0znBAa7gl7dfNzoE7OqzcL/ku
IQH7
>
rAHALuVZ17/Up5roTjpVA7YE8CBK2DSD4c0sbfkM3MGzCFx+NCK//nuyPVaQEgcNq/W5WpjU
Fg+B
>
C9Gvc5NDchMG2BADKMoS5N8MRRdkGkk6KbH1e+rirT8HQsqFvPwyHDOHNfBdCiaLJsMb1lkF
xcFa
>
3f/C35RcxWK6QtwH7LLtmNMJS8Ryf/ijBcFnx/ous+jGKVx7IriNrCuz/pS4XS1RCaDCGHcH
6v4=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></env:Body
></env:Envelope>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
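Nitin's second point above (a default namespace added after signing must not break verification when the signature uses exclusive c14n) as an added Python example; this is not code from the thread or from WSS4J. It is a deliberately simplified canonicaliser (no character escaping, no xmlns="" undeclaration, attributes sorted by name only) run over a constructed message whose signed element is a wsu:Timestamp, and it shows that the exclusive-c14n digest is unchanged by the extra declaration while an inclusive-c14n digest is not.

```python
import hashlib
from xml.dom import minidom

def _split_attrs(elem):
    decls, attrs = {}, []
    for a in (elem.attributes.item(i) for i in range(elem.attributes.length)):
        if a.name == "xmlns" or a.name.startswith("xmlns:"):
            decls[a.name[6:]] = a.value      # "xmlns"[6:] == "" marks the default namespace
        else:
            attrs.append(a)
    return decls, sorted(attrs, key=lambda a: a.name)   # declarations vs. ordinary attributes
def canonicalize(elem, exclusive, scope=None, rendered=None):
    # Simplified C14N: no character escaping, no xmlns="" undeclaration, attributes sorted by name.
    decls, attrs = _split_attrs(elem)
    if scope is None:  # apex of the signed subtree: gather what the ancestors declared
        scope, n = {}, elem.parentNode
        while n is not None and n.nodeType == n.ELEMENT_NODE:
            scope = {**_split_attrs(n)[0], **scope}   # nearer declarations win
            n = n.parentNode
    scope = {**scope, **decls}
    rendered = dict(rendered or {})  # copy: a sibling's output must not count as rendered here
    if exclusive:  # exclusive: only prefixes visibly used by this element or its attributes
        used = {elem.prefix or ""} | {a.prefix for a in attrs if a.prefix}
        wanted = {p: scope[p] for p in used if p in scope}
    else:          # inclusive: every in-scope namespace, whether used in the subtree or not
        wanted = scope
    fresh = {p: u for p, u in wanted.items() if rendered.get(p) != u}
    rendered.update(fresh)
    out = ["<" + elem.tagName]
    out += [' xmlns%s="%s"' % (":" + p if p else "", fresh[p]) for p in sorted(fresh)]
    out += [' %s="%s"' % (a.name, a.value) for a in attrs] + [">"]
    for c in elem.childNodes:
        if c.nodeType == c.ELEMENT_NODE:
            out.append(canonicalize(c, exclusive, scope, rendered))
        elif c.nodeType == c.TEXT_NODE:
            out.append(c.data)
    return "".join(out) + "</%s>" % elem.tagName

def canonical(xml_text, wsu_id, exclusive):
    # The element a ds:Reference URI="#id" points at, serialised with the chosen c14n.
    doc = minidom.parseString(xml_text)
    target = next(e for e in doc.getElementsByTagName("*") if e.getAttribute("wsu:Id") == wsu_id)
    return canonicalize(target, exclusive)
def digest(xml_text, wsu_id, exclusive):  # what a ds:DigestValue (SHA-1 here) would carry
    return hashlib.sha1(canonical(xml_text, wsu_id, exclusive).encode()).hexdigest()
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SIGNED = ('<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header><wsu:Timestamp '  # constructed
          'xmlns:wsu="%s" wsu:Id="TS-1"><wsu:Created>2009-04-26T16:37:19Z</wsu:Created></wsu:Timestamp></env:Header></env:Envelope>' % WSU)
RECEIVED = SIGNED.replace('<wsu:Timestamp ', '<wsu:Timestamp xmlns="urn:example:added-later" ')  # unused default ns added after signing
```

Under exclusive c14n `digest(SIGNED, "TS-1", True)` equals `digest(RECEIVED, "TS-1", True)`, so the reference still verifies; under inclusive c14n the two digests differ, which is the failure Nitin describes.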


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


