
List:       wss4j-dev
Subject:    [jira] [Comment Edited] (WSS-588) Server-side signature validation on client fail with only certific
From:       "Libois Claude (JIRA)" <jira () apache ! org>
Date:       2016-09-22 15:44:20
Message-ID: JIRA.13006858.1474556100000.639253.1474559060520 () Atlassian ! JIRA


    [ https://issues.apache.org/jira/browse/WSS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15513627#comment-15513627 ]

Libois Claude edited comment on WSS-588 at 9/22/16 3:43 PM:
------------------------------------------------------------

Thanks for the quick answer!
Deleted the previous comment because I have checked in the specs...
To be honest I didn't do anything special to use the IssuerSerial reference server side. Do you have any pointer to a wss4j property that would do the trick? I think it's vital not to set the server certificate, because this certificate typically lasts one year while the CA lasts at least 5 years. I don't want every client to have to change their certificate every year!


was (Author: clibois):
Thanks for the quick answer!
However I don't quite understand the need to provide the serial number, as the complete certificate seems to be provided in the BinarySecurityToken field. Here is the complete soap header in case this could help: {code}
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <Action xmlns="http://www.w3.org/2005/08/addressing">address</Action>
    <MessageID xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_a7185c7f-a787-4c30-9f65-6df6bfa674f0">urn:uuid:e5e524c5-cb0e-44b8-8424-e1d4c5821a83</MessageID>
    <To xmlns="http://www.w3.org/2005/08/addressing">http://www.w3.org/2005/08/addressing/anonymous</To>
    <RelatesTo xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_e27b74fd-8883-4aec-928d-79de0c485594">urn:uuid:df816004-5f3a-40a8-a6d9-d24a76169ab7</RelatesTo>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="X509-f128d321-44e1-4a98-bb36-dd62c99ea1bc">
MIICyjCCAsYwggIvoAMCAQICCQCsepjmnpL7fjANBgkqhkiG9w0BAQUFADCBlTELMAkGA1UEBhMCQkUxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMC
UNoYXJsZXJvaTERMA8GA1UECgwITGUgRm9yZW0xDjAMBgNVBAsMBWZvcmVtMRkwFwYDVQQDDBB0ZXN0c3NsQGZvcmVtLmJlMR8wHQYJKoZIhvcNAQkBFhB0ZXN0c3NsQGZvcmVtLmJlMB4XDTE2MDgwNDA3MjgwMFoXDTE3MDgwN
DA3MjgwMFowQzELMAkGA1UEBhMCQkUxETAPBgNVBAoTCFJhbmRTdGFkMQ4wDAYDVQQLEwVGb3JlbTERMA8GA1UEAxMIUmFuZFN0YWQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM5iJr04XPZqQdxXQ4NiAcyJ4SZI725V8
T732eH4vtMTI/lwUiIDE1L95/29ARkn8S+g/i59pCafcjvBt07RFJ0gE6QhM2bnn8B+Zeww3AmmeXgYFUH/BKFfhGOXFTfjY/ysDrrpoJkj4Vcz8BOFeB2O/ye2AHQ4/nnJb2DM5QfJAgMBAAGjbzBtMAwGA1UdEwEB/wQCMAAwH
QYDVR0OBBYEFNd2Jw262Yf3lRFGucioaR+kM6KCMAsGA1UdDwQEAwIEsDARBglghkgBhvhCAQEEBAMCBaAwHgYJYIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQUFAAOBgQAXSOEwo3Pcz7B3145FO5H8Q
bty3mnCkmtiezLrBx6rvPy9vBybsH+7+pBK3C8+g0a+S1BfsC8wHnTJxkke7ecW5SyE6O17YTZlBR2ZUpEHagqG47YBjryTkYKMDPB/bC91p9o7IRqT/2VlrbYK6g+79cENtKEPn378HZUoxbKHhQ==
      </wsse:BinarySecurityToken>
      <wsu:Timestamp wsu:Id="TS-b343d119-3da0-4365-a923-aadb320d713b">
        <wsu:Created>2016-09-22T11:11:39.066Z</wsu:Created>
        <wsu:Expires>2016-09-22T11:16:39.066Z</wsu:Expires>
      </wsu:Timestamp>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-847e0393-6fb7-4d6c-84f1-a4837ee2e652">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#TS-b343d119-3da0-4365-a923-aadb320d713b">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>LEF5he1V9D2KeqxE2Y0K1JsRbiS5jgiOZeJ53Hu6JEA=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_47ba1428-0d7a-403d-aeed-e9a70f419345">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>XpTNsgDOzAVM2nmQVb6FEuMg7926qWkoYFsg5WmVYLs=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_a7185c7f-a787-4c30-9f65-6df6bfa674f0">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>XOQ/ndLAKGBMIcbhH9ZZ/3zLHBZJWBbwyzXN/vFJ/cA=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_e27b74fd-8883-4aec-928d-79de0c485594">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>S7+xWrZbeR5D/P2ZiRTVNq0SrbYIJaBG8xoOixa5Aow=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#X509-f128d321-44e1-4a98-bb36-dd62c99ea1bc">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>Hlix91X5/g8c860b0BSQKZUqxQU6RnxvpNqHSTdmJMI=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>HJNcNc58V+8215eebdjY/iE3qewmgHy8uOiTokf6nSWxeKsE65JnfK77+bO8/ITnuBzQm4Vqli0WxiGP9x/5xkXxc4jdPsum84z80bXfirqtjyrm1zSwl/6Nlh1F1uHiVXwwVuFWMluPwVIScmY7rXY46RuqqpCAYgp4kqfFKEA=</ds:SignatureValue>
        <ds:KeyInfo Id="KI-2f709921-6449-424f-9c30-c5a652d226bf">
          <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STR-c2b6e796-cba1-4dc4-af4c-4d3f60050b05">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>1.2.840.113549.1.9.1=#16107465737473736c40666f72656d2e6265,XXXXXX</ds:X509IssuerName>
                <ds:X509SerialNumber>12428414237952637822</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_47ba1428-0d7a-403d-aeed-e9a70f419345">
    <PositionOpeningResult xmlns="http://ns.hr-xml.org/2006-02-28">
      <PositionRecordInfo/>
      <ProcessDate>2016-09-22T13:11:38</ProcessDate>
      <ProcessFileName/>
      <Warnings/>
      <Errors/>
    </PositionOpeningResult>
  </soap:Body>
</soap:Envelope>
{code}
To be honest I didn't do anything special to use the IssuerSerial reference. Moreover, the issuer DN provided in the certificate should be enough to match the certificate in my TrustStore.


> Server-side signature validation on client fails with only the certificate CA in the client truststore
> ----------------------------------------------------------------------------------------------------
>  
> Key: WSS-588
> URL: https://issues.apache.org/jira/browse/WSS-588
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 2.0.4
> Environment: Servicemix server using cxf+wss4j for WS-Security purpose
> Reporter: Libois Claude
> Assignee: Colm O hEigeartaigh
> Labels: easyfix
> 
> I have a web service which is secured by WS-Security+Policy.
> I currently use Signature only for the server response.
> However I keep having the same error on the client side:
> {code}
> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: The signature or decryption was invalid
> 	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
> 	at com.sun.proxy.$Proxy34.submit(Unknown Source)
> 	at client.OffresEmploiClientUserToken.doCall(OffresEmploiClientUserToken.java:93)
> 	at client.OffresEmploiClientUserToken.main(OffresEmploiClientUserToken.java:63)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:606)
> 	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
> Caused by: org.apache.wss4j.common.ext.WSSecurityException: The signature or decryption was invalid
> 	at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:194)
> 	at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:428)
> 	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:278)
> 	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:190)
> 	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:129)
> 	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:112)
> 	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
> 	at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
> 	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1645)
> 	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1533)
> 	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1336)
> 	at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:56)
> 	at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:215)
> 	at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
> 	at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:652)
> 	at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
> 	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
> 	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
> 	at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
> 	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:138)
> 	... 8 more
> {code}
> My client truststore is set up so that I only have the signer CA.
> *I have noticed that if I put the signer certificate in the client truststore, it works!* I did a wireshark snoop and found the following in the response part coming from the server:
> {code}
> <ds:X509Data>
>   <ds:X509IssuerSerial>
>     <ds:X509IssuerName>1.2.840.113549.1.9.1=#16107465737473736c40666f72656d2e6265,CN=XXXXX</ds:X509IssuerName>
>     <ds:X509SerialNumber>12428414237952637822</ds:X509SerialNumber>
>   </ds:X509IssuerSerial>
> </ds:X509Data>
> {code}
> The problem is that 12428414237952637822 isn't the CA (issuer) serial number but the signer serial number! I have dug a little bit into the code and found something that looks weird to me in the WSSecSignature class:
> {code}
> case WSConstants.ISSUER_SERIAL:
> String issuer = certs[0].getIssuerX500Principal().getName();
> java.math.BigInteger serialNumber = certs[0].getSerialNumber();
> {code}
> I'm wondering why in the last line we don't take the issuer serial number???? ->
> {code}
> java.math.BigInteger serialNumber = certs[0].getIssuerX500Principal().getSerialNumber();
> {code}
> I can't see how this can work, since the client compares the serial number provided with the serial number of the CA in the Merlin class:
> {code}
> if (x509cert.getSerialNumber().compareTo(serialNumber) == 0)
> {code}
> Hope I was clear enough.
> I have checked in the latest version of the WSSecSignature and I still see the same line...
> Best Regards,
> Claude
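
The following shell script is an added example for this thread; it is neither WSS4J/CXF code nor the reporter's. It shows what an X509IssuerSerial reference identifies and why the truststore lookup above behaves as observed: in XML Signature the reference carries the issuer's DN together with the referenced certificate's own serial number (the pair is unique within one CA), so the comparison quoted from Merlin matches the signer certificate, and a store holding only the CA contains no certificate with that issuer/serial pair. The script builds a throwaway CA and signer certificate with the openssl CLI (assumed to be installed) and resolves the signer's reference against a "ca-only" store and a "full" store; the DNs, serial numbers and directory names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not WSS4J/CXF code. Resolves an X509IssuerSerial reference the
# way a truststore lookup must: by the referenced certificate's OWN issuer DN
# and serial number. Assumes the openssl CLI is on PATH; all key material is
# generated locally into a scratch directory and is throwaway.

# Build a demo PKI: a self-signed CA (serial 1) and a signer certificate it
# issues (serial 4660 = 0x1234). Two truststore directories are prepared:
# "ca-only" (just the CA, like the reporter's client) and "full" (CA + signer).
setup_demo_pki() {
    dir="$1"
    mkdir -p "$dir/ca-only" "$dir/full" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -set_serial 1 \
        -subj "/C=BE/O=Demo Org/CN=Demo Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/C=BE/O=Demo Org/CN=Demo Signer" \
        -keyout "$dir/signer.key" -out "$dir/signer.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -set_serial 4660 \
        -in "$dir/signer.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -out "$dir/signer.pem" >/dev/null 2>&1 || return 1
    cp "$dir/ca.pem" "$dir/ca-only/" || return 1
    cp "$dir/ca.pem" "$dir/signer.pem" "$dir/full/" || return 1
}

# Print the IssuerSerial reference of a certificate as "issuerDN|serialHex",
# i.e. the pair a sender puts into <ds:X509IssuerName>/<ds:X509SerialNumber>.
issuer_serial_of() {
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    serial=$(openssl x509 -in "$1" -noout -serial | sed 's/^serial= *//')
    printf '%s|%s\n' "$issuer" "$serial"
}

# Resolve a reference against a directory of PEM certificates by comparing each
# stored certificate's own issuer DN and serial (the same test Merlin applies).
# Prints the matching file and returns 0, or returns 1 when nothing matches.
resolve_by_issuer_serial() {
    store="$1"
    ref="$2"
    for cert in "$store"/*.pem; do
        [ -f "$cert" ] || continue
        if [ "$(issuer_serial_of "$cert")" = "$ref" ]; then
            printf '%s\n' "$cert"
            return 0
        fi
    done
    return 1
}

# Walk through the reporter's scenario: one reference, two truststores.
demo() {
    work=$(mktemp -d)
    setup_demo_pki "$work" || { echo "openssl setup failed" >&2; return 1; }
    ref=$(issuer_serial_of "$work/signer.pem")
    echo "reference carried in the signature: $ref"
    echo "CA certificate's own issuer/serial: $(issuer_serial_of "$work/ca.pem")"
    if resolve_by_issuer_serial "$work/ca-only" "$ref"; then
        echo "unexpected: ca-only store resolved the signer"
    else
        echo "ca-only store: no certificate carries that issuer/serial pair, so the reference cannot be resolved"
    fi
    echo "full store resolved: $(resolve_by_issuer_serial "$work/full" "$ref")"
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it with `sh issuer_serial_demo.sh demo`. The CA's own issuer/serial pair differs from the signer's in the serial, which is why the lookup fails when only the CA is present and succeeds once the signer certificate itself is in the store; whether to resolve the reference from the truststore or from the certificate carried in the BinarySecurityToken is a separate question that this script does not decide.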



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org


