This repository has been archived by the owner on Jan 30, 2019. It is now read-only.

signature verification failed with wss4j api (while signing soap body) #1665

Open
glassfishrobot opened this issue Jan 28, 2013 · 6 comments

Comments

@glassfishrobot

The Metro API does not seem to work when signing the SOAP body and sending the request to the web service (published over Metro).

A client using the Metro API works fine when signing the SOAP body, and the signature verifies perfectly. But when the client uses the wss4j API (Axis 1.1 API) or SoapUI, it fails and displays an error that signature verification failed, even though it works perfectly with the same configuration when using the Metro API.

It seems that this is a compatibility issue with the wss4j API (used by Axis 1.1 and SoapUI).

stack trace:
AxisFault
2013-01-28 20:53:29 faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server
2013-01-28 20:53:29 faultSubcode:
2013-01-28 20:53:29 faultString: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: Signature verification failed
2013-01-28 20:53:29 faultActor:
2013-01-28 20:53:29 faultNode:
2013-01-28 20:53:29 faultDetail:
2013-01-28 20:53:29 {http://xml.apache.org/axis/}stackTrace: AxisFault
2013-01-28 20:53:29 faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server
2013-01-28 20:53:29 faultSubcode:
2013-01-28 20:53:29 faultString: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: Signature verification failed
2013-01-28 20:53:29 faultActor:
2013-01-28 20:53:29 faultNode:
2013-01-28 20:53:29 faultDetail:
2013-01-28 20:53:29
2013-01-28 20:53:29 com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: Signature verification failed
2013-01-28 20:53:29 at org.apache.axis.message.SOAPFaultBuilder.createFault(SOAPFaultBuilder.java:260)
2013-01-28 20:53:29 at org.apache.axis.message.SOAPFaultBuilder.endElement(SOAPFaultBuilder.java:169)
2013-01-28 20:53:29 at org.apache.axis.encoding.DeserializationContextImpl.endElement(DeserializationContextImpl.java:1015)
2013-01-28 20:53:29 at org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown Source)
2013-01-28 20:53:29 at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanEndElement(Unknown Source)
2013-01-28 20:53:29 at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
2013-01-28 20:53:29 at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
2013-01-28 20:53:29 at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
2013-01-28 20:53:29 at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
2013-01-28 20:53:29 at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
2013-01-28 20:53:29 at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
2013-01-28 20:53:29 at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
2013-01-28 20:53:29 at javax.xml.parsers.SAXParser.parse(Unknown Source)
2013-01-28 20:53:29 at org.apache.axis.encoding.DeserializationContextImpl.parse(DeserializationContextImpl.java:242)
2013-01-28 20:53:29 at org.apache.axis.SOAPPart.getAsSOAPEnvelope(SOAPPart.java:538)
2013-01-28 20:53:29 at org.apache.axis.Message.getSOAPEnvelope(Message.java:376)
2013-01-28 20:53:29 at org.apache.axis.client.Call.invokeEngine(Call.java:2583)
2013-01-28 20:53:29 at org.apache.axis.client.Call.invoke(Call.java:2553)
2013-01-28 20:53:29 at org.apache.axis.client.Call.invoke(Call.java:1753)
2013-01-28 20:53:29 at com.adeptia.indigo.services.webservice.WsUtils.makeMessageCall(WsUtils.java:781)
2013-01-28 20:53:29 at com.adeptia.indigo.services.webservice.WsMessageCall.webServiceCall(WsMessageCall.java:1912)
2013-01-28 20:53:29 at com.adeptia.indigo.services.webservice.WsMessageCall.access$1(WsMessageCall.java:1757)
2013-01-28 20:53:29 at com.adeptia.indigo.services.webservice.WsMessageCall$2.run(WsMessageCall.java:1702)
2013-01-28 20:53:29 at java.lang.Thread.run(Unknown Source)
2013-01-28 20:53:29,775 ERROR [Flow Thread(101063087220135938660887100101)] flow com.adeptia.indigo.jelly.ActivityTag.runSync(ActivityTag.java:489) - testte|test|WsMessageCall|Failed|administrators|192168001253135900036090700008|101063087220135938660878000100|192168001253135900022968500003||admin|Error in execution for activity WsMessageCall:test:192168001253135900022968500003[com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: Signature verification failed ]|localhost|

  • request using soap ui(not working):

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-21">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-22">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>oyxBJzxeBDE7rIpukje/SMSGi1M=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
QQi/C3DrIqvuj2q5PdJ+tnZ0q9dg21AawlLq0N/tO4WiwKOc7P2RHFUc7HY2GIA07ZN+ZPIsiRdH
BK1DWGMY3um3AN1xRHqr1d/HBSq7iIdhlhOxPP5DYv4pRo1sGov3cDOY3n362R1jOLJSm2r3nMlO
IN4F7ZDsFdkr/kkFyA4=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-6436563946A2BA15B3135934748180438">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-6436563946A2BA15B3135934748180439">
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>C=pkcsnew,ST=pkcsnew,L=pkcsnew,O=pkcsnew,OU=pkcsnew,CN=pkcsnew</ds:X509IssuerName>
<ds:X509SerialNumber>1</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soap:Header>
<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-22">

?
?
?

?
  • request using metro api(working):

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="XWSSGID-1359347423626-800223482">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#XWSSGID-1359347423638-1043174066">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>RKScYXOHzhTQci8QTalIUGcQgd8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>glRCiqm1F/FjeAx9IXzALl4Xkrda7IcWfwl87H2WIjRDi1tBMJdF17pNNobrDYzKCqnhXOgJOpBs
qW9zK+L1wnoKmWWn/Tf1PmdTq5G7jlZvsmx4qtiW9lRMa2Orz7fPClugXJQtejovlQfD96zDqlvE
HzPFMK+a1X9x+pPSduY=</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1359347423637198325665">
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>C=pkcsnew, ST=pkcsnew, L=pkcsnew, O=pkcsnew, OU=pkcsnew, CN=pkcsnew</ds:X509IssuerName>
<ds:X509SerialNumber>1</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1359347423638-1043174066">

Tove
Jani
Reminder

Don't forget me this weekend! ==== Received Message End ====

Please let me know if I am doing something wrong or if it is an issue. This is very critical for our product, so please reply ASAP.

Thanks
Vipin Kumar

Environment

jre 6 and windows 7 64 bit

Affected Versions

[2.1]

@glassfishrobot

Reported by amity.vipin

@glassfishrobot

Was assigned to symonchang

@glassfishrobot

symonchang said:
It seems that this is a wss4j issue: either you are using the wss4j API wrongly, or there is a bug in wss4j.

One difference I found in the request message is the message body. The wss4j has:

<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-22">

?
?
?

?

While Metro has this:

<SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1359347423638-1043174066">

Tove
Jani
Reminder

Don't forget me this weekend!

For debugging, please try to use an identical Body and an identical wsu:Id for both sides. It should generate the same ds:DigestValue in the ds:SignedInfo block. If wss4j does not generate the same ds:DigestValue as the Metro one, please debug into that.

@glassfishrobot

leonid.kosmylev said:
Well, this is a very old problem in WSIT. It even predates "WSIT" project name.

It was reported, maybe even multiple times. And "fixed" of course.
For example, https://java.net/jira/browse/WSIT-1544.

Come on guys, was it so difficult to search for ALL the places where an instance of SecurityRecipient class is created?!

WSS4J is correct here.
WSIT is wrong.

Until WSIT is fixed, the best that can be done is to make sure the child element of Body has nothing in it except the single child element. And I mean NOTHING, no spaces, no new lines.

In this case:

<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-22">
?
?
?

?

@glassfishrobot

leonid.kosmylev said:
Sorry, I meant "make sure Body has nothing in it except the single child element. And I mean NOTHING, no spaces, no new lines."
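
The debugging step suggested in this thread (same Body, same wsu:Id, compare ds:DigestValue) can be tried offline; this is an added example, not code from Metro, WSS4J or any commenter, and it shows that whitespace-only text inside Body is part of the canonical bytes and therefore changes the SHA-1 digest. Assumptions: the `note`/`to`/`from` element names are constructed, and Python's built-in C14N 2.0 stands in for the C14N 1.0 and exclusive C14N algorithms named in the two requests, so these digests will not equal the ones quoted above.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")


def body_xml(inner):
    """Wrap a payload in a Body element carrying the wsu:Id used on this page."""
    return (f'<soap:Body xmlns:soap="{SOAP}" xmlns:wsu="{WSU}" wsu:Id="id-22">'
            f'{inner}</soap:Body>')


# Constructed sample payloads: same elements, different whitespace.
COMPACT = body_xml("<note><to>Tove</to><from>Jani</from></note>")
PRETTY = body_xml("\n  <note>\n    <to>Tove</to>\n    <from>Jani</from>\n  </note>\n")


def digest_value(xml, strip_text=False):
    """Base64 SHA-1 over the canonical form, as a ds:DigestValue would hold.

    Uses C14N 2.0 (stdlib) as a stand-in for the algorithms on the page.
    """
    canonical = ET.canonicalize(xml, strip_text=strip_text)
    sha1 = hashlib.sha1(canonical.encode("utf-8")).digest()
    return base64.b64encode(sha1).decode("ascii")


def whitespace_in_body(xml):
    """Whitespace-only text runs that sit directly inside Body."""
    body = ET.fromstring(xml)
    runs = [body.text] + [child.tail for child in body]
    return [r for r in runs if r and not r.strip()]


def compare(a, b):
    """Classify why two Body elements would produce different digests."""
    if digest_value(a) == digest_value(b):
        return "identical"
    if digest_value(a, strip_text=True) == digest_value(b, strip_text=True):
        return "whitespace-only difference"
    return "content difference"


if __name__ == "__main__":
    print(digest_value(COMPACT), digest_value(PRETTY))
    print(compare(COMPACT, PRETTY), whitespace_in_body(PRETTY))
```

`strip_text=True` is used here only to diagnose the mismatch; a signed message has to be digested exactly as it was sent.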

@glassfishrobot

This issue was imported from java.net JIRA WSIT-1665
