axis-c-dev mailing list archives

From Kaushalye Kapuruge <kausha...@wso2.com>
Subject Re: [Rampart/C] Generating incorrect digests?
Date Tue, 31 Jul 2007 11:18:12 GMT
Hi,
See my comments in-line...
Cheers,
Kaushalye

Jamie Lyon wrote:
>
> Hi,
>
> I’m trying to get a client signing messages to work with a server 
> using Axis1/WSS4J.
>
> I’ve successfully got Rampart/C set up, and have the client signing 
> messages, however the digests are failing to verify for all items 
> apart from the Body.
>
You mean the digest of the body is verified but not for other parts?
>
> It might also be of interest that even with just <sp:Body/> in the 
> SignedParts, the timestamp is still signed, so I can’t test to see if 
> the message is accepted when only the Body is signed (is there a way 
> to turn this off?). There is also the message “No Signed parts 
> specified. Using the body.” when only the body is specified.
>
The behavior is: if a Timestamp is present, Rampart/C signs it as per the 
WS-Security Policy Specification (Section 7.2).
So if signing is enabled and there is a Timestamp, Rampart/C signs it.
>
> An error that might be significant is: “OXS ERROR [x509.c:385 in 
> openssl_x509_get_subject_key_identifier] oxs defualt error , The 
> extenension index of NID_subject_key_identifier is not valid” 
> (spelling mistakes in original error message).
>
Did you get this error on the client side? (Since you are using the 
Rampart/C client against WSS4J.)
>
> I’ve included the policy.xml and axis2.xml files, as well as the .cpp 
> file I’m using, and the debug.log (axis2/c log) and tcplog.log 
> (tcpmon’s log).
>
> Finally, here is debug output from Tomcat (there will be more 
> "Verification failed for URI" messages if I tell Rampart/C to sign more elements):
>
> 2007-07-31 10:30:42,989 WARN [org.apache.xml.security.signature.Reference] (http-8080-Processor25:?:?) Verification failed for URI "#SigID-b547854a-3f48-1dc1"
> org.apache.ws.security.WSSecurityException: The signature verification failed
>         at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:327)
>         at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:79)
>
The reference belongs to the Timestamp element, for which the digest 
verification fails. But the problem is how the Body signature was 
verified? (Please confirm this.)
Have you tried to use Rampart/C for the verification of a message signed 
by WSS4J?
BTW, Rampart/C interops with Rampart/Java, which uses WSS4J. :)
>
> Thanks,
>
> Jamie
>
> ------------------------------------------------------------------------
>
> <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>     <wsp:ExactlyOne>
>         <wsp:All>
>             <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                 <wsp:Policy>
>                     <sp:InitiatorToken>
>                         <wsp:Policy>
>                             <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                                 <wsp:Policy>
>                                     <sp:WssX509V3Token10/>
>                                 </wsp:Policy>
>                             </sp:X509Token>
>                         </wsp:Policy>
>                     </sp:InitiatorToken>
>                     <sp:RecipientToken>
>                         <wsp:Policy>
>                             <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>                                 <wsp:Policy>
>                                     <sp:WssX509V3Token10/>
>                                 </wsp:Policy>
>                             </sp:X509Token>
>                         </wsp:Policy>
>                     </sp:RecipientToken>
>                     <sp:AlgorithmSuite>
>                         <wsp:Policy>
>                             <sp:Basic256Rsa15/>
>                         </wsp:Policy>
>                     </sp:AlgorithmSuite>
>                     <sp:Layout>
>                         <wsp:Policy>
>                             <sp:Strict/>
>                         </wsp:Policy>
>                     </sp:Layout>
>                     <sp:IncludeTimestamp/>
>                     <!--sp:EncryptSignature/-->
>                     <!--sp:EncryptBeforeSigning/-->
>                 </wsp:Policy>
>             </sp:AsymmetricBinding>
>             <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                 <wsp:Policy>
>                     <sp:MustSupportRefKeyIdentifier/>
>                     <sp:MustSupportRefEmbeddedToken/>
>                     <sp:MustSupportRefIssuerSerial/>
>                 </wsp:Policy>
>             </sp:Wss10>
>             <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                 <sp:Body/>
>                 <!--sp:Header Namespace="http://www.w3.org/2005/08/addressing"/-->
>             </sp:SignedParts>
>             <rampc:RampartConfig xmlns:rampc="http://ws.apache.org/rampart/c/policy">
>                 <rampc:ReceiverCertificate>/home/jl/cacert.pem</rampc:ReceiverCertificate>
>                 <rampc:Certificate>/home/jl/mycert.pem</rampc:Certificate>
>                 <rampc:PrivateKey>/home/jl/mykey.pem</rampc:PrivateKey>
>             </rampc:RampartConfig>
>         </wsp:All>
>     </wsp:ExactlyOne>
> </wsp:Policy>
>   
> ------------------------------------------------------------------------
>
> <axisconfig name="Axis2/C">
>     <!-- ================================================= -->
>     <!-- Parameters -->
>     <!-- ================================================= -->
>     <!-- Uncomment following to enable MTOM support -->
>     <!--parameter name="enableMTOM" locked="false">true</parameter-->
>     <parameter name="enableREST" locked="false">true</parameter>
>
>     <!-- Uncomment following to persist op_ctx, useful with RM -->
>     <!--parameter name="persistOperationContext" locked="false">true</parameter-->
>
>     <!--If you want to extract the service archive file and work with that, please uncomment this.-->
>     <!--Else, it won't extract the archive file, and does not take into consideration if someone drops an-->
>     <!--exploded directory into the /service directory.-->
>     <!--<parameter name="extractServiceArchive" locked="false">true</parameter>-->
>
>
>     <!-- ================================================= -->
>     <!-- Message Receivers -->
>     <!-- ================================================= -->
>     <!-- This is the Default Message Receiver for the Request Response style Operations -->
>     <!--messageReceiver mep="INOUT" class="axis2_receivers"/-->
>
>     <!-- ================================================= -->
>     <!-- Transport Ins -->
>     <!-- ================================================= -->
>     <transportReceiver name="http" class="axis2_http_receiver">
>         <parameter name="port" locked="false">6060</parameter>
>     </transportReceiver>
>
>     <!-- ================================================= -->
>     <!-- Transport Outs -->
>     <!-- ================================================= -->
>
>     <transportSender name="http" class="axis2_http_sender">
>         <parameter name="PROTOCOL" locked="false">HTTP/1.1</parameter>
>         <!--parameter name="Transfer-Encoding">chunked</parameter-->
>         <!--parameter name="PROXY" proxy_host="127.0.0.1" proxy_port="8080" locked="true"/-->
>     </transportSender>
>     <!-- Uncomment this one with the appropriate parameters to enable the XMPP transport Sender-->
>     <!--transportSender name="xmpp" class="axis2_xmpp_sender">
>         <parameter name="PROTOCOL" locked="false">XMPP</parameter>
>     </transportSender-->
>     <!-- Uncomment this one with the appropriate parameters to enable the TCP transport Sender-->
>     <!--transportSender name="tcp" class="axis2_tcp_sender">
>         <parameter name="PROTOCOL" locked="false">TCP</parameter>
>     </transportSender-->
>
>     <!--
>     <transportSender name="https" class="axis2_http_sender">
>         <parameter name="PROTOCOL" locked="false">HTTP/1.1</parameter>
>     </transportSender>
>     <parameter name="SERVER_CERT">/path/to/ca/certificate</parameter>
>     <parameter name="KEY_FILE">/path/to/client/certificate/chain/file</parameter>
>     <parameter name="SSL_PASSPHRASE">passphrase</parameter>
>     -->
>
>
>     <!-- ================================================= -->
>     <!-- Global Modules  -->
>     <!-- ================================================= -->
>     <!-- Comment this to disable Addressing -->
>     <module ref="addressing"/>
>     <module ref="rampart"/>
>
>
>     <!--Configuring module, providing parameters for modules whether they refer or not-->
>     <!--<moduleConfig name="addressing">-->
>     <!--<parameter name="addressingPara" locked="false">N/A</parameter>-->
>     <!--</moduleConfig>-->
>
>     <!-- ================================================= -->
>     <!-- Phases  -->
>     <!-- ================================================= -->
>     <phaseOrder type="inflow">
>         <!-- System pre defined phases       -->
>         <phase name="Transport"/>
>         <phase name="PreDispatch"/>
>         <phase name="Dispatch"/>
>         <phase name="PostDispatch"/>
>         <!-- End system pre defined phases       -->
>         <!-- After PostDispatch phase, module or service author can add any phase as required  -->
>         <!-- User defined phases could be added here -->
>         <!--phase name="userphase1"/-->
>         <!--phase name="RMPhase"/-->
>         <!--phase name="SavanPhase"/-->
>     </phaseOrder>
>     <phaseOrder type="outflow">
>         <!-- User defined phases could be added here -->
>         <!--phase name="RMPhase"/-->
>         <!--phase name="SavanPhase"/-->
>         <!--phase name="userphase1"/-->
>         <!--system predefined phase-->
>         <phase name="MessageOut"/>
>     </phaseOrder>
>     <phaseOrder type="INfaultflow">
>         <!-- User defined phases could be added here -->
>         <!--phase name="userphase1"/-->
>         <!--phase name="RMPhase"/-->
>         <!--phase name="SavanPhase"/-->
>     </phaseOrder>
>     <phaseOrder type="Outfaultflow">
>         <!-- User defined phases could be added here -->
>         <!--phase name="RMPhase"/-->
>         <!--phase name="SavanPhase"/-->
>         <!--phase name="userphase1"/-->
>         <phase name="MessageOut"/>
>     </phaseOrder>
> </axisconfig>
>
>   
> ------------------------------------------------------------------------
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: axis-c-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: axis-c-dev-help@ws.apache.org


-- 
http://kaushalye.blogspot.com/
http://wso2.org/
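The per-Reference digest check behind the "Verification failed for URI" warning quoted above, as an added example that is not part of this thread nor code from Rampart/C or WSS4J. It builds a constructed envelope whose Timestamp and Body carry wsu:Id attributes, fills the DigestValues the way a signer would, then re-verifies, so that a change to one part (here the Timestamp) shows up as a failure for that URI alone while the Body still verifies. Assumption: Python's standard-library C14N 2.0 canonicalizer stands in for the Exclusive C14N 1.0 transform both stacks apply, so the bytes differ from a real WS-Security message; only the mechanism is the same.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# WS-Security 1.0 namespace URIs (real); prefixes are registered so both sides serialise alike.
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
WSU_ID = "{%s}Id" % NS["wsu"]
DS_REF = "{%s}Reference" % NS["ds"]

# Constructed sample message: Timestamp and Body carry a wsu:Id and SignedInfo references both.
ENVELOPE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}">
 <soap:Header><wsse:Security>
  <wsu:Timestamp wsu:Id="Timestamp-1"><wsu:Created>2007-07-31T10:30:42Z</wsu:Created>
   <wsu:Expires>2007-07-31T10:35:42Z</wsu:Expires></wsu:Timestamp>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#Timestamp-1"><ds:DigestValue/></ds:Reference>
   <ds:Reference URI="#Body-1"><ds:DigestValue/></ds:Reference></ds:SignedInfo></ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="Body-1"><echo>hello</echo></soap:Body>
</soap:Envelope>""".format(**NS)

def find_by_id(root, ref_id):
    """Resolve a same-document Reference URI ("#id") to the element carrying that wsu:Id."""
    for elem in root.iter():
        if elem.get(WSU_ID) == ref_id:
            return elem
    raise KeyError("no element with wsu:Id=%r" % ref_id)

def digest_of(elem):
    """base64(SHA-1(canonical form of the part)); the Basic256 suite digests with SHA-1.
    Assumption: stdlib C14N 2.0 stands in for the Exclusive C14N 1.0 that WSS4J/Rampart apply."""
    canonical = ET.canonicalize(ET.tostring(elem, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(canonical.encode("utf-8")).digest()).decode("ascii")

def sign_references(envelope_xml):
    """Signer side: fill each ds:DigestValue from the part its URI (#wsu:Id) points at."""
    root = ET.fromstring(envelope_xml)
    for ref in root.iter(DS_REF):
        ref.find("ds:DigestValue", NS).text = digest_of(find_by_id(root, ref.get("URI")[1:]))
    return ET.tostring(root, encoding="unicode")

def check_references(envelope_xml):
    """Verifier side: recompute every digest and report per URI. This is the check behind
    WSS4J's 'Verification failed for URI' warning, so a single bad part is isolated at once."""
    root = ET.fromstring(envelope_xml)
    return {ref.get("URI"): digest_of(find_by_id(root, ref.get("URI")[1:]))
            == ref.find("ds:DigestValue", NS).text for ref in root.iter(DS_REF)}
```

Running check_references on a signed message and then on the same message with one character of the Timestamp changed shows the Body reference still passing while only "#Timestamp-1" fails, which is the pattern Jamie reports.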

