axis-c-dev mailing list archives

From "Jamie Lyon" ...@it-innovation.soton.ac.uk>
Subject RE: [Rampart/C] Generating incorrect digests?
Date Wed, 01 Aug 2007 09:25:37 GMT
This works perfectly, thanks very much!

Cheers,
Jamie

> -----Original Message-----
> From: Kaushalye Kapuruge [mailto:kaushalye@wso2.com]
> Sent: 01 August 2007 06:30
> To: Apache AXIS C Developers List
> Subject: Re: [Rampart/C] Generating incorrect digests?
> 
> Hi Jamie,
> It appears to me that the tcp log and the server log don't tally.
> The tcp-log shows attribute in Timestamp as u:Id whilst the server-log
> shows wsu:Id.
> Maybe the server expects attribute to be with wsu: prefix.
> Could you please try this...
> 1. Open RAMPART/src/util/rampart_signature.c
> 2. Change line(273) to
>     oxs_axiom_add_attribute(env, node_to_sign, RAMPART_WSU, RAMPART_WSU_XMLNS,OXS_ATTR_ID, id);
>     See that I've changed prefix, from "u:" to "wsu:"
> Let me know if this works with Axis1. If not we might have to dig
> further into the problem :).
> Cheers,
> Kaushalye
> 
> Jamie Lyon wrote:
> > Replies inline:
> >
> >
> >>> I've successfully got Rampart/C set up, and have the client signing
> >>> messages, however the digests are failing to verify for all items
> >>> apart from the Body.
> >>>
> >>>
> >> You mean the digest of the body is verified but not for other parts?
> >>
> >
> > It appears to be that way, yes. At least, the Axis1/Java isn't throwing
> > any verification failed errors for the Body.
> >
> >
> >>> It might also be of interest that even with just <sp:Body/> in the
> >>> SignedParts, the timestamp is still signed, so I can't test to see if
> >>> the message is accepted when only the Body is signed (is there a way
> >>> to turn this off?). There is also the message "No Signed parts
> >>> specified. Using the body." when only the body is specified.
> >>>
> >>>
> >> The behavior is, if a Timestamp is present Rampart/C signs it as per the
> >> WS-Security Policy Specification (Section 7.2).
> >> So if signing is enabled, and there is a Timestamp, Rampart/C signs it.
> >
> > Okay, this is fine, I would want to sign it eventually anyway, I was
> > just curious as to whether there was a way to disable it for testing
> > purposes.
> >
> >
> >>> An error that might be significant is: "OXS ERROR [x509.c:385 in
> >>> openssl_x509_get_subject_key_identifier] oxs defualt error , The
> >>> extenension index of NID_subject_key_identifier is not valid"
> >>> (spelling mistakes in original error message).
> >>>
> >>>
> >> Did you get this error in the client side? (Since you are using
> >> Rampart/C client against WSS4J )
> >>
> >
> > Yes, that's from the client with Axis2/C|Rampart/C, it can be seen in
> > the debug.log I included with the last message, just above the first
> > c14n debug output, but it's also printed to the screen when running.
> >
> >
> >> The reference belongs to the Timestamp element, in which the digest
> >> verification fails. But the problem is how the Body signature was
> >> verified? (please confirm this).
> >> Have you tried to use Rampart/C for the verification of a message signed
> >> by WSS4J?
> >> BTW, Rampart/C interop with Rampart/Java, which uses WSS4J. :)
> >>
> >
> > I've attached the Axis logs for messages with and without a timestamp.
> > It appears to me as though the one without the timestamp is being
> > verified correctly, although it then of course returns to me a
> > 'timestamp missing' error.
> >
> > Could the problem be that the c14n transforms are not working correctly?
> > I'm currently trying to get axis/java to output the xml that it is
> > producing a digest on, to make sure that they match.
> >
> > Thanks,
> > Jamie
> >
> >
> > ------------------------------------------------------------------------
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: axis-c-dev-unsubscribe@ws.apache.org
> > For additional commands, e-mail: axis-c-dev-help@ws.apache.org
> 
> 
> --
> http://kaushalye.blogspot.com/
> http://wso2.org/
> 
> 




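An added illustration, not part of the original thread and not Rampart/C code: canonicalization keeps namespace prefixes, so a Timestamp serialized with `u:` and the same Timestamp serialized with `wsu:` produce different digests even though both prefixes bind the same namespace. Python's `xml.etree.ElementTree.canonicalize` (which implements C14N 2.0) stands in here for the c14n transform discussed above; the Timestamp content, the Id value and the helper names are constructed for the example.

```python
import base64
import hashlib
from xml.etree.ElementTree import canonicalize

# WS-Security utility namespace, the one the wsu: prefix conventionally binds.
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")

# Constructed sample Timestamp; only the prefix differs between the two forms.
TEMPLATE = (
    '<{p}:Timestamp xmlns:{p}="{ns}" {p}:Id="SigID-constructed-1">'
    '<{p}:Created>2007-08-01T06:30:00Z</{p}:Created>'
    '<{p}:Expires>2007-08-01T06:35:00Z</{p}:Expires>'
    '</{p}:Timestamp>'
)


def timestamp_xml(prefix):
    """Serialize the sample Timestamp using the given namespace prefix."""
    return TEMPLATE.format(p=prefix, ns=WSU_NS)


def canonical(xml_text, rewrite_prefixes=False):
    """Canonical form as text. rewrite_prefixes is a C14N 2.0 option, used
    below only to confirm that the prefix is the sole difference."""
    return canonicalize(xml_text, rewrite_prefixes=rewrite_prefixes)


def digest_value(xml_text, rewrite_prefixes=False):
    """Base64 SHA-1 over the canonical bytes, shaped like a ds:DigestValue."""
    data = canonical(xml_text, rewrite_prefixes).encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def first_difference(a, b):
    """Index where two canonical strings diverge, or -1 if they are equal."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


if __name__ == "__main__":
    signed, seen = timestamp_xml("u"), timestamp_xml("wsu")
    print("signer   digest:", digest_value(signed))
    print("verifier digest:", digest_value(seen))
    print("diverge at char:", first_difference(canonical(signed), canonical(seen)))
    print("equal once prefixes are normalized:",
          digest_value(signed, True) == digest_value(seen, True))
```

When a digest fails for one reference only, diffing the canonical bytes each side actually hashed, as `first_difference` does, locates this kind of mismatch faster than comparing the digest values.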