axis-java-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From akkachotu <akkach...@gmail.com>
Subject intermediary adding soap header element breaking signature verification
Date Sun, 13 Aug 2006 04:49:47 GMT
Here is the soap message after it is signed using AXIS 1.4, WSS4J 1.5:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
		xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
		xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
		xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
		xmlns:xsd="http://www.w3.org/2001/XMLSchema"
		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
	<soapenv:Header>
		<wsse:Security
					xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
			<wsse:BinarySecurityToken
						ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
						elementEncoding="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
						wsu:Id="binarytoken">
					123MIIB5jCCAU8CBEQyyzkwDQYJKoZIhvcNAQEFBQAwOjELMAkGA1UEBhMCVVMxDTALBgNVBAoTBEFN
			</wsse:BinarySecurityToken>
			<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
				<ds:SignedInfo>
					<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
					<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
					<ds:Reference URI="#Body">
						<ds:Transforms>
							<ds:Transform
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
						</ds:Transforms>
						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
						<ds:DigestValue>EwE9/d/aFPCf7CpqoKdbHSrhNN0=</ds:DigestValue>
					</ds:Reference>
				</ds:SignedInfo>
				<ds:SignatureValue>
    				lCIbgyn1nzA/7Y2tAVQ+WuVTX/WoOKE0Xv1dOTDBJ+BIY1w6ulg17apQ2taLmfDHGEFtLOCO
    				TKdvhev5CMNCvmsbZQVv5Mli+ttFSpumNf8yOkf0BwDCcSyTVbuiotJJXOFVGRTXB5oxIv8q
    				UqY5QO3lZkO790OmUyBlpgWaWAE=
  				</ds:SignatureValue>
				<ds:KeyInfo>
					<wsse:SecurityTokenReference>
						<wsse:Reference
							URI="#binarytoken"
							ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
					</wsse:SecurityTokenReference>
				</ds:KeyInfo>
			</ds:Signature>
		</wsse:Security>
	</soapenv:Header>
	<soapenv:Body Id="Body">
		<getHolidays xmlns="http://transfer.as.com">
			<request>
				<ns3:regionID xmlns:ns3="http://shr.ws.com" xsi:nil="true"/>
				<cardNumber>4444</cardNumber>
			</request>
		</getHolidays>
	</soapenv:Body>
</soapenv:Envelope>





Say if I use AXIS + WSS4J on bother sender side and receiver side and
say if an intermediary adds an element

<intermediary:ProxyID
wsu:Id="6767">0d88d3e0-0e2c-489d-a682-da14b8fec3d7</intermediary:ProxyID>


to the soap header and after adding this element the complete soap
message looks like below:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
		xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
		xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
		xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
		xmlns:xsd="http://www.w3.org/2001/XMLSchema"
		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
		xmlns:intermediary="http://www.intermediary.com/proxy/2424.2424s">
	<soapenv:Header>
		<intermediary:ProxyID
wsu:Id="6767">0d88d3e0-0e2c-489d-a682-da14b8fec3d7</intermediary:ProxyID>
		<wsse:Security
					xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
			<wsse:BinarySecurityToken
						ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
						elementEncoding="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
						wsu:Id="binarytoken">
					123MIIB5jCCAU8CBEQyyzkwDQYJKoZIhvcNAQEFBQAwOjELMAkGA1UEBhMCVVMxDTALBgNVBAoTBEFN
			</wsse:BinarySecurityToken>
			<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
				<ds:SignedInfo>
					<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
					<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
					<ds:Reference URI="#Body">
						<ds:Transforms>
							<ds:Transform
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
						</ds:Transforms>
						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
						<ds:DigestValue>EwE9/d/aFPCf7CpqoKdbHSrhNN0=</ds:DigestValue>
					</ds:Reference>
				</ds:SignedInfo>
				<ds:SignatureValue>
    				lCIbgyn1nzA/7Y2tAVQ+WuVTX/WoOKE0Xv1dOTDBJ+BIY1w6ulg17apQ2taLmfDHGEFtLOCO
    				TKdvhev5CMNCvmsbZQVv5Mli+ttFSpumNf8yOkf0BwDCcSyTVbuiotJJXOFVGRTXB5oxIv8q
    				UqY5QO3lZkO790OmUyBlpgWaWAE=
  				</ds:SignatureValue>
				<ds:KeyInfo>
					<wsse:SecurityTokenReference>
						<wsse:Reference
							URI="#binarytoken"
							ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
					</wsse:SecurityTokenReference>
				</ds:KeyInfo>
			</ds:Signature>
		</wsse:Security>
	</soapenv:Header>
	<soapenv:Body Id="Body">
		<getHolidays xmlns="http://transfer.as.com">
			<request>
				<ns3:regionID xmlns:ns3="http://shr.ws.com" xsi:nil="true"/>
				<cardNumber>4444</cardNumber>
			</request>
		</getHolidays>
	</soapenv:Body>
</soapenv:Envelope>


After the intermediary adds its element hopefully without altering the
signature and when I try to validate the signature on the provider end
I get signature verification failed. Now my question is, is it
expected behaviour that adding elements to the header by
intermediaries (ofcourse without modifying the signature) will break
the signature verification. Does canonicalization here will fail ? If
I dont have this intermediary then signature verification is
successfull. please suggest how to get around this problem.



Thanks in advance for your time and reply.

---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org


Mime
View raw message