cxf-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: CXF 2.3.1: Message signature doesn't get validated
Date Thu, 19 Jan 2012 10:47:06 GMT
The errors in the log indicate that the digest of the signed
references does not match the digests in the signature. Is anything
changing the SOAP Message between when the signature was created and
validated?

Have you tried with a more recent version of CXF?

Colm.

On Wed, Jan 18, 2012 at 4:43 PM, Pascal Alma <pascal.alma@redstream.nl> wrote:
> The issue is this:
> I receive a signed SOAP message with the X509 certificate in the header (in
> the BinarySecurityToken element). I have added this certificate to my
> keystore and try to validate the signature. However, the message won't be
> validated; I keep receiving:
> org.apache.xml.security.signature.Reference: Verification failed for URI
> "#Timestamp-bcb7f6e3-350f-4ec7-8c81-e0d81ce53030"
>
> I will add some more logging to the end of this post. Since I am rather new
> to this WS-Security, I was wondering if I am on the wrong path with this. Are
> there other issues that I have to be aware of?
>
> I must say that my set-up works with messages and signatures created by
> myself; it only fails with messages I get from a third party.
>
> Here is my CXF config:
>  <cxf:proxy-service>
>      <cxf:inInterceptors>
>          <!-- logs the raw inbound message before WS-Security processing runs -->
>          <spring:bean class="org.apache.cxf.interceptor.LoggingInInterceptor" />
>          <!-- inbound WS-Security: expect and verify a Signature action -->
>          <spring:bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>              <spring:constructor-arg>
>                  <spring:map>
>                      <spring:entry key="action" value="Signature" />
>                      <spring:entry key="signaturePropFile" value="wssecurity.properties" />
>                      <spring:entry key="signatureKeyIdentifier" value="DirectReference" />
>                  </spring:map>
>              </spring:constructor-arg>
>          </spring:bean>
>      </cxf:inInterceptors>
>  </cxf:proxy-service>
>
> In my property file I have:
> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> org.apache.ws.security.crypto.merlin.keystore.type=JKS
> org.apache.ws.security.crypto.merlin.file=c:\\develop\\KeyStores\\myKeystore.jks
> org.apache.ws.security.crypto.merlin.keystore.password=myPassword
>
> Here is part of the logging I get:
> --------------- -----------------------
> DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.apache.cxf.interceptor.AttachmentInInterceptor@347cdb
> DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.apache.cxf.interceptor.StaxInInterceptor@75f10df7
> DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor@6365d2be
> DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor@24cc0f9f
> DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor@31eeeaed
> DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.mule.module.cxf.support.MuleHeadersInInterceptor@170a6001
> DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor@191c0b76
> DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor: WSS4JInInterceptor: enter handleMessage()
> DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.WSSecurityEngine: enter processSecurityHeader()
> DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.WSSecurityEngine: Processing WS-Security header for '' actor.
> DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.processor.SignatureProcessor: Found signature element
> DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.processor.SignatureProcessor: Verify XML Signature
> DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("Signature", "null")
> DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("SignedInfo", "null")
> DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("SignatureMethod", "null")
> DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("KeyInfo", "null")
> DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.message.token.SecurityTokenReference: Token reference uri: #SecurityToken-6afc8095-f450-4a21-82ba-8902e4a02d45
> DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.signature.Manifest: verify 1 References
> DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.signature.Manifest: I am not requested to follow nested Manifests
> DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("Reference", "null")
> DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("Transforms", "null")
> DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.algorithms.JCEMapper: Request for URI http://www.w3.org/2000/09/xmldsig#sha1
> DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.resolver.ResourceResolver: I was asked to create a ResourceResolver and got 1
> DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.resolver.ResourceResolver:  extra resolvers to my existing 4 system-wide resolvers
> DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.resolver.ResourceResolver: check resolvability by class org.apache.ws.security.message.EnvelopeIdResolver
> DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.message.EnvelopeIdResolver: enter engineResolve, look for: #Body-432a8626-6c46-47b8-b069-7443138f9b8d
> DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.message.EnvelopeIdResolver: exit engineResolve, result: XMLSignatureInput/Element/[soapenv:Body: null] exclude null comments:false/null
> DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("Transform", "null")
> WARN  2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.signature.Reference: Verification failed for URI "#Body-432a8626-6c46-47b8-b069-7443138f9b8d"
> DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.signature.Manifest: The Reference has Type
> WARN  2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor:
> org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
>        at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:529)
>        at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
>        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
>        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
>        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:215)
>        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:81)
>        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
>        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
>        at org.mule.module.cxf.CxfInboundMessageProcessor.sendToDestination(CxfInboundMessageProcessor.java:296)
>        at org.mule.module.cxf.CxfInboundMessageProcessor.process(CxfInboundMessageProcessor.java:137)
>        at org.mule.module.cxf.config.FlowConfiguringMessageProcessor.process(FlowConfiguringMessageProcessor.java:50)
>        at org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
>        at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
>        at org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
>        at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
>        at org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
>        at org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
>        at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
>        at org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
>        at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
>        at org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
>        at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:195)
>        at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:163)
>        at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:150)
>        at org.mule.transport.http.HttpMessageReceiver$HttpWorker.doRequest(HttpMessageReceiver.java:299)
>        at org.mule.transport.http.HttpMessageReceiver$HttpWorker.processRequest(HttpMessageReceiver.java:258)
>        at org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:163)
>        at org.mule.work.WorkerContext.run(WorkerContext.java:310)
>        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>        at java.lang.Thread.run(Thread.java:662)
> WARN  2012-01-18 17:38:18,897 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for {http://support.cxf.module.mule.org/}ProxyService has thrown exception, unwinding now
> org.apache.cxf.binding.soap.SoapFault: The signature or decryption was invalid
>        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:654)
>        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:275)
>        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:81)
>        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
>        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
>        at org.mule.module.cxf.CxfInboundMessageProcessor.sendToDestination(CxfInboundMessageProcessor.java:296)
>        at org.mule.module.cxf.CxfInboundMessageProcessor.process(CxfInboundMessageProcessor.java:137)
>        at org.mule.module.cxf.config.FlowConfiguringMessageProcessor.process(FlowConfiguringMessageProcessor.java:50)
>        at org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
>        at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
>        at org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
>        at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
>        at org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
>        at org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
>        at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
>        at org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
>        at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
>        at org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
>        at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:195)
>        at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:163)
>        at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:150)
>        at org.mule.transport.http.HttpMessageReceiver$HttpWorker.doRequest(HttpMessageReceiver.java:299)
>        at org.mule.transport.http.HttpMessageReceiver$HttpWorker.processRequest(HttpMessageReceiver.java:258)
>        at org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:163)
>        at org.mule.work.WorkerContext.run(WorkerContext.java:310)
>        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>        at java.lang.Thread.run(Thread.java:662)
> Caused by: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
>        at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:529)
>        at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
>        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
>        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
>        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:215)
>        ... 26 more
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/CXF-2-3-1-Message-signature-doesn-t-get-validated-tp5155316p5155316.html
> Sent from the cxf-user mailing list archive at Nabble.com.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
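A way to test Colm's hypothesis offline, as an added example that is not part of the original thread and not CXF or WSS4J code: redo the one step the log says failed ("Reference: Verification failed for URI #Body-..."), i.e. resolve each ds:Reference URI to the element carrying that wsu:Id, canonicalize it, hash it and compare with the DigestValue in SignedInfo. Run it against the message the LoggingInInterceptor captured and against the bytes the sender logged; if the Body digest already differs between those two captures, something on the path is rewriting the message. Assumptions: Python's built-in C14N 2.0 (xml.etree.ElementTree.canonicalize, 3.8+) stands in for the Exclusive C14N a real WS-Security stack applies, so it will not reproduce a real sender's DigestValue byte for byte; the envelope, its wsu:Id values, the urn:example:bank payload and the digest are constructed here; and the SignatureValue over SignedInfo, which needs the sender's key, is deliberately out of scope.

```python
"""Re-check each <ds:Reference> digest of a WS-Security signed SOAP message.

Added example, not CXF/WSS4J code. ASSUMPTIONS: C14N 2.0 (xml.etree's
canonicalize) stands in for Exclusive C14N; the envelope, wsu:Id values,
payload namespace and digest below are constructed for illustration; the
SignatureValue over SignedInfo is not checked (that needs the sender's key).
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "bank": "urn:example:bank",  # constructed payload namespace
}
for _prefix, _uri in NS.items():  # keep prefixes stable across serialisations
    ET.register_namespace(_prefix, _uri)

WSU_ID = "{%s}Id" % NS["wsu"]
SHA1_URI = "http://www.w3.org/2000/09/xmldsig#sha1"

# Constructed sample. DIGEST_PLACEHOLDER is filled in by build_signed_envelope()
# after hashing the Body exactly the way check_references() does.
ENVELOPE_TEMPLATE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n2"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#Body-1">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>DIGEST_PLACEHOLDER</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>c2lnbmF0dXJlLW5vdC1jb21wdXRlZA==</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body-1">
    <bank:transfer xmlns:bank="urn:example:bank"><bank:amount>100</bank:amount></bank:transfer>
  </soapenv:Body>
</soapenv:Envelope>"""


def find_by_wsu_id(root, ref_id):
    """Resolve a same-document URI the way the EnvelopeIdResolver in the log does: by wsu:Id."""
    for elem in root.iter():
        if elem.get(WSU_ID) == ref_id:
            return elem
    return None


def reference_digest(elem, algorithm=SHA1_URI):
    """Canonicalize the referenced subtree (without its tail text) and return its base64 digest."""
    if algorithm != SHA1_URI:
        raise ValueError("unsupported DigestMethod: " + algorithm)
    tail, elem.tail = elem.tail, None  # tostring() would otherwise include the tail
    try:
        serialized = ET.tostring(elem, encoding="unicode")
    finally:
        elem.tail = tail
    canonical = ET.canonicalize(serialized)  # C14N 2.0 stand-in for exc-c14n
    return base64.b64encode(hashlib.sha1(canonical.encode("utf-8")).digest()).decode("ascii")


def check_references(envelope_xml):
    """Return {URI: (expected_digest, actual_digest, matches)} for every ds:Reference.

    actual_digest is None when the URI does not resolve to any wsu:Id in the message.
    """
    root = ET.fromstring(envelope_xml)
    results = {}
    for ref in root.iterfind(".//ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        expected = ref.findtext("ds:DigestValue", default="", namespaces=NS).strip()
        algorithm = ref.find("ds:DigestMethod", NS).get("Algorithm")
        target = find_by_wsu_id(root, uri[1:]) if uri.startswith("#") else None
        actual = reference_digest(target, algorithm) if target is not None else None
        results[uri] = (expected, actual, actual == expected)
    return results


def all_references_ok(envelope_xml):
    return all(ok for _, _, ok in check_references(envelope_xml).values())


def build_signed_envelope():
    """Fill in the Body digest so the constructed sample verifies exactly as sent."""
    body = find_by_wsu_id(ET.fromstring(ENVELOPE_TEMPLATE), "Body-1")
    return ENVELOPE_TEMPLATE.replace("DIGEST_PLACEHOLDER", reference_digest(body))


if __name__ == "__main__":
    sent = build_signed_envelope()
    # An intermediary that merely re-indents the payload changes the digest too:
    reindented = sent.replace("<bank:transfer", "  <bank:transfer")
    # ...and so, of course, does changing the amount:
    tampered = sent.replace("<bank:amount>100<", "<bank:amount>1000<")
    for label, msg in (("as sent", sent), ("re-indented", reindented), ("tampered", tampered)):
        print(label, check_references(msg))
```

The point of the re-indented case is Colm's question: a reference digest fails for any byte-level change to the signed subtree that survives canonicalization, so a proxy or framework layer that pretty-prints, re-encodes or re-declares namespaces on the Body produces exactly the "Verification failed for URI" warning seen above, with no attacker involved. Against a real third-party message this script uses a different canonicalization than WSS4J, so treat a mismatch here as "the bytes differ between the two captures", not as proof on its own.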
