Subject: Re: CXF 2.3.1: Message signature doesn't get validated
From: Colm O hEigeartaigh
To: users@cxf.apache.org
Date: Thu, 19 Jan 2012 10:47:06 +0000

The errors in the log indicate that the digest of the signed references
does not match the digests in the signature.

Is anything changing the SOAP Message between when the signature was
created and validated? Have you tried with a more recent version of CXF?

Colm.

On Wed, Jan 18, 2012 at 4:43 PM, Pascal Alma wrote:
> The issue is this:
> I receive a signed SOAP message with the X509 certificate in the header (in
> the BinarySecurityToken element). I have added this certificate to my
> keystore and try to validate the signature. However, the message won't be
> validated; I keep receiving:
> org.apache.xml.security.signature.Reference: Verification failed for URI
> "#Timestamp-bcb7f6e3-350f-4ec7-8c81-e0d81ce53030"
>
> I will add some more logging to the end of this post. Since I am rather new
> to this WS-Security, I was wondering if I am on the wrong path with this. Are
> there other issues that I have to be aware of?
>
> I must say that my setup works with messages and signatures created by
> myself; it only fails with messages I get from a third party.
>
> Here is my CXF config:
>         class="org.apache.cxf.interceptor.LoggingInInterceptor" />
>         class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>                 value="wssecurity.properties" />
>                 value="DirectReference" />
>
> In my property file I have:
> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> org.apache.ws.security.crypto.merlin.keystore.type=JKS
> org.apache.ws.security.crypto.merlin.file=c:\\develop\\KeyStores\\myKeystore.jks
> org.apache.ws.security.crypto.merlin.keystore.password=myPassword
>
> Here is part of the logging I get:
> --------------- -----------------------
> DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.apache.cxf.interceptor.AttachmentInInterceptor@347cdb
> DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.apache.cxf.interceptor.StaxInInterceptor@75f10df7
> DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor@6365d2be
> DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor@24cc0f9f
> DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor@31eeeaed
> DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.mule.module.cxf.support.MuleHeadersInInterceptor@170a6001
> DEBUG 2012-01-18 17:38:18,850 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on interceptor org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor@191c0b76
> DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor: WSS4JInInterceptor: enter handleMessage()
> DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.WSSecurityEngine: enter processSecurityHeader()
> DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.WSSecurityEngine: Processing WS-Security header for '' actor.
> DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.processor.SignatureProcessor: Found signature element
> DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.processor.SignatureProcessor: Verify XML Signature
> DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("Signature", "null")
> DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("SignedInfo", "null")
> DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("SignatureMethod", "null")
> DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("KeyInfo", "null")
> DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.message.token.SecurityTokenReference: Token reference uri: #SecurityToken-6afc8095-f450-4a21-82ba-8902e4a02d45
> DEBUG 2012-01-18 17:38:18,866 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.signature.Manifest: verify 1 References
> DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.signature.Manifest: I am not requested to follow nested Manifests
> DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("Reference", "null")
> DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("Transforms", "null")
> DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.algorithms.JCEMapper: Request for URI http://www.w3.org/2000/09/xmldsig#sha1
> DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.resolver.ResourceResolver: I was asked to create a ResourceResolver and got 1
> DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.resolver.ResourceResolver:  extra resolvers to my existing 4 system-wide resolvers
> DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.resolver.ResourceResolver: check resolvability by class org.apache.ws.security.message.EnvelopeIdResolver
> DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.message.EnvelopeIdResolver: enter engineResolve, look for: #Body-432a8626-6c46-47b8-b069-7443138f9b8d
> DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.ws.security.message.EnvelopeIdResolver: exit engineResolve, result: XMLSignatureInput/Element/[soapenv:Body: null] exclude null comments:false/null
> DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.utils.ElementProxy: setElement("Transform", "null")
> WARN  2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.signature.Reference: Verification failed for URI "#Body-432a8626-6c46-47b8-b069-7443138f9b8d"
> DEBUG 2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.xml.security.signature.Manifest: The Reference has Type
> WARN  2012-01-18 17:38:18,881 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor:
> org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
>         at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:529)
>         at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
>         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
>         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
>         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:215)
>         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:81)
>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
>         at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
>         at org.mule.module.cxf.CxfInboundMessageProcessor.sendToDestination(CxfInboundMessageProcessor.java:296)
>         at org.mule.module.cxf.CxfInboundMessageProcessor.process(CxfInboundMessageProcessor.java:137)
>         at org.mule.module.cxf.config.FlowConfiguringMessageProcessor.process(FlowConfiguringMessageProcessor.java:50)
>         at org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
>         at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
>         at org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
>         at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
>         at org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
>         at org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
>         at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
>         at org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
>         at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
>         at org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
>         at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:195)
>         at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:163)
>         at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:150)
>         at org.mule.transport.http.HttpMessageReceiver$HttpWorker.doRequest(HttpMessageReceiver.java:299)
>         at org.mule.transport.http.HttpMessageReceiver$HttpWorker.processRequest(HttpMessageReceiver.java:258)
>         at org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:163)
>         at org.mule.work.WorkerContext.run(WorkerContext.java:310)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>         at java.lang.Thread.run(Thread.java:662)
> WARN  2012-01-18 17:38:18,897 [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for {http://support.cxf.module.mule.org/}ProxyService has thrown exception, unwinding now
> org.apache.cxf.binding.soap.SoapFault: The signature or decryption was invalid
>         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:654)
>         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:275)
>         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:81)
>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
>         at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
>         at org.mule.module.cxf.CxfInboundMessageProcessor.sendToDestination(CxfInboundMessageProcessor.java:296)
>         at org.mule.module.cxf.CxfInboundMessageProcessor.process(CxfInboundMessageProcessor.java:137)
>         at org.mule.module.cxf.config.FlowConfiguringMessageProcessor.process(FlowConfiguringMessageProcessor.java:50)
>         at org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
>         at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
>         at org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
>         at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
>         at org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
>         at org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
>         at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
>         at org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
>         at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
>         at org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
>         at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:195)
>         at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:163)
>         at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:150)
>         at org.mule.transport.http.HttpMessageReceiver$HttpWorker.doRequest(HttpMessageReceiver.java:299)
>         at org.mule.transport.http.HttpMessageReceiver$HttpWorker.processRequest(HttpMessageReceiver.java:258)
>         at org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:163)
>         at org.mule.work.WorkerContext.run(WorkerContext.java:310)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>         at java.lang.Thread.run(Thread.java:662)
> Caused by: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
>         at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:529)
>         at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
>         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
>         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
>         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:215)
>         ... 26 more
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/CXF-2-3-1-Message-signature-doesn-t-get-validated-tp5155316p5155316.html
> Sent from the cxf-user mailing list archive at Nabble.com.

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
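The digest check that Colm's reply points at, as an added example that is not code from this thread, CXF or WSS4J: a simplified model of what Santuario does for each ds:Reference in the quoted log, resolving the URI to the element carrying that wsu:Id, canonicalising it, hashing it with SHA-1 and comparing the result with DigestValue. It assumes a constructed envelope (the `ex` namespace and the `Body-1` id are made up) and Python 3.8+ standard library only; its C14N 2.0 stands in for the exclusive C14N 1.0 transform a real WS-Security signature specifies, and the signature value itself is not checked.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces of the constructed sample, registered so re-serialised fragments keep fixed prefixes.
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "ex": "urn:example",  # hypothetical application namespace
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed skeleton; wsse:Security, KeyInfo and SignatureValue are omitted on purpose.
ENVELOPE_TEMPLATE = (
    '<soapenv:Envelope xmlns:soapenv="{soapenv}" xmlns:ds="{ds}"><soapenv:Header>'
    '<ds:Signature><ds:SignedInfo><ds:Reference URI="#Body-1">'
    '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
    '<ds:DigestValue>{digest}</ds:DigestValue></ds:Reference></ds:SignedInfo>'
    '</ds:Signature></soapenv:Header>{body}</soapenv:Envelope>'
)

def canonical_digest(element):
    """Base64 SHA-1 over the canonical form of one element (the DigestMethod in the log).
    Standard-library C14N 2.0 stands in for the exclusive C14N 1.0 WS-Security uses."""
    c14n = ET.canonicalize(ET.tostring(element, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(c14n.encode("utf-8")).digest()).decode("ascii")

def find_by_wsu_id(root, uri):
    """Resolve a same-document URI "#id" to the element carrying that wsu:Id
    (the step EnvelopeIdResolver logs as 'look for: #Body-...')."""
    target = uri.lstrip("#")
    for el in root.iter():
        if el.get("{%s}Id" % NS["wsu"]) == target:
            return el
    raise LookupError("no element with wsu:Id=%r" % target)

def verify_references(envelope_xml):
    """Recompute each ds:Reference digest and compare it with DigestValue; returns {URI: ok}.
    A False entry is the condition Santuario reports as 'Verification failed for URI'."""
    root = ET.fromstring(envelope_xml)
    results = {}
    for ref in root.iter("{%s}Reference" % NS["ds"]):
        uri = ref.get("URI")
        expected = ref.find("ds:DigestValue", NS).text.strip()
        results[uri] = canonical_digest(find_by_wsu_id(root, uri)) == expected
    return results

def build_sample_envelope(body_text):
    """Constructed signer side: a Body carrying wsu:Id and a DigestValue computed over it."""
    body = ET.Element("{%s}Body" % NS["soapenv"], {"{%s}Id" % NS["wsu"]: "Body-1"})
    ET.SubElement(body, "{%s}echo" % NS["ex"]).text = body_text
    return ENVELOPE_TEMPLATE.format(
        digest=canonical_digest(body), body=ET.tostring(body, encoding="unicode"), **NS)
```

Changing the Body after signing, or merely inserting a newline inside it as a pretty-printing intermediary would, turns the `#Body-1` entry False, which is the same mismatch WSS4J reports as "The signature or decryption was invalid".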