santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 43685] New: - Problem verifying signatures generated by BEA Aqualogic
Date Wed, 24 Oct 2007 07:56:04 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=43685>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=43685

           Summary: Problem verifying signatures generated by BEA Aqualogic
           Product: Security
           Version: Java 1.4.1
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: Signature
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: kr@it-practice.dk
                CC: kr@it-practice.dk


I'm having trouble verifying a signature generated by BEA Aqualogic - it looks 
like the SHA-1 hash generated when verifying is not the same as specified in 
the signature.

Here is the security header, I'll attach the entire signed XML file too.

Here, both the timestamp and the body SHA-1 hash does not match, but the binary 
securitytoken is ok.

		<wsse:Security soapenv:mustUnderstand="1" 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-
secext-1.0.xsd">
			<wsse:BinarySecurityToken wsu:Id="bst_eYXO4naFUHt1oMiY" 
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-
profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-
200401-wss-soap-message-security-
1.0#Base64Binary">MIIE7TCCBFagAwIBAgIEQDZd9zANBgkqhkiG9w0BAQUFADA/MQswCQYDVQQGEw
JESzEMMAoGA1UEChMDVERDMSIwIAYDVQQDExlUREMgT0NFUyBTeXN0ZW10ZXN0IENBIElJMB4XDTA1MT
AzMTA4MjgxOVoXDTA3MTAzMTA4NTgxOVowczELMAkGA1UEBhMCREsxIDAeBgNVBAoTF1REQyBBL1MgLy
8gQ1ZSOjE0NzczOTA4MUIwGQYDVQQDExJUREMgQS9TIC0gUElEIFRFU1QwJQYDVQQFEx5DVlI6MTQ3Nz
M5MDgtVUlEOjEwODM4Mzg5MTQzOTIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKlUxEE8Miw22X
nNdMBJpkZjcvBQWBboL8N/bjKrmHyUC68PIr+OTDtlq0QcIxYwWp7iHvd/FEQBjWc09KBTpVPy23rEM3
n/0EXoBFeq0zFOrZt3eAwhY4RA4ipaW9bBjnzuhTXEQ/VJfROIcbcjORqBrJbDVpjv8Z7zzmLrQGE3Ag
MBAAGjggLAMIICvDAOBgNVHQ8BAf8EBAMCA7gwKwYDVR0QBCQwIoAPMjAwNTEwMzEwODI4MTlagQ8yMD
A3MTAzMTA4NTgxOVowRgYIKwYBBQUHAQEEOjA4MDYGCCsGAQUFBzABhipodHRwOi8vdGVzdC5vY3NwLm
NlcnRpZmlrYXQuZGsvb2NzcC9zdGF0dXMwggEDBgNVHSAEgfswgfgwgfUGCSkBAQEBAQEBAzCB5zAvBg
grBgEFBQcCARYjaHR0cDovL3d3dy5jZXJ0aWZpa2F0LmRrL3JlcG9zaXRvcnkwgbMGCCsGAQUFBwICMI
GmMAoWA1REQzADAgEBGoGXVERDIFRlc3QgQ2VydGlmaWthdGVyIGZyYSBkZW5uZSBDQSB1ZHN0ZWRlcy
B1bmRlciBPSUQgMS4xLjEuMS4xLjEuMS4xLjEuMy4gVERDIFRlc3QgQ2VydGlmaWNhdGVzIGZyb20gdG
hpcyBDQSBhcmUgaXNzdWVkIHVuZGVyIE9JRCAxLjEuMS4xLjEuMS4xLjEuMS4zLjAXBglghkgBhvhCAQ
0EChYIb3JnYW5XZWIwFgYDVR0RBA8wDYELcGJ1dUB0ZGMuZGswgZYGA1UdHwSBjjCBizCBiKCBhaCBgq
RQME4xCzAJBgNVBAYTAkRLMQwwCgYDVQQKEwNUREMxIjAgBgNVBAMTGVREQyBPQ0VTIFN5c3RlbXRlc3
QgQ0EgSUkxDTALBgNVBAMTBENSTDOGLmh0dHA6Ly90ZXN0LmNybC5vY2VzLmNlcnRpZmlrYXQuZGsvb2
Nlc3BjMy5jcmwwHwYDVR0jBBgwFoAUHJgJRxpMOLkQxQQpW/H0ToBqzH4wHQYDVR0OBBYEFOtlUEQqrO
K/XSqgOmGhs/lT4XelMAkGA1UdEwQCMAAwGQYJKoZIhvZ9B0EABAwwChsEVjcuMQMCA6gwDQYJKoZIhv
cNAQEFBQADgYEAUaMFA/2wqk8PzeNW8wHCMqDyx5G4onfRiH1lTw5v0yOC2MNgAnIN87LHrsYRx2gobU
emjajrbjA+jDC8k2sxHkFyj2vqwXqEys7coScQeeIz5J4V5pFz9YhgXrb8xAdI7YexWSAqAttz5mde7n
vHNsQ2vpWDLmjGsynNaP7avFg=</wsse:BinarySecurityToken>
			<dsig:Signature 
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
				<dsig:SignedInfo>
					<dsig:CanonicalizationMethod 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
					<dsig:SignatureMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
					<dsig:Reference 
URI="#Timestamp_NINwvG8AFBVIRLEX">
						<dsig:Transforms>
							<dsig:Transform 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
							
	<exc14n:InclusiveNamespaces PrefixList="" 
xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"/>
							</dsig:Transform>
						</dsig:Transforms>
						<dsig:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
					
	<dsig:DigestValue>j6FEasOTde+K4VAIyT1AnJjj/38=</dsig:DigestValue>
					</dsig:Reference>
					<dsig:Reference URI="#Id-650323651">
						<dsig:Transforms>
							<dsig:Transform 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
							
	<exc14n:InclusiveNamespaces PrefixList="" 
xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"/>
							</dsig:Transform>
						</dsig:Transforms>
						<dsig:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
					
	<dsig:DigestValue>edC2luHbb+q5TSLk1XcVeiDVNb4=</dsig:DigestValue>
					</dsig:Reference>
					<dsig:Reference 
URI="#bst_eYXO4naFUHt1oMiY">
						<dsig:Transforms>
							<dsig:Transform 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
							
	<exc14n:InclusiveNamespaces PrefixList="" 
xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"/>
							</dsig:Transform>
						</dsig:Transforms>
						<dsig:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
					
	<dsig:DigestValue>gVM6kHVLvllHfM1wx0pXLy5fOJg=</dsig:DigestValue>
					</dsig:Reference>
				</dsig:SignedInfo>
			
	<dsig:SignatureValue>CV3lBSJ/KI8yj3ZgQdg/XLGvOhEDGYs2qu7qOn2L8e4e2t8Va9R
dZBvnZsuNpOC5b4Vkl6UQWc6HvNMrp+EjB6/PgD7D74R3CcJhpSQpLwiiwyzgOnX+AGsjh+NabWJZw8F
x8SP3tQ+TqSsF0OCy+UzJ+I9bKDaWghjUMG61xkE=</dsig:SignatureValue>
				<dsig:KeyInfo>
					<wsse:SecurityTokenReference 
wsu:Id="str_eKIZMaztAU9dy8pc">
						<wsse:Reference 
URI="#bst_eYXO4naFUHt1oMiY" ValueType="http://docs.oasis-
open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
					</wsse:SecurityTokenReference>
				</dsig:KeyInfo>
			</dsig:Signature>
			<wsu:Timestamp wsu:Id="Timestamp_NINwvG8AFBVIRLEX">
				<wsu:Created>2007-10-10T10:23:32Z</wsu:Created>
				<wsu:Expires>2007-10-10T10:24:32Z</wsu:Expires>
			</wsu:Timestamp>
		</wsse:Security>

What looks odd to me, is the InclusiveNamespaces PrefixList which is empty - I 
do not know if this is the problem or not.

Can anyone help figure out what is going on ? I am working at a project for a 
customer where this is a critical problem and I would really appreciate if 
anyone can help me identify if it is a problem in XML-Security or in BEA's 
Aqualogic.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

Mime
View raw message