ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Harris (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (WSS-609) WS-Security Canonicalization with InclusiveNamespace
Date Sun, 02 Jul 2017 22:38:00 GMT

     [ https://issues.apache.org/jira/browse/WSS-609?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Andrew Harris updated WSS-609:
------------------------------
    Description: 
I have a SOAP WebService I need to call to get a SAML token. I am using javax.xml.soap.SOAPMessage
to construct the message and WSS4J to sign it.

The WebService requires that I sign the envelope using Exclusive Canonicalization Omitting
Comments (http://www.w3.org/2001/10/xml-exc-c14n#).

This side of things is fine and I've got the message constructed but when I send it I am getting
a message "An error occurred when verifying security for the message." which the service provider
is saying because it can't verify the signature.

The problem I think is that it wants Canonicalization done including namespace prefixes.

So I have set setAddInclusivePrefixes(true) but the PrefixList is missing some of the namespaces.
Is this likely an issue? If not, any ideas what the issue could be?

Here is my code:

{code:java}
    static void signSoapMessage(SOAPMessage soapMessage, PrivateKey privateKey, String password,
byte[] salt, X509Certificate[] certChain) {
        try {
            WSSConfig.init();
            //setSecurityHeader(soapMessage);
            Merlin crypto = getCrypto(privateKey, password, salt, certChain);
            
            Document unsignedDocument = soapMessage.getSOAPPart().getEnvelope().getOwnerDocument();
            WSSecHeader secHeader = new WSSecHeader(unsignedDocument);
            secHeader.insertSecurityHeader();    
            WSSecTimestamp timestamp = new WSSecTimestamp();
            timestamp.setPrecisionInMilliSeconds(false);
            timestamp.setTimeToLive(600);
            timestamp.build(unsignedDocument, secHeader);
            
            // Setup the signer
            WSSecSignature signer = new WSSecSignature();
            
            signer.setUserInfo("signingCert", password);
            signer.setSignatureAlgorithm(WSConstants.RSA_SHA1);
            signer.setDigestAlgo(WSConstants.SHA1);
            signer.setSigCanonicalization(WSConstants.C14N_EXCL_OMIT_COMMENTS);
            signer.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
            signer.setAddInclusivePrefixes(true);
            
            signer.getParts().add(new WSEncryptionPart(timestamp.getId()));
            signer.getParts().add(new WSEncryptionPart("_5002"));
    
            Logger.getLogger(Logger.GLOBAL_LOGGER_NAME).log(Level.INFO, "Before Signing....");
            signer.build(unsignedDocument, crypto, secHeader);
            Utils.printDocument(unsignedDocument);
            Logger.getLogger(Logger.GLOBAL_LOGGER_NAME).log(Level.INFO, "After Signing....");
         
        } catch (WSSecurityException | SOAPException ex) {
            Logger.getGlobal().log(Level.SEVERE, null, ex);
        }
    }
{code}

This is what I am generating which doesn't work:

{noformat}
    <env:Envelope 
        xmlns:env="http://www.w3.org/2003/05/soap-envelope" 
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
        xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" 
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

        xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"

        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

        xmlns:xs="http://www.w3.org/2001/XMLSchema">
        <env:Header>
            <To 
                xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5002">https://host/service.svc
            </To>
            <Action 
                xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
            </Action>
            <ReplyTo 
                xmlns="http://www.w3.org/2005/08/addressing">
                <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
            </ReplyTo>
            <MessageID 
                xmlns="http://www.w3.org/2005/08/addressing">uuid:61acc133-863e-4fd5-bc06-55dbae17beed
            </MessageID>
            <wsse:Security env:mustUnderstand="true">
                <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="X509-d2431cd8-4b02-4d6d-b802-00e9338f78c8">*** Content Removed ***</wsse:BinarySecurityToken>
                <ds:Signature Id="SIG-68adfb61-c715-4925-9778-9e4b07350ec3">
                    <ds:SignedInfo>
                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces PrefixList="env"/>
                        </ds:CanonicalizationMethod>
                        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                        <ds:Reference URI="#TS-6429ca59-aec2-4639-a37c-0f38e3012ab8">
                            <ds:Transforms>
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                    <ec:InclusiveNamespaces PrefixList="wsse env"/>
                                </ds:Transform>
                            </ds:Transforms>
                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                            <ds:DigestValue>4FOsUd2SzIwL+9Yz8QoYT/dChBg=</ds:DigestValue>
                        </ds:Reference>
                        <ds:Reference URI="#_5002">
                            <ds:Transforms>
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                    <ec:InclusiveNamespaces PrefixList="env"/>
                                </ds:Transform>
                            </ds:Transforms>
                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                            <ds:DigestValue>LiNgJUCK0GyrUZ3BpbdlRbVKnfo=</ds:DigestValue>
                        </ds:Reference>
                    </ds:SignedInfo>
                    <ds:SignatureValue>AY02PPr8QfqgG/HVfsBlCjBrYXkn21SdOT5NYWnHDFYigft0GTPJA1UTUr5s501CPTyc6rr6PLiC/NJI7Sn3kYPeJ860aYYlcCueZ6mBQeTWhC1F3WN6ullh1jCrLVk3y4YyL/aENjyiCJtyIRN4SCBhSsA4wMK9ZXqGMdORxQo=</ds:SignatureValue>
                    <ds:KeyInfo Id="KI-3911029c-0313-44d8-8967-ee401575f848">
                        <wsse:SecurityTokenReference wsu:Id="STR-811d3ff8-ebb2-4539-96b2-0cf76bb49b5e">
                            <wsse:Reference URI="#X509-d2431cd8-4b02-4d6d-b802-00e9338f78c8"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
                        </wsse:SecurityTokenReference>
                    </ds:KeyInfo>
                </ds:Signature>
                <wsu:Timestamp wsu:Id="TS-6429ca59-aec2-4639-a37c-0f38e3012ab8">
                    <wsu:Created>2017-07-02T22:25:27Z</wsu:Created>
                    <wsu:Expires>2017-07-02T22:35:27Z</wsu:Expires>
                </wsu:Timestamp>
            </wsse:Security>
        </env:Header>
        <env:Body>
            <RequestSecurityToken 
                xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">*** Content Removed
***
            </RequestSecurityToken>
        </env:Body>
    </env:Envelope>
{noformat}

This is an envelope that works:

{noformat}
    <S:Envelope 
        xmlns:S="http://www.w3.org/2003/05/soap-envelope" 
        xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"

        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

        xmlns:xs="http://www.w3.org/2001/XMLSchema" 
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
        xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#">
        <S:Header>
            <To 
                xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5002">https://host/service.svc
            </To>
            <Action 
                xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
            </Action>
            <ReplyTo 
                xmlns="http://www.w3.org/2005/08/addressing">
                <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
            </ReplyTo>
            <MessageID 
                xmlns="http://www.w3.org/2005/08/addressing">uuid:c3b514af-d630-48aa-861e-77902a4ab16a
            </MessageID>
            <wsse:Security S:mustUnderstand="true">
                <wsu:Timestamp 
                    xmlns:ns18="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"

                    xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"

                    xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/" wsu:Id="_1">
                    <wsu:Created>2017-06-29T21:34:33Z</wsu:Created>
                    <wsu:Expires>2017-06-29T21:39:33Z</wsu:Expires>
                </wsu:Timestamp>
                <wsse:BinarySecurityToken 
                    xmlns:ns18="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"

                    xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"

                    xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/" 
                    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

                    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

                    wsu:Id="uuid_14d363bc-1193-4710-8729-2674605387d6">***
                </wsse:BinarySecurityToken>
                <ds:Signature 
                    xmlns:ns18="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"

                    xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"

                    xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/" Id="_2">
                    <ds:SignedInfo>
                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <exc14n:InclusiveNamespaces PrefixList="wsse S" />
                        </ds:CanonicalizationMethod>
                        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
/>
                        <ds:Reference URI="#_1">
                            <ds:Transforms>
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                    <exc14n:InclusiveNamespaces PrefixList="wsu wsse S"
/>
                                </ds:Transform>
                            </ds:Transforms>
                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
/>
                            <ds:DigestValue>nQeNC2NVtR9ChmXfaDKppoVAsu4=</ds:DigestValue>
                        </ds:Reference>
                        <ds:Reference URI="#_5002">
                            <ds:Transforms>
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                    <exc14n:InclusiveNamespaces PrefixList="S" />
                                </ds:Transform>
                            </ds:Transforms>
                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
/>
                            <ds:DigestValue>AAvvtxJCqfB68LHnM0xeXCYd4J8=</ds:DigestValue>
                        </ds:Reference>
                    </ds:SignedInfo>
                    <ds:SignatureValue>SAt3BmSXHU2w6fN5xREtXEHI/tZwp9M3dHFbRmMhgJZPPx4b+jZngndep7XsYuXJ3fNggFH082WVhN0CuqV1DknAMq/dUF7k12dj+z+eAeAwrBS25EflyzLgcTa75ZQn9IFNCfd2X5I9PPOrQoQBQwNf14hV8BThReQn2qa0wrA=</ds:SignatureValue>
                    <ds:KeyInfo>
                        <wsse:SecurityTokenReference>
                            <wsse:Reference URI="#uuid_14d363bc-1193-4710-8729-2674605387d6"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
/>
                        </wsse:SecurityTokenReference>
                    </ds:KeyInfo>
                </ds:Signature>
            </wsse:Security>
        </S:Header>
        <S:Body>
            <RequestSecurityToken 
                xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" 
                xmlns:ns2="http://vanguard.business.gov.au/2009/02" 
                xmlns:ns3="http://schemas.microsoft.com/2003/10/Serialization/"></RequestSecurityToken>
        </S:Body>
    </S:Envelope>
{noformat}

I notice that the Reference for the "To" element in mine is missing the "wsu" namespace in
the PrefixList

Working:

    <exc14n:InclusiveNamespaces PrefixList="wsu wsse S" />

Mine:

    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse
env"/>

  was:
I have a SOAP WebService I need to call to get a SAML token. I am using javax.xml.soap.SOAPMessage
to construct the message and WSS4J to sign it.

The WebService requires that I sign the envelope using Exclusive Canonicalization Omitting
Comments (http://www.w3.org/2001/10/xml-exc-c14n#).

This side of things is fine and I've got the message constructed but when I send it I am getting
a message "An error occurred when verifying security for the message." which the service provider
is saying because it can't verify the signature.

The problem I think is that it wants Canonicalization done including namespace prefixes.

So I have set setAddInclusivePrefixes(true) but the PrefixList is missing some of the namespaces.
Is this likely an issue? If not, any ideas what the issue could be?

Here is my code:

    static void signSoapMessage(SOAPMessage soapMessage, PrivateKey privateKey, String password,
byte[] salt, X509Certificate[] certChain) {
        try {
            WSSConfig.init();
            //setSecurityHeader(soapMessage);
            Merlin crypto = getCrypto(privateKey, password, salt, certChain);
            
            Document unsignedDocument = soapMessage.getSOAPPart().getEnvelope().getOwnerDocument();
            WSSecHeader secHeader = new WSSecHeader(unsignedDocument);
            secHeader.insertSecurityHeader();    
            WSSecTimestamp timestamp = new WSSecTimestamp();
            timestamp.setPrecisionInMilliSeconds(false);
            timestamp.setTimeToLive(600);
            timestamp.build(unsignedDocument, secHeader);
            
            // Setup the signer
            WSSecSignature signer = new WSSecSignature();
            
            signer.setUserInfo("signingCert", password);
            signer.setSignatureAlgorithm(WSConstants.RSA_SHA1);
            signer.setDigestAlgo(WSConstants.SHA1);
            signer.setSigCanonicalization(WSConstants.C14N_EXCL_OMIT_COMMENTS);
            signer.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
            signer.setAddInclusivePrefixes(true);
            
            signer.getParts().add(new WSEncryptionPart(timestamp.getId()));
            signer.getParts().add(new WSEncryptionPart("_5002"));
    
            Logger.getLogger(Logger.GLOBAL_LOGGER_NAME).log(Level.INFO, "Before Signing....");
            signer.build(unsignedDocument, crypto, secHeader);
            Utils.printDocument(unsignedDocument);
            Logger.getLogger(Logger.GLOBAL_LOGGER_NAME).log(Level.INFO, "After Signing....");
         
        } catch (WSSecurityException | SOAPException ex) {
            Logger.getGlobal().log(Level.SEVERE, null, ex);
        }
    }

This is what I am generating which doesn't work:

    <env:Envelope 
        xmlns:env="http://www.w3.org/2003/05/soap-envelope" 
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
        xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" 
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

        xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"

        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

        xmlns:xs="http://www.w3.org/2001/XMLSchema">
        <env:Header>
            <To 
                xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5002">https://host/service.svc
            </To>
            <Action 
                xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
            </Action>
            <ReplyTo 
                xmlns="http://www.w3.org/2005/08/addressing">
                <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
            </ReplyTo>
            <MessageID 
                xmlns="http://www.w3.org/2005/08/addressing">uuid:61acc133-863e-4fd5-bc06-55dbae17beed
            </MessageID>
            <wsse:Security env:mustUnderstand="true">
                <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="X509-d2431cd8-4b02-4d6d-b802-00e9338f78c8">*** Content Removed ***</wsse:BinarySecurityToken>
                <ds:Signature Id="SIG-68adfb61-c715-4925-9778-9e4b07350ec3">
                    <ds:SignedInfo>
                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces PrefixList="env"/>
                        </ds:CanonicalizationMethod>
                        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                        <ds:Reference URI="#TS-6429ca59-aec2-4639-a37c-0f38e3012ab8">
                            <ds:Transforms>
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                    <ec:InclusiveNamespaces PrefixList="wsse env"/>
                                </ds:Transform>
                            </ds:Transforms>
                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                            <ds:DigestValue>4FOsUd2SzIwL+9Yz8QoYT/dChBg=</ds:DigestValue>
                        </ds:Reference>
                        <ds:Reference URI="#_5002">
                            <ds:Transforms>
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                    <ec:InclusiveNamespaces PrefixList="env"/>
                                </ds:Transform>
                            </ds:Transforms>
                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                            <ds:DigestValue>LiNgJUCK0GyrUZ3BpbdlRbVKnfo=</ds:DigestValue>
                        </ds:Reference>
                    </ds:SignedInfo>
                    <ds:SignatureValue>AY02PPr8QfqgG/HVfsBlCjBrYXkn21SdOT5NYWnHDFYigft0GTPJA1UTUr5s501CPTyc6rr6PLiC/NJI7Sn3kYPeJ860aYYlcCueZ6mBQeTWhC1F3WN6ullh1jCrLVk3y4YyL/aENjyiCJtyIRN4SCBhSsA4wMK9ZXqGMdORxQo=</ds:SignatureValue>
                    <ds:KeyInfo Id="KI-3911029c-0313-44d8-8967-ee401575f848">
                        <wsse:SecurityTokenReference wsu:Id="STR-811d3ff8-ebb2-4539-96b2-0cf76bb49b5e">
                            <wsse:Reference URI="#X509-d2431cd8-4b02-4d6d-b802-00e9338f78c8"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
                        </wsse:SecurityTokenReference>
                    </ds:KeyInfo>
                </ds:Signature>
                <wsu:Timestamp wsu:Id="TS-6429ca59-aec2-4639-a37c-0f38e3012ab8">
                    <wsu:Created>2017-07-02T22:25:27Z</wsu:Created>
                    <wsu:Expires>2017-07-02T22:35:27Z</wsu:Expires>
                </wsu:Timestamp>
            </wsse:Security>
        </env:Header>
        <env:Body>
            <RequestSecurityToken 
                xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">*** Content Removed
***
            </RequestSecurityToken>
        </env:Body>
    </env:Envelope>

This is an envelope that works:

    <S:Envelope 
        xmlns:S="http://www.w3.org/2003/05/soap-envelope" 
        xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"

        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

        xmlns:xs="http://www.w3.org/2001/XMLSchema" 
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
        xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#">
        <S:Header>
            <To 
                xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5002">https://host/service.svc
            </To>
            <Action 
                xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
            </Action>
            <ReplyTo 
                xmlns="http://www.w3.org/2005/08/addressing">
                <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
            </ReplyTo>
            <MessageID 
                xmlns="http://www.w3.org/2005/08/addressing">uuid:c3b514af-d630-48aa-861e-77902a4ab16a
            </MessageID>
            <wsse:Security S:mustUnderstand="true">
                <wsu:Timestamp 
                    xmlns:ns18="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"

                    xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"

                    xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/" wsu:Id="_1">
                    <wsu:Created>2017-06-29T21:34:33Z</wsu:Created>
                    <wsu:Expires>2017-06-29T21:39:33Z</wsu:Expires>
                </wsu:Timestamp>
                <wsse:BinarySecurityToken 
                    xmlns:ns18="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"

                    xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"

                    xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/" 
                    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

                    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

                    wsu:Id="uuid_14d363bc-1193-4710-8729-2674605387d6">***
                </wsse:BinarySecurityToken>
                <ds:Signature 
                    xmlns:ns18="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"

                    xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"

                    xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/" Id="_2">
                    <ds:SignedInfo>
                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <exc14n:InclusiveNamespaces PrefixList="wsse S" />
                        </ds:CanonicalizationMethod>
                        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
/>
                        <ds:Reference URI="#_1">
                            <ds:Transforms>
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                    <exc14n:InclusiveNamespaces PrefixList="wsu wsse S"
/>
                                </ds:Transform>
                            </ds:Transforms>
                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
/>
                            <ds:DigestValue>nQeNC2NVtR9ChmXfaDKppoVAsu4=</ds:DigestValue>
                        </ds:Reference>
                        <ds:Reference URI="#_5002">
                            <ds:Transforms>
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                    <exc14n:InclusiveNamespaces PrefixList="S" />
                                </ds:Transform>
                            </ds:Transforms>
                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
/>
                            <ds:DigestValue>AAvvtxJCqfB68LHnM0xeXCYd4J8=</ds:DigestValue>
                        </ds:Reference>
                    </ds:SignedInfo>
                    <ds:SignatureValue>SAt3BmSXHU2w6fN5xREtXEHI/tZwp9M3dHFbRmMhgJZPPx4b+jZngndep7XsYuXJ3fNggFH082WVhN0CuqV1DknAMq/dUF7k12dj+z+eAeAwrBS25EflyzLgcTa75ZQn9IFNCfd2X5I9PPOrQoQBQwNf14hV8BThReQn2qa0wrA=</ds:SignatureValue>
                    <ds:KeyInfo>
                        <wsse:SecurityTokenReference>
                            <wsse:Reference URI="#uuid_14d363bc-1193-4710-8729-2674605387d6"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
/>
                        </wsse:SecurityTokenReference>
                    </ds:KeyInfo>
                </ds:Signature>
            </wsse:Security>
        </S:Header>
        <S:Body>
            <RequestSecurityToken 
                xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" 
                xmlns:ns2="http://vanguard.business.gov.au/2009/02" 
                xmlns:ns3="http://schemas.microsoft.com/2003/10/Serialization/"></RequestSecurityToken>
        </S:Body>
    </S:Envelope>

I notice that the Reference for the "To" element in mine is missing the "wsu" namespace in
the PrefixList

Working:

    <exc14n:InclusiveNamespaces PrefixList="wsu wsse S" />

Mine:

    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse
env"/>


> WS-Security Canonicalization with InclusiveNamespace
> ----------------------------------------------------
>
>                 Key: WSS-609
>                 URL: https://issues.apache.org/jira/browse/WSS-609
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.1.9
>         Environment: Windows, JDK 1.8
>            Reporter: Andrew Harris
>            Assignee: Colm O hEigeartaigh
>
> I have a SOAP WebService I need to call to get a SAML token. I am using javax.xml.soap.SOAPMessage
to construct the message and WSS4J to sign it.
> The WebService requires that I sign the envelope using Exclusive Canonicalization Omitting
Comments (http://www.w3.org/2001/10/xml-exc-c14n#).
> This side of things is fine and I've got the message constructed but when I send it I
am getting a message "An error occurred when verifying security for the message." which the
service provider is saying because it can't verify the signature.
> The problem I think is that it wants Canonicalization done including namespace prefixes.
> So I have set setAddInclusivePrefixes(true) but the PrefixList is missing some of the
namespaces. Is this likely an issue? If not, any ideas what the issue could be?
> Here is my code:
> {code:java}
>     static void signSoapMessage(SOAPMessage soapMessage, PrivateKey privateKey, String
password, byte[] salt, X509Certificate[] certChain) {
>         try {
>             WSSConfig.init();
>             //setSecurityHeader(soapMessage);
>             Merlin crypto = getCrypto(privateKey, password, salt, certChain);
>             
>             Document unsignedDocument = soapMessage.getSOAPPart().getEnvelope().getOwnerDocument();
>             WSSecHeader secHeader = new WSSecHeader(unsignedDocument);
>             secHeader.insertSecurityHeader();    
>             WSSecTimestamp timestamp = new WSSecTimestamp();
>             timestamp.setPrecisionInMilliSeconds(false);
>             timestamp.setTimeToLive(600);
>             timestamp.build(unsignedDocument, secHeader);
>             
>             // Setup the signer
>             WSSecSignature signer = new WSSecSignature();
>             
>             signer.setUserInfo("signingCert", password);
>             signer.setSignatureAlgorithm(WSConstants.RSA_SHA1);
>             signer.setDigestAlgo(WSConstants.SHA1);
>             signer.setSigCanonicalization(WSConstants.C14N_EXCL_OMIT_COMMENTS);
>             signer.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
>             signer.setAddInclusivePrefixes(true);
>             
>             signer.getParts().add(new WSEncryptionPart(timestamp.getId()));
>             signer.getParts().add(new WSEncryptionPart("_5002"));
>     
>             Logger.getLogger(Logger.GLOBAL_LOGGER_NAME).log(Level.INFO, "Before Signing....");
>             signer.build(unsignedDocument, crypto, secHeader);
>             Utils.printDocument(unsignedDocument);
>             Logger.getLogger(Logger.GLOBAL_LOGGER_NAME).log(Level.INFO, "After Signing....");
>          
>         } catch (WSSecurityException | SOAPException ex) {
>             Logger.getGlobal().log(Level.SEVERE, null, ex);
>         }
>     }
> {code}
> This is what I am generating which doesn't work:
> {noformat}
>     <env:Envelope 
>         xmlns:env="http://www.w3.org/2003/05/soap-envelope" 
>         xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
>         xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" 
>         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

>         xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"

>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

>         xmlns:xs="http://www.w3.org/2001/XMLSchema">
>         <env:Header>
>             <To 
>                 xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5002">https://host/service.svc
>             </To>
>             <Action 
>                 xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
>             </Action>
>             <ReplyTo 
>                 xmlns="http://www.w3.org/2005/08/addressing">
>                 <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
>             </ReplyTo>
>             <MessageID 
>                 xmlns="http://www.w3.org/2005/08/addressing">uuid:61acc133-863e-4fd5-bc06-55dbae17beed
>             </MessageID>
>             <wsse:Security env:mustUnderstand="true">
>                 <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="X509-d2431cd8-4b02-4d6d-b802-00e9338f78c8">*** Content Removed ***</wsse:BinarySecurityToken>
>                 <ds:Signature Id="SIG-68adfb61-c715-4925-9778-9e4b07350ec3">
>                     <ds:SignedInfo>
>                         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                             <ec:InclusiveNamespaces PrefixList="env"/>
>                         </ds:CanonicalizationMethod>
>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>                         <ds:Reference URI="#TS-6429ca59-aec2-4639-a37c-0f38e3012ab8">
>                             <ds:Transforms>
>                                 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                                     <ec:InclusiveNamespaces PrefixList="wsse env"/>
>                                 </ds:Transform>
>                             </ds:Transforms>
>                             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                             <ds:DigestValue>4FOsUd2SzIwL+9Yz8QoYT/dChBg=</ds:DigestValue>
>                         </ds:Reference>
>                         <ds:Reference URI="#_5002">
>                             <ds:Transforms>
>                                 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                                     <ec:InclusiveNamespaces PrefixList="env"/>
>                                 </ds:Transform>
>                             </ds:Transforms>
>                             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                             <ds:DigestValue>LiNgJUCK0GyrUZ3BpbdlRbVKnfo=</ds:DigestValue>
>                         </ds:Reference>
>                     </ds:SignedInfo>
>                     <ds:SignatureValue>AY02PPr8QfqgG/HVfsBlCjBrYXkn21SdOT5NYWnHDFYigft0GTPJA1UTUr5s501CPTyc6rr6PLiC/NJI7Sn3kYPeJ860aYYlcCueZ6mBQeTWhC1F3WN6ullh1jCrLVk3y4YyL/aENjyiCJtyIRN4SCBhSsA4wMK9ZXqGMdORxQo=</ds:SignatureValue>
>                     <ds:KeyInfo Id="KI-3911029c-0313-44d8-8967-ee401575f848">
>                         <wsse:SecurityTokenReference wsu:Id="STR-811d3ff8-ebb2-4539-96b2-0cf76bb49b5e">
>                             <wsse:Reference URI="#X509-d2431cd8-4b02-4d6d-b802-00e9338f78c8"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
>                         </wsse:SecurityTokenReference>
>                     </ds:KeyInfo>
>                 </ds:Signature>
>                 <wsu:Timestamp wsu:Id="TS-6429ca59-aec2-4639-a37c-0f38e3012ab8">
>                     <wsu:Created>2017-07-02T22:25:27Z</wsu:Created>
>                     <wsu:Expires>2017-07-02T22:35:27Z</wsu:Expires>
>                 </wsu:Timestamp>
>             </wsse:Security>
>         </env:Header>
>         <env:Body>
>             <RequestSecurityToken 
>                 xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">*** Content
Removed ***
>             </RequestSecurityToken>
>         </env:Body>
>     </env:Envelope>
> {noformat}
> This is an envelope that works:
> {noformat}
>     <S:Envelope 
>         xmlns:S="http://www.w3.org/2003/05/soap-envelope" 
>         xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"

>         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

>         xmlns:xs="http://www.w3.org/2001/XMLSchema" 
>         xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
>         xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#">
>         <S:Header>
>             <To 
>                 xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5002">https://host/service.svc
>             </To>
>             <Action 
>                 xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
>             </Action>
>             <ReplyTo 
>                 xmlns="http://www.w3.org/2005/08/addressing">
>                 <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
>             </ReplyTo>
>             <MessageID 
>                 xmlns="http://www.w3.org/2005/08/addressing">uuid:c3b514af-d630-48aa-861e-77902a4ab16a
>             </MessageID>
>             <wsse:Security S:mustUnderstand="true">
>                 <wsu:Timestamp 
>                     xmlns:ns18="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"

>                     xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"

>                     xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/" wsu:Id="_1">
>                     <wsu:Created>2017-06-29T21:34:33Z</wsu:Created>
>                     <wsu:Expires>2017-06-29T21:39:33Z</wsu:Expires>
>                 </wsu:Timestamp>
>                 <wsse:BinarySecurityToken 
>                     xmlns:ns18="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"

>                     xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"

>                     xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/" 
>                     ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

>                     EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

>                     wsu:Id="uuid_14d363bc-1193-4710-8729-2674605387d6">***
>                 </wsse:BinarySecurityToken>
>                 <ds:Signature 
>                     xmlns:ns18="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"

>                     xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"

>                     xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/" Id="_2">
>                     <ds:SignedInfo>
>                         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                             <exc14n:InclusiveNamespaces PrefixList="wsse S" />
>                         </ds:CanonicalizationMethod>
>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
/>
>                         <ds:Reference URI="#_1">
>                             <ds:Transforms>
>                                 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                                     <exc14n:InclusiveNamespaces PrefixList="wsu wsse
S" />
>                                 </ds:Transform>
>                             </ds:Transforms>
>                             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
/>
>                             <ds:DigestValue>nQeNC2NVtR9ChmXfaDKppoVAsu4=</ds:DigestValue>
>                         </ds:Reference>
>                         <ds:Reference URI="#_5002">
>                             <ds:Transforms>
>                                 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                                     <exc14n:InclusiveNamespaces PrefixList="S" />
>                                 </ds:Transform>
>                             </ds:Transforms>
>                             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
/>
>                             <ds:DigestValue>AAvvtxJCqfB68LHnM0xeXCYd4J8=</ds:DigestValue>
>                         </ds:Reference>
>                     </ds:SignedInfo>
>                     <ds:SignatureValue>SAt3BmSXHU2w6fN5xREtXEHI/tZwp9M3dHFbRmMhgJZPPx4b+jZngndep7XsYuXJ3fNggFH082WVhN0CuqV1DknAMq/dUF7k12dj+z+eAeAwrBS25EflyzLgcTa75ZQn9IFNCfd2X5I9PPOrQoQBQwNf14hV8BThReQn2qa0wrA=</ds:SignatureValue>
>                     <ds:KeyInfo>
>                         <wsse:SecurityTokenReference>
>                             <wsse:Reference URI="#uuid_14d363bc-1193-4710-8729-2674605387d6"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
/>
>                         </wsse:SecurityTokenReference>
>                     </ds:KeyInfo>
>                 </ds:Signature>
>             </wsse:Security>
>         </S:Header>
>         <S:Body>
>             <RequestSecurityToken 
>                 xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" 
>                 xmlns:ns2="http://vanguard.business.gov.au/2009/02" 
>                 xmlns:ns3="http://schemas.microsoft.com/2003/10/Serialization/"></RequestSecurityToken>
>         </S:Body>
>     </S:Envelope>
> {noformat}
> I notice that the Reference for the "To" element in mine is missing the "wsu" namespace
in the PrefixList
> Working:
>     <exc14n:InclusiveNamespaces PrefixList="wsu wsse S" />
> Mine:
>     <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse
env"/>



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org


Mime
View raw message