From dev-return-18005-apmail-ws-dev-archive=ws.apache.org@ws.apache.org Sun Jul 2 22:40:10 2017
Mailing-List: contact dev-help@ws.apache.org; run by ezmlm
Reply-To: dev@ws.apache.org
Delivered-To: mailing list dev@ws.apache.org
Date: Sun, 2 Jul 2017 22:40:01 +0000 (UTC)
From: "Andrew Harris (JIRA)"
To: dev@ws.apache.org
Subject: [jira] [Updated] (WSS-609) WS-Security Canonicalization with InclusiveNamespace

[ https://issues.apache.org/jira/browse/WSS-609?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Harris updated WSS-609:
------------------------------
    Affects Version/s:     (was: 2.1.9)
                       2.1.10

> WS-Security Canonicalization with InclusiveNamespace
> ----------------------------------------------------
>
>                 Key: WSS-609
>                 URL: https://issues.apache.org/jira/browse/WSS-609
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.1.10
>         Environment: Windows, JDK 1.8
>            Reporter: Andrew Harris
>            Assignee: Colm O hEigeartaigh
>
> I have a SOAP WebService I need to call to get a SAML token. I am using javax.xml.soap.SOAPMessage to construct the message and WSS4J to sign it.
> The WebService requires that I sign the envelope using Exclusive Canonicalization Omitting Comments (http://www.w3.org/2001/10/xml-exc-c14n#).
> This side of things is fine and I've got the message constructed, but when I send it I am getting the message "An error occurred when verifying security for the message.", which the service provider says is because it can't verify the signature.
> The problem, I think, is that it wants Canonicalization done including namespace prefixes.
> So I have set setAddInclusivePrefixes(true), but the PrefixList is missing some of the namespaces. Is this likely an issue? If not, any ideas what the issue could be?
> Here is my code:
> {code:java}
> import java.security.PrivateKey;
> import java.security.cert.X509Certificate;
> import java.util.logging.Level;
> import java.util.logging.Logger;
> 
> import javax.xml.soap.SOAPException;
> import javax.xml.soap.SOAPMessage;
> 
> import org.apache.wss4j.common.WSEncryptionPart;
> import org.apache.wss4j.common.crypto.Merlin;
> import org.apache.wss4j.common.ext.WSSecurityException;
> import org.apache.wss4j.dom.WSConstants;
> import org.apache.wss4j.dom.engine.WSSConfig;
> import org.apache.wss4j.dom.message.WSSecHeader;
> import org.apache.wss4j.dom.message.WSSecSignature;
> import org.apache.wss4j.dom.message.WSSecTimestamp;
> import org.w3c.dom.Document;
> 
> static void signSoapMessage(SOAPMessage soapMessage, PrivateKey privateKey, String password, byte[] salt, X509Certificate[] certChain) {
>     try {
>         WSSConfig.init();
>         //setSecurityHeader(soapMessage);
>         // getCrypto() wraps the key and chain in a Merlin keystore under the alias "signingCert" (helper not shown)
>         Merlin crypto = getCrypto(privateKey, password, salt, certChain);
> 
>         Document unsignedDocument = soapMessage.getSOAPPart().getEnvelope().getOwnerDocument();
>         WSSecHeader secHeader = new WSSecHeader(unsignedDocument);
>         secHeader.insertSecurityHeader();
> 
>         // Timestamp with a 10 minute lifetime; it is signed below by its wsu:Id
>         WSSecTimestamp timestamp = new WSSecTimestamp();
>         timestamp.setPrecisionInMilliSeconds(false);
>         timestamp.setTimeToLive(600);
>         timestamp.build(unsignedDocument, secHeader);
> 
>         // Setup the signer
>         WSSecSignature signer = new WSSecSignature();
>         signer.setUserInfo("signingCert", password);
>         signer.setSignatureAlgorithm(WSConstants.RSA_SHA1);
>         signer.setDigestAlgo(WSConstants.SHA1);
>         // Exclusive C14N omitting comments, as the service requires
>         signer.setSigCanonicalization(WSConstants.C14N_EXCL_OMIT_COMMENTS);
>         // Reference the signing cert via a BinarySecurityToken in the Security header
>         signer.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
>         // Emit ec:InclusiveNamespaces PrefixList on the exclusive c14n transforms
>         signer.setAddInclusivePrefixes(true);
> 
>         // Sign the Timestamp and the wsa:To element (wsu:Id="_5002") by id
>         signer.getParts().add(new WSEncryptionPart(timestamp.getId()));
>         signer.getParts().add(new WSEncryptionPart("_5002"));
> 
>         Logger.getLogger(Logger.GLOBAL_LOGGER_NAME).log(Level.INFO, "Before Signing....");
>         signer.build(unsignedDocument, crypto, secHeader);
>         Utils.printDocument(unsignedDocument);
>         Logger.getLogger(Logger.GLOBAL_LOGGER_NAME).log(Level.INFO, "After Signing....");
> 
>     } catch (WSSecurityException | SOAPException ex) {
>         Logger.getGlobal().log(Level.SEVERE, null, ex);
>     }
> }
> {code}
> This is what I am generating which doesn't work:
> {noformat}
> xmlns:env="http://www.w3.org/2003/05/soap-envelope"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:xs="http://www.w3.org/2001/XMLSchema">
> xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5002">https://host/service.svc
> xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
> xmlns="http://www.w3.org/2005/08/addressing">
> http://www.w3.org/2005/08/addressing/anonymous
> xmlns="http://www.w3.org/2005/08/addressing">uuid:61acc133-863e-4fd5-bc06-55dbae17beed
> *** Content Removed ***
> 4FOsUd2SzIwL+9Yz8QoYT/dChBg=
> LiNgJUCK0GyrUZ3BpbdlRbVKnfo=
> AY02PPr8QfqgG/HVfsBlCjBrYXkn21SdOT5NYWnHDFYigft0GTPJA1UTUr5s501CPTyc6rr6PLiC/NJI7Sn3kYPeJ860aYYlcCueZ6mBQeTWhC1F3WN6ullh1jCrLVk3y4YyL/aENjyiCJtyIRN4SCBhSsA4wMK9ZXqGMdORxQo=
> 2017-07-02T22:25:27Z
> 2017-07-02T22:35:27Z
> xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">*** Content Removed ***
> {noformat}
> This is an envelope that works:
> {noformat}
> xmlns:S="http://www.w3.org/2003/05/soap-envelope"
> xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:xs="http://www.w3.org/2001/XMLSchema"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#">
> xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5002">https://host/service.svc
> xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
> xmlns="http://www.w3.org/2005/08/addressing">
> http://www.w3.org/2005/08/addressing/anonymous
> xmlns="http://www.w3.org/2005/08/addressing">uuid:c3b514af-d630-48aa-861e-77902a4ab16a
> xmlns:ns18="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
> xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/" wsu:Id="_1">
> 2017-06-29T21:34:33Z
> 2017-06-29T21:39:33Z
> xmlns:ns18="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
> xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> wsu:Id="uuid_14d363bc-1193-4710-8729-2674605387d6">***
> xmlns:ns18="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
> xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/" Id="_2">
> nQeNC2NVtR9ChmXfaDKppoVAsu4=
> AAvvtxJCqfB68LHnM0xeXCYd4J8=
> SAt3BmSXHU2w6fN5xREtXEHI/tZwp9M3dHFbRmMhgJZPPx4b+jZngndep7XsYuXJ3fNggFH082WVhN0CuqV1DknAMq/dUF7k12dj+z+eAeAwrBS25EflyzLgcTa75ZQn9IFNCfd2X5I9PPOrQoQBQwNf14hV8BThReQn2qa0wrA=
> xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
> xmlns:ns2="http://vanguard.business.gov.au/2009/02"
> xmlns:ns3="http://schemas.microsoft.com/2003/10/Serialization/">
> {noformat}
> I notice that the Reference for the "To" element in mine is missing the "wsu" namespace in the PrefixList.
> Working:
> Mine:

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
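Added example, not WSS4J code and not from the reporter: a minimal Exclusive C14N renderer over a small element model built from the failing envelope above. It shows exactly which xmlns declarations end up in the bytes a ds:Reference digests when the InclusiveNamespaces PrefixList is empty, names "wsu", or names "wsu ds". Per the Exclusive C14N spec, a prefix the element itself visibly utilizes (here "wsu", through the wsu:Id attribute on wsa:To) is rendered regardless of the PrefixList; the PrefixList only pulls in additional in-scope prefixes the element does not visibly use, and it follows inclusive-c14n rules for those. The Timestamp's wsu:Id "TS-1", the omitted wsse11/xs declarations and all helper names are assumptions; the report does not show them.

```python
"""Minimal Exclusive XML Canonicalization (xml-exc-c14n) with InclusiveNamespaces PrefixList.
Added example, not WSS4J code: renders an element subtree the way a ds:Reference transform
does, so the xmlns declarations that are actually digested become visible."""
import base64
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Prefix = Optional[str]  # None is the default (unprefixed) namespace


@dataclass
class Elem:
    prefix: Prefix
    local: str
    ns_decls: Dict[Prefix, str] = field(default_factory=dict)           # xmlns declared on this element
    attrs: List[Tuple[Prefix, str, str]] = field(default_factory=list)  # (prefix, local, value)
    text: str = ""
    children: List["Elem"] = field(default_factory=list)


def _qname(prefix: Prefix, local: str) -> str:
    return f"{prefix}:{local}" if prefix else local


def _esc_text(s: str) -> str:
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\r", "&#xD;")


def _esc_attr(s: str) -> str:
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace('"', "&quot;")
            .replace("\t", "&#x9;").replace("\n", "&#xA;").replace("\r", "&#xD;"))


def _render(e: Elem, scope: Dict[Prefix, str], rendered: Dict[Prefix, str], incl: List[Prefix]) -> str:
    scope = {**scope, **e.ns_decls}  # namespaces in scope at this element
    # Exclusive C14N renders only prefixes the element *visibly utilizes*: its own
    # prefix and the prefixes of its attributes (unprefixed attrs use no namespace) ...
    wanted = {e.prefix} | {p for p, _, _ in e.attrs if p is not None}
    # ... plus in-scope prefixes named in the PrefixList, which follow inclusive-c14n
    # rules. A listed prefix that is not in scope is simply ignored.
    wanted |= {p for p in incl if p is None or p in scope}
    ns_out: Dict[Prefix, str] = {}
    for p in wanted - {"xml"}:  # xml: is never declared
        uri = scope.get(p, "")
        if p is not None and not uri:
            raise ValueError(f"prefix {p!r} is used but not in scope")
        if rendered.get(p, "") != uri:  # skip if the nearest output ancestor emitted the same binding
            ns_out[p] = uri
    out = [f"<{_qname(e.prefix, e.local)}"]
    for p, uri in sorted(ns_out.items(), key=lambda kv: kv[0] or ""):  # default ns first, then by prefix
        name = "xmlns" if p is None else f"xmlns:{p}"
        out.append(f' {name}="{_esc_attr(uri)}"')
    # attributes are ordered by (namespace URI, local name); unqualified ones sort first
    for p, local, val in sorted(e.attrs, key=lambda a: (scope.get(a[0], "") if a[0] else "", a[1])):
        out.append(f' {_qname(p, local)}="{_esc_attr(val)}"')
    out.append(">" + _esc_text(e.text))
    out.extend(_render(c, scope, {**rendered, **ns_out}, incl) for c in e.children)
    out.append(f"</{_qname(e.prefix, e.local)}>")
    return "".join(out)


def exc_c14n_subtree(root: Elem, wsu_id: str, prefix_list: str = "") -> bytes:
    """Canonicalize the element whose wsu:Id equals wsu_id, as a same-document Reference
    does: ancestor namespaces are in scope, but none of them count as already rendered."""
    incl = [None if p == "#default" else p for p in prefix_list.split()]  # "#default" = default ns

    def find(e: Elem, scope: Dict[Prefix, str]) -> Optional[str]:
        if any(p == "wsu" and l == "Id" and v == wsu_id for p, l, v in e.attrs):
            return _render(e, scope, {}, incl)
        scope = {**scope, **e.ns_decls}
        return next((h for h in (find(c, scope) for c in e.children) if h is not None), None)

    hit = find(root, {})
    if hit is None:
        raise KeyError(wsu_id)
    return hit.encode("utf-8")


def digest_value(canonical: bytes) -> str:
    """Base64 SHA-1 of the canonical bytes, i.e. the ds:DigestValue of that Reference
    (SHA-1 only because the reporter's signer uses it; prefer SHA-256 where you can)."""
    return base64.b64encode(hashlib.sha1(canonical).digest()).decode("ascii")


WSA = "http://www.w3.org/2005/08/addressing"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
ENV = "http://www.w3.org/2003/05/soap-envelope"

# Constructed from the failing envelope in the report: prefixes declared on env:Envelope,
# an unprefixed wsa:To carrying wsu:Id="_5002", and the Timestamp (its wsu:Id "TS-1" is
# an assumption; the report does not show it).
ENVELOPE = Elem("env", "Envelope", {"env": ENV, "ds": DS, "wsse": WSSE, "wsu": WSU}, children=[
    Elem("env", "Header", children=[
        Elem(None, "To", {None: WSA}, [("wsu", "Id", "_5002")], "https://host/service.svc"),
        Elem("wsse", "Security", children=[
            Elem("wsu", "Timestamp", attrs=[("wsu", "Id", "TS-1")], children=[
                Elem("wsu", "Created", text="2017-07-02T22:25:27Z"),
                Elem("wsu", "Expires", text="2017-07-02T22:35:27Z")])])])])

if __name__ == "__main__":
    for plist in ("", "wsu", "wsu ds"):
        c14n = exc_c14n_subtree(ENVELOPE, "_5002", plist)
        print(f'PrefixList="{plist}"\n  {c14n.decode()}\n  DigestValue={digest_value(c14n)}')
```

Running it prints the canonical form of the "_5002" Reference for each PrefixList; the empty list and "wsu" produce identical bytes (and so an identical DigestValue), while "wsu ds" adds an xmlns:ds declaration that the verifier must reproduce. The practical check when a relying party rejects a signature is therefore to compare these bytes, not the PrefixList string, against what the verifier canonicalizes. The model handles elements, attributes and text only; comments, processing instructions and mixed content beyond text-before-children are out of scope.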