[ https://issues.apache.org/jira/browse/WSS-609?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Harris updated WSS-609:
------------------------------
Affects Version/s: (was: 2.1.9)
2.1.10
> WS-Security Canonicalization with InclusiveNamespace
> ----------------------------------------------------
>
> Key: WSS-609
> URL: https://issues.apache.org/jira/browse/WSS-609
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 2.1.10
> Environment: Windows, JDK 1.8
> Reporter: Andrew Harris
> Assignee: Colm O hEigeartaigh
>
> I have a SOAP WebService I need to call to get a SAML token. I am using javax.xml.soap.SOAPMessage to construct the message and WSS4J to sign it.
> The WebService requires that I sign the envelope using Exclusive Canonicalization Omitting Comments (http://www.w3.org/2001/10/xml-exc-c14n#).
> This side of things is fine and I've got the message constructed but when I send it I am getting a message "An error occurred when verifying security for the message." which the service provider is saying because it can't verify the signature.
> The problem I think is that it wants Canonicalization done including namespace prefixes.
> So I have set setAddInclusivePrefixes(true) but the PrefixList is missing some of the namespaces. Is this likely an issue? If not, any ideas what the issue could be?
> Here is my code:
> {code:java}
> static void signSoapMessage(SOAPMessage soapMessage, PrivateKey privateKey, String password, byte[] salt, X509Certificate[] certChain) {
> try {
> WSSConfig.init();
> //setSecurityHeader(soapMessage);
> Merlin crypto = getCrypto(privateKey, password, salt, certChain);
>
> Document unsignedDocument = soapMessage.getSOAPPart().getEnvelope().getOwnerDocument();
> WSSecHeader secHeader = new WSSecHeader(unsignedDocument);
> secHeader.insertSecurityHeader();
> WSSecTimestamp timestamp = new WSSecTimestamp();
> timestamp.setPrecisionInMilliSeconds(false);
> timestamp.setTimeToLive(600);
> timestamp.build(unsignedDocument, secHeader);
>
> // Setup the signer
> WSSecSignature signer = new WSSecSignature();
>
> signer.setUserInfo("signingCert", password);
> signer.setSignatureAlgorithm(WSConstants.RSA_SHA1);
> signer.setDigestAlgo(WSConstants.SHA1);
> signer.setSigCanonicalization(WSConstants.C14N_EXCL_OMIT_COMMENTS);
> signer.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
> signer.setAddInclusivePrefixes(true);
>
> signer.getParts().add(new WSEncryptionPart(timestamp.getId()));
> signer.getParts().add(new WSEncryptionPart("_5002"));
>
> Logger.getLogger(Logger.GLOBAL_LOGGER_NAME).log(Level.INFO, "Before Signing....");
> signer.build(unsignedDocument, crypto, secHeader);
> Utils.printDocument(unsignedDocument);
> Logger.getLogger(Logger.GLOBAL_LOGGER_NAME).log(Level.INFO, "After Signing....");
>
> } catch (WSSecurityException | SOAPException ex) {
> Logger.getGlobal().log(Level.SEVERE, null, ex);
> }
> }
> {code}
> This is what I am generating which doesn't work:
> {noformat}
> xmlns:env="http://www.w3.org/2003/05/soap-envelope"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:xs="http://www.w3.org/2001/XMLSchema">
>
> xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5002">https://host/service.svc
>
> xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
>
> xmlns="http://www.w3.org/2005/08/addressing">
> http://www.w3.org/2005/08/addressing/anonymous
>
> xmlns="http://www.w3.org/2005/08/addressing">uuid:61acc133-863e-4fd5-bc06-55dbae17beed
>
>
> *** Content Removed ***
>
>
>
>
>
>
>
>
>
>
>
>
>
> 4FOsUd2SzIwL+9Yz8QoYT/dChBg=
>
>
>
>
>
>
>
>
> LiNgJUCK0GyrUZ3BpbdlRbVKnfo=
>
>
> AY02PPr8QfqgG/HVfsBlCjBrYXkn21SdOT5NYWnHDFYigft0GTPJA1UTUr5s501CPTyc6rr6PLiC/NJI7Sn3kYPeJ860aYYlcCueZ6mBQeTWhC1F3WN6ullh1jCrLVk3y4YyL/aENjyiCJtyIRN4SCBhSsA4wMK9ZXqGMdORxQo=
>
>
>
>
>
>
>
> 2017-07-02T22:25:27Z
> 2017-07-02T22:35:27Z
>
>
>
>
> xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">*** Content Removed ***
>
>
>
> {noformat}
> This is an envelope that works:
> {noformat}
> xmlns:S="http://www.w3.org/2003/05/soap-envelope"
> xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:xs="http://www.w3.org/2001/XMLSchema"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#">
>
> xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5002">https://host/service.svc
>
> xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
>
> xmlns="http://www.w3.org/2005/08/addressing">
> http://www.w3.org/2005/08/addressing/anonymous
>
> xmlns="http://www.w3.org/2005/08/addressing">uuid:c3b514af-d630-48aa-861e-77902a4ab16a
>
>
> xmlns:ns18="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
> xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/" wsu:Id="_1">
> 2017-06-29T21:34:33Z
> 2017-06-29T21:39:33Z
>
> xmlns:ns18="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
> xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> wsu:Id="uuid_14d363bc-1193-4710-8729-2674605387d6">***
>
> xmlns:ns18="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
> xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/" Id="_2">
>
>
>
>
>
>
>
>
>
>
>
>
> nQeNC2NVtR9ChmXfaDKppoVAsu4=
>
>
>
>
>
>
>
>
> AAvvtxJCqfB68LHnM0xeXCYd4J8=
>
>
> SAt3BmSXHU2w6fN5xREtXEHI/tZwp9M3dHFbRmMhgJZPPx4b+jZngndep7XsYuXJ3fNggFH082WVhN0CuqV1DknAMq/dUF7k12dj+z+eAeAwrBS25EflyzLgcTa75ZQn9IFNCfd2X5I9PPOrQoQBQwNf14hV8BThReQn2qa0wrA=
>
>
>
>
>
>
>
>
>
> xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
> xmlns:ns2="http://vanguard.business.gov.au/2009/02"
> xmlns:ns3="http://schemas.microsoft.com/2003/10/Serialization/">
>
>
> {noformat}
> I notice that the Reference for the "To" element in mine is missing the "wsu" namespace in the PrefixList
> Working:
>
> Mine:
>
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org