ws-wss4j-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Stefan Vladov (JIRA)" <>
Subject [jira] Commented: (WSS-198) Problem when body is signed and then an XPath is encrypted
Date Wed, 17 Jun 2009 14:32:07 GMT


Stefan Vladov commented on WSS-198:

Hi guys,

"Missing encryption result for id : http://com:name" seems like sth thrown in rampart. Rampart
would indeed require a rework in order to be able to handle that fix :) since it relies on
that id added there to verify the right element was encrypted. Essentially in case of an xpath
in the security policy what rampart does in its policy validator is to:
-> evaluate the xpath
-> get the respective element from the decrypted message
-> get it's wsu:Id
-> assert it is in the list of dataRefUris returned by the WSS4J engine results.

Btw cloning the encrypted element in the WSDataRef may result in large data being copied twice
(the whole body for example in large messages)... wouldn't it be better to put an xpath in
the WSDataRef... after all it's an xpath xpression in the policy that identifies the element
in the first place?


> Problem when body is signed and then an XPath is encrypted
> ----------------------------------------------------------
>                 Key: WSS-198
>                 URL:
>             Project: WSS4J
>          Issue Type: Bug
>    Affects Versions: 1.5.7
>            Reporter: Dobri Kitipov
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.5.8
>         Attachments: send_to_server_side_before_encryption.xml, signed_doc_after_decryption.xml
> Hi everybody,
> there is a problem when when a message body is signed and then an XPath expression pointing
to a body element is encrypted.
> The problem is that the verification of the signature cannot pass. This is caused by
the fact that there is a difference between the signed body and the body used for signature
verification. The body used for signature verification is modified because after XPath element
decryption an ID is added to the element. This ID is used to verify the decryption, but changes
the original body. 
> I am doing the tests with :
> Rampart from the trunk with WSS4J 1.5.7.
> Exception thrown is:
> [WARN] Verification failed for URI "#Id-11235685"
> [WARN] Expected Digest: o0jyc1pJHEawRaLNry+cnYeCc80=
> [WARN] Actual Digest: VMEF6KgvE6t3PNLlYR49LGEW+xM=
> [ERROR] The signature or decryption was invalid
> org.apache.axis2.AxisFault: The signature or decryption was invalid
> 	at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(
> 	at org.apache.rampart.handler.RampartReceiver.invoke(
> 	at org.apache.axis2.engine.Phase.invoke(
> 	at org.apache.axis2.engine.AxisEngine.invoke(
> 	at org.apache.axis2.engine.AxisEngine.receive(
> 	at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(
> 	at org.apache.axis2.transport.http.AxisServlet.doPost(
> 	at com.mycompany.deployment.server.SAGAdminServlet.doPost(
> 	at javax.servlet.http.HttpServlet.service(
> 	at javax.servlet.http.HttpServlet.service(
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(
> 	at org.apache.catalina.core.StandardWrapperValve.invoke(
> 	at org.apache.catalina.core.StandardContextValve.invoke(
> 	at org.apache.catalina.core.StandardHostValve.invoke(
> 	at org.apache.catalina.valves.ErrorReportValve.invoke(
> 	at org.apache.catalina.core.StandardEngineValve.invoke(
> 	at org.apache.catalina.connector.CoyoteAdapter.service(
> 	at org.apache.coyote.http11.Http11Processor.process(
> 	at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(
> 	at
> 	at
> 	at org.apache.tomcat.util.threads.ThreadPool$
> 	at
> Caused by: The signature or decryption was
> 	at
> 	at
> 	at
> 	at
> 	at org.apache.rampart.RampartEngine.process(
> 	at org.apache.rampart.handler.RampartReceiver.invoke(
> 	... 22 more
> I will try to apply a patch tomorrow.
> Any comments and ideas are appreciated.
> Regards,
> Dobri

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message