Return-Path: Delivered-To: apmail-ws-wss4j-dev-archive@www.apache.org Received: (qmail 39468 invoked from network); 24 Jun 2009 14:59:22 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 24 Jun 2009 14:59:22 -0000 Received: (qmail 67542 invoked by uid 500); 24 Jun 2009 14:59:32 -0000 Delivered-To: apmail-ws-wss4j-dev-archive@ws.apache.org Received: (qmail 67441 invoked by uid 500); 24 Jun 2009 14:59:32 -0000 Mailing-List: contact wss4j-dev-help@ws.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list wss4j-dev@ws.apache.org Received: (qmail 67279 invoked by uid 99); 24 Jun 2009 14:59:32 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 24 Jun 2009 14:59:32 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.140] (HELO brutus.apache.org) (140.211.11.140) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 24 Jun 2009 14:59:28 +0000 Received: from brutus (localhost [127.0.0.1]) by brutus.apache.org (Postfix) with ESMTP id 732E5234C045 for ; Wed, 24 Jun 2009 07:59:07 -0700 (PDT) Message-ID: <1899682865.1245855547470.JavaMail.jira@brutus> Date: Wed, 24 Jun 2009 07:59:07 -0700 (PDT) From: "Stefan Vladov (JIRA)" To: wss4j-dev@ws.apache.org Subject: [jira] Commented: (WSS-198) Problem when body is signed and then an XPath is encrypted In-Reply-To: <2007527660.1244730787418.JavaMail.jira@brutus> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 X-Virus-Checked: Checked by ClamAV on apache.org [ https://issues.apache.org/jira/browse/WSS-198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12723590#action_12723590 ] Stefan Vladov commented on WSS-198: ----------------------------------- Hi Colm, sorry for the delay... I was busy with some other things... I did a partial merge of your fix in wss4j 1.5.4 (this is the version used with rampart 1.4) - I'm not really using the ref to the encrypted element but add an xpath to it instead (rampart does not work with axiom DOM implementation but with OMElements instead). I modified rampart, so that when verifying encrypted elements I first apply the xpath expressions from the wss4j data Refs to obtain a list of nodes that were actually decrypted, then use the xpath expressions from the policy to get the nodes that should have been encrypted, and finally do a simple ref comparison between the two lists. XPath in Rampart is handled using Jaxen and always returns references from the xml tree so this should be ok. Of course "content"/"element" modifier is also taken care of. I'm not really sure what will be the performance impact of this... Sorry for the cloning remark... I was browsing quickly through your code, noticed some clone in headers or sth and was quick to judge. I'll talk to Nandana about the required modification in rampart and will send the proposed patches... > Problem when body is signed and then an XPath is encrypted > ---------------------------------------------------------- > > Key: WSS-198 > URL: https://issues.apache.org/jira/browse/WSS-198 > Project: WSS4J > Issue Type: Bug > Affects Versions: 1.5.7 > Reporter: Dobri Kitipov > Assignee: Colm O hEigeartaigh > Fix For: 1.5.8 > > Attachments: send_to_server_side_before_encryption.xml, signed_doc_after_decryption.xml > > > Hi everybody, > there is a problem when when a message body is signed and then an XPath expression pointing to a body element is encrypted. > The problem is that the verification of the signature cannot pass. This is caused by the fact that there is a difference between the signed body and the body used for signature verification. The body used for signature verification is modified because after XPath element decryption an ID is added to the element. This ID is used to verify the decryption, but changes the original body. > I am doing the tests with : > Rampart from the trunk with WSS4J 1.5.7. > Exception thrown is: > [WARN] Verification failed for URI "#Id-11235685" > [WARN] Expected Digest: o0jyc1pJHEawRaLNry+cnYeCc80= > [WARN] Actual Digest: VMEF6KgvE6t3PNLlYR49LGEW+xM= > [ERROR] The signature or decryption was invalid > org.apache.axis2.AxisFault: The signature or decryption was invalid > at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:172) > at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95) > at org.apache.axis2.engine.Phase.invoke(Phase.java:317) > at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:264) > at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:163) > at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:275) > at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:133) > at com.mycompany.deployment.server.SAGAdminServlet.doPost(SAGAdminServlet.java:30) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:647) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:729) > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269) > at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) > at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213) > at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172) > at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) > at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117) > at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108) > at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174) > at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875) > at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665) > at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528) > at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81) > at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689) > at java.lang.Thread.run(Thread.java:595) > Caused by: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid > at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:527) > at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97) > at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326) > at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243) > at org.apache.rampart.RampartEngine.process(RampartEngine.java:151) > at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92) > ... 22 more > I will try to apply a patch tomorrow. > Any comments and ideas are appreciated. > Regards, > Dobri -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online. --------------------------------------------------------------------- To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org For additional commands, e-mail: wss4j-dev-help@ws.apache.org