xwss / XWSS-50

Validation of Reference with STR-Transformation for request from Axis client

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: current
    • Fix Version/s: milestone 1
    • Component/s: www
    • Labels:
      None
    • Environment:

      Operating System: Windows XP
      Platform: PC

    • Issuezilla Id:
      50

      Description

      Hi,

      I have a client application which is Axis-based and a web service which is Metro 2.0.
      The service has WS-Security and all requests must be signed (note: but without
      encryption).

      In the attachment you can see the full SOAP request from the Axis client (formatted for reading).

      When Metro validates the incoming request I always get an error:

      01.12.2009 13:58:01 com.sun.xml.ws.security.opt.crypto.dsig.Reference validate
      FINEST: Calculated digest value is: )}@Ц'╟2їаH~┼┴]kх▒/Ў
      01.12.2009 13:58:01 com.sun.xml.ws.security.opt.crypto.dsig.Reference validate
      FINEST: Expected digest value is: �Л4!аhqдуN?▲♂ iRPбВ"
      01.12.2009 13:58:01
      com.sun.xml.ws.security.opt.impl.incoming.processor.SignedInfoProcessor
      processReference
      SEVERE: WSS1721: Validation of Reference with URI #STRId-1765100 failed

      So the ds:DigestValue for ds:Reference URI="#STRId-1765100" calculated by the client
      (Axis) and by Metro are different.

      I've found that a different stream is used for calculating the SHA-1 digest. See the attachments.
      The only difference is that the XML canonicalized by Metro doesn't contain xmlns="".

      The following transformation should be used:

      <ds:Reference URI="#STRId-1765100">
        <ds:Transforms>
          <ds:Transform
              Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
            <wsse:TransformationParameters>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </wsse:TransformationParameters>
          </ds:Transform>
        </ds:Transforms>
      </ds:Reference>

      1. BinarySecurityToken-Axis.xml
        2 kB
        mikola_spb
      2. BinarySecurityToken-Metro.xml
        2 kB
        mikola_spb
      3. soap.xml
        13 kB
        mikola_spb
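
An added example (not part of the original report, and not Metro or WSS4J code): a small diagnostic that takes the canonicalized target value from a verifier log and the expected `ds:DigestValue`, and checks whether the mismatch is explained by an `xmlns=""` declaration on the apex element, which is the one difference the reporter found. The sample token, its shortened namespace URIs and the function names are constructed for illustration.

```python
import base64
import hashlib

# Constructed sample: a canonicalized token shaped like a WSS1757 log line.
# The namespace URIs are shortened placeholders; the body is not a real certificate.
CANONICAL_TOKEN = (
    '<wsse:BinarySecurityToken xmlns:wsse="urn:example:wsse" '
    'xmlns:wsu="urn:example:wsu" wsu:Id="CertId-1">Q09OU1RSVUNURUQ='
    '</wsse:BinarySecurityToken>'
)


def sha1_b64(octets: bytes) -> str:
    """Base64 SHA-1 digest, the encoding used in ds:DigestValue."""
    return base64.b64encode(hashlib.sha1(octets).digest()).decode("ascii")


def with_apex_default_ns(canonical: str) -> str:
    """Return the canonical form with xmlns="" on the apex (first) element.

    In canonical XML the default namespace declaration sorts before every
    prefixed declaration and attribute, so it goes right after the tag name.
    """
    end_of_tag = canonical.index(">")
    start_tag = canonical[:end_of_tag]
    if ' xmlns="' in start_tag:          # default namespace already declared
        return canonical
    name_end = start_tag.find(" ")
    if name_end == -1:                   # apex element has no attributes at all
        name_end = end_of_tag
    return canonical[:name_end] + ' xmlns=""' + canonical[name_end:]


def explain_mismatch(canonical: str, expected_digest: str) -> str:
    """Say which variant of the canonical octets produces expected_digest."""
    if sha1_b64(canonical.encode("utf-8")) == expected_digest:
        return "match-as-is"
    if sha1_b64(with_apex_default_ns(canonical).encode("utf-8")) == expected_digest:
        return "match-with-apex-xmlns"
    return "no-match"


if __name__ == "__main__":
    # Simulate a signer that digests the xmlns="" form, then diagnose the verifier's view.
    signer_digest = sha1_b64(with_apex_default_ns(CANONICAL_TOKEN).encode("utf-8"))
    print(explain_mismatch(CANONICAL_TOKEN, signer_digest))
```

A result of `match-with-apex-xmlns` means the signer and verifier agree on the token content and differ only in whether the apex default-namespace declaration is emitted before digesting.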

        Activity

        mikola_spb added a comment -

        Created an attachment (id=19)
        SOAP request formatted for reading

        mikola_spb added a comment -

        Created an attachment (id=20)
        Transformed XML by Axis (wss4j)

        mikola_spb added a comment -

        Created an attachment (id=21)
        Transformed XML by Metro

        sm228678 added a comment -

        Hi, we are working on this.
        Can you retest your scenario with the latest Metro nightly and confirm whether this
        problem still exists or not?

        mikola_spb added a comment -

        Hi, I've tested with the Metro 2.1 nightly build (Friday, December 18, 2009 at
        2:27:41 AM) and see that the problem still exists.

        If you need it, I can attach the application which I use for testing.
        Here is the application log.

        FINER: engine-com.sun.xml.ws.server.WSEndpointImpl@1664cdefiber-2
        com.sun.xml.wss.jaxws.impl.SecurityServerTube@10aeb17.processRequest(com.sun.xml.ws.api.message.Packet@bec35a)
        18.12.2009 19:51:14
        com.sun.xml.ws.security.opt.impl.incoming.processor.SignedInfoProcessor process
        FINEST: Canonicalized Signed Info:<ds:SignedInfo
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:CanonicalizationMethod
        Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
        <ds:SignatureMethod
        Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
        <ds:Reference URI="#id-6">
        <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod
        Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
        <ds:DigestValue>mz5hRH8Uei3qWkE+ipomSbE+qmI=</ds:DigestValue>
        </ds:Reference>
        <ds:Reference URI="#STRId-C282FEC6E6BCB7647812611550741116">
        <ds:Transforms>
        <ds:Transform
        Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
        <wsse:TransformationParameters
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><ds:CanonicalizationMethod
        Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod></wsse:TransformationParameters>
        </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod
        Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
        <ds:DigestValue>jqVeyjCtlIl1g2qHX9Ovax6/qlI=</ds:DigestValue>
        </ds:Reference>
        <ds:Reference URI="#Timestamp-4">
        <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod
        Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
        <ds:DigestValue>xTmwKT96imbrkbRBsUQe90PMKOs=</ds:DigestValue>
        </ds:Reference>
        </ds:SignedInfo>
        18.12.2009 19:51:14 com.sun.xml.ws.security.opt.crypto.dsig.Reference transform
        FINE: Digest Algorithm is http://www.w3.org/2000/09/xmldsig#sha1
        18.12.2009 19:51:14 com.sun.xml.ws.security.opt.crypto.dsig.Reference transform
        FINE: Mapped Digest Algorithm is SHA-1
        18.12.2009 19:51:14 com.sun.xml.ws.security.opt.crypto.dsig.Transform transform
        FINEST: WSS1757: Canonicalized target value: <wsse:BinarySecurityToken
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
        wsu:Id="CertId-C282FEC6E6BCB7647812611550741114">[Base64 certificate omitted]</wsse:BinarySecurityToken>
        18.12.2009 19:51:14 com.sun.xml.ws.security.opt.crypto.dsig.Reference validate
        FINEST: Calculated digest value is: «=g©
        8jao‰j;­е#­
        18.12.2009 19:51:14 com.sun.xml.ws.security.opt.crypto.dsig.Reference validate
        FINEST: Expected digest value is: Ћ�^К0­�‰uѓj‡_УЇkїЄR
        18.12.2009 19:51:14
        com.sun.xml.ws.security.opt.impl.incoming.processor.SignedInfoProcessor
        processReference
        SEVERE: WSS1721: Validation of Reference with URI
        #STRId-C282FEC6E6BCB7647812611550741116 failed
        18.12.2009 19:51:14 com.sun.xml.bind.v2.ContextFactory createContext
        FINE: Property com.sun.xml.bind.XmlAccessorFactoryis not active. Using JAXB's
        implementation
        18.12.2009 19:51:14 com.sun.xml.bind.v2.ContextFactory createContext
        FINE: Property com.sun.xml.bind.XmlAccessorFactoryis not active. Using JAXB's
        implementation
        18.12.2009 19:51:14 com.sun.xml.ws.api.pipe.Fiber __doRun
        FINER: engine-com.sun.xml.ws.server.WSEndpointImpl@1664cdefiber-2
        com.sun.xml.wss.jaxws.impl.SecurityServerTube@10aeb17 returned with
        com.sun.xml.ws.api.pipe.NextAction@eab1f2
        [kind=RETURN,next=null,packet=com.sun.xml.ws.api.message.Packet@bec35a,throwable=null]
        18.12.2009 19:51:14 com.sun.xml.ws.api.pipe.Fiber completionCheck
        FINE: engine-com.sun.xml.ws.server.WSEndpointImpl@1664cdefiber-2 completed

        sm228678 added a comment -

        Yes. Please attach a sample client and service to reproduce it on my side.

        mikola_spb added a comment -

        Created an attachment (id=22)
        Here are the client and service. It is a CXF client, but the error is the same. Both Axis and CXF are WSS4J-based.

        sm228678 added a comment -

        We made a possible fix for the issue. Can you please try with the Metro 2.1 nightly
        build (Jan 13th) and let us know?


          People

          • Assignee:
            xwss-issues
          • Reporter:
            mikola_spb
          • Votes:
            0
          • Watchers:
            0
