Key: XWSS-50
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: xwss-issues
Reporter: mikola_spb
Votes: 0
Watchers: 0
Validation of Reference with STR-Transformation for request from Axis client

Created: 01/Dec/09 04:06 AM   Updated: 12/Jan/10 03:23 AM   Resolved: 12/Jan/10 03:23 AM
Component/s: www
Affects Version/s: current
Fix Version/s: milestone 1

Time Tracking:
Not Specified

File Attachments: 1. XML File BinarySecurityToken-Axis.xml (2 kB) 01/Dec/09 04:09 AM - mikola_spb
2. XML File BinarySecurityToken-Metro.xml (2 kB) 01/Dec/09 04:09 AM - mikola_spb
3. XML File soap.xml (13 kB) 01/Dec/09 04:08 AM - mikola_spb
4. Zip Archive ws-integration.zip (56 kB) 19/Dec/09 08:32 AM - mikola_spb

Environment:

Operating System: Windows XP
Platform: PC


Issuezilla Id: 50
Tags:
Participants: mikola_spb, sm228678 and xwss-issues


Description

Hi,

I have a client application which is Axis based and a WebService which is Metro 2.0.
The service has WS-Security and all requests must be signed (note: but without
encryption).

In the attachment you can see the full SOAP request from the Axis client (formatted for reading).

When Metro validates the incoming request I always get an error:

01.12.2009 13:58:01 com.sun.xml.ws.security.opt.crypto.dsig.Reference validate
FINEST: Calculated digest value is: )}@Ц'╟2їаH~┼┴]kх▒/Ў
01.12.2009 13:58:01 com.sun.xml.ws.security.opt.crypto.dsig.Reference validate
FINEST: Expected digest value is: �Л4!аhqдуN?▲♂ iRPбВ"
01.12.2009 13:58:01
com.sun.xml.ws.security.opt.impl.incoming.processor.SignedInfoProcessor
processReference
SEVERE: WSS1721: Validation of Reference with URI #STRId-1765100 failed

So the ds:DigestValue for ds:Reference URI="#STRId-1765100" calculated by the client
(Axis) and by Metro are different.

I've found that a different stream is used for calculating the SHA-1 digest. See the attachments.
The only difference is that the XML canonicalized by Metro doesn't contain xmlns="".

The following transformation should be used:

<ds:Reference URI="#STRId-1765100">
  <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
    <wsse:TransformationParameters>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </wsse:TransformationParameters>
  </ds:Transform>
</ds:Reference>
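
Added example (not part of the original report and not Metro or WSS4J code): a Python check that takes the octets a verifier canonicalized for an STR-Transform reference and reports whether the signer's ds:DigestValue is reproduced as-is or only once xmlns="" is emitted on the apex element, the one difference the description identifies. The sample token, its attribute values and the function names are constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed sample: a shortened token as a verifier might canonicalize it.
# The attribute and body values are placeholders, not the data from this issue.
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
TOKEN = ('<wsse:BinarySecurityToken xmlns:wsse="' + WSSE + '" '
         'ValueType="EXAMPLE">Q09OU1RSVUNURUQ=</wsse:BinarySecurityToken>'
         ).encode("utf-8")

# Canonical XML start tag: name, then attributes as name="value" separated by
# one space; a literal '"' never appears inside a canonical attribute value.
_START = re.compile(rb'^<([^\s/>]+)((?: [^\s=]+="[^"]*")*)')


def with_empty_default_ns(canonical: bytes) -> bytes:
    """Emit xmlns="" on the apex element if it declares no default namespace.

    The default namespace declaration sorts before prefixed declarations and
    ordinary attributes, so it is placed directly after the element name.
    """
    m = _START.match(canonical)
    if m is None:
        raise ValueError("input does not start with an element start tag")
    if b' xmlns="' in m.group(2):
        return canonical  # a default namespace is already declared
    end_of_name = m.end(1)
    return canonical[:end_of_name] + b' xmlns=""' + canonical[end_of_name:]


def digest_b64(data: bytes) -> str:
    """Base64 of SHA-1, the form ds:DigestValue carries for xmldsig#sha1."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def diagnose(canonical: bytes, expected_b64: str) -> str:
    """Report which canonical form reproduces the signer's DigestValue."""
    if digest_b64(canonical) == expected_b64:
        return "matches-as-is"
    if digest_b64(with_empty_default_ns(canonical)) == expected_b64:
        return 'matches-with-xmlns=""'
    return "no-match"


if __name__ == "__main__":
    # Simulate a signer that emitted xmlns="" and a verifier that did not.
    signer_digest = digest_b64(with_empty_default_ns(TOKEN))
    print(diagnose(TOKEN, signer_digest))
```

To use it on real data, pass the bytes from the verifier's "Canonicalized target value" log line and the ds:DigestValue from the matching ds:Reference.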



mikola_spb added a comment - 01/Dec/09 04:08 AM

Created an attachment (id=19)
SOAP request formatted for reading


mikola_spb added a comment - 01/Dec/09 04:09 AM

Created an attachment (id=20)
Transformed XML by Axis (wss4j)


mikola_spb added a comment - 01/Dec/09 04:09 AM

Created an attachment (id=21)
Transformed XML by Metro


sm228678 added a comment - 16/Dec/09 10:53 PM

Hi, we are working on this.
Can you retest your scenario with the latest Metro nightly and confirm whether this
problem still exists or not?


mikola_spb added a comment - 18/Dec/09 08:59 AM

Hi, I've tested with Metro 2.1 nightly build (Friday, December 18, 2009 at
2:27:41 AM) and see that problem still exists.

If you need I can attach my application which I use for test.
Here is application log.

FINER: engine-com.sun.xml.ws.server.WSEndpointImpl@1664cdefiber-2
com.sun.xml.wss.jaxws.impl.SecurityServerTube@10aeb17.processRequest(com.sun.xml.ws.api.message.Packet@bec35a)
18.12.2009 19:51:14
com.sun.xml.ws.security.opt.impl.incoming.processor.SignedInfoProcessor process
FINEST: Canonicalized Signed Info:<ds:SignedInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#id-6">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>mz5hRH8Uei3qWkE+ipomSbE+qmI=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#STRId-C282FEC6E6BCB7647812611550741116">
<ds:Transforms>
<ds:Transform
Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
<wsse:TransformationParameters
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod></wsse:TransformationParameters>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>jqVeyjCtlIl1g2qHX9Ovax6/qlI=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#Timestamp-4">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>xTmwKT96imbrkbRBsUQe90PMKOs=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
18.12.2009 19:51:14 com.sun.xml.ws.security.opt.crypto.dsig.Reference transform
FINE: Digest Algorithm is http://www.w3.org/2000/09/xmldsig#sha1
18.12.2009 19:51:14 com.sun.xml.ws.security.opt.crypto.dsig.Reference transform
FINE: Mapped Digest Algorithm is SHA-1
18.12.2009 19:51:14 com.sun.xml.ws.security.opt.crypto.dsig.Transform transform
FINEST: WSS1757: Canonicalized target value: <wsse:BinarySecurityToken
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-C282FEC6E6BCB7647812611550741114">MIIDDzCCAnigAwIBAgIBAzANBgkqhkiG9w0BAQQFADBOMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEMMAoGA1UEChMDU1VOMQwwCgYDVQQLEwNKV1MxDjAMBgNVBAMTBVNVTkNBMB4XDTA3MDMxMjEwMjQ0MFoXDTE3MDMwOTEwMjQ0MFowbzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEMMAoGA1UECxMDU1VOMRowGAYDVQQDExF4d3NzZWN1cml0eWNsaWVudDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvYxVZKIzVdGMSBkW4bYnV80MV/RgQKV1bf/DoMTX8laMO45P6rlEarxQiOYrgzuYp+snzz2XM0S6o3JGQtXQuzDwcwPkH55bHFwHgtOMzxG4SQ653a5Dzh04nsmJvxvbncNH/XNaWfHaC0JHBEfNCMwRebYocxYM92pq/G5OGyECAwEAAaOB2zCB2DAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU/mItfvuFdS7A0GCysE71TFRxP2cwfgYDVR0jBHcwdYAUZ7plxs6VyOOOTSFyojDV0/YYjJWhUqRQME4xCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMQwwCgYDVQQKEwNTVU4xDDAKBgNVBAsTA0pXUzEOMAwGA1UEAxMFU1VOQ0GCCQDbHkJaq6KijjANBgkqhkiG9w0BAQQFAAOBgQBEnRdcQeMyCYqOHw2jbPOPUlvu07bZe7sI3ly/Qz+4mkrFctqMSupghQtLv9dZcqDOUFLCGMse7+l5MG00VawzsoVe242iXzJB111ePzhhppIPOHXXtflj/JD2U4Qz75C/dfdd5AAZbqGSFtZh7pyE8Ot1vOq7R48/bHuvTsEVUQ==</wsse:BinarySecurityToken>
18.12.2009 19:51:14 com.sun.xml.ws.security.opt.crypto.dsig.Reference validate
FINEST: Calculated digest value is: «=g©
8jao‰j;­е#­
18.12.2009 19:51:14 com.sun.xml.ws.security.opt.crypto.dsig.Reference validate
FINEST: Expected digest value is: Ћ�^К0­�‰uѓj‡_УЇkїЄR
18.12.2009 19:51:14
com.sun.xml.ws.security.opt.impl.incoming.processor.SignedInfoProcessor
processReference
SEVERE: WSS1721: Validation of Reference with URI
#STRId-C282FEC6E6BCB7647812611550741116 failed
18.12.2009 19:51:14 com.sun.xml.bind.v2.ContextFactory createContext
FINE: Property com.sun.xml.bind.XmlAccessorFactoryis not active. Using JAXB's
implementation
18.12.2009 19:51:14 com.sun.xml.bind.v2.ContextFactory createContext
FINE: Property com.sun.xml.bind.XmlAccessorFactoryis not active. Using JAXB's
implementation
18.12.2009 19:51:14 com.sun.xml.ws.api.pipe.Fiber __doRun
FINER: engine-com.sun.xml.ws.server.WSEndpointImpl@1664cdefiber-2
com.sun.xml.wss.jaxws.impl.SecurityServerTube@10aeb17 returned with
com.sun.xml.ws.api.pipe.NextAction@eab1f2
[kind=RETURN,next=null,packet=com.sun.xml.ws.api.message.Packet@bec35a,throwable=null]
18.12.2009 19:51:14 com.sun.xml.ws.api.pipe.Fiber completionCheck
FINE: engine-com.sun.xml.ws.server.WSEndpointImpl@1664cdefiber-2 completed


sm228678 added a comment - 19/Dec/09 03:52 AM

Yes. Please attach a sample client and service to reproduce it on my side.


mikola_spb added a comment - 19/Dec/09 08:32 AM

Created an attachment (id=22)
Here is client and service. There is CXF client, but error is the same. Both Axis and CXF are WSS4J based.


sm228678 added a comment - 12/Jan/10 03:23 AM

We made a possible fix for the issue. Can you please try with the Metro 2.1 nightly
build (Jan 13th) and let us know?