[XWSS-50] Validation of Reference with STR-Transformation for request from Axis client Created: 01/Dec/09  Updated: 12/Jan/10  Resolved: 12/Jan/10

Status: Resolved
Project: xwss
Component/s: www
Affects Version/s: current
Fix Version/s: milestone 1

Type: Bug Priority: Major
Reporter: mikola_spb Assignee: xwss-issues
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: Windows XP
Platform: PC


Attachments: XML File BinarySecurityToken-Axis.xml     XML File BinarySecurityToken-Metro.xml     XML File soap.xml     Zip Archive ws-integration.zip    
Issuezilla Id: 50

 Description   

Hi,

I have a client application which is Axis based and a WebService which is Metro 2.0.
The service has WS-Security and all requests must be signed (note: but without
encryption).

In the attachment you can see the full SOAP request from the Axis client (formatted for reading).

When Metro validates the incoming request I always get an error:

01.12.2009 13:58:01 com.sun.xml.ws.security.opt.crypto.dsig.Reference validate
FINEST: Calculated digest value is: )}@Ц'╟2їаH~┼┴]kх▒/Ў
01.12.2009 13:58:01 com.sun.xml.ws.security.opt.crypto.dsig.Reference validate
FINEST: Expected digest value is: �Л4!аhqдуN?▲♂ iRPбВ"
01.12.2009 13:58:01
com.sun.xml.ws.security.opt.impl.incoming.processor.SignedInfoProcessor
processReference
SEVERE: WSS1721: Validation of Reference with URI #STRId-1765100 failed

So ds:DigestValue for ds:Reference URI="#STRId-1765100" calculated by client
(Axis) and Metro are different.

I've found that a different stream is used for calculating the SHA-1 digest. See the attachments.
The only difference is that the XML canonicalized by Metro doesn't contain xmlns="".

The following transformation should be used:

<ds:Reference URI="#STRId-1765100">
<ds:Transform
Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
<wsse:TransformationParameters>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</wsse:TransformationParameters>
</ds:Transform>
</ds:Reference>
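
Added example (not part of the original report, and not Metro or WSS4J code): the STR Dereference Transform in WSS SOAP Message Security requires xmlns="" on an apex element that has no default namespace declaration, which is the difference described above. This sketch takes the canonicalized token as logged by the receiver, builds both octet streams, and reports which one reproduces the signer's ds:DigestValue; the function names and the sample token are assumptions made for illustration.

```python
import base64
import hashlib
import re

# Apex start tag in canonical form: name, then name="value" pairs in double quotes.
_APEX = re.compile(r'^<((?:[\w.-]+:)?[\w.-]+)((?:\s[\w:.-]+="[^"]*")*)>')

def with_empty_default_ns(canonical: str) -> str:
    """Emit xmlns="" on the apex element unless it already declares a default namespace."""
    m = _APEX.match(canonical)
    if m is None:
        raise ValueError("input does not start with a canonical start tag")
    names = re.findall(r'\s([\w:.-]+)="[^"]*"', m.group(2))
    if "xmlns" in names:
        return canonical
    # Canonical XML writes namespace declarations before attributes, default
    # namespace first, so the declaration goes directly after the element name.
    cut = m.end(1)
    return canonical[:cut] + ' xmlns=""' + canonical[cut:]

def digest_b64(octets: str) -> str:
    """SHA-1 over the UTF-8 octets, base64-encoded like ds:DigestValue."""
    return base64.b64encode(hashlib.sha1(octets.encode("utf-8")).digest()).decode("ascii")

def classify(canonical: str, expected_digest_value: str) -> str:
    """Say which octet stream, if any, reproduces the signer's ds:DigestValue."""
    candidates = (
        ("without-xmlns-empty", canonical),
        ("with-xmlns-empty", with_empty_default_ns(canonical)),
    )
    for label, octets in candidates:
        if digest_b64(octets) == expected_digest_value.strip():
            return label
    return "no-match"

# Constructed sample: a token shaped like the one in the log, with a dummy body.
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
SAMPLE = (
    f'<wsse:BinarySecurityToken xmlns:wsse="{WSS}wssecurity-secext-1.0.xsd"'
    f' xmlns:wsu="{WSS}wssecurity-utility-1.0.xsd"'
    f' EncodingType="{WSS}soap-message-security-1.0#Base64Binary"'
    f' ValueType="{WSS}x509-token-profile-1.0#X509v3"'
    ' wsu:Id="CertId-constructed">Q09OU1RSVUNURUQ=</wsse:BinarySecurityToken>'
)

if __name__ == "__main__":
    # Digest a signer that emits xmlns="" would have placed in SignedInfo.
    signer_value = digest_b64(with_empty_default_ns(SAMPLE))
    print(classify(SAMPLE, signer_value))
```

Feed it the string logged after "WSS1757: Canonicalized target value" and the ds:DigestValue of the failing reference from the canonicalized SignedInfo; a "no-match" result means the mismatch has another cause, and the reference must still be rejected.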



 Comments   
Comment by mikola_spb [ 01/Dec/09 ]

Created an attachment (id=19)
SOAP request formatted for reading

Comment by mikola_spb [ 01/Dec/09 ]

Created an attachment (id=20)
Transformed XML by Axis (wss4j)

Comment by mikola_spb [ 01/Dec/09 ]

Created an attachment (id=21)
Transformed XML by Metro

Comment by sm228678 [ 16/Dec/09 ]

Hi, we are working on this.
Can you retest your scenario with the latest Metro nightly and confirm whether this
problem still exists or not?

Comment by mikola_spb [ 18/Dec/09 ]

Hi, I've tested with the Metro 2.1 nightly build (Friday, December 18, 2009 at
2:27:41 AM) and see that the problem still exists.

If you need, I can attach the application which I use for testing.
Here is the application log.

FINER: engine-com.sun.xml.ws.server.WSEndpointImpl@1664cdefiber-2
com.sun.xml.wss.jaxws.impl.SecurityServerTube@10aeb17.processRequest(com.sun.xml.ws.api.message.Packet@bec35a)
18.12.2009 19:51:14
com.sun.xml.ws.security.opt.impl.incoming.processor.SignedInfoProcessor process
FINEST: Canonicalized Signed Info:<ds:SignedInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#id-6">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>mz5hRH8Uei3qWkE+ipomSbE+qmI=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#STRId-C282FEC6E6BCB7647812611550741116">
<ds:Transforms>
<ds:Transform
Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
<wsse:TransformationParameters
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod></wsse:TransformationParameters>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>jqVeyjCtlIl1g2qHX9Ovax6/qlI=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#Timestamp-4">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>xTmwKT96imbrkbRBsUQe90PMKOs=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
18.12.2009 19:51:14 com.sun.xml.ws.security.opt.crypto.dsig.Reference transform
FINE: Digest Algorithm is http://www.w3.org/2000/09/xmldsig#sha1
18.12.2009 19:51:14 com.sun.xml.ws.security.opt.crypto.dsig.Reference transform
FINE: Mapped Digest Algorithm is SHA-1
18.12.2009 19:51:14 com.sun.xml.ws.security.opt.crypto.dsig.Transform transform
FINEST: WSS1757: Canonicalized target value: <wsse:BinarySecurityToken
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-C282FEC6E6BCB7647812611550741114">[Base64 certificate data omitted]</wsse:BinarySecurityToken>
18.12.2009 19:51:14 com.sun.xml.ws.security.opt.crypto.dsig.Reference validate
FINEST: Calculated digest value is: «=g©
8jao‰j;­е#­
18.12.2009 19:51:14 com.sun.xml.ws.security.opt.crypto.dsig.Reference validate
FINEST: Expected digest value is: Ћ�^К0­�‰uѓj‡_УЇkїЄR
18.12.2009 19:51:14
com.sun.xml.ws.security.opt.impl.incoming.processor.SignedInfoProcessor
processReference
SEVERE: WSS1721: Validation of Reference with URI
#STRId-C282FEC6E6BCB7647812611550741116 failed
18.12.2009 19:51:14 com.sun.xml.bind.v2.ContextFactory createContext
FINE: Property com.sun.xml.bind.XmlAccessorFactoryis not active. Using JAXB's
implementation
18.12.2009 19:51:14 com.sun.xml.bind.v2.ContextFactory createContext
FINE: Property com.sun.xml.bind.XmlAccessorFactoryis not active. Using JAXB's
implementation
18.12.2009 19:51:14 com.sun.xml.ws.api.pipe.Fiber __doRun
FINER: engine-com.sun.xml.ws.server.WSEndpointImpl@1664cdefiber-2
com.sun.xml.wss.jaxws.impl.SecurityServerTube@10aeb17 returned with
com.sun.xml.ws.api.pipe.NextAction@eab1f2
[kind=RETURN,next=null,packet=com.sun.xml.ws.api.message.Packet@bec35a,throwable=null]
18.12.2009 19:51:14 com.sun.xml.ws.api.pipe.Fiber completionCheck
FINE: engine-com.sun.xml.ws.server.WSEndpointImpl@1664cdefiber-2 completed

Comment by sm228678 [ 19/Dec/09 ]

Yes. Please attach a sample client and service to reproduce it on my side.

Comment by mikola_spb [ 19/Dec/09 ]

Created an attachment (id=22)
Here are the client and service. There is a CXF client, but the error is the same. Both Axis and CXF are WSS4J based.

Comment by sm228678 [ 12/Jan/10 ]

We made a possible fix for the issue. Can you please try with the Metro 2.1 nightly
build (Jan 13th) and let us know?

Generated at Wed May 27 06:09:54 UTC 2015 using JIRA 6.2.3#6260-sha1:63ef1d6dac3f4f4d7db4c1effd405ba38ccdc558.