Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-5679

WS-S after upgrade fails with org.apache.ws.security.WSSecurityException: The signature or decryption was invalid

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.7.9, 2.7.10
    • Fix Version/s: 3.0, 2.7.12
    • Component/s: WS-* Components
    • Labels:
    • Estimated Complexity:
      Unknown

      Description

      After upgrading CXF from version 2.7.5 to 2.7.9 or higher, we experienced this issue. Worked well with 2.7.5 and earlier.

      Request (our business data stripped and replaced with dummy ns1):

      <soapenv:Envelope xmlns:ns1="http://example/soap"
      	xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      	<soapenv:Header>
      		<wsse:Security soapenv:mustUnderstand="1"
      			xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      			xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      			<ds:Signature Id="SIG-33" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      				<ds:SignedInfo>
      					<ds:CanonicalizationMethod
      						Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      						<ec:InclusiveNamespaces PrefixList="ns1 soapenv"
      							xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
      					</ds:CanonicalizationMethod>
      					<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      					<ds:Reference URI="#id-22">
      						<ds:Transforms>
      							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      								<ec:InclusiveNamespaces PrefixList="ns1"
      									xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
      							</ds:Transform>
      						</ds:Transforms>
      						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      						<ds:DigestValue>VF0g31FSsHWpdMN7lGVgQA1li4c=</ds:DigestValue>
      					</ds:Reference>
      					<ds:Reference URI="#TS-32">
      						<ds:Transforms>
      							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      								<ec:InclusiveNamespaces PrefixList="wsse ns1 soapenv"
      									xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
      							</ds:Transform>
      						</ds:Transforms>
      						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      						<ds:DigestValue>4yW2ssYnI+QB40HBdWexy80+GNo=</ds:DigestValue>
      					</ds:Reference>
      				</ds:SignedInfo>
      				<ds:SignatureValue>QGIDsbR//zUyjUD36LtkiMJsIiT1vYionG8Y0blqif2QKrMB2AHnr9KXiYy7MbcdMaTVxn6gmKGN
      					7bRjE6MX1VVf9ZPem5SfasHYQ6wS7l/I1NGUyGw227cv1AceDPje05Wjk5vmN9G1dKvbfECJhBLA
      					7/OBAxJI+TYmYe94cu8=</ds:SignatureValue>
      				<ds:KeyInfo Id="KI-6788C4A756C88F8773139703929455550">
      					<wsse:SecurityTokenReference
      						wsu:Id="STR-6788C4A756C88F8773139703929455551">
      						<ds:X509Data>
      							<ds:X509IssuerSerial>
      								<ds:X509IssuerName>CN=clientuser</ds:X509IssuerName>
      								<ds:X509SerialNumber>1288174342</ds:X509SerialNumber>
      							</ds:X509IssuerSerial>
      						</ds:X509Data>
      					</wsse:SecurityTokenReference>
      				</ds:KeyInfo>
      			</ds:Signature>
      			<wsu:Timestamp wsu:Id="TS-32">
      				<wsu:Created>2014-04-09T10:28:14.554Z</wsu:Created>
      				<wsu:Expires>2014-04-09T10:33:14.554Z</wsu:Expires>
      			</wsu:Timestamp>
      		</wsse:Security>
      	</soapenv:Header>
      	<soapenv:Body wsu:Id="id-22"
      		xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      		<ns1:hello></ns1:hello>
      	</soapenv:Body>
      </soapenv:Envelope>
      

      Response:

      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      	<soap:Body>
      		<soap:Fault>
      			<faultcode
      				xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:FailedCheck</faultcode>
      			<faultstring>The signature or decryption was invalid</faultstring>
      		</soap:Fault>
      	</soap:Body>
      </soap:Envelope>
      

      Log:

      o.a.c.w.s.wss4j.WSS4JInInterceptor - org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
      o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:19
      
      o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
      o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:
      
      o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:
      
      o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
      o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:12
      
      o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:
      
      o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.jav
      
      o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
      o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
      o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167)
      o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.jav
      
      o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
      o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
      o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
      o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.ja
      
      o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      

        Attachments

        1. bad-request-formatted.xml
          4 kB
          Julian Ingram
        2. bad-run.txt
          80 kB
          Julian Ingram
        3. example-test.diff
          5 kB
          Julian Ingram
        4. good-request-formatted.xml
          4 kB
          Julian Ingram
        5. log.txt
          28 kB
          Ján Ondrušek
        6. ParseBodyTest.java
          3 kB
          Akitoshi Yoshida
        7. test-soapui-project.xml
          13 kB
          Julian Ingram

          Issue Links

            Activity

              People

              • Assignee:
                coheigea Colm O hEigeartaigh
                Reporter:
                ondrusekj Ján Ondrušek
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: