Uploaded image for project: 'WSS4J'
  1. WSS4J
  2. WSS-198

Problem when body is signed and then an XPath is encrypted

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 1.5.7
    • 1.5.8, 1.6
    • None
    • None

    Description

      Hi everybody,
      there is a problem when when a message body is signed and then an XPath expression pointing to a body element is encrypted.
      The problem is that the verification of the signature cannot pass. This is caused by the fact that there is a difference between the signed body and the body used for signature verification. The body used for signature verification is modified because after XPath element decryption an ID is added to the element. This ID is used to verify the decryption, but changes the original body.

      I am doing the tests with :

      Rampart from the trunk with WSS4J 1.5.7.

      Exception thrown is:

      [WARN] Verification failed for URI "#Id-11235685"
      [WARN] Expected Digest: o0jyc1pJHEawRaLNry+cnYeCc80=
      [WARN] Actual Digest: VMEF6KgvE6t3PNLlYR49LGEW+xM=
      [ERROR] The signature or decryption was invalid
      org.apache.axis2.AxisFault: The signature or decryption was invalid
      at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:172)
      at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95)
      at org.apache.axis2.engine.Phase.invoke(Phase.java:317)
      at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:264)
      at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:163)
      at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:275)
      at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:133)
      at com.mycompany.deployment.server.SAGAdminServlet.doPost(SAGAdminServlet.java:30)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
      at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
      at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
      at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
      at java.lang.Thread.run(Thread.java:595)
      Caused by: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
      at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:527)
      at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
      at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
      at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
      at org.apache.rampart.RampartEngine.process(RampartEngine.java:151)
      at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
      ... 22 more

      I will try to apply a patch tomorrow.

      Any comments and ideas are appreciated.

      Regards,
      Dobri

      Attachments

        1. send_to_server_side_before_encryption.xml
          3 kB
          Dobri Emilov Kitipov
        2. signed_doc_after_decryption.xml
          5 kB
          Dobri Emilov Kitipov
        3. wss4j.patch
          6 kB
          Stefan Vladov
        4. rampart.patch
          12 kB
          Stefan Vladov

        Issue Links

          Activity

            People

              coheigea Colm O hEigeartaigh
              dobri Dobri Emilov Kitipov
              Votes:
              1 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: