Details
- Type: Bug
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: 2.1.10
- Fix Version/s: None
- Component/s: None
- Environment: Windows, JDK 1.8
Description
I have a SOAP WebService I need to call to get a SAML token. I am using javax.xml.soap.SOAPMessage to construct the message and WSS4J to sign it.
The WebService requires that I sign the envelope using Exclusive Canonicalization Omitting Comments (http://www.w3.org/2001/10/xml-exc-c14n#).
This side of things is fine and I've got the message constructed, but when I send it I am getting the message "An error occurred when verifying security for the message.", which the service provider says is because it can't verify the signature.
The problem I think is that it wants Canonicalization done including namespace prefixes.
So I have set setAddInclusivePrefixes(true) but the PrefixList is missing some of the namespaces. Is this likely an issue? If not, any ideas what the issue could be?
Here is my code:
static void signSoapMessage(SOAPMessage soapMessage, PrivateKey privateKey, String password,
                            byte[] salt, X509Certificate[] certChain) {
    try {
        WSSConfig.init();
        //setSecurityHeader(soapMessage);
        // getCrypto(...) and Utils.printDocument(...) are the reporter's own helpers (not shown)
        Merlin crypto = getCrypto(privateKey, password, salt, certChain);
        Document unsignedDocument = soapMessage.getSOAPPart().getEnvelope().getOwnerDocument();

        // Insert the wsse:Security header into the SOAP header
        WSSecHeader secHeader = new WSSecHeader(unsignedDocument);
        secHeader.insertSecurityHeader();

        // Timestamp valid for 600 seconds, second precision
        WSSecTimestamp timestamp = new WSSecTimestamp();
        timestamp.setPrecisionInMilliSeconds(false);
        timestamp.setTimeToLive(600);
        timestamp.build(unsignedDocument, secHeader);

        // Setup the signer
        WSSecSignature signer = new WSSecSignature();
        signer.setUserInfo("signingCert", password);
        signer.setSignatureAlgorithm(WSConstants.RSA_SHA1);
        signer.setDigestAlgo(WSConstants.SHA1);
        signer.setSigCanonicalization(WSConstants.C14N_EXCL_OMIT_COMMENTS);
        signer.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
        signer.setAddInclusivePrefixes(true);
        // Sign the Timestamp and the element carrying wsu:Id="_5002" (the addressing To header)
        signer.getParts().add(new WSEncryptionPart(timestamp.getId()));
        signer.getParts().add(new WSEncryptionPart("_5002"));

        Logger.getLogger(Logger.GLOBAL_LOGGER_NAME).log(Level.INFO, "Before Signing....");
        signer.build(unsignedDocument, crypto, secHeader);
        Utils.printDocument(unsignedDocument);
        Logger.getLogger(Logger.GLOBAL_LOGGER_NAME).log(Level.INFO, "After Signing....");
    } catch (WSSecurityException | SOAPException ex) {
        Logger.getGlobal().log(Level.SEVERE, null, ex);
    }
}
This is what I am generating which doesn't work:
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
              xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
              xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
              xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
              xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
              xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <env:Header>
    <To xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5002">https://host/service.svc </To>
    <Action xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue </Action>
    <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
      <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
    </ReplyTo>
    <MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:61acc133-863e-4fd5-bc06-55dbae17beed </MessageID>
    <wsse:Security env:mustUnderstand="true">
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                                wsu:Id="X509-d2431cd8-4b02-4d6d-b802-00e9338f78c8">*** Content Removed ***</wsse:BinarySecurityToken>
      <ds:Signature Id="SIG-68adfb61-c715-4925-9778-9e4b07350ec3">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="env"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#TS-6429ca59-aec2-4639-a37c-0f38e3012ab8">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="wsse env"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>4FOsUd2SzIwL+9Yz8QoYT/dChBg=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_5002">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="env"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>LiNgJUCK0GyrUZ3BpbdlRbVKnfo=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>AY02PPr8QfqgG/HVfsBlCjBrYXkn21SdOT5NYWnHDFYigft0GTPJA1UTUr5s501CPTyc6rr6PLiC/NJI7Sn3kYPeJ860aYYlcCueZ6mBQeTWhC1F3WN6ullh1jCrLVk3y4YyL/aENjyiCJtyIRN4SCBhSsA4wMK9ZXqGMdORxQo=</ds:SignatureValue>
        <ds:KeyInfo Id="KI-3911029c-0313-44d8-8967-ee401575f848">
          <wsse:SecurityTokenReference wsu:Id="STR-811d3ff8-ebb2-4539-96b2-0cf76bb49b5e">
            <wsse:Reference URI="#X509-d2431cd8-4b02-4d6d-b802-00e9338f78c8"
                            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsu:Timestamp wsu:Id="TS-6429ca59-aec2-4639-a37c-0f38e3012ab8">
        <wsu:Created>2017-07-02T22:25:27Z</wsu:Created>
        <wsu:Expires>2017-07-02T22:35:27Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </env:Header>
  <env:Body>
    <RequestSecurityToken xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">*** Content Removed *** </RequestSecurityToken>
  </env:Body>
</env:Envelope>
This is an envelope that works:
<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"
            xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
            xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#">
  <S:Header>
    <To xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5002">https://host/service.svc </To>
    <Action xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue </Action>
    <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
      <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
    </ReplyTo>
    <MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:c3b514af-d630-48aa-861e-77902a4ab16a </MessageID>
    <wsse:Security S:mustUnderstand="true">
      <wsu:Timestamp xmlns:ns18="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
                     xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                     xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/"
                     wsu:Id="_1">
        <wsu:Created>2017-06-29T21:34:33Z</wsu:Created>
        <wsu:Expires>2017-06-29T21:39:33Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:BinarySecurityToken xmlns:ns18="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
                                xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                                xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/"
                                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                                wsu:Id="uuid_14d363bc-1193-4710-8729-2674605387d6">*** </wsse:BinarySecurityToken>
      <ds:Signature xmlns:ns18="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
                    xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                    xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/"
                    Id="_2">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <exc14n:InclusiveNamespaces PrefixList="wsse S" />
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <ds:Reference URI="#_1">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <exc14n:InclusiveNamespaces PrefixList="wsu wsse S" />
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>nQeNC2NVtR9ChmXfaDKppoVAsu4=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_5002">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <exc14n:InclusiveNamespaces PrefixList="S" />
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>AAvvtxJCqfB68LHnM0xeXCYd4J8=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>SAt3BmSXHU2w6fN5xREtXEHI/tZwp9M3dHFbRmMhgJZPPx4b+jZngndep7XsYuXJ3fNggFH082WVhN0CuqV1DknAMq/dUF7k12dj+z+eAeAwrBS25EflyzLgcTa75ZQn9IFNCfd2X5I9PPOrQoQBQwNf14hV8BThReQn2qa0wrA=</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#uuid_14d363bc-1193-4710-8729-2674605387d6"
                            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </S:Header>
  <S:Body>
    <RequestSecurityToken xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
                          xmlns:ns2="http://vanguard.business.gov.au/2009/02"
                          xmlns:ns3="http://schemas.microsoft.com/2003/10/Serialization/"></RequestSecurityToken>
  </S:Body>
</S:Envelope>
I notice that the Reference for the "To" element in mine is missing the "wsu" namespace in the PrefixList.
Working:
<exc14n:InclusiveNamespaces PrefixList="wsu wsse S" />
Mine:
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse env"/>
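The following is an added example, not code from the reporter or from the WSS4J project, that makes the effect of the InclusiveNamespaces PrefixList visible: it canonicalizes the same wsu:Timestamp element with exclusive C14N under several PrefixLists and prints the resulting bytes and their SHA-1 DigestValue. It uses the Apache Santuario Canonicalizer that WSS4J signs with, and assumes the Santuario 2.x API where canonicalizeSubtree(Node, String) returns byte[] (3.x writes to an OutputStream instead). The envelope is a constructed sample in the shape of the reporter's message, with wsu and wsse declared on the Envelope rather than on the Timestamp; SHA-1 is used only to match the #sha1 DigestMethod in the messages above.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.xml.security.Init;
import org.apache.xml.security.c14n.Canonicalizer;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/**
 * Shows how the InclusiveNamespaces PrefixList changes the exclusive-C14N bytes
 * of a signed part, and therefore the ds:DigestValue a verifier recomputes.
 * Assumes the Santuario 2.x API (canonicalizeSubtree(Node, String) -> byte[]).
 */
public class PrefixListDigestCheck {

    static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    // Constructed sample: env, wsse and wsu are declared on the Envelope, so they
    // are in scope for the Timestamp but not declared on it.
    static final String SAMPLE_ENVELOPE =
        "<env:Envelope xmlns:env=\"http://www.w3.org/2003/05/soap-envelope\""
      + " xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\""
      + " xmlns:wsu=\"" + WSU_NS + "\">"
      + "<env:Header><wsse:Security env:mustUnderstand=\"true\">"
      + "<wsu:Timestamp wsu:Id=\"TS-1\">"
      + "<wsu:Created>2017-07-02T22:25:27Z</wsu:Created>"
      + "<wsu:Expires>2017-07-02T22:35:27Z</wsu:Expires>"
      + "</wsu:Timestamp></wsse:Security></env:Header><env:Body/></env:Envelope>";

    /** Exclusive C14N (omitting comments) of one element under the given PrefixList. */
    static byte[] excC14n(Element element, String prefixList) throws Exception {
        Canonicalizer c14n = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        return c14n.canonicalizeSubtree(element, prefixList);
    }

    /** Base64(SHA-1(canonical bytes)): the value that appears in ds:DigestValue for #sha1. */
    static String sha1DigestValue(byte[] canonical) throws Exception {
        return Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-1").digest(canonical));
    }

    /** Namespace-aware DOM parse with DTD processing disabled. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // C14N needs real namespace nodes, not raw "xmlns:*" attributes
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        Init.init(); // registers the Santuario canonicalizers
        Document doc = parse(SAMPLE_ENVELOPE);
        Element timestamp = (Element) doc.getElementsByTagNameNS(WSU_NS, "Timestamp").item(0);

        // Same element, different PrefixLists. A prefix the element uses visibly (wsu on
        // wsu:Timestamp) is emitted by exclusive C14N anyway; a listed prefix the element
        // does not use (env, wsse) is what adds xmlns declarations and changes the digest.
        for (String prefixList : new String[] {"env", "wsse env", "wsu wsse env"}) {
            byte[] canonical = excC14n(timestamp, prefixList);
            System.out.println("PrefixList=\"" + prefixList + "\"");
            System.out.println("  c14n   : " + new String(canonical, StandardCharsets.UTF_8));
            System.out.println("  digest : " + sha1DigestValue(canonical));
        }
    }
}
```

Because the InclusiveNamespaces element sits inside ds:SignedInfo, the PrefixList is itself covered by the signature: a verifier applies exactly the list the signer declared. A DigestValue mismatch therefore means the verifier's view of the element (in-scope namespace declarations, whitespace, any re-serialization between signing and sending) differs from what the signer canonicalized. Comparing the bytes printed above against what the signing code actually hashed, for the PrefixList that appears in the ds:Transform of each ds:Reference, is the quickest way to locate such a difference.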