Why removing Transform algorithm parameter makes a difference

avb

Hello!

In our company we are using Metro version 2.2.1. The WS client has the following configuration:

<xwss:SecurityConfiguration xmlns:xwss='http://java.sun.com/xml/ns/xwss/config'>
        <xwss:Sign id='request_signature' includeTimestamp='false'>
                <xwss:X509Token keyReferenceType='Identifier' valueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3' />
                <xwss:CanonicalizationMethod algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
                <xwss:SignatureMethod algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' />
               
                <xwss:SignatureTarget type='xpath' value='.//SOAP-ENV:Body'>
                        <xwss:DigestMethod algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
                        <!-- <xwss:Transform algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> -->
                </xwss:SignatureTarget>
        </xwss:Sign>
        <xwss:Encrypt>
                <xwss:X509Token keyReferenceType='Identifier' valueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3' />
                <xwss:KeyEncryptionMethod algorithm='http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p'/>
                <xwss:DataEncryptionMethod algorithm='http://www.w3.org/2001/04/xmlenc#aes256-cbc'/>
               
                <xwss:EncryptionTarget type='xpath' value='.//SOAP-ENV:Body' contentOnly='true' />
        </xwss:Encrypt>
</xwss:SecurityConfiguration>

Please note that the line <xwss:Transform algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> is commented out. The interesting thing is that if I uncomment this line, I get the exception "Caused by: javax.xml.ws.soap.SOAPFaultException: Invalid Security Header"; the debug log reveals that signature validation fails, because:

(org.jcp.xml.dsig.internal.dom) Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
(org.jcp.xml.dsig.internal.dom) isNodeSet() = true
(org.jcp.xml.dsig.internal.dom) Expected digest: 0WitBTFIQJ7VNW+8dfJxs0StpAw=
(org.jcp.xml.dsig.internal.dom) Actual digest: N8U+FrqmzWuY/9Xv/mYONoYWkPk=
(org.jcp.xml.dsig.internal.dom) Reference[#XWSSGID-1371072827792-1639295048] is valid: false
(org.jcp.xml.dsig.internal.dom) Couldn't validate the References
(com.sun.xml.wss.logging.impl.dsig) Signature failed core validation

However, if I just comment out the line with the algorithm, it works.
We used Metro version 1.5 before and didn't have such a problem with this config. We didn't change the server config or the client config; we just upgraded the library.
Re: Why removing Transform algorithm parameter makes a difference

avb

I am sorry, the formatting hid all comments.

<xwss:SecurityConfiguration xmlns:xwss='http://java.sun.com/xml/ns/xwss/config'>
        <xwss:Sign id='request_signature' includeTimestamp='false'>
                <xwss:X509Token keyReferenceType='Identifier' valueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3' />
                <xwss:CanonicalizationMethod algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
                <xwss:SignatureMethod algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' />
                <xwss:SignatureTarget type='xpath' value='.//SOAP-ENV:Body'>
                        <xwss:DigestMethod algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
                        <!-- I am talking about this line: --> <xwss:Transform algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
                </xwss:SignatureTarget>
        </xwss:Sign>
        <xwss:Encrypt>
                <xwss:X509Token keyReferenceType='Identifier' valueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3' />
                <xwss:KeyEncryptionMethod algorithm='http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p'/>
                <xwss:DataEncryptionMethod algorithm='http://www.w3.org/2001/04/xmlenc#aes256-cbc'/>
                <xwss:EncryptionTarget type='xpath' value='.//SOAP-ENV:Body' contentOnly='true' />
        </xwss:Encrypt>
</xwss:SecurityConfiguration>
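As an added example (not code from the original post, nor from Metro or XWSS), the following Python script models what the verifier in the debug log above does for each ds:Reference: it applies the transforms listed inside the Reference to the referenced bytes, hashes the output, and compares the result with the DigestValue carried in the signature. It shows that when the transform chain advertised in the Reference differs from what the signer actually hashed over, the verifier reports exactly the "Expected digest" / "Actual digest" mismatch seen in the log, even though the signed bytes were never tampered with. Assumptions: the SOAP Body, the reference URI and the digests are constructed for this example, and the standard library's C14N 2.0 (xml.etree.ElementTree.canonicalize) stands in for Exclusive C14N 1.0, which the standard library does not implement.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
SHA1_URI = "http://www.w3.org/2000/09/xmldsig#sha1"

# Constructed sample SOAP Body (not from the original post). The attribute order,
# the self-closing element and the whitespace all change under canonicalization,
# so the digest depends on which transforms were applied before hashing.
BODY = (
    b'<SOAP-ENV:Body xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
    b'xmlns:ex="urn:example:constructed" ex:b="2" ex:a="1">\n'
    b'  <ex:Ping><ex:Message>hello</ex:Message><ex:Empty/></ex:Ping>\n'
    b'</SOAP-ENV:Body>'
)


def apply_transforms(data: bytes, algorithms: list) -> bytes:
    """Run the Reference's transform chain, in order, over the referenced bytes."""
    out = data
    for alg in algorithms:
        if alg == EXC_C14N:
            # Assumption: the stdlib's C14N 2.0 stands in for Exclusive C14N 1.0.
            # It is not byte-identical to exc-c14n, but like it, it normalizes
            # attribute order, quoting and empty elements.
            out = ET.canonicalize(out.decode("utf-8")).encode("utf-8")
        else:
            raise ValueError(f"unsupported transform: {alg}")
    return out


def digest_value(data: bytes, algorithms: list) -> str:
    """Base64 SHA-1 digest over the transform output, as placed in ds:DigestValue."""
    transformed = apply_transforms(data, algorithms)
    return base64.b64encode(hashlib.sha1(transformed).digest()).decode()


def build_reference(uri: str, listed_algorithms: list, digest_b64: str) -> str:
    """Serialize a ds:Reference that advertises the given transforms and digest."""
    transforms = ""
    if listed_algorithms:
        inner = "".join(f'<ds:Transform Algorithm="{a}"/>' for a in listed_algorithms)
        transforms = f"<ds:Transforms>{inner}</ds:Transforms>"
    return (
        f'<ds:Reference xmlns:ds="{DS_NS}" URI="{uri}">'
        f"{transforms}"
        f'<ds:DigestMethod Algorithm="{SHA1_URI}"/>'
        f"<ds:DigestValue>{digest_b64}</ds:DigestValue>"
        "</ds:Reference>"
    )


def verify_reference(reference_xml: str, data: bytes) -> dict:
    """What a verifier does: apply the listed transforms, hash, compare with DigestValue."""
    ref = ET.fromstring(reference_xml)
    listed = [t.get("Algorithm") for t in ref.iter(f"{{{DS_NS}}}Transform")]
    expected = ref.findtext(f"{{{DS_NS}}}DigestValue").strip()
    actual = digest_value(data, listed)
    return {"uri": ref.get("URI"), "transforms": listed,
            "expected": expected, "actual": actual, "valid": expected == actual}


def demo() -> dict:
    """Signer and verifier agreeing vs. disagreeing on the transform chain."""
    # The signer canonicalizes the Body before hashing and lists that transform.
    signed = build_reference("#body-1", [EXC_C14N], digest_value(BODY, [EXC_C14N]))
    # Same digest, but the Reference advertises no transform: the verifier hashes
    # the raw bytes instead, and the expected and actual digests diverge.
    mismatched = build_reference("#body-1", [], digest_value(BODY, [EXC_C14N]))
    return {"agree": verify_reference(signed, BODY),
            "disagree": verify_reference(mismatched, BODY)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: valid={result['valid']} transforms={result['transforms']}")
        print(f"  Expected digest: {result['expected']}")
        print(f"  Actual digest:   {result['actual']}")
```

When debugging a failure like the one in the log, the useful comparison is therefore between the ds:Transforms element that actually appears in the outgoing message's ds:Reference and the transforms the signing side applied before digesting; any difference between the two (an extra, missing or differently parameterized transform) produces a digest mismatch on the receiving side regardless of whether the message was altered in transit.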