CXF WS-Security - X509IssuerSerial validation fails -


i encountered issues while working cxf ws-security , signature verification. use wss4jininterceptor on server side in order verify signature on body element.
- when usee binarysecuritytoken (directreference) key identifier type works fine;
- when use x509issuerserial (issuerserial) key identifier type signature verfication on server side fails.
configuration on server side:

<bean id="wss4jin" class="org.apache.cxf.ws.security.wss4j.wss4jininterceptor">     <constructor-arg>         <map>             <entry key="action" value="signature" />             <entry key="signaturepropfile" value="config/security/truststore.properties" />             <entry key="signaturealgorithm" value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />             <entry key="signaturekeyidentifier" value="x509issuerserial"/>             <entry key="signatureparts"                 value="{element}{http://schemas.xmlsoap.org/soap/envelope/}body" />         </map>     </constructor-arg> </bean>

if send (from client side) soapenvelope soapheader:

<soap-env:header>     <wsse:security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap-env:mustunderstand="1">         <ds:signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" id="sig-69c28b5e-3566-4fab-b26f-bd28e97c21e9">             <ds:signedinfo>                 <ds:canonicalizationmethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">                     <ec:inclusivenamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" prefixlist="soap-env enc xsd xsi"/>                 </ds:canonicalizationmethod>                 <ds:signaturemethod algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>                 <ds:reference uri="#_e078e477-59bc-401d-83f5-a11925947d19">                     <ds:transforms>                         <ds:transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">                             <ec:inclusivenamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" prefixlist="enc xsd xsi"/>                         </ds:transform>                     </ds:transforms>                     <ds:digestmethod algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>                     <ds:digestvalue>mmq1czwfv5zk3kmzepwybvpfas73hxieddekykjruq4=</ds:digestvalue>                 </ds:reference>             </ds:signedinfo>             <ds:signaturevalue>amn7favwhd9ra6shrj6ryf6bihdrh2n2r3wxh2+aubi3mlpstcbfa1oqbrvt3ppvts/lzrrt6afzwspp0ypjpedtudued1x8hrskbgxbt+quqfiio4wghuj4k/5b/lond9d1a48ic0plom3fsnhf+kqjeb5rpew5f8aertfbucg=</ds:signaturevalue>             <ds:keyinfo id="ki-b49617ba-b2d8-4bad-9c46-d772389537df">                 <wsse:securitytokenreference wsu:id="str-4e662377-c736-48c5-a0c1-11a1473769ee">                     <ds:x509data>                         <ds:x509issuerserial>                             <ds:x509issuername>1.2.840.113549.1.9.1=#xxx,cn=xxx,ou=xxx,o=xxx,l=xxx,st=xx,c=xx</ds:x509issuername>                             <ds:x509serialnumber>xxx</ds:x509serialnumber>                         </ds:x509issuerserial>                     </ds:x509data>                 </wsse:securitytokenreference>             </ds:keyinfo>         </ds:signature>     </wsse:security> </soap-env:header>

i soapfault:

<soap:envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:body>     <soap:fault>         <faultcode xmlns:ns1="http://ws.apache.org/wss4j">ns1:securityerror</faultcode>         <faultstring>a security error encountered when verifying message</faultstring>     </soap:fault> </soap:body>

debug log output didn't information. while debugging, discovered org.apache.wss4j.dom.processor.signatureprocessorfails @ point:

 if ((certs == null || certs.length == 0 || certs[0] == null)          && secretkey == null         && publickey == null) {         throw new wssecurityexception(wssecurityexception.errorcode.failed_check);     }

it line 197 throws exception in wss4j-ws-security-dom-2.1.0. means certificate , publickey null. drives me conclusion didn't think enough beginning - didn't realize there no certificate signature can validated against. also, conclusion in case of x509issuerserial, can verify signature in case have certificate on receiving (in case server) side.
have better explanation?


Comments

Post a Comment

Popular posts from this blog

javascript - Google App Script ContentService downloadAsFile not working -

i have web app developed using google app script htmlservice , html form, populating excel sheet in google drive using spreadsheetapp . , 1 section calling contentservice download data excel file. function doget(e) { // read excel sheet //getappfile(); // render application html template return htmlservice.createtemplatefromfile('index').evaluate() .settitle('go smart') .setsandboxmode(htmlservice.sandboxmode.iframe); } function downloaddoublequatecsvfile() { var sheetid = propertiesservice.getscriptproperties().getproperty('sheetid'); var ss = spreadsheetapp.openbyid(sheetid).getactivesheet(); //var ss = spreadsheetapp.getactivespreadsheet().getactivesheet(); var maxcolumn = ss.getlastcolumn(); var maxrow = ss.getlastrow(); var data = ss.getrange(1, 1, maxrow, maxcolumn).getvalues(); if (data.length > 1) { var csv = ""; (var row = 0; row < data.length; row++) { (var c...
Read more

javascript - Function overwritting -

is there way overwrite function or event handling in function? using addeventlistener, can have many event handlers on element want var test=document.getelementbyid("div"); test.addeventlistener("click",function(){alert("im first");},false); test.addeventlistener("click",function(){alert("im second");},false); // alerts "im first" , after "im second" but if want overwrite function/event example based on client width example this function one() { alert("first"); } function two() { alert("second"); } window.onresize = function() { var test = document.getelementbyid("div"); if (window.innerwidth > 500) { test.onclick = 1 } else { test.onclick = two; } } is possible in javascript? in case use effective little known approach. addeventlistener can accept object property handleevent event handler. in case it's easy overwr...
Read more

php - Find a regex to take part of Email -

i have following emails need extract part from: bestellnummer xxx: 1 von xxx, 1er pack ------------- anfang der nachricht ------------- foo bar baz foo bar baz // <<<<< need text here ------------- ende der nachricht ------------- ------------- anfang der nachricht ------------- foo bar baz foo bar baz ------------- ende der nachricht ------------- there 0 unlimited occurences of ------------- anfang der nachricht ------------- ------------- ende der nachricht ------------- and i'm able extract first part regex: $re = "/------------- .*? -------------.?(.*?).?------------- .*? -------------/s"; but, i'm quite new on learning regex, i'm pretty sure there must better regex extract part (foo bar baz foo bar baz) of text between ------------- anfang der nachricht ------------- ------------- ende der nachricht ------------- as can in different languages, i'm using .? to match between hyphens. i...
Read more