Unable to verify signature and decrypt XML on incoming post

620363 Jul 1 2008 — edited Apr 14 2009
Guys,
I am able to verify signature alone using a jks keystore but when I try to do the following steps (verify signature and then decrypt XML either separately or together as decrypt and verify signature), it fails as follows:
2008-07-01 20:50:13,826 INFO [AJPRequestHandler-HTTPThreadGroup-31] wssecurity.OSDTWSSecurity - The binary security token signature requirement false
2008-07-01 20:50:13,912 SEVERE [AJPRequestHandler-HTTPThreadGroup-31] wssecurity.OSDTWSSecurity - XML Signature verification failed
2008-07-01 20:50:13,922 WARNING [AJPRequestHandler-HTTPThreadGroup-31] wssecurity.SecurityBaseStep - Failure while applying XML Security
FAULT CODE: FailedCheck FAULT MESSAGE: XML Signature verification failed
at com.cfluent.policysteps.security.wssecurity.OSDTWSSecurity.decryptVerify(OSDTWSSecurity.java:525)

Here is the incoming post:

<?xml version="1.0" encoding="UTF-8" ?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns0="http://services.mycccportal.com/SOA/SalvageAssignmentStatusService" xmlns:ns1="http://www.cieca.com/BMS">
<env:Header>
<wsse:Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<xenc:EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference wsu:Id="_6U7iS5oyF98Uuexf0k0uXg22" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ex1TotnWQj72GE1Hb1SiYqbkn6U=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</dsig:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>CzoiO9yBviWM3QnVeLsjOg3cncYVP94rnj2JWWeVEQ3eejDeLkG8eD3bqqWN3ygYZWL7f7EBbhApy8/mJ8nT3eVCvroi5JfpOQqUox/elrhOLyWqFg36lrktV6/voXWuLEJTlr4udiqLHHeKBrSTsN8we4JK0r+3w86tds71vNY=</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#_gR8kxcBFh6m8EFm1wAbDIA22" />
</xenc:ReferenceList>
</xenc:EncryptedKey>
<wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="z0JLsagyFrmWByYYfeiZBA22" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIIGUTCCBDmgAwIBAgICAMgwDQYJKoZIhvcNAQEFBQAwgb0xCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhJbGxpbm9pczEQMA4GA1UEBxMHQ2hpY2FnbzEmMCQGA1UEChMdQ0NDIEluZm9ybWF0aW9uIFNlcnZpY2VzIEluYy4xHTAbBgNVBAsTFEluZm9ybWF0aW9uIFNlY3VyaXR5MSAwHgYDVQQDExdDQ0MgUm9vdCBDQSBDZXJ0aWZpY2F0ZTEgMB4GCSqGSIb3DQEJARYRdnVsbm1ndEBjY2Npcy5jb20wHhcNMDgwNjI0MTQ0NDMzWhcNMTAwNjI1MTkyNjU2WjCBmTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCElsbGlub2lzMSYwJAYDVQQKEx1DQ0MgSW5mb3JtYXRpb24gU2VydmljZXMgSW5jLjEcMBoGA1UECxMTQVplYmFsYS9Db3BhcnQgVGVzdDExMC8GA1UEAwwodGVzdC5jY2NfY29uc3VtZXIuY2xpZW50X2NlcnRzLmNjY2lzLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAgnve13tJm9xSwh5ipEQkloNfSaDDt9fAjQ+fFormXzNINjK+EfoZiH6G7Gs3+ShpsWEPlKreMyYR+67hZStw/r6sykksQKPjtQzVp0OjvWJiYWJ03SLRozxn1Z2hk4xCQACLzUeP0fA3KIMKcf30FH3g/YUztbwIo9bZwJxoTw8CAwEAAaOCAf8wggH7MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDARBglghkgBhvhCAQEEBAMCBaAwOwYJYIZIAYb4QgENBC4WLFdlYiBDbGllbnQgQ2VydGlmaWNhdGUgc2lnbmVkIGJ5IENDQyBSb290IENBMB0GA1UdDgQWBBT9jOsQk/Soac6ncK44l9voJShoDDCB8gYDVR0jBIHqMIHngBSg3rBf15zeSFsVEuIU+2RsZJQenKGBw6SBwDCBvTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCElsbGlub2lzMRAwDgYDVQQHEwdDaGljYWdvMSYwJAYDVQQKEx1DQ0MgSW5mb3JtYXRpb24gU2VydmljZXMgSW5jLjEdMBsGA1UECxMUSW5mb3JtYXRpb24gU2VjdXJpdHkxIDAeBgNVBAMTF0NDQyBSb290IENBIENlcnRpZmljYXRlMSAwHgYJKoZIhvcNAQkBFhF2dWxubWd0QGNjY2lzLmNvbYIJAJuVUApvNNamMAkGA1UdEQQCMAAwHAYDVR0SBBUwE4ERdnVsbm1ndEBjY2Npcy5jb20wNQYJYIZIAYb4QgEEBCgWJmh0dHA6Ly93d3cuY2NjaXMuY29tL2NhY2VydC9jYWNlcnQuY3Js
MA0GCSqGSIb3DQEBBQUAA4ICAQCf2Vfx2afYam5SYMPNNddh6+X+YxTSTvsI8WNUW8O9kT8AkuG29p+nzQZ8okX2/H6Z4VEDcsvDks2QFiN3kVkD3TYWj9EMKh+BTq2rQLB6EqQzJDty0E4/Zn13Kajdc989pI6gErM7rphCcgw0Y7BeesxMD0t+HtmuUdS7kPKh+nTGEVMzefsdqE/jMJ2Nh9b279R479xnSOTvkwdzqE0olIuUaBFOIaHofky5OYcLqiuCnYFtjRvYH0dmOQdLVJrDY2DId6RkluUqNyVo9rs7HW3+1O0m2IQnUQ51rLbR+0l/9fWzFd9BcB/Cjdjp9DClvBvSEXZ+h7UAYxehxOAPc6YsqNcMaVkCLQ46KRDHRtbm5DHd1nxlRJhUPnbY3oYcCwPpt5Mo1nN0NUgcSEa20I54R+Fhny4scjN9p4iSBJUMtXdb9mziVoUg5M9/Psm7pghzb74Z4RtMw7y/YX1Z3FmVmTwdLFvr6W7WlbYeSlRXpx1i/5XCTTRNKkt2CWGuwKctjf3Ai887wFOnf/2sz5gbLTDsJjchVju9YyfFupGhK30avKeKO6vew75nrzpnlIhPiIXhedE0SUBF+IjiBru3JT3nXdqTzXFHKHf6pFUeCDI4LGug81QMSyNgNdlVBi5AhPHXfZaDvg60VGhLjfKrK7JuLLM+cgSYQpxAGA==</wsse:BinarySecurityToken>
<dsig:Signature xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<dsig:Reference URI="#18vc4q4hS6VC5rOaOOaYSA22">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<dsig:DigestValue>KRPxHM6IAMO2E8uMlY1gSRYaSkM=</dsig:DigestValue>
</dsig:Reference>
<dsig:Reference URI="#z0JLsagyFrmWByYYfeiZBA22">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<dsig:DigestValue>4nxdbbDvrUbCC1VDOxU7nbLN/Oo=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>J6Jr8H9H5MbE4d2SXf/LDvq3ljbzK2vrwhRl3z1wgZzEtt5Di52ei3o3Q46JPwoHrrNufxAOibr0kO9LWqHnK22JKv6viw5lJdrmrFKHAVWz8W90E3oTf1rifQYlnWhFGLVKP49gZ4+1rDNaQlQ5Im3toQVBxSAwKM1G8jSvIxI=</dsig:SignatureValue>
<dsig:KeyInfo>
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference URI="#z0JLsagyFrmWByYYfeiZBA22" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" />
</wsse:SecurityTokenReference>
</dsig:KeyInfo>
</dsig:Signature>
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2008-07-01T20:50:11Z</wsu:Created>
<wsu:Expires>2008-07-02T04:50:11Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</env:Header>
<env:Body wsu:Id="18vc4q4hS6VC5rOaOOaYSA22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Content" Id="_gR8kxcBFh6m8EFm1wAbDIA22" xmlns="http://www.w3.org/2001/04/xmlenc#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<xenc:CipherData>
<xenc:CipherValue>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</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</env:Body>
</env:Envelope>

Any help would be appreciated.

Policy properties are as follows

XML Encrypt

Basic Properties                   Type      Default   Value
Enabled (*)                        boolean   true      true

Encryption Properties              Type      Default   Value
Keystore location (*)              string    (blank)   /data/ia/oracle/services/event/SOAComms/copart/copart_test.jks
Encrypt Keystore Type (*)          string    jks       jks
Keystore password                  string    (blank)   *******
Decryptor's public-key alias (*)   string    (blank)   copart_test
Encryption Algorithm (*)           string    3DES      3DES
Key Transport Algorithm (*)        string    RSA-1_5   RSA-1_5
Encrypted Content (*)              string    BODY      ENVELOPE
Encrypt XPATH Expression           string    (blank)   (blank)
Encrypt XML Namespace              string[]  (blank)   (blank)

Sign message

Basic Properties                   Type      Default   Value
Enabled (*)                        boolean   true      true

Signing Properties                 Type      Default   Value
Keystore location (*)              string    (blank)   /data/ia/oracle/services/event/SOAComms/copart/copart_test.jks
Signing Keystore Type (*)          string    jks       jks
Keystore password                  string    (blank)   *******
Signer's private-key alias (*)     string    (blank)   ccc_consumer
Signer's private-key password      string    (blank)   *******
Signature Algorithm (*)            string    RSA-SHA1  RSA-SHA1
Signed Content (*)                 string    BODY      ENVELOPE
Sign XPATH Expression              string    (blank)   (blank)
Sign XML Namespace                 string[]  (blank)   (blank)

Post Details
Locked on May 12 2009
Added on Jul 1 2008
14 comments
5,119 views
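
Added example, not part of the original post and not the gateway's own code: a Python check that reads a WS-Security header laid out like the one posted above and reports, for each signed reference, whether its target still contains EncryptedData that has to be decrypted before the digest can match. It assumes the sender followed the WS-Security rule of prepending each new element to the Security header; the sample message and the ids bst-1, body-1 and enc-1 are constructed placeholders.

```python
import xml.etree.ElementTree as ET

WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
NS = {
    "env": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": WSS + "secext-1.0.xsd",
    "wsu": WSS + "utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
XMLNS = " ".join('xmlns:%s="%s"' % item for item in NS.items())
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample: same element layout as the posted message, placeholder values.
SAMPLE = f"""<env:Envelope {XMLNS}><env:Header><wsse:Security>
 <xenc:EncryptedKey><xenc:ReferenceList>
  <xenc:DataReference URI="#enc-1"/></xenc:ReferenceList></xenc:EncryptedKey>
 <wsse:BinarySecurityToken wsu:Id="bst-1">PLACEHOLDER</wsse:BinarySecurityToken>
 <ds:Signature><ds:SignedInfo>
  <ds:Reference URI="#body-1"/><ds:Reference URI="#bst-1"/>
 </ds:SignedInfo></ds:Signature>
</wsse:Security></env:Header>
<env:Body wsu:Id="body-1"><xenc:EncryptedData Id="enc-1"/></env:Body></env:Envelope>"""

def analyze(xml_text):
    """Return (header element order, {signed id: step the receiver needs first})."""
    root = ET.fromstring(xml_text)
    sec = root.find("env:Header/wsse:Security", NS)
    order = [child.tag.split("}")[-1] for child in sec]
    # Index elements by wsu:Id or plain Id so same-document URIs can be resolved.
    by_id = {el.get(a): el for el in root.iter() for a in (WSU_ID, "Id") if el.get(a)}
    encrypted = {r.get("URI", "").lstrip("#") for r in sec.iterfind(
        "xenc:EncryptedKey/xenc:ReferenceList/xenc:DataReference", NS)}
    # Assumption: the sender prepended header elements, so an EncryptedKey listed
    # before the Signature means the message was signed first and encrypted last.
    enc_last = ("EncryptedKey" in order and "Signature" in order
                and order.index("EncryptedKey") < order.index("Signature"))
    plan = {}
    for ref in sec.iterfind("ds:Signature/ds:SignedInfo/ds:Reference", NS):
        ref_id = ref.get("URI", "").lstrip("#")
        target = by_id.get(ref_id)
        if target is None:
            plan[ref_id] = "unresolved reference"
            continue
        hidden = [e for e in target.iter("{%s}EncryptedData" % NS["xenc"])
                  if e.get("Id") in encrypted]
        plan[ref_id] = ("verify as-is" if not hidden
                        else "decrypt first" if enc_last else "verify first")
    return order, plan
```

On the constructed sample, `analyze(SAMPLE)` marks `body-1` as "decrypt first" and `bst-1` as "verify as-is".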