[xmlsec] RE: Implementing WS-Security using XMLSec...
Venky Madireddi
venky@arvasoft.com
Tue, 3 Jun 2003 22:32:57 -0700
Aleksey,
Thanks for the reply. I am sorry about not using the mailing list, and will make sure to use it in the future.

I don't have a DTD; I am using the xmlAddID function to inform LibXML2 about all the IDs.

Also, I am capturing the response directly from WebSphere and storing it to a file in binary mode.

Since there is no way I could get to the code of WebSphere, do you have any other suggestions on how to solve this issue?
Thanks,
Regards,
-Venky
-----Original Message-----
From: Aleksey Sanin [mailto:aleksey@aleksey.com]
Sent: Tuesday, June 03, 2003 8:29 AM
To: arvasoft@attbi.com
Cc: venky@arvasoft.com; xmlsec@aleksey.com
Subject: Re: Implementing WS-Security using XMLSec...
First of all, I would appreciate it if you would use the xmlsec mailing list for any questions about the xmlsec library (this reply is copied to the list, btw).

It seems that your <Reference/> element contains a URI with an Id attribute. And I am not sure I understand how you got the error you describe without a DTD. Most likely you should have something like this instead:

func=xmlSecXPathDataExecute:file=xpath.c:line=250:obj=unknown:subj=xmlXPtrEval:
error=5:libxml2 library function failed:
expr=xpointer(id('wssecurity_body_id_3550107555769326699_1054623170226'))

Please read section 3.2 from the FAQ (http://www.aleksey.com/xmlsec/faq.html) for an explanation of "why".

Assuming you add a correct DTD, the signature seems to be trivial (Reference with an ID type URI plus one exc C14N transform) and I would be really surprised if xmlsec does a wrong thing here. Unfortunately, there is no easy way to determine why digests do not match. In xmlsec you can use the '--print-all' option to get the binary stream just before digesting. The best you can do is to compare this data with similar ones from WebSphere (if you would be able to get the same data from WebSphere). Read the documentation or search the mailing list. There were several similar problems before.

And if you want me to guess, I would bet that you have different digests because something introduced spaces and/or end of lines when you dumped the XML document to file.
Aleksey
arvasoft@attbi.com wrote:
Hi Aleksey,

I am implementing WS-Security using XMLSec. Currently, I am trying to validate signatures generated by WebSphere, but am running into a problem where the digests generated by WebSphere and by XMLSec are different. This causes the following error:

func=:file=..\src\openssl\digests.c:line=164:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
Signature is INVALID

I would really appreciate your help on resolving this issue.
Thanks,
Regards,
-Venky
PS: I am attaching the following files:
1. original WebSphere signed document
2. a modified version of the XML document that I am using for the test; I have copied the X509 from <wsse:BinarySecurityToken> to <X509Certificate> in <KeyInfo>.
3. cacert.pem, the trusted root that I use
----------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1"
xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext">
<wsse:BinarySecurityToken EncodingType="wsse:Base64Binary"
ValueType="wsse:X509v3"
wsu:Id="wssecurity_binary_security_token_id_3491871345588805218_1054623170226"
xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">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</wsse:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference
URI="#wssecurity_body_id_3550107555769326699_1054623170226">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>5zj77bM9zGNVvLBIdy6yho/IZ+g=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
vU35ynJzQdJ7zu09Gitf4hcsoG6OT/qYW1MTcvAigjNxKfgdZYN90BASwwpPN5LxaL
sEi+f8OXpAYM5aPMlLH1rht+es1xPkq6lrG5JbGcUJtNbSG0LfLhcoWfV4aak1pXdC
vczRurJyoDEpImeYNsFr6ItLaRciTTTA7qaSCKw=
</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference
URI="#wssecurity_binary_security_token_id_3491871345588805218_1054623170226"
/>
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="wssecurity_body_id_3550107555769326699_1054623170226"
xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
<getGreetingResponse xmlns="http://Sample8.wsdk.ibm.com">
<getGreetingReturn xmlns="">Hello venky. How are you?</getGreetingReturn>
</getGreetingResponse>
</soapenv:Body>
</soapenv:Envelope>
----------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv=
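Aleksey's guess above (whitespace introduced when the document was dumped) and his '--print-all' comparison can be reproduced offline. This is an added example, not code from the thread or from xmlsec: it resolves the Reference URI by wsu:Id (the lookup xmlAddID enables), digests the canonicalized subtree, and shows that a dump which adds newlines between tags changes the DigestValue. Assumptions: a constructed envelope with a made-up wsu:Id, and Python's stdlib C14N 2.0 serializer standing in for the exc-C14N 1.0 transform, so the digest bytes are not comparable with the real signature's.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = "http://schemas.xmlsoap.org/ws/2002/07/utility"
for prefix, uri in (("soapenv", SOAP), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)

BODY_ID = "wssecurity_body_id_example"  # constructed, not WebSphere's value
# Constructed envelope shaped like the signed message: the Body is the signed
# part and carries the wsu:Id that <Reference URI="#..."> points at.
DOC = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAP}">'
    + f'<soapenv:Body wsu:Id="{BODY_ID}" xmlns:wsu="{WSU}">'
    + '<getGreetingResponse xmlns="http://Sample8.wsdk.ibm.com">'
    + '<getGreetingReturn xmlns="">Hello venky. How are you?</getGreetingReturn>'
    + '</getGreetingResponse></soapenv:Body></soapenv:Envelope>'
)

def find_by_id(doc, ref_uri):
    """Resolve a '#id' URI by wsu:Id, the lookup xmlAddID enables in libxml2."""
    if not ref_uri.startswith("#"):
        raise ValueError("only same-document '#id' references are handled")
    for el in ET.fromstring(doc).iter():
        if el.get(f"{{{WSU}}}Id") == ref_uri[1:]:
            return el
    return None

def reference_digest(doc, ref_uri):
    """Base64 SHA-1 over the canonicalized referenced subtree (the DigestValue)."""
    target = find_by_id(doc, ref_uri)
    if target is None:
        raise ValueError("unresolved reference " + ref_uri)
    target.tail = None  # text after </soapenv:Body> is outside the signed subtree
    subtree = ET.tostring(target, encoding="unicode")
    # Stand-in for the exc-C14N 1.0 transform: stdlib C14N 2.0. Both keep the
    # whitespace text nodes inside the subtree, which is what matters here.
    c14n = ET.canonicalize(subtree, strip_text=False)
    return base64.b64encode(hashlib.sha1(c14n.encode("utf-8")).digest()).decode()

def verify_reference(doc, ref_uri, expected_b64):
    """True when the recomputed DigestValue matches; False is xmlsec's 'error=12'."""
    return reference_digest(doc, ref_uri) == expected_b64

def dump_with_newlines(doc):
    """Mimic a dump that inserts a newline plus indent between adjacent tags."""
    return re.sub(r">\s*<", ">\n  <", doc)
```

Whitespace outside the referenced subtree (before <soapenv:Body>) does not change the result; only the newlines that land inside it alter the canonical bytes and therefore the digest.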