Hi All,

I have implemented a WSS4J client and server on WAS 7 and I cannot validate the signature.

I get the following error:
Could not validate request: The signature or decryption was invalid; nested exception is org.apache.ws.security.WSSecurityException: The signature or decryption was invalid

The same code works on Tomcat perfectly well.

The problem seems to be the canonicalization of the SignedInfo. This is the signingInfo from the signing operation.

Code:
Canonicalized SignedInfo:
[12/18/12 17:00:29:738 EST] 00000028  1 UOW= source=org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo class=org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo method=canonicalize org= prod= component= thread=[WebContainer : 2]
          <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenc soapenv xsd xsi"></ec:InclusiveNamespaces></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#id-29"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenc xsd xsi"></ec:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>er0JY1hbu31Jei0LlckfGJ/Y6jU=</ds:DigestValue></ds:Reference></ds:SignedInfo>
[12/18/12 17:00:29:738 EST] 00000028  1 UOW= source=org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo class=org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo method=canonicalize org= prod= component= thread=[WebContainer : 2]

Data to be signed/verified: [Base64 data omitted]

and this is the signedInfo from the verification of the signature:

Code:
Canonicalized SignedInfo:
[12/18/12 17:00:29:910 EST] 00000026  1 UOW= source=org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo class=org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo method=canonicalize org= prod= component= thread=[WebContainer : 0]
          <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenc soapenv xsd xsi"></ec:InclusiveNamespaces></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#id-29"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenc xsd xsi"></ec:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>er0JY1hbu31Jei0LlckfGJ/Y6jU=</ds:DigestValue></ds:Reference></ds:SignedInfo>
[12/18/12 17:00:29:910 EST] 00000026  1 UOW= source=org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo class=org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo method=canonicalize org= prod= component= thread=[WebContainer : 0]
          Data to be signed/verified: [Base64 data omitted]

The actual and expected digests are identical on WAS7.

I am using PARENT-LAST classloading for the xerces, xalan and xml-sec libraries.

The configuration for my spring-ws:
Code:
  <bean id="crypto" class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
    <property name="keyStorePassword" value="Password1"/>
    <property name="keyStoreLocation" value="classpath:/signing.jks"/>
  </bean>

  <bean id="wsSecDigSign" class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
    <property name="securementActions" value="Signature"/>
    <property name="securementSignatureKeyIdentifier" value="DirectReference"/>
    <property name="securementUsername" value="signing"/>
    <property name="securementPassword" value="Password1"/>
    <property name="securementSignatureCrypto" ref="crypto"/>
  </bean>

  <sws:interceptors>
    <bean id="wsSecDigSignValidator" class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
      <property name="validationActions" value="Signature"/>
      <property name="validationSignatureCrypto" ref="crypto"/>
    </bean>
  </sws:interceptors>

  <bean id="externalWebServiceTemplate" class="org.springframework.ws.client.core.WebServiceTemplate">
    <constructor-arg ref="messageFactory"/>
    <property name="marshaller" ref="jaxbMarshaller"/>
    <property name="unmarshaller" ref="jaxbMarshaller"/>
    <property name="defaultUri" value="https://server:9443/Security/idmWebServices"/>
    <property name="interceptors">
      <list>
        <ref bean="wsSecDigSign"/>
      </list>
    </property>
  </bean>

  <bean id="messageFactory" class="org.springframework.ws.soap.saaj.SaajSoapMessageFactory"/>

  <sws:static-wsdl id="idmWebServices" location="/WEB-INF/idm.wsdl"/>

  <bean id="proxy" class="au.gov.customs.idmWebService.IdmWebServiceProxy"/>

Using the following libraries:

aopalliance-1.0.jar
log4j-1.2.16.jar
org.springframework.transaction-3.0.5.RELEASE.jar
spring-security-core-3.0.5.RELEASE.jar
asm-3.3.jar
opensaml-2.5.1-1.jar
org.springframework.web-3.0.5.RELEASE.jar
spring-security-ldap-3.0.5.RELEASE.jar
openws-1.4.2-1.jar
org.springframework.web.servlet-3.0.5.RELEASE.jar
spring-security-taglibs-3.0.5.RELEASE.jar
cglib-2.2.jar
org.springframework.aop-3.0.5.RELEASE.jar
spring-security-web-3.0.5.RELEASE.jar
com.ibm.ws.webservices.thinclient_7.0.0.jar
org.springframework.asm-3.0.5.RELEASE.jar
serializer-2.7.1.jar
spring-ws-2.1.0.RELEASE-all.jar
org.springframework.beans-3.0.5.RELEASE.jar
spring-ldap-1.3.0.RELEASE-all.jar
stax-1.2.0.jar
commons-configuration-1.6.jar
org.springframework.context-3.0.5.RELEASE.jar
spring-ldap-core-1.3.0.RELEASE.jar
stax-api-1.0.1.jar
commons-dbutils-1.3.jar
org.springframework.context.support-3.0.5.RELEASE.jar
spring-ldap-core-tiger-1.3.0.RELEASE.jar
wss4j-1.6.8.jar
commons-fileupload-1.2.2.jar
org.springframework.core-3.0.5.RELEASE.jar
spring-ldap-test-1.3.0.RELEASE.jar
xalan-2.7.1.jar
commons-io-2.0.1.jar
org.springframework.expression-3.0.5.RELEASE.jar
spring-modules-validation.jar
xercesImpl-2.9.1.jar
commons-lang-2.3.jar
org.springframework.jdbc-3.0.5.RELEASE.jar
spring-security-acl-3.0.5.RELEASE.jar
xml-apis-1.3.04.jar
commons-logging-1.1.1.jar
org.springframework.oxm-3.0.5.RELEASE.jar
spring-security-aspects-3.0.5.RELEASE.jar
xmlsec-1.5.3.jar
commons-pool-1.3.jar
org.springframework.test-3.0.0.M3.jar
spring-security-cas-client-3.0.5.RELEASE.jar
xmltooling-1.3.2-1.jar
joda-time-1.6.2.jar
org.springframework.test-3.0.5.RELEASE.jar
spring-security-config-3.0.5.RELEASE.jar
Has anyone run into any similar issue? Am I missing something simple?
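
A diagnostic for the mismatch described in the post, added here as an example and not part of the original post or of WSS4J: it compares the canonical SignedInfo logged at signing with the one logged at verification, and reports which root namespace declarations differ and whether the CanonicalizationMethod's InclusiveNamespaces PrefixList accounts for them. The two inputs are abridged from the post's log output, and the function and constant names are hypothetical.

```python
import os
import re

# Abridged from the two "Canonicalized SignedInfo" log entries in the post:
# the SignatureMethod and Reference children, identical in both, are dropped.
EXC = "http://www.w3.org/2001/10/xml-exc-c14n#"
REST = (f'<ds:CanonicalizationMethod Algorithm="{EXC}">'
        f'<ec:InclusiveNamespaces xmlns:ec="{EXC}" '
        'PrefixList="soapenc soapenv xsd xsi"></ec:InclusiveNamespaces>'
        '</ds:CanonicalizationMethod></ds:SignedInfo>')
AT_SIGN = '<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">' + REST
AT_VERIFY = ('<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"'
             ' xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"'
             ' xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
             ' xmlns:xsd="http://www.w3.org/2001/XMLSchema"'
             ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">' + REST)

START_TAG = re.compile(r'<[^\s>]+(?:\s+[^\s=]+="[^"]*")*\s*>')
NS_DECL = re.compile(r'\sxmlns:([\w.-]+)="([^"]*)"')
# Assumes the "ds" prefix for XML-DSig elements, as in the post's log output.
C14N_PREFIXES = re.compile(
    r'<ds:CanonicalizationMethod\b.*?PrefixList="([^"]*)"', re.S)


def root_namespaces(c14n_xml):
    """Prefix -> URI for the declarations rendered on the root start tag."""
    return dict(NS_DECL.findall(START_TAG.match(c14n_xml).group(0)))


def compare_signed_info(at_sign, at_verify):
    """Report how two canonical SignedInfo serializations differ."""
    ns_sign, ns_verify = root_namespaces(at_sign), root_namespaces(at_verify)
    changed = set(ns_sign) ^ set(ns_verify)
    found = C14N_PREFIXES.search(at_verify)
    inclusive = set(found.group(1).split()) if found else set()
    return {
        "identical": at_sign == at_verify,
        "first_diff_offset": len(os.path.commonprefix([at_sign, at_verify])),
        "only_at_sign": sorted(set(ns_sign) - set(ns_verify)),
        "only_at_verify": sorted(set(ns_verify) - set(ns_sign)),
        # Prefixes in the PrefixList are rendered whenever they are in scope.
        "explained_by_prefix_list": sorted(changed & inclusive),
        "unexplained": sorted(changed - inclusive),
    }


if __name__ == "__main__":
    for key, value in compare_signed_info(AT_SIGN, AT_VERIFY).items():
        print(f"{key}: {value}")
```

An empty `unexplained` list means every differing declaration is a prefix named in the PrefixList, which points at the set of in-scope namespaces differing between the sign-time and verify-time DOM rather than at altered SignedInfo content.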