I have two services communicating, and messages in both directions have to be secured: signed and encrypted, but let's go step by step.
Each one has its own private key (in the keystore), and its public key exported into the other one's keystore. So, the client signs with his own private key and encrypts with the public key of the server. The server decrypts the message using his own private key and then validates the message using the client's public key in his keystore. Then the server does just what the client did but using his keys, and that's it.
I managed to get this to work with the xwss security interceptor from spring-ws 1.0.3 using some additional code.
Tried to port it to 1.5 (just by changing jars) but it didn't work. Okay, things were changed, so what, let's make it work. But I just couldn't (even after a couple of hours in debug mode and constantly altering the policy file); the server was very persistent in not wanting to validate the client's signature (I left out the encryption in this scenario for simplicity's sake).
So I said, ok, let's go to the wss4j interceptor. Don't know if I like the property-only configuration over the xwss policy, but I suppose it's easier for beginners.
Okay, I wired in the interceptor, crypto objects, keystorehandler (yes, the new one from wss4j package), all the passwords, the keystores remained the same on both ends.
I got armed with sources from everywhere so I can see the code. I just applied signing and verification. The exception I get is this:
2008.04.11 18:53:37 org.apache.xml.security.signature.Reference verify
WARNING: Verification failed for URI "#id-19350739"
2008.04.11 18:53:37 org.springframework.ws.soap.security.AbstractWsSecurityInterceptor handleValidationException
WARNING: Could not validate request: The signature verification failed; nested exception is org.apache.ws.security.WSSecurityException: The signature verification failed
The problem is in the Reference class, where the digests (the one that came with the message and the new computed one) get compared and they were not the same.
... from org.apache.xml.security.signature.Reference.verify():
    byte[] elemDig = this.getDigestValue();   // digest carried in the <DigestValue> of the message
    byte[] calcDig = this.calculateDigest();  // digest recomputed over the referenced element
    boolean equal = MessageDigestAlgorithm.isEqual(elemDig, calcDig);
I did fetch the right key from the keystore, since its serial number and the client's are the same.
Then I read in the WS documentation that only SHA1 with RSA algorithm is supported and that's exactly the kind of keys I have (1024 bits, don't know if it's important).
And finally, the server configuration, but I don't think that there's anything wrong here.
Any help will be greatly appreciated.
<bean class="org.springframework.ws.server.endpoint.interceptor.PayloadLoggingInterceptor" />
<bean id="signatureInterceptor" class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
    <property name="validationActions" value="Signature" />
    <property name="validationSignatureCrypto" ref="serverKeystore" />
</bean>
<bean id="serverKeystore" class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
    <property name="keyStorePassword" value="store_password_server" />
    <property name="keyStoreLocation" value="classpath:/security/serverKeystore.jks" />
</bean>
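The sign-then-encrypt exchange described at the top of the post, written out as an added Java example (not the poster's code and not Spring-WS or WSS4J code): in-memory 1024-bit RSA key pairs stand in for the two keystores, the client signs with SHA1withRSA and encrypts for the server, the server decrypts and verifies, and the last step shows that any change to the signed bytes makes verification fail, which is the same symptom as the digest mismatch in Reference.verify(). The payload and the flipped byte are constructed sample data.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import javax.crypto.Cipher;

// Client signs with its own private key and encrypts with the server's public key;
// the server decrypts with its own private key and verifies with the client's public key.
public class SignThenEncryptDemo {
    static final String SIG_ALG = "SHA1withRSA";         // the algorithm the post says the WSS stack supports
    static final String ENC_ALG = "RSA/ECB/PKCS1Padding"; // enough for a short demo payload (under 117 bytes at 1024 bits)

    static KeyPair newRsaKeyPair() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(1024);                             // matches the key size mentioned in the post
        return kpg.generateKeyPair();
    }

    /** Client side: returns {detached signature, ciphertext}. */
    static byte[][] signThenEncrypt(byte[] msg, PrivateKey own, PublicKey peer) throws GeneralSecurityException {
        Signature signer = Signature.getInstance(SIG_ALG);
        signer.initSign(own);
        signer.update(msg);
        Cipher enc = Cipher.getInstance(ENC_ALG);
        enc.init(Cipher.ENCRYPT_MODE, peer);
        return new byte[][] { signer.sign(), enc.doFinal(msg) };
    }

    /** Server side: decrypts, then checks the signature over the recovered bytes; null means the check failed. */
    static byte[] decryptThenVerify(byte[] sig, byte[] ct, PrivateKey own, PublicKey peer) throws GeneralSecurityException {
        Cipher dec = Cipher.getInstance(ENC_ALG);
        dec.init(Cipher.DECRYPT_MODE, own);
        byte[] msg = dec.doFinal(ct);
        Signature verifier = Signature.getInstance(SIG_ALG);
        verifier.initVerify(peer);
        verifier.update(msg);
        return verifier.verify(sig) ? msg : null;          // false here plays the role of the digest mismatch in Reference.verify()
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair client = newRsaKeyPair(), server = newRsaKeyPair();
        byte[] msg = "<getQuote>ACME</getQuote>".getBytes(StandardCharsets.UTF_8); // constructed sample payload
        byte[][] out = signThenEncrypt(msg, client.getPrivate(), server.getPublic());
        byte[] ok = decryptThenVerify(out[0], out[1], server.getPrivate(), client.getPublic());
        System.out.println("intact message verifies: " + Arrays.equals(msg, ok));
        // Alter one byte of the signed content after signing (as a transforming interceptor or re-serialisation would).
        byte[] tampered = msg.clone();
        tampered[1] ^= 0x20;
        Cipher enc = Cipher.getInstance(ENC_ALG);
        enc.init(Cipher.ENCRYPT_MODE, server.getPublic());
        byte[] bad = decryptThenVerify(out[0], enc.doFinal(tampered), server.getPrivate(), client.getPublic());
        System.out.println("tampered message verifies: " + (bad != null));
    }
}
```

When the signed SOAP body is changed between signing and verification (for example by an interceptor that re-serialises the message), the recomputed digest differs from the one in DigestValue exactly as the second run above shows.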