Greetings,
I'm trying to implement Spring WS Security using XwsSecurityInterceptor on both the server side and the client side. The problem that I'm having is with signature verification. The xws-security module seems to be coming up with different signatures for the exact same data, and I can't figure out why.
Here is the pertinent data from the client side logs:
Code:
FINE: Signing with key: Sun RSA private CRT key, 2048 bits
  modulus: 19268414009502364593678986386433586776907709821264660524153781172975472972207456682483320344847922946655155846923457222890512204327581069998869532217887521958508953168422488512183934812306862130899629280095407354530830174738673481767970812931311831879386096632467492430834216304085848620060515985079968223162475157644796292656455916409552929593908423569994810400253145749522191964980336626587754739064026982785315902053983259119689746579083631716740830039981900775688008702517471154260085543730481638958321469421419773859825545544699030152481044315791041714040827876531613935266855562745706615880237808103211630866303
  public exponent: 65537
FINE: Data to be signed/verified:PGRzOlNpZ25lZEluZm8geG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNp
ZyMiPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5v
cmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIj48L2RzOkNhbm9uaWNhbGl6YXRpb25NZXRob2Q+PGRz
OlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1s
ZHNpZyNyc2Etc2hhMSI+PC9kczpTaWduYXR1cmVNZXRob2Q+PGRzOlJlZmVyZW5jZSBVUkk9IiNY
V1NTR0lELTEyMzgwOTc4ODM3MTQyMTkwMTEyNzMiPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGht
PSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSI+PC9kczpEaWdlc3RNZXRo
b2Q+PGRzOkRpZ2VzdFZhbHVlPlZXK0NPS0xQUzlYQ0FkaGNFNGlaL1pCL1BUTT08L2RzOkRpZ2Vz
dFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz4=
...
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>VW+COKLPS9XCAdhcE4iZ/ZB/PTM=</ds:DigestValue>

Pertinent data from the server side logs
Code:
FINE: verifying with key: Sun RSA public key, 2048 bits
  modulus: 19268414009502364593678986386433586776907709821264660524153781172975472972207456682483320344847922946655155846923457222890512204327581069998869532217887521958508953168422488512183934812306862130899629280095407354530830174738673481767970812931311831879386096632467492430834216304085848620060515985079968223162475157644796292656455916409552929593908423569994810400253145749522191964980336626587754739064026982785315902053983259119689746579083631716740830039981900775688008702517471154260085543730481638958321469421419773859825545544699030152481044315791041714040827876531613935266855562745706615880237808103211630866303
  public exponent: 65537
...
ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#XWSSGID-1238097883714219011273"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>VW+COKLPS9XCAdhcE4iZ/ZB/PTM=</ds:DigestValue></ds:Reference></ds:SignedInfo>
...
FINE: Data to be signed/verified:PGRzOlNpZ25lZEluZm8geG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNp
ZyMiPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5v
cmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIj48L2RzOkNhbm9uaWNhbGl6YXRpb25NZXRob2Q+PGRz
OlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1s
ZHNpZyNyc2Etc2hhMSI+PC9kczpTaWduYXR1cmVNZXRob2Q+PGRzOlJlZmVyZW5jZSBVUkk9IiNY
V1NTR0lELTEyMzgwOTc4ODM3MTQyMTkwMTEyNzMiPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGht
PSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSI+PC9kczpEaWdlc3RNZXRo
b2Q+PGRzOkRpZ2VzdFZhbHVlPlZXK0NPS0xQUzlYQ0FkaGNFNGlaL1pCL1BUTT08L2RzOkRpZ2Vz
dFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz4=
...
INE: Expected digest: VW+COKLPS9XCAdhcE4iZ/ZB/PTM=
Mar 26, 2009 1:04:45 PM org.jcp.xml.dsig.internal.dom.DOMReference validate
FINE: Actual digest: xkXPBLrSLsh+93gH83x+ttM2WII=
Mar 26, 2009 1:04:45 PM org.jcp.xml.dsig.internal.dom.DOMXMLSignature validate
FINE: Reference[#XWSSGID-1238097883714219011273] is valid: false
Mar 26, 2009 1:04:45 PM org.jcp.xml.dsig.internal.dom.DOMXMLSignature validate
FINE: Couldn't validate the References

As you can see, it seems both the client and the server digest the exact same data and come up with different results. Both sides of this message are using the exact same libraries. I'm sure I'm missing something; I just can't tell what it is I'm missing.
Here's my securityPolicy.xmls
Code:
Client:
<xwss:SecurityConfiguration dumpMessages="true" xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    <xwss:Sign includeTimestamp="false"/>
</xwss:SecurityConfiguration>

Server:
<xwss:SecurityConfiguration dumpMessages="true" xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    <xwss:RequireSignature requireTimestamp="false"/>
</xwss:SecurityConfiguration>

Here's the pertinent info from the applicationContexts:
Code:
SERVER side:
<bean id="keyStoreHandler" class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
    <property name="keyStore" ref="keyStore"/>
    <property name="trustStore" ref="trustStore"/>
    <!-- This is only required if I'm encrypting or signing messages -->
    <property name="privateKeyPassword" value="1qaz!QAZ"/>
</bean>

<bean id="trustStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
    <property name="location" value="classpath:/TrustStore"/>
    <property name="password" value="1qaz!QAZ"/>
</bean>

<bean id="keyStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
    <property name="location" value="classpath:/ACSServerStore"/>
    <property name="password" value="1qaz!QAZ"/>
</bean>

<bean id="wsSecurityInterceptor" class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
    <property name="policyConfiguration" value="classpath:/securityPolicy.xml"/>
    <property name="callbackHandlers">
        <list>
            <ref bean="keyStoreHandler"/>
            <ref bean="springSecurityCertificateHandler"/>
        </list>
    </property>
</bean>

CLIENT SIDE:
<bean id="webServiceTemplate" class="org.springframework.ws.client.core.WebServiceTemplate">
    <constructor-arg ref="messageFactory"/>
    <property name="defaultUri" value="https://johna.ccbill.com:8443/AuthControlService/"/>
    <property name="marshaller" ref="marshaller"/>
    <property name="unmarshaller" ref="marshaller"/>
    <property name="interceptors">
        <list>
            <ref bean="securityInterceptor"/>
        </list>
    </property>
    <property name="messageSender">
        <bean class="org.springframework.ws.transport.http.CommonsHttpMessageSender">
        </bean>
    </property>
</bean>

<bean id="securityInterceptor" class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
    <property name="policyConfiguration" value="classpath:/com/ccbill/acs/tests/securityPolicy.xml"/>
    <property name="callbackHandlers">
        <list>
            <ref bean="keyStoreHandler"/>
        </list>
    </property>
</bean>

<bean id="keyStoreHandler" class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
    <property name="keyStore" ref="keyStore"/>
    <property name="trustStore" ref="trustStore"/>
    <property name="privateKeyPassword" value="1qaz!QAZ"/>
    <property name="defaultAlias" value="dbclient"/>
</bean>

<bean id="keyStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
    <property name="location" value="classpath:/com/ccbill/acs/tests/DBClientStore"/>
    <property name="password" value="1qaz!QAZ"/>
</bean>

<bean id="trustStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
    <property name="location" value="classpath:/TrustStore"/>
    <property name="password" value="1qaz!QAZ"/>
</bean>
Any help or ideas are appreciated.


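Added example, not part of the original post and not xws-security code: in the server log the failing step is the Reference check (`Expected digest` vs `Actual digest`), while the `Data to be signed/verified` blob is the SignedInfo, which only carries the expected digest. The Python sketch below reproduces that split with constructed sample XML (hypothetical namespace and Id), using the standard library's C14N 2.0 as a stand-in for the xml-exc-c14n named in the log.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

def c14n(xml_text):
    # Stand-in canonicalizer: the stdlib implements C14N 2.0, not the
    # xml-exc-c14n named in the page's SignedInfo. Both keep whitespace text.
    return ET.canonicalize(xml_text).encode("utf-8")

def digest_b64(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def signed_info_b64(uri, element_xml):
    # What the signer logs as "Data to be signed/verified": SignedInfo only
    # carries the digest of the referenced element, never the element itself.
    signed_info = (
        f'<ds:SignedInfo xmlns:ds="{DS}"><ds:Reference URI="{uri}">'
        f'<ds:DigestMethod Algorithm="{DS}sha1"></ds:DigestMethod>'
        f"<ds:DigestValue>{digest_b64(c14n(element_xml))}</ds:DigestValue>"
        "</ds:Reference></ds:SignedInfo>"
    )
    return base64.b64encode(signed_info.encode("utf-8")).decode("ascii")

def check_reference(si_b64, received_element_xml):
    # Verifier side: read the expected digest out of SignedInfo, recompute
    # the digest over the element that actually arrived, and compare.
    signed_info = ET.fromstring(base64.b64decode(si_b64))
    ref = signed_info.find(f"{{{DS}}}Reference")
    expected = ref.find(f"{{{DS}}}DigestValue").text
    actual = digest_b64(c14n(received_element_xml))
    return ref.get("URI"), expected, actual, expected == actual

# Constructed sample elements (hypothetical namespace and Id).
SENT = '<Body xmlns="urn:example" Id="XWSSGID-0"><ping>1</ping></Body>'
# Attribute order and quote style differ: canonicalization removes this.
REQUOTED = "<Body Id='XWSSGID-0' xmlns='urn:example'><ping>1</ping></Body>"
# Re-indented on the way in: the new whitespace is part of the digest input.
REINDENTED = '<Body xmlns="urn:example" Id="XWSSGID-0">\n  <ping>1</ping>\n</Body>'

if __name__ == "__main__":
    si = signed_info_b64("#XWSSGID-0", SENT)
    for name, xml in [("sent", SENT), ("requoted", REQUOTED), ("reindented", REINDENTED)]:
        print(name, check_reference(si, xml))
```

The SignedInfo bytes are identical in all three checks; only the element resolved from the Reference URI decides whether the digest matches, so the thing to compare between client and server is the referenced element as each side sees it.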