I use WSO2 to digitally sign and encrypt a message:
The web service is deployed on weblogic and is expecting a SAML token, and the body and headers and to be signed and ecrypted.
Scenario 1 : Use stand along axis api's (1.6.2 +) to generate a web service client for the wsdl with a policy expecting SAML token. The code generates a digitally signed and encrypted SOAP envelop, hits the endpoint and the result is returned successfully.
<ds:Reference URI="#c4243cf4c8b6b8d6bc6570af5c0573e6">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse wsu soapenv" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>lWQgTrlIVeFKWqT1ktPs0/kK3tQ=</ds:DigestValue>
</ds:Reference>
Scenario 2: Use the same code from Scenario 1 from within WSO2 ESB 4.7, the above client goes as a class mediator and WSO2 ESB jars are used. The request SOAP envelope is perfectly signed and ecrypted except a change in XML syntax.
<ds:Reference URI="#Id-2003921168">
<ds:Transforms>
<ds:Transform
Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
<wsse:TransformationParameters>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</wsse:TransformationParameters>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>mfNA+3ZPnCMzS2Y0TJ1GsYcdHNE=</ds:DigestValue>
</ds:Reference>
There seems to be a difference in the signatures generated in the two scenarios. Is WSO2 ESB implementation of XML security different from that of standalone apache XML security implementation ?
The SOAP envelope generated from scenario fails to get validated for this signature at the weblogic webserver and throws SOAP fault with the following stack trace:
<?xml version="1.0" encoding="utf-8"?><env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Body><env:Fault><faultcode>env:Server</faultcode><faultstring>Failed to validate signature.</faultstring><detail><bea_fault:stacktrace xmlns:bea_fault="http://www.bea.com/servers/wls70/webservice/fault/1.0.0">weblogic.xml.crypto.wss.WSSecurityException: Failed to validate signature.
at weblogic.xml.crypto.wss.SecurityImpl.unmarshalAndProcessSignature(SecurityImpl.java:740)
at weblogic.xml.crypto.wss.SecurityImpl.unmarshalAndProcessSignature(SecurityImpl.java:689)
at weblogic.xml.crypto.wss.SecurityImpl.unmarshalChildren(SecurityImpl.java:544)
at weblogic.xml.crypto.wss.SecurityImpl.unmarshalInternal(SecurityImpl.java:450)
Caused by: weblogic.xml.crypto.dsig.api.XMLSignatureException
at weblogic.xml.crypto.wss.STRTransform.transform(STRTransform.java:303)
at weblogic.xml.crypto.dsig.ReferenceUtils.applyTransforms(ReferenceUtils.java:49)
at weblogic.xml.crypto.dsig.ReferenceImpl.createDigest(ReferenceImpl.java:161)
Caused by: weblogic.xml.crypto.wss.WSSecurityException: No token handler found for null
at weblogic.xml.crypto.wss.WSSecurityContext.getRequiredTokenHandler(WSSecurityContext.java:410)
at weblogic.xml.crypto.wss.STRTransform.transform(STRTransform.java:193)
Caused by: weblogic.xml.crypto.dsig.api.XMLSignatureException
at weblogic.xml.crypto.wss.STRTransform.transform(STRTransform.java:303)
at weblogic.xml.crypto.dsig.ReferenceUtils.applyTransforms(ReferenceUtils.java:49)
at weblogic.xml.crypto.dsig.ReferenceImpl.createDigest(ReferenceImpl.java:161)
at weblogic.xml.crypto.dsig.ReferenceImpl.validate(ReferenceImpl.java:116)
at weblogic.xml.crypto.dsig.XMLSignatureImpl.validate(XMLSignatureImpl.java:256)
The web service policy file used is:
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:All>
<ns1:AsymmetricBinding
xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<ns1:InitiatorToken>
<wsp:Policy>
<ns1:X509Token
ns1:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<ns1:WssX509V3Token10 />
</wsp:Policy>
</ns1:X509Token>
</wsp:Policy>
</ns1:InitiatorToken>
<ns1:RecipientToken>
<wsp:Policy>
<ns1:X509Token
ns1:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<ns1:WssX509V3Token10 />
</wsp:Policy>
</ns1:X509Token>
</wsp:Policy>
</ns1:RecipientToken>
<ns1:AlgorithmSuite>
<wsp:Policy>
<ns1:Basic256 />
</wsp:Policy>
</ns1:AlgorithmSuite>
<ns1:Layout>
<wsp:Policy>
<ns1:Lax />
</wsp:Policy>
</ns1:Layout>
<ns1:IncludeTimestamp />
<ns1:ProtectTokens />
<ns1:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</ns1:AsymmetricBinding>
<ns2:SignedSupportingTokens
xmlns:ns2="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<ns2:IssuedToken
ns2:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<ns2:Issuer>
<Address xmlns="http://www.w3.org/2005/08/addressing">https://HYD-69ZRV01-L:6002/standalonests/SamlSTS
</Address>
</ns2:Issuer>
<ns2:RequestSecurityTokenTemplate>
<t:TokenType xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">urn:oasis:names:tc:SAML:1.0:assertion
</t:TokenType>
</ns2:RequestSecurityTokenTemplate>
<wsp:Policy>
<ns2:RequireInternalReference />
</wsp:Policy>
</ns2:IssuedToken>
</wsp:Policy>
<wsp:Policy>
<ns2:SamlToken
ns2:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<ns2:WssSamlV11Token10 />
</wsp:Policy>
</ns2:SamlToken>
</wsp:Policy>
</ns2:SignedSupportingTokens>
<!--
<ns2:SignedSupportingTokens
xmlns:ns2="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<ns2:SamlToken
ns2:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<ns2:WssSamlV11Token10 />
</wsp:Policy>
</ns2:SamlToken>
</wsp:Policy>
</ns2:SignedSupportingTokens>
-->
<ns3:Wss10 xmlns:ns3="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<ns3:MustSupportRefKeyIdentifier />
<ns3:MustSupportRefIssuerSerial />
</wsp:Policy>
</ns3:Wss10>
<ns4:EncryptedParts
xmlns:ns4="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<ns4:Body />
</ns4:EncryptedParts>
<ns5:SignedParts
xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<ns5:Body />
</ns5:SignedParts>
</wsp:All>
</wsp:Policy>
Thanks.
