The signature or decryption was invalid when verifying with cxf

6.8k views Asked by At

I am following cxf sample to verify the signature, unfortunately I got following error " org.apache.wss4j.common.ext.WSSecurityException: The signature or decryption was invalid"

I've tried many days and don't find any solution.

spring configuration:

<?xml version="1.0" encoding="UTF-8"?><beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:int="http://www.springframework.org/schema/integration"
xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:jaxrs="http://cxf.apache.org/jaxrs"

xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/integration http://www.springframework.org/schema/integration/spring-integration-3.0.xsd
    http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">

<import resource="classpath*:META-INF/cxf/cxf.xml" />
<!-- <import resource="classpath*:META-INF/cxf/cxf-extension-soap.xml" /> -->
<!-- <import resource="classpath*:META-INF/cxf/cxf-servlet.xml" /> -->


<jaxws:endpoint id="billingWs"
    implementor="com.npp.ws.soap.BillingWS" address="/BillingWs">
    <jaxws:features>
        <bean class="org.apache.cxf.feature.LoggingFeature" />
    </jaxws:features>
    <jaxws:inInterceptors>
        <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
            <constructor-arg>
                <map>
                    <entry key="action" value="Signature Timestamp" />
                    <entry key="signaturePropFile" value="server_sign.properties" />
                    <entry key="passwordCallbackClass" value="server.ServerPasswordCallback" />
                </map>
            </constructor-arg>
        </bean>
        <bean class="org.apache.cxf.ws.security.wss4j.DefaultCryptoCoverageChecker" />
    </jaxws:inInterceptors>

</jaxws:endpoint>

pom

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.samples.service.service</groupId>
<artifactId>cxftest</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>war</packaging>

<properties>

    <!-- Generic properties -->
    <java.version>1.6</java.version>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
    <servlet.version>2.5</servlet.version>
    <!-- Spring -->
    <spring-framework.version>3.2.3.RELEASE</spring-framework.version>
    <logback.version>1.0.13</logback.version>
    <slf4j.version>1.7.5</slf4j.version>
    <cxf.version>3.1.1</cxf.version>
</properties>
<dependencies>
    <!-- Logging with SLF4J & LogBack -->
    <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-api</artifactId>
        <version>${slf4j.version}</version>
        <scope>compile</scope>
    </dependency>
    <dependency>
        <groupId>ch.qos.logback</groupId>
        <artifactId>logback-classic</artifactId>
        <version>${logback.version}</version>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-web</artifactId>
        <version>${spring-framework.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apache.cxf</groupId>
        <artifactId>cxf-rt-frontend-jaxws</artifactId>
        <version>${cxf.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apache.cxf</groupId>
        <artifactId>cxf-rt-transports-http</artifactId>
        <version>${cxf.version}</version>
    </dependency>

    <dependency>
        <groupId>org.apache.cxf</groupId>
        <artifactId>cxf-rt-ws-security</artifactId>
        <version>${cxf.version}</version>
    </dependency>

</dependencies>

and the saop request

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
    <wsse:Security soap:mustUnderstand="1"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <ds:Signature Id="Signature-377" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod
                    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" />
                <ds:Reference URI="#id-378">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>1ZFZORXkYPbowBDc3Lg+Netl2hU=</ds:DigestValue>
                </ds:Reference>
                <ds:Reference URI="#Timestamp-376">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>bMO8RXVgtRWyxyoxyY1IwHKY3Z8=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>QbizkdCQosjgfy2HUhX7LqxsIEQiDAGgamNfZTGFHPvqyynJ1Tm9iA==</ds:SignatureValue>
            <ds:KeyInfo Id="KeyId-F19E25F47A63BAEC351364893623867377">
                <wsse:SecurityTokenReference
                    wsu:Id="STRId-F19E25F47A63BAEC351364893623867378"
                    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                    <ds:X509Data>
                        <ds:X509IssuerSerial>
                            <ds:X509IssuerName>CN=localhost,OU=Eng,O=G,L=Boulder,ST=CO,C=US</ds:X509IssuerName>
                            <ds:X509SerialNumber>1317155816</ds:X509SerialNumber>
                        </ds:X509IssuerSerial>
                    </ds:X509Data>
                </wsse:SecurityTokenReference>
            </ds:KeyInfo>
        </ds:Signature>
        <wsu:Timestamp wsu:Id="Timestamp-376"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsu:Created>2013-04-02T09:07:03.867Z</wsu:Created>
            <wsu:Expires>2013-04-02T09:17:03.867Z</wsu:Expires>
        </wsu:Timestamp>
    </wsse:Security>
</soap:Header>
<soap:Body wsu:Id="id-378"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <ns1:Echo xmlns:ns1="http://www.test.com/billing">
        <parameters>
            <Version>3</Version>
            <CorrelationId>b9da054b2f0c493e9633fc527de7055a</CorrelationId>
            <Message>Hello user.</Message>
        </parameters>
    </ns1:Echo>
</soap:Body>

2

There are 2 answers

0
Colm O hEigeartaigh On

Enable debug logging - it will tell you exactly where signature validation failed.

0
reinier On

I suggest you to enable debugging with

System.setProperty("javax.net.debug","ssl");

... or in your call to the vm with -Djavax.net.debug=ssl

That way you will see the exact point where the signature failed