How to get a WS-Security certificate that will be accepted by a Java application

So, I've been struggling with WS-Security for some time, slowly moving forward. First let me briefly describe my installation. I have a Java application running in Tomcat that offers a web service endpoint (using Spring). I want incoming messages to be signed. I am testing with SoapUI. So after a long struggle, I got the server checking incoming messages for a signature, and I also got SoapUI to sign outgoing messages. However, the server continues to reject the certificate, and I'm not sure whether I am doing something wrong, that is, whether I am sending incorrect certificate information with my test requests, or whether I do not have the correct certificate in the trust store. The following is an example request:

    <soapenv:Envelope xmlns="http://movilitas.com/movilizer/v7" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wsu:Timestamp wsu:Id="Timestamp-7" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsu:Created>2011-06-30T12:51:33.407Z</wsu:Created>
            <wsu:Expires>2011-06-30T12:53:13.407Z</wsu:Expires>
          </wsu:Timestamp>
          <ds:Signature Id="Signature-6" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <ds:Reference URI="#id-2">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>OiRQ2oXbajnnrSGsbOALT2i6brs=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>fmtFMSccFcwEfL1M8qgQ...</ds:SignatureValue>
            <ds:KeyInfo Id="KeyId-C3B38A939F7D63D51F13094382933988">
              <wsse:SecurityTokenReference wsu:Id="STRId-C3B38A939F7D63D51F13094382933989" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3SubjectKeyIdentifier">MIICbzCCAdgCAQEwDQ...</wsse:KeyIdentifier>
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
          </ds:Signature>
        </wsse:Security>
      </soapenv:Header>
      <soapenv:Body wsu:Id="id-2" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        [...]
      </soapenv:Body>
    </soapenv:Envelope>

Now, the content I am sending is the same as what I get when I export the certificate from my trust store (the base64-encoded version of the certificate). The error I get when sending the request is as follows:

    Jul 5, 2011 4:42:23 PM com.sun.xml.wss.impl.dsig.KeySelectorImpl resolve
    SEVERE: WSS1353: Error occurred while resolving key information
    com.sun.xml.wss.XWSSecurityException: No Matching public key for MIICbzCCAdgCAQEwDQ... subject key identifier found
        at com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.getCertificate(DefaultSecurityEnvironmentImpl.java:617)
        at com.sun.xml.wss.impl.dsig.KeySelectorImpl.resolve(KeySelectorImpl.java:385)
        at com.sun.xml.wss.impl.dsig.KeySelectorImpl.select(KeySelectorImpl.java:232)
        ...

Am I missing something? Something big? Or something small? Is this what I actually have to send as the KeyIdentifier? Any help would be appreciated!

+6

1 answer

You do not send the certificate itself, but only a reference to the certificate: the key identifier. You must either store your partners' public certificates in a trust store (key store), or you must include a BinarySecurityToken inside your message. For more details see http://www.oasis-open.org/committees/download.php/16785/wss-v1.1-spec-os-x509TokenProfile.pdf, section 3.3.2.

+7
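An added example (Python, standard library only; not code from the question, the answer, XWSS or SoapUI) that puts the answer's two options side by side. It decodes the first characters of the KeyIdentifier value exactly as posted in the question, tells a Subject Key Identifier apart from a whole DER certificate, derives the SKI that a trust-store lookup by X509v3SubjectKeyIdentifier matches on, and emits the two KeyInfo shapes: reference-only (certificate must already be in the server's trust store) and BinarySecurityToken plus direct Reference. The SubjectPublicKeyInfo it derives an SKI from is constructed around a toy modulus that is not a real key, and the DER helpers are hypothetical minimal ones written for this example. Decoding the posted prefix gives the bytes 30 82 02 6f 30 82 01 d8 02 01 01 30 0d, i.e. a Certificate SEQUENCE whose TBSCertificate starts directly with the INTEGER serial number rather than a [0] version field, which is an X.509 v1 certificate; v1 certificates cannot carry a SubjectKeyIdentifier extension, so a lookup keyed on that extension has nothing to match (whether a given stack falls back to hashing the public key instead is implementation-specific).

```python
import base64
import hashlib

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
X509_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
ET_BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
VT_SKI = X509_PROFILE + "#X509v3SubjectKeyIdentifier"
VT_X509V3 = X509_PROFILE + "#X509v3"

# First characters of the KeyIdentifier value exactly as posted in the question (truncated there).
POSTED_KEY_IDENTIFIER = "MIICbzCCAdgCAQEwDQ"
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
SAMPLE_MODULUS = 2**127 + 12345                       # constructed toy value, not a usable RSA key


def der(tag, content):
    """Minimal DER TLV encoder (hypothetical helper; definite lengths only)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_integer(value):
    # (bit_length + 8) // 8 keeps a leading 0x00 octet when the top bit is set
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def der_tlv(data, offset=0):
    """Read one DER tag/length at offset; returns (tag, content_start, content_end)."""
    tag, length, pos = data[offset], data[offset + 1], offset + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def classify_raw(raw):
    """What kind of value was put inside <wsse:KeyIdentifier>?"""
    if len(raw) == 20:                        # RFC 5280 method (1) SKI is a 20-byte SHA-1 digest
        return "subject-key-identifier"
    try:
        tag, start, _ = der_tlv(raw)          # Certificate ::= SEQUENCE
        if tag != 0x30:
            return "unknown"
        tag, start, _ = der_tlv(raw, start)   # tbsCertificate ::= SEQUENCE
        if tag != 0x30:
            return "unknown"
        first = raw[start]
    except IndexError:
        return "unknown"
    if first == 0xA0:                         # [0] EXPLICIT version present -> v2/v3 certificate
        return "x509-certificate-v3"
    if first == 0x02:                         # serialNumber comes first -> v1, no extensions possible
        return "x509-certificate-v1"
    return "unknown"


def classify_key_identifier(b64_value):
    text = "".join(b64_value.split())
    return classify_raw(base64.b64decode(text + "=" * (-len(text) % 4)))


def ski_from_spki(spki_der):
    """RFC 5280 4.2.1.2 method (1): SHA-1 over the subjectPublicKey BIT STRING value
    (tag, length and unused-bits octet excluded). CAs using method (1) put exactly
    these bytes into the SubjectKeyIdentifier extension the trust store is keyed on."""
    _, start, _ = der_tlv(spki_der)                      # SubjectPublicKeyInfo ::= SEQUENCE
    _, _, alg_end = der_tlv(spki_der, start)             # algorithm AlgorithmIdentifier
    tag, bs_start, bs_end = der_tlv(spki_der, alg_end)   # subjectPublicKey BIT STRING
    if tag != 0x03:
        raise ValueError("expected BIT STRING subjectPublicKey")
    return hashlib.sha1(spki_der[bs_start + 1:bs_end]).digest()


def sample_spki():
    """Constructed SubjectPublicKeyInfo around the toy modulus (structure only)."""
    rsa_public_key = der(0x30, der_integer(SAMPLE_MODULUS) + der_integer(65537))
    algorithm = der(0x30, RSA_OID + b"\x05\x00")
    return der(0x30, algorithm + der(0x03, b"\x00" + rsa_public_key))


def keyinfo_by_ski(ski):
    """Option 1 from the answer: send only a reference; the receiver must already hold
    the signer's certificate in its trust store and be able to find it by this SKI."""
    return (f'<ds:KeyInfo xmlns:ds="{DS}" xmlns:wsse="{WSSE}"><wsse:SecurityTokenReference>'
            f'<wsse:KeyIdentifier EncodingType="{ET_BASE64}" ValueType="{VT_SKI}">'
            f'{base64.b64encode(ski).decode()}</wsse:KeyIdentifier>'
            '</wsse:SecurityTokenReference></ds:KeyInfo>')


def token_and_keyinfo_by_bst(cert_der, token_id="X509-1"):
    """Option 2: carry the whole certificate in a BinarySecurityToken (placed inside
    <wsse:Security> before <ds:Signature>) and point at it with a direct Reference.
    The receiver still has to validate the embedded certificate against its trust store."""
    token = (f'<wsse:BinarySecurityToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" wsu:Id="{token_id}" '
             f'EncodingType="{ET_BASE64}" ValueType="{VT_X509V3}">'
             f'{base64.b64encode(cert_der).decode()}</wsse:BinarySecurityToken>')
    keyinfo = (f'<ds:KeyInfo xmlns:ds="{DS}" xmlns:wsse="{WSSE}"><wsse:SecurityTokenReference>'
               f'<wsse:Reference URI="#{token_id}" ValueType="{VT_X509V3}"/>'
               '</wsse:SecurityTokenReference></ds:KeyInfo>')
    return token, keyinfo


if __name__ == "__main__":
    print("posted KeyIdentifier holds:", classify_key_identifier(POSTED_KEY_IDENTIFIER))  # x509-certificate-v1
    print(keyinfo_by_ski(ski_from_spki(sample_spki())))
    posted_prefix = base64.b64decode(POSTED_KEY_IDENTIFIER + "==")  # truncated bytes from the question
    print(*token_and_keyinfo_by_bst(posted_prefix), sep="\n")
```

Run against the value from the question, the classifier reports a v1 certificate, which explains why a KeyIdentifier typed as X509v3SubjectKeyIdentifier cannot resolve it. In practice the SKI to put in option 1 should be read from the certificate's SubjectKeyIdentifier extension (keytool -list -v shows it) rather than recomputed, since not every CA uses method (1); when the extension is absent, as with a v1 certificate, option 2 or a different reference type is the way out.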

Source: https://habr.com/ru/post/892040/
