[jira] [Created] (CXF-8586) Signatures created with CXF are sometimes rejected by third party system

Wed, 25 Aug 2021 10:05:06 -0700 

Tor Ranfelt created CXF-8586:
--------------------------------

             Summary: Signatures created with CXF are sometimes rejected by 
third party system
                 Key: CXF-8586
                 URL: https://issues.apache.org/jira/browse/CXF-8586
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 3.4.4
            Reporter: Tor Ranfelt


I make soap-requests to a system which sometimes will reject my requests due to 
"The signature verification failed". When this happens it goes on for a long 
while (maybe a whole day), and then suddenly it will work again. - The cause is 
probably in the other system, but just maybe there is something about CXF 3.4.4 
that could cause this.

So between it working and not working the certificates haven't changed, and the 
only thing having changed about the body getting signatured is 
"<TransaktionTid>2021-08-11T11:09:05.083+02:00</TransaktionTid>" - 
"TransaktionTid" means "transaction-time"

 

Before the issue appeared I was running with CXF 3.3.7 on Java 1.8 (version 
1.8.0.282) with the following CXF dependencies:
org.apache.cxf:cxf-rt-frontend-jaxws:3.3.7
org.apache.cxf:cxf-rt-ws-security:3.3.7
org.apache.cxf:cxf-rt-transports-http:3.3.7
org.apache.cxf:cxf-rt-features-logging:3.3.7


When the issue appeared I was running with CXF 3.4.4 on Java 11 (version 
11.0.11.0.9) with the following CXF dependencies:
org.apache.cxf:cxf-rt-frontend-jaxws:3.4.4
org.apache.cxf:cxf-rt-ws-security:3.4.4
org.apache.cxf:cxf-rt-transports-http:3.4.4
org.apache.cxf:cxf-rt-features-logging:3.4.4

In order to run CXF on Java 11 I also needed the following dependencies 
(because they no longer are part of JRE):
javax.xml.ws:jaxws-api:2.3.1
javax.jws:javax.jws-api:1.1
com.sun.xml.messaging.saaj:saaj-impl:1.5.3


An example of a rejected request and the response informing me of the rejection 
(some information has been replaced with "MANUALLY-REMOVED"):

Request:
 Address: MANUALLY-REMOVED
 HttpMethod: POST
 Content-Type: text/xml
 ExchangeId: 8a6f38de-b8e4-421c-94e1-f286ff04414f
 ServiceName: PersonKontrolOplysningHentService
 PortName: PersonKontrolOplysningHentService
 PortTypeName: PersonKontrolOplysningHentServicePortType
 Headers: \{SOAPAction="", Accept=*/*}
 Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";>
 <soap:Header>
 <wsse:Security 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 soap:mustUnderstand="1">
 <wsu:Timestamp wsu:Id="TS-3642f69d-0b13-4f1d-a370-5bc536bebbed">
 <wsu:Created>2021-08-11T09:09:05.094Z</wsu:Created>
 <wsu:Expires>2021-08-11T09:14:05.094Z</wsu:Expires>
 </wsu:Timestamp>
 <wsse:BinarySecurityToken 
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
 
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
 
wsu:Id="X509-9eafd6ed-9e44-49f5-a1b4-ebb94936a3b6">MIIF/TCCBOWgAwIBAgIEXcMovzANBgkqhkiG9w0BAQsFADBAMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MR0wGwYDVQQDDBRUUlVTVDI0MDggT0NFUyBDQSBJVjAeFw0yMDA1MjIwOTM4MTFaFw0yMzA1MjIwOTM0MzFaMHMxCzAJBgNVBAYTAkRLMSowKAYDVQQKDCFCRVJOVCBSQU5GRUxUIEFwUyAvLyBDVlI6MzYwMjY1ODgxODAUBgNVBAMMDUJlcm50IFJhbmZlbHQwIAYDVQQFExlDVlI6MzYwMjY1ODgtUklEOjczODU0NDIyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyGpXep77P74MA5QqE2SsNKIiPpBxGbHtRxQ8ebiCwwr7KBs/aJzedywmkrHbmLFZFMaLZUR4NdVzumxwumchG9IZYrhxMTid0T46/TKCTbSl8UeFoxhaTm/wN5s8HyPCLP1hAX4JkU6ImN3eF42vdc6eAemRGrMAYjazbMqRayHU9X12Pzi0I1IO6ll2jv+ufjJA4PxaM21a+bojiqvG03PDMWw7YC5NaWwSRionjuEpZOexfYST4nv4zIYFMvryESnjAFm6y8Ol+Oo92nBM/BP5CB8wptlp5lChGKpHm4cb4csL4KI7nIBhoaY1eUNNe3AiBsb1xYhJabf1FmTM/QIDAQABo4ICyjCCAsYwDgYDVR0PAQH/BAQDAgP4MIGJBggrBgEFBQcBAQR9MHswNQYIKwYBBQUHMAGGKWh0dHA6Ly9vY3NwLmljYTA0LnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEIGCCsGAQUFBzAChjZodHRwOi8vbS5haWEuaWNhMDQudHJ1c3QyNDA4LmNvbS9vY2VzLWlzc3VpbmcwNC1jYS5jZXIwggFDBgNVHSAEggE6MIIBNjCCATIGCiqBUIEpAQEBAgYwggEiMC8GCCsGAQUFBwIBFiNodHRwOi8vd3d3LnRydXN0MjQwOC5jb20vcmVwb3NpdG9yeTCB7gYIKwYBBQUHAgIwgeEwEBYJVFJVU1QyNDA4MAMCAQEagcxGb3IgYW52ZW5kZWxzZSBhZiBjZXJ0aWZpa2F0ZXQgZ+ZsZGVyIE9DRVMgdmlsa+VyLCBDUFMgb2cgT0NFUyBDUCwgZGVyIGthbiBoZW50ZXMgZnJhIHd3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkuIEJlbeZyaywgYXQgVFJVU1QyNDA4IGVmdGVyIHZpbGvlcmVuZSBoYXIgZXQgYmVncuZuc2V0IGFuc3ZhciBpZnQuIHByb2Zlc3Npb25lbGxlIHBhcnRlci4wgZUGA1UdHwSBjTCBijAuoCygKoYoaHR0cDovL2NybC5pY2EwNC50cnVzdDI0MDguY29tL2ljYTA0LmNybDBYoFagVKRSMFAxCzAJBgNVBAYTAkRLMRIwEAYDVQQKDAlUUlVTVDI0MDgxHTAbBgNVBAMMFFRSVVNUMjQwOCBPQ0VTIENBIElWMQ4wDAYDVQQDDAVDUkw2NzAfBgNVHSMEGDAWgBRcu3ViFjKZqjaguJr7b6cMX/AK1TAdBgNVHQ4EFgQUVyPuwVzHUUgsQorDJVmSoVkuMiYwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEA0GztvM2UnAqaQqaQ0AALzT3R+erwPG3U6mF2jXWhONYKgPS5SLutKuwUOCwutTrH+m8rZzESOezBsTHwsT4EMbFnP/FnwKDNDf4RJodHqJqdFGzml3oafHxcy7aUrNHFLdJVlISqDq7g1UpLpaz08fY4QNHwrcvFUfDvaKBYik3MR0+Rlvh/+bk43hNDRIUSeL37vuQgsv86yXFUK/zs69Z220FCx9CsZM/ITJENosBAoGSjBFk5hcGyaMpk2CI2JcJHA4hFc+u2cnMbpn/itQtc28UvehX4WiITXJK4Y/boPxlh6mpxlQKH0dbJRCOGNeUQSbOxf/DaPEafCGWVsg==</wsse:BinarySecurityToken>
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"; 
Id="SIG-13997ab7-df26-43f3-98e4-7adcc915e0fc">
 <ds:SignedInfo>
 <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";>
 <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"; 
PrefixList="soap"/>
 </ds:CanonicalizationMethod>
 <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
 <ds:Reference URI="#id-d0003083-cd39-4c1b-9001-418996754365">
 <ds:Transforms>
 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
 </ds:Transforms>
 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
 <ds:DigestValue>6yqRKqb6yP0uGTAJ0VyCVigFWxM=</ds:DigestValue>
 </ds:Reference>
 </ds:SignedInfo>
 
<ds:SignatureValue>e5fdYtRHcNSG1A92GDXTWbUeYz7mo3CWU07uhBOTgPo+nVThkYHu2zD0FIVwG+nGML8LESr2CTsHupoFlMiH9vCfpW8LiprAufj7S7Ks6Use7VQZ1H57ERzfABmi41eUTejl8c6XD6vUK39KPqbuL8cJ6TWAsO7er4iJG4Ww01+Hd7fyqxFnw7dzN6/WT97NWJToDNt/GMFcaAWsZMMNEfW2M6GEhDgbggeWbPjGx6Fcq2ifaxtJWwX9KH2ENeJmXXvII/vj3YKch0MLRwjR5nckPcRKwzHrJhMh0RnzD/bF24E4w1DuKD99UKRd+p3isJgZVhSKG114TexBcQJUDg==</ds:SignatureValue>
 <ds:KeyInfo Id="KI-f2a30b8e-eaaa-4bb9-8294-f46c9d168a90">
 <wsse:SecurityTokenReference 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 wsu:Id="STR-7f863928-c2a6-485e-a466-d09b6b497082">
 <wsse:Reference URI="#X509-9eafd6ed-9e44-49f5-a1b4-ebb94936a3b6" 
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
 </wsse:SecurityTokenReference>
 </ds:KeyInfo>
 </ds:Signature>
 </wsse:Security>
 </soap:Header>
 <soap:Body 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 wsu:Id="id-d0003083-cd39-4c1b-9001-418996754365">
 <ns4:PersonKontrolOplysningHent_I 
xmlns="http://rep.oio.dk/skat.dk/basis/kontekst/xml/schemas/2006/09/01/"; 
xmlns:ns10="http://rep.oio.dk/skat.dk/eindkomst/class/alternativadresse/xml/schemas/20071202/";
 xmlns:ns11="http://rep.oio.dk/ebxml/xml/schemas/dkcc/2003/02/13/"; 
xmlns:ns12="http://rep.oio.dk/cvr.dk/xml/schemas/2005/03/22/"; 
xmlns:ns13="http://rep.oio.dk/cpr.dk/xml/schemas/core/2002/06/28/"; 
xmlns:ns14="http://rep.oio.dk/skat.dk/TSE/angivelse/xml/schemas/2006/09/01/"; 
xmlns:ns15="urn:oio:oib:oekonomiskat:1.1.0" 
xmlns:ns16="http://rep.oio.dk/xkom.dk/xml/schemas/2006/09/01/"; 
xmlns:ns17="http://rep.oio.dk/xkom.dk/xml/schemas/2007/04/15/"; 
xmlns:ns18="http://rep.oio.dk/xkom.dk/xml/schemas/2007/09/01/"; 
xmlns:ns19="http://rep.oio.dk/cpr.dk/xml/schemas/core/2005/05/19/"; 
xmlns:ns2="http://rep.oio.dk/cpr.dk/xml/schemas/core/2005/03/18/"; 
xmlns:ns3="http://rep.oio.dk/oib/dato.tid.maal/xml.schema/"; 
xmlns:ns4="urn:oio:skat:personskat:ws:1.0.0" 
xmlns:ns5="http://rep.oio.dk/skat.dk/eindkomst/class/adgangformaaltype/xml/schemas/20071202/";
 
xmlns:ns6="http://rep.oio.dk/skat.dk/motor/class/virksomhed/xml/schemas/20080401/";
 xmlns:ns7="http://rep.oio.dk/itst.dk/xml/schemas/2006/01/17/"; 
xmlns:ns8="urn:oio:skat:personskat:1.0.0" 
xmlns:ns9="http://rep.oio.dk/ebxml/xml/schemas/dkcc/2005/05/19/";>
 <HovedOplysninger>
 
<TransaktionIdentifikator>7d68917e-a3a0-4016-adb7-ad67aa28d052</TransaktionIdentifikator>
 <TransaktionTid>2021-08-11T11:09:05.083+02:00</TransaktionTid>
 </HovedOplysninger>
 <ns4:PersonAar>
 
<ns2:PersonCivilRegistrationIdentifier>MANUALLY-REMOVED</ns2:PersonCivilRegistrationIdentifier>
 <ns3:AarIdentifikator>2020</ns3:AarIdentifikator>
 </ns4:PersonAar>
 </ns4:PersonKontrolOplysningHent_I>
 </soap:Body>
</soap:Envelope>

 

Response:
<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Fault 
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/";><faultcode 
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/";>soapenv:Server.generalException</faultcode><faultstring>WSDoAllReceiver:
 security processing failed; nested exception is:
 org.apache.ws.security.WSSecurityException: The signature verification 
failed</faultstring><detail><ns1:hostname 
xmlns:ns1="http://xml.apache.org/axis/";>SKATVerifikationOCES_sktpcws01app02.csc.dk</ns1:hostname></detail></SOAP-ENV:Fault>

Any thought about what might be the cause?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to