[ogsa-wg] Fwd: [gt-user] GSI Secure Message: Signature or decryption invalid
Alan Sill
Alan.Sill at ttu.edu
Thu Mar 1 09:11:25 CST 2007
This question goes to the core of some of what we are talking about
in the OGSA Security design team discussions and AuthN-WG work
design. Comments are welcome.
Alan
Begin forwarded message:
> From: "Kleopatra Konstanteli" <kkonst at telecom.ntua.gr>
> Date: March 1, 2007 9:07:02 AM CST
> To: <gt-user at globus.org>
> Subject: RE: [gt-user] GSI Secure Message: Signature or decryption
> invalid
>
> Hi all,
>
>
>
> Does GT4’s implementation of Secure Message interoperate with
> WSRF.NET’s one? A paper about interoperability between different
> WSRF implementations
> (http://www.cs.virginia.edu/~humphrey/papers/WSRFComparison2005.pdf)
> specifies that there is no interoperability
> in terms of Secure Conversation because WSRF.NET builds upon WSE.
>
> Does the same apply for Secure Message since WSE is used for this
> purpose in WSRF.NET as well? Can anyone help me please?
>
>
>
> Thank you,
>
> Kleopatra
>
>
>
> From: owner-gt-user at globus.org [mailto:owner-gt-user at globus.org] On
> Behalf Of Kleopatra Konstanteli
> Sent: Tuesday, February 27, 2007 7:08 PM
> To: gt-user at globus.org
> Subject: [gt-user] GSI Secure Message: Signature or decryption invalid
>
>
>
> Hello all,
>
>
>
> When using a WSRF.NET client to invoke a secure GT4 service using
> WS-Security (WSE 3.0) I obtain the following error:
>
>
>
> System.Web.Services.Protocols.SoapException:
> SOAP-Fault code: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd:FailedCheck
> Message: The signature or decryption was invalid
> in System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
> in System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
> in MathService.MathServiceWse.subtract(Int32 subtractValue) in C:\SecurityTest\WSSecurityCertificatePolicyClient\Web References\MathService\Reference.cs:riga 128
> in WSSecurityCertificatePolicyClient.WSSecurityCertificateClient.Run() in C:\SecurityTest\WSSecurityCertificatePolicyClient\WSSecurityCertificateClient.cs:riga 110
> in WSSecurityCertificatePolicyClient.WSSecurityCertificateClient.Main(String[] args) in C:\SecurityTest\WSSecurityCertificatePolicyClient\WSSecurityCertificateClient.cs:riga 66…
>
>
>
>
>
> The secure GT4 service that is used is the one included in the
> examples from the Borja Sotomayor book “Globus Toolkit 4:
> Programming Java Services”. The certificate used is issued by an
> external CA that my GT4 installation has been configured to trust.
> When using a GT4 client there is no problem.
>
>
>
> The SOAP request that the .NET client sends out is the following:
>
>
>
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> <soap:Header>
> <wsa:Action wsu:Id="Id-5dc3847c-2b32-4c89-b221-ae6b51bda267">http://www.globus.org/namespaces/examples/MathService_instance_4op/MathPortType/subtractRequest</wsa:Action>
> <wsa:MessageID wsu:Id="Id-ef19c334-ea85-4261-b460-ac626331f9d7">urn:uuid:f0b89b6c-c8b3-4f40-8c5d-1f48bfa371d0</wsa:MessageID>
> <wsa:ReplyTo wsu:Id="Id-6ee907b3-2091-4209-859e-f60c58c52298"><wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address></wsa:ReplyTo>
> <wsa:To wsu:Id="Id-3ab411a1-538e-4bab-9467-c7d4d85cd2c3">http://147.102.19.157:8080/wsrf/services/examples/security/first/MathService</wsa:To>
> <wsse:Security soap:mustUnderstand="1">
> <wsu:Timestamp wsu:Id="Timestamp-4ac3ee2e-906e-43de-9ecc-f3795aaf2c5d">
> <wsu:Created>2007-02-27T14:44:57Z</wsu:Created>
> <wsu:Expires>2007-02-27T14:49:57Z</wsu:Expires></wsu:Timestamp>
> <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="SecurityToken-b7ff426b-cd9b-445f-b379-1d930ed5a40f">
>
> </wsse:BinarySecurityToken><Signature
> xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <Reference URI="#Id-5dc3847c-2b32-4c89-b221-ae6b51bda267">
> <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>3jg0oLM2rgwkCPp3/UEMzAJ0xqE=</DigestValue>
> </Reference>
> <Reference URI="#Id-ef19c334-ea85-4261-b460-ac626331f9d7">
> <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>kT5HUy3NKW7LxbJqw9KYysZ4WGc=</DigestValue>
> </Reference>
> <Reference URI="#Id-6ee907b3-2091-4209-859e-f60c58c52298">
> <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>9rjmjy+UPKyirXwsgowC448djOU=</DigestValue>
> </Reference>
> <Reference URI="#Id-3ab411a1-538e-4bab-9467-c7d4d85cd2c3">
> <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>hJ43DwpWlARhRsF3lgrscIuVmFw=</DigestValue></Reference>
> <Reference URI="#Timestamp-4ac3ee2e-906e-43de-9ecc-f3795aaf2c5d">
> <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>eGBpSN1gHvqLW99W/8qkWf7hchI=</DigestValue>
> </Reference>
> <Reference URI="#Id-7748d805-ccf9-4da8-b80b-855d9be2360f">
> <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>fcVl/3wkgtUHIpAt3b+IMC8HXCY=</DigestValue>
> </Reference></SignedInfo>
> <SignatureValue>It06wTUqrTtjkWmX8RKeQSPOgMyOiuE6hYlIKSHDVOBEzDeJnPCVsckp3hYg2r74rSczGAxxeh8/AjTvBXF9GKvZhfeid4jLTOP8P/4M32M/4qg8ZApIkk+65KvKJiREdYxzJCOAP4MLhU19/+vlLmV+WuaPbusK86EfJMJPivU=</SignatureValue>
> <KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#SecurityToken-b7ff426b-cd9b-445f-b379-1d930ed5a40f" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference></KeyInfo>
> </Signature></wsse:Security>
> </soap:Header><soap:Body wsu:Id="Id-7748d805-ccf9-4da8-b80b-855d9be2360f">
> <subtract xmlns="http://www.globus.org/namespaces/examples/MathService_instance_4op"><subtractValue xmlns="">3</subtractValue></subtract>
> </soap:Body></soap:Envelope>
>
>
>
> The error message is very vague. To the best of my knowledge, there
> is no problem with the certificate but with the signature. For some
> reason the reconstructed message doesn’t have the form that it
> should have and the signature check fails.
>
>
>
> Can anyone help me?
>
>
>
> Thank you in advance,
>
> Kleopatra
>
>
Alan Sill, Ph.D
TIGRE Senior Scientist, High Performance Computing Center
Adjunct Professor of Physics
TTU
====================================================================
: Alan Sill, Texas Tech University Office: Admin 233, MS 4-1167 :
: e-mail: Alan.Sill at ttu.edu ph. 806-742-4350 fax 806-742-4358 :
====================================================================
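
A structural first pass for a `FailedCheck` fault like the one in the forwarded message, as an added example that is not part of the original thread or of GT4 or WSE code: it confirms that every signed `Reference` and the `KeyInfo` token reference resolve to exactly one `wsu:Id`, and that the `Timestamp` window covers the receiver's clock. The `triage` function and the sample envelope are constructed for illustration; digests and the signature value are not recomputed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
NS = {"ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsse": WSS + "secext-1.0.xsd", "wsu": WSS + "utility-1.0.xsd"}
WSU_ID = "{%s}Id" % NS["wsu"]

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def triage(envelope_xml, now):
    """Return structural findings for a signed envelope (empty list = none)."""
    root = ET.fromstring(envelope_xml)
    by_id = {}
    for el in root.iter():
        if WSU_ID in el.attrib:
            by_id.setdefault(el.attrib[WSU_ID], []).append(el)
    findings = []
    # Signed parts and the key reference must each resolve to exactly one element.
    refs = root.findall(".//ds:SignedInfo/ds:Reference", NS)
    refs += root.findall(
        ".//ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    for ref in refs:
        target = ref.get("URI", "")[1:]  # drop the leading '#'
        hits = len(by_id.get(target, []))
        if hits != 1:
            findings.append("#%s resolves to %d elements" % (target, hits))
    # The receiver's clock must fall inside Created..Expires.
    created = root.findtext(".//wsu:Timestamp/wsu:Created", namespaces=NS)
    expires = root.findtext(".//wsu:Timestamp/wsu:Expires", namespaces=NS)
    if created and expires and not parse_ts(created) <= now <= parse_ts(expires):
        findings.append("timestamp window %s..%s does not include %s"
                        % (created, expires, now.strftime("%Y-%m-%dT%H:%M:%SZ")))
    return findings

# Constructed sample: namespaces as in the posted request, made-up Ids, no real signature.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">
<soap:Header><wsse:Security>
<wsu:Timestamp wsu:Id="Timestamp-1"><wsu:Created>2007-02-27T14:44:57Z</wsu:Created>
<wsu:Expires>2007-02-27T14:49:57Z</wsu:Expires></wsu:Timestamp>
<wsse:BinarySecurityToken wsu:Id="SecurityToken-1">constructed</wsse:BinarySecurityToken>
<ds:Signature><ds:SignedInfo><ds:Reference URI="#Timestamp-1"/>
<ds:Reference URI="#Body-1"/></ds:SignedInfo>
<ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#SecurityToken-1"/>
</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
</wsse:Security></soap:Header><soap:Body wsu:Id="Body-1"/></soap:Envelope>""" % NS

if __name__ == "__main__":
    print(triage(SAMPLE, datetime(2007, 2, 27, 14, 46, tzinfo=timezone.utc)))
```

An empty result only rules out dangling or ambiguous references and an expired window; a digest mismatch caused by canonicalization differences between the two stacks would still need the receiver's debug logging to locate.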