[ogsa-wg] Fwd: [gt-user] GSI Secure Message: Signature or decryption invalid

Alan Sill Alan.Sill at ttu.edu
Thu Mar 1 09:11:25 CST 2007


This question goes to the core of some of what we are talking about  
in the OGSA Security design team discussions and AuthN-WG work  
design.  Comments are welcome.

Alan

Begin forwarded message:

> From: "Kleopatra Konstanteli" <kkonst at telecom.ntua.gr>
> Date: March 1, 2007 9:07:02 AM CST
> To: <gt-user at globus.org>
> Subject: RE: [gt-user] GSI Secure Message: Signature or decryption  
> invalid
>
> Hi all,
>
>
>
> Does GT4’s implementation of Secure Message interoperate with
> WSRF.NET’s one? A paper about interoperability between different
> WSRF implementations
> (http://www.cs.virginia.edu/~humphrey/papers/WSRFComparison2005.pdf)
> specifies that there is no interoperability
> in terms of Secure Conversation because WSRF.NET builds upon WSE.
>
> Does the same apply for Secure Message since WSE is used for this  
> purpose in WSRF.NET as well? Can anyone help me please?
>
>
>
> Thank you,
>
> Kleopatra
>
>
>
> From: owner-gt-user at globus.org [mailto:owner-gt-user at globus.org] On  
> Behalf Of Kleopatra Konstanteli
> Sent: Tuesday, February 27, 2007 7:08 PM
> To: gt-user at globus.org
> Subject: [gt-user] GSI Secure Message: Signature or decryption invalid
>
>
>
> Hello all,
>
>
>
> When using a WSRF.NET client to invoke a secure GT4 service using  
> WS-Security (WSE 3.0) I obtain the following error:
>
>
>
> System.Web.Services.Protocols.SoapException:
> SOAP-Fault code: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd:FailedCheck
> Message: The signature or decryption was invalid
>    in System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
>    in System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
>    in MathService.MathServiceWse.subtract(Int32 subtractValue) in C:\SecurityTest\WSSecurityCertificatePolicyClient\Web References\MathService\Reference.cs:riga 128
>    in WSSecurityCertificatePolicyClient.WSSecurityCertificateClient.Run() in C:\SecurityTest\WSSecurityCertificatePolicyClient\WSSecurityCertificateClient.cs:riga 110
>    in WSSecurityCertificatePolicyClient.WSSecurityCertificateClient.Main(String[] args) in C:\SecurityTest\WSSecurityCertificatePolicyClient\WSSecurityCertificateClient.cs:riga 66…
>
>
>
>
>
> The secure GT4 service that is used is the one included in the  
> examples from the Borja Sotomayor book “Globus Toolkit 4:  
> Programming Java Services”. The certificate used is issued by an  
> external CA that my GT4 installation has been configured to trust.  
> When using a GT4 client there is no problem.
>
>
>
> The SOAP request that the .NET client sends out is the following:
>
>
>
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> <soap:Header>
> <wsa:Action wsu:Id="Id-5dc3847c-2b32-4c89-b221-ae6b51bda267">http://www.globus.org/namespaces/examples/MathService_instance_4op/MathPortType/subtractRequest</wsa:Action>
> <wsa:MessageID wsu:Id="Id-ef19c334-ea85-4261-b460-ac626331f9d7">urn:uuid:f0b89b6c-c8b3-4f40-8c5d-1f48bfa371d0</wsa:MessageID>
> <wsa:ReplyTo wsu:Id="Id-6ee907b3-2091-4209-859e-f60c58c52298"><wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address></wsa:ReplyTo>
> <wsa:To wsu:Id="Id-3ab411a1-538e-4bab-9467-c7d4d85cd2c3">http://147.102.19.157:8080/wsrf/services/examples/security/first/MathService</wsa:To>
> <wsse:Security soap:mustUnderstand="1">
> <wsu:Timestamp wsu:Id="Timestamp-4ac3ee2e-906e-43de-9ecc-f3795aaf2c5d">
> <wsu:Created>2007-02-27T14:44:57Z</wsu:Created>
> <wsu:Expires>2007-02-27T14:49:57Z</wsu:Expires></wsu:Timestamp>
> <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="SecurityToken-b7ff426b-cd9b-445f-b379-1d930ed5a40f">
>
> MIIFUjCCBDqgAwIBAgIBKjANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UEBhMCREUxGjAYBg 
> NVBAo
>
> TEVRlc3RiZWQgU3R1dHRnYXJ0MREwDwYDVQQLEwhBa29ncmltbzEUMBIGA1UEAxMLQWtvZ 
> 3JpbW
>
> 8gQ0ExLjAsBgkqhkiG9w0BCQEWH0RhdmlkLkx1dHpAcnVzLnVuaS1zdHV0dGdhcnQuZGUw 
> HhcNM
>
> DcwMjI3MTE0OTE2WhcNMDcwOTE1MTE0OTE2WjBQMQswCQYDVQQGEwJERTERMA8GA1UEChM 
> IQWtv
>
> Z3JpbW8xETAPBgNVBAsTCEludGVybmV0MQ4wDAYDVQQDEwVDUk1QQTELMAkGA1UEBRMCND 
> IwgZ8
>
> wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL0jTULOpwcOF1hftFfAn/ 
> x1kUkprDk6VfELzGKTAT
>
> i+1pF0hJXV1JLOvS8XknOwRxdIaxU/0hirXS47OEf2OF2/ 
> ezw8WPHWgCeC2ELCf5FCgOd1qn7F9
>
> dXDrHrOzvCz6WF9tD0QOcPS 
> +xIg7tl8SqJX36dDwSA0WTb3nKg67wNXAgMBAAGjggKGMIICgjAJ
>
> BgNVHRMEAjAAMEgGA1UdIARBMD8wBgYEKgMDBDAGBgQqAwMFMC0GBCoDAwYwJTAjBggrBg 
> EFBQc
>
> CARYXaHR0cDovL3NvbWUudXJsLm9yZy9jcHMwEQYJYIZIAYb4QgEBBAQDAgWgMAsGA1UdD 
> wQEAw
>
> IE8DApBgNVHSUEIjAgBggrBgEFBQcDAgYIKwYBBQUHAwQGCisGAQQBgjcUAgIwKwYJYIZI 
> AYb4Q
>
> gENBB4WHFVzZXIgQ2VydGlmaWNhdGUgb2YgQWtvZ3JpbW8wHQYDVR0OBBYEFFxon/ 
> CS0QHegAmT
>
> oJTkBG5OfJLUMIG3BgNVHSMEga8wgayAFK1nDk0hJbjJ6B1HIXe+ox6Sv3/ 
> UoYGIpIGFMIGCMQs
>
> wCQYDVQQGEwJERTEaMBgGA1UEChMRVGVzdGJlZCBTdHV0dGdhcnQxETAPBgNVBAsTCEFrb 
> 2dyaW
>
> 1vMRQwEgYDVQQDEwtBa29ncmltbyBDQTEuMCwGCSqGSIb3DQEJARYfRGF2aWQuTHV0ekBy 
> dXMud
>
> W5pLXN0dXR0Z2FydC5kZYIJAPlPMFjLt4H/ 
> MCEGA1UdEQQaMBiBFm5yb21hbm9AY3JtcGEudW5p
>
> c2EuaXQwKgYDVR0SBCMwIYEfRGF2aWQuTHV0ekBydXMudW5pLXN0dXR0Z2FydC5kZTAoBg 
> lghkg
>
> BhvhCAQQEGxYZaHR0cDovLy9wdWIvY3JsL2NhY3JsLmNybDAoBglghkgBhvhCAQMEGxYZa 
> HR0cD
>
> ovLy9wdWIvY3JsL2NhY3JsLmNybDA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vMTkyLjEw 
> OC4zN
>
> y43OC9wdWIvY3JsL2NhY3JsLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAL0EcHCpi3Nv 
> +2HoRPGkq
>
> EJM2SWKLgU92t86NFNIEXeq3zfVYcoosUxTrQIi9USunofBz73ZOWG4DCMSiCfCMREnImi 
> /MeSI
>
> ZWbWeo34nv1JlP4VwlOyl0bheb5Sjml9hHtmKozvBkjLhwtW/gzUHlqHyVs9vV0Xc/ 
> 5CyPPyRIU
>
> GDFOLALCehxrNCFEqsz6eNcYi2HG07tVCNLbcNGNQqtqc511c94SLQOMCL6TyEMHjulyhW 
> xmwi4
>
> SSBxSik9rYHm889GSslrcdsz+Jz2jnJmGVtDXMQueZPOkD9ez7ch0wspiW1/ 
> wb09wNWUBk6nAr1
>
> ACsXMnh7yaRUMtD1WLV3ZQ==</wsse:BinarySecurityToken><Signature  
> xmlns="http://www.w3.org/2000/09/xmldsig#">
>
> <SignedInfo>
> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <Reference URI="#Id-5dc3847c-2b32-4c89-b221-ae6b51bda267">
> <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>3jg0oLM2rgwkCPp3/UEMzAJ0xqE=</DigestValue>
> </Reference>
> <Reference URI="#Id-ef19c334-ea85-4261-b460-ac626331f9d7">
> <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>kT5HUy3NKW7LxbJqw9KYysZ4WGc=</DigestValue>
> </Reference>
> <Reference URI="#Id-6ee907b3-2091-4209-859e-f60c58c52298">
> <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>9rjmjy+UPKyirXwsgowC448djOU=</DigestValue>
> </Reference>
> <Reference URI="#Id-3ab411a1-538e-4bab-9467-c7d4d85cd2c3">
> <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>hJ43DwpWlARhRsF3lgrscIuVmFw=</DigestValue></Reference>
> <Reference URI="#Timestamp-4ac3ee2e-906e-43de-9ecc-f3795aaf2c5d">
> <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>eGBpSN1gHvqLW99W/8qkWf7hchI=</DigestValue>
> </Reference>
> <Reference URI="#Id-7748d805-ccf9-4da8-b80b-855d9be2360f">
> <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>fcVl/3wkgtUHIpAt3b+IMC8HXCY=</DigestValue>
> </Reference></SignedInfo>
>
> <SignatureValue>It06wTUqrTtjkWmX8RKeQSPOgMyOiuE6hYlIKSHDVOBEzDeJnPCVsckp3hYg2r74rSczGAxxeh8/AjTvBXF9GKvZhfeid4jLTOP8P/4M32M/4qg8ZApIkk+65KvKJiREdYxzJCOAP4MLhU19/+vlLmV+WuaPbusK86EfJMJPivU=</SignatureValue>
> <KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#SecurityToken-b7ff426b-cd9b-445f-b379-1d930ed5a40f" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference></KeyInfo>
> </Signature></wsse:Security>
> </soap:Header><soap:Body wsu:Id="Id-7748d805-ccf9-4da8-b80b-855d9be2360f">
> <subtract xmlns="http://www.globus.org/namespaces/examples/MathService_instance_4op"><subtractValue xmlns="">3</subtractValue></subtract>
> </soap:Body></soap:Envelope>
>
>
>
> The error message is very vague. To the best of my knowledge, there
> is no problem with the certificate but with the signature. For some
> reason the reconstructed message doesn’t have the form that it
> should have and the signature check fails.
>
>
>
> Can anyone help me?
>
>
>
> Thank you in advance,
>
> Kleopatra
>
>

Alan Sill, Ph.D
TIGRE Senior Scientist, High Performance Computing Center
Adjunct Professor of Physics
TTU

====================================================================
:  Alan Sill, Texas Tech University  Office: Admin 233, MS 4-1167  :
:  e-mail: Alan.Sill at ttu.edu   ph. 806-742-4350  fax 806-742-4358  :
====================================================================
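
Added example, not part of either message above: a Python triage of the structural conditions a receiver depends on before it can compare digests for a request shaped like the quoted one. It checks that every `Reference` resolves to exactly one `wsu:Id` element, that each uses the exclusive c14n transform, and that no `wsu:Id` element is left outside the signature. The sample envelope and its short Ids are constructed, and digests are not recomputed because the Python standard library has no exclusive c14n.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
TRANSFORM = f'<Transforms><Transform Algorithm="{EXC_C14N}"/></Transforms>'

# Constructed sample: same layout as the quoted request, with short made-up Ids.
SAMPLE = f"""<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsu="{WSU}">
 <e:Header>
  <To wsu:Id="Id-to">http://host.example/service</To>
  <Security>
   <wsu:Timestamp wsu:Id="Ts-1"><wsu:Created>2007-02-27T14:44:57Z</wsu:Created>
   </wsu:Timestamp>
   <Signature xmlns="{DS}"><SignedInfo>
    <CanonicalizationMethod Algorithm="{EXC_C14N}"/>
    <Reference URI="#Id-to">{TRANSFORM}</Reference>
    <Reference URI="#Ts-1">{TRANSFORM}</Reference>
    <Reference URI="#Id-body">{TRANSFORM}</Reference>
   </SignedInfo></Signature>
  </Security>
 </e:Header>
 <e:Body wsu:Id="Id-body"><subtract>3</subtract></e:Body>
</e:Envelope>"""


def triage(xml_text):
    """Return findings that can be established without any key material."""
    root = ET.fromstring(xml_text)
    ids = {}  # wsu:Id value -> tags of the elements carrying it
    for el in root.iter():
        wsu_id = el.get(f"{{{WSU}}}Id")
        if wsu_id is not None:
            ids.setdefault(wsu_id, []).append(el.tag)
    findings, signed = [], set()
    for ref in root.iter(f"{{{DS}}}Reference"):
        target = ref.get("URI", "")[1:]  # drop the leading '#'
        signed.add(target)
        hits = ids.get(target, [])
        if len(hits) != 1:  # 0 = dangling reference, >1 = ambiguous Id
            findings.append(f"#{target} resolves to {len(hits)} elements")
        for tr in ref.iter(f"{{{DS}}}Transform"):
            if tr.get("Algorithm") != EXC_C14N:
                findings.append(f"#{target} uses transform {tr.get('Algorithm')}")
    for unsigned in sorted(set(ids) - signed):
        findings.append(f"wsu:Id {unsigned} is not covered by the signature")
    return findings
```

An empty result means the message is structurally consistent, so the remaining difference lies in the canonical bytes each stack produces for the referenced elements.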



