[ogsa-wg] Fwd: [gt-user] GSI Secure Message: Signature or decryption invalid

Marty Humphrey humphrey at cs.virginia.edu
Sat Mar 3 08:33:44 CST 2007


Kleopatra et al.,

Short answer is yes. We can submit jobs to GT4 via WSRF.NET clients. We can
submit jobs to WSRF.NET via a GT4 client. Each server can understand the
other's client's WS-Security-framed message (presumably username/password
works, but we don't use it -- we only use X.509).

Regarding SecureConversation, you're referring to the following statement in
the paper you reference (HPDC 2005):

"However, WSRF.NET's implementation of Secure Conversation will not
interoperate with the other three systems' SecureConversation
implementations because WSRF.NET inherits its SecureConversation from WSE.
While the SecureConversation spec defines message formats for the exchange
of cryptographic data necessary to establish a secure session, it does not
define a single algorithm for computing that data, and WSE and
GT4/pyGridWare implement different algorithms."

Yes, this is still true as far as we know (frankly, we don't encounter
issues with SecureConversation, because we don't tend to see much use of
it).

I hope this helps,
Marty

-----Original Message-----
From: ogsa-wg-bounces at ogf.org [mailto:ogsa-wg-bounces at ogf.org] On Behalf Of
Alan Sill
Sent: Thursday, March 01, 2007 10:11 AM
To: OGSA Authentication WG BoF
Cc: ogsa-wg at gridforum.org
Subject: [ogsa-wg] Fwd: [gt-user] GSI Secure Message: Signature or
decryption invalid

This question goes to the core of some of what we are talking about in the
OGSA Security design team discussions and AuthN-WG work design. Comments are
welcome.

Alan

Begin forwarded message:

> From: "Kleopatra Konstanteli" <kkonst at telecom.ntua.gr>
> Date: March 1, 2007 9:07:02 AM CST
> To: <gt-user at globus.org>
> Subject: RE: [gt-user] GSI Secure Message: Signature or decryption invalid
>
> Hi all,
>
> Does GT4's implementation of Secure Message interoperate with WSRF.NET's? A paper about interoperability between different WSRF implementations (http://www.cs.virginia.edu/~humphrey/papers/WSRFComparison2005.pdf) specifies that there is no interoperability in terms of Secure Conversation because WSRF.NET builds upon WSE.
>
> Does the same apply for Secure Message, since WSE is used for this purpose in WSRF.NET as well? Can anyone help me please?
>
> Thank you,
>
> Kleopatra
>
> From: owner-gt-user at globus.org [mailto:owner-gt-user at globus.org] On Behalf Of Kleopatra Konstanteli
> Sent: Tuesday, February 27, 2007 7:08 PM
> To: gt-user at globus.org
> Subject: [gt-user] GSI Secure Message: Signature or decryption invalid
>
> Hello all,
>
> When using a WSRF.NET client to invoke a secure GT4 service using WS-Security (WSE 3.0) I obtain the following error:
>
> System.Web.Services.Protocols.SoapException:
> SOAP-Fault code: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd:FailedCheck
> Message: The signature or decryption was invalid
>    in System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
>    in System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
>    in MathService.MathServiceWse.subtract(Int32 subtractValue) in C:\SecurityTest\WSSecurityCertificatePolicyClient\Web References\MathService\Reference.cs:line 128
>    in WSSecurityCertificatePolicyClient.WSSecurityCertificateClient.Run() in C:\SecurityTest\WSSecurityCertificatePolicyClient\WSSecurityCertificateClient.cs:line 110
>    in WSSecurityCertificatePolicyClient.WSSecurityCertificateClient.Main(String[] args) in C:\SecurityTest\WSSecurityCertificatePolicyClient\WSSecurityCertificateClient.cs:line 66.
>
> The secure GT4 service that is used is the one included in the examples from the Borja Sotomayor book "Globus Toolkit 4: Programming Java Services". The certificate used is issued by an external CA that my GT4 installation has been configured to trust. When using a GT4 client there is no problem.
>
> The SOAP request that the .NET client sends out is the following:
>
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> <soap:Header>
> <wsa:Action wsu:Id="Id-5dc3847c-2b32-4c89-b221-ae6b51bda267">http://www.globus.org/namespaces/examples/MathService_instance_4op/MathPortType/subtractRequest</wsa:Action>
> <wsa:MessageID wsu:Id="Id-ef19c334-ea85-4261-b460-ac626331f9d7">urn:uuid:f0b89b6c-c8b3-4f40-8c5d-1f48bfa371d0</wsa:MessageID>
> <wsa:ReplyTo wsu:Id="Id-6ee907b3-2091-4209-859e-f60c58c52298"><wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address></wsa:ReplyTo>
> <wsa:To wsu:Id="Id-3ab411a1-538e-4bab-9467-c7d4d85cd2c3">http://147.102.19.157:8080/wsrf/services/examples/security/first/MathService</wsa:To>
> <wsse:Security soap:mustUnderstand="1">
> <wsu:Timestamp wsu:Id="Timestamp-4ac3ee2e-906e-43de-9ecc-f3795aaf2c5d">
> <wsu:Created>2007-02-27T14:44:57Z</wsu:Created>
> <wsu:Expires>2007-02-27T14:49:57Z</wsu:Expires></wsu:Timestamp>
> <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="SecurityToken-b7ff426b-cd9b-445f-b379-1d930ed5a40f">
> MIIFUjCCBDqgAwIBAgIBKjANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UEBhMCREUxGjAYBgNVBAo
> TEVRlc3RiZWQgU3R1dHRnYXJ0MREwDwYDVQQLEwhBa29ncmltbzEUMBIGA1UEAxMLQWtvZ3JpbW
> 8gQ0ExLjAsBgkqhkiG9w0BCQEWH0RhdmlkLkx1dHpAcnVzLnVuaS1zdHV0dGdhcnQuZGUwHhcNM
> DcwMjI3MTE0OTE2WhcNMDcwOTE1MTE0OTE2WjBQMQswCQYDVQQGEwJERTERMA8GA1UEChMIQWtv
> Z3JpbW8xETAPBgNVBAsTCEludGVybmV0MQ4wDAYDVQQDEwVDUk1QQTELMAkGA1UEBRMCNDIwgZ8
> wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL0jTULOpwcOF1hftFfAn/x1kUkprDk6VfELzGKTAT
> i+1pF0hJXV1JLOvS8XknOwRxdIaxU/0hirXS47OEf2OF2/ezw8WPHWgCeC2ELCf5FCgOd1qn7F9
> dXDrHrOzvCz6WF9tD0QOcPS+xIg7tl8SqJX36dDwSA0WTb3nKg67wNXAgMBAAGjggKGMIICgjAJ
> BgNVHRMEAjAAMEgGA1UdIARBMD8wBgYEKgMDBDAGBgQqAwMFMC0GBCoDAwYwJTAjBggrBgEFBQc
> CARYXaHR0cDovL3NvbWUudXJsLm9yZy9jcHMwEQYJYIZIAYb4QgEBBAQDAgWgMAsGA1UdDwQEAw
> IE8DApBgNVHSUEIjAgBggrBgEFBQcDAgYIKwYBBQUHAwQGCisGAQQBgjcUAgIwKwYJYIZIAYb4Q
> gENBB4WHFVzZXIgQ2VydGlmaWNhdGUgb2YgQWtvZ3JpbW8wHQYDVR0OBBYEFFxon/CS0QHegAmT
> oJTkBG5OfJLUMIG3BgNVHSMEga8wgayAFK1nDk0hJbjJ6B1HIXe+ox6Sv3/UoYGIpIGFMIGCMQs
> wCQYDVQQGEwJERTEaMBgGA1UEChMRVGVzdGJlZCBTdHV0dGdhcnQxETAPBgNVBAsTCEFrb2dyaW
> 1vMRQwEgYDVQQDEwtBa29ncmltbyBDQTEuMCwGCSqGSIb3DQEJARYfRGF2aWQuTHV0ekBydXMud
> W5pLXN0dXR0Z2FydC5kZYIJAPlPMFjLt4H/MCEGA1UdEQQaMBiBFm5yb21hbm9AY3JtcGEudW5p
> c2EuaXQwKgYDVR0SBCMwIYEfRGF2aWQuTHV0ekBydXMudW5pLXN0dXR0Z2FydC5kZTAoBglghkg
> BhvhCAQQEGxYZaHR0cDovLy9wdWIvY3JsL2NhY3JsLmNybDAoBglghkgBhvhCAQMEGxYZaHR0cD
> ovLy9wdWIvY3JsL2NhY3JsLmNybDA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vMTkyLjEwOC4zN
> y43OC9wdWIvY3JsL2NhY3JsLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAL0EcHCpi3Nv+2HoRPGkq
> EJM2SWKLgU92t86NFNIEXeq3zfVYcoosUxTrQIi9USunofBz73ZOWG4DCMSiCfCMREnImi/MeSI
> ZWbWeo34nv1JlP4VwlOyl0bheb5Sjml9hHtmKozvBkjLhwtW/gzUHlqHyVs9vV0Xc/5CyPPyRIU
> GDFOLALCehxrNCFEqsz6eNcYi2HG07tVCNLbcNGNQqtqc511c94SLQOMCL6TyEMHjulyhWxmwi4
> SSBxSik9rYHm889GSslrcdsz+Jz2jnJmGVtDXMQueZPOkD9ez7ch0wspiW1/wb09wNWUBk6nAr1
> ACsXMnh7yaRUMtD1WLV3ZQ==</wsse:BinarySecurityToken><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <Reference URI="#Id-5dc3847c-2b32-4c89-b221-ae6b51bda267">
> <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>3jg0oLM2rgwkCPp3/UEMzAJ0xqE=</DigestValue>
> </Reference>
> <Reference URI="#Id-ef19c334-ea85-4261-b460-ac626331f9d7">
> <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>kT5HUy3NKW7LxbJqw9KYysZ4WGc=</DigestValue>
> </Reference>
> <Reference URI="#Id-6ee907b3-2091-4209-859e-f60c58c52298">
> <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>9rjmjy+UPKyirXwsgowC448djOU=</DigestValue>
> </Reference>
> <Reference URI="#Id-3ab411a1-538e-4bab-9467-c7d4d85cd2c3">
> <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>hJ43DwpWlARhRsF3lgrscIuVmFw=</DigestValue></Reference>
> <Reference URI="#Timestamp-4ac3ee2e-906e-43de-9ecc-f3795aaf2c5d">
> <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>eGBpSN1gHvqLW99W/8qkWf7hchI=</DigestValue>
> </Reference>
> <Reference URI="#Id-7748d805-ccf9-4da8-b80b-855d9be2360f">
> <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>fcVl/3wkgtUHIpAt3b+IMC8HXCY=</DigestValue>
> </Reference></SignedInfo>
> <SignatureValue>It06wTUqrTtjkWmX8RKeQSPOgMyOiuE6hYlIKSHDVOBEzDeJnPCVsckp3hYg2r74rSczGAxxeh8/AjTvBXF9GKvZhfeid4jLTOP8P/4M32M/4qg8ZApIkk+65KvKJiREdYxzJCOAP4MLhU19/+vlLmV+WuaPbusK86EfJMJPivU=</SignatureValue>
> <KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#SecurityToken-b7ff426b-cd9b-445f-b379-1d930ed5a40f" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference></KeyInfo>
> </Signature></wsse:Security>
> </soap:Header><soap:Body wsu:Id="Id-7748d805-ccf9-4da8-b80b-855d9be2360f">
> <subtract xmlns="http://www.globus.org/namespaces/examples/MathService_instance_4op"><subtractValue xmlns="">3</subtractValue></subtract>
> </soap:Body></soap:Envelope>
>
>
> The error message is very vague. To the best of my knowledge, there is no problem with the certificate but with the signature. For some reason the reconstructed message doesn't have the form that it should have and the signature check fails.
>
> Can anyone help me?
>
> Thank you in advance,
>
> Kleopatra
>

Alan Sill, Ph.D
TIGRE Senior Scientist, High Performance Computing Center
Adjunct Professor of Physics
TTU

====================================================================
:  Alan Sill, Texas Tech University  Office: Admin 233, MS 4-1167  :
:  e-mail: Alan.Sill at ttu.edu   ph. 806-742-4350  fax 806-742-4358  :
====================================================================


--
  ogsa-wg mailing list
  ogsa-wg at ogf.org
  http://www.ogf.org/mailman/listinfo/ogsa-wg
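Added example, not from this thread and not GT4, WSRF.NET or WSE code: the FailedCheck fault in the forwarded message only says that the signature did not verify. What a receiver actually does first is recompute the digest of each <ds:Reference> over the canonicalized element it points to, and that step, run on its own, tells you which signed part no longer has the form the sender hashed, which is the question the post ends on. Everything below is constructed: the envelope is shaped like the posted one (Timestamp and Body signed, the same namespace URIs, the MathService namespace from the post), the wsu:Id values are made up, the RSA-SHA1 SignatureValue is not computed (no RSA in Python's standard library), and xml.etree.ElementTree.canonicalize (C14N 2.0, Python 3.8+) stands in for exclusive C14N. Both emit only the namespace declarations an element actually uses, but they are not guaranteed byte-identical in every case, so a message taken off the wire should be checked with a real exclusive-C14N implementation such as lxml's.

```python
"""Added example (not from the thread, not GT4/WSRF.NET/WSE code): find which
<ds:Reference> of a WS-Security signed envelope no longer matches its digest."""
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

# Namespace URIs as they appear in the posted envelope.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
MATH = "http://www.globus.org/namespaces/examples/MathService_instance_4op"

# Keep the sample's prefixes when a fragment is re-serialised; ElementTree would
# otherwise invent ns0, ns1, ... and every digest would change.
for _prefix, _uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU), ("ds", DS), ("m", MATH)):
    ET.register_namespace(_prefix, _uri)

# Ids of the constructed sample (assumption: any unique wsu:Id values).
TIMESTAMP_ID = "Timestamp-1"
BODY_ID = "Body-1"


def canonical_bytes(elem):
    """Canonical form of one element. C14N 2.0 stands in for exc-c14n
    (assumption: close enough for a constructed message, see lead-in)."""
    elem = copy.copy(elem)
    elem.tail = None  # tostring() would otherwise append text that follows the element
    fragment = ET.tostring(elem, encoding="unicode")
    return ET.canonicalize(fragment).encode("utf-8")


def digest_b64(elem):
    """DigestMethod ...#sha1 as in the posted message: base64(SHA-1(c14n(element)))."""
    return base64.b64encode(hashlib.sha1(canonical_bytes(elem)).digest()).decode("ascii")


def find_by_wsu_id(root, wsu_id):
    """Resolve a Reference URI fragment to the element carrying that wsu:Id."""
    for el in root.iter():
        if el.get(f"{{{WSU}}}Id") == wsu_id:
            return el
    return None


def check_references(envelope_xml):
    """Receiver side: {URI: (DigestValue in message, recomputed digest, match)}.
    Only the per-reference digests are checked; SignatureValue is out of scope."""
    root = ET.fromstring(envelope_xml)
    results = {}
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI")
        claimed = ref.findtext(f"{{{DS}}}DigestValue")
        target = find_by_wsu_id(root, uri[1:] if uri.startswith("#") else uri)
        actual = digest_b64(target) if target is not None else None
        results[uri] = (claimed, actual, claimed == actual)
    return results


def failing_references(envelope_xml):
    """URIs whose digest no longer matches: the detail a bare FailedCheck hides."""
    return [uri for uri, (_, _, ok) in check_references(envelope_xml).items() if not ok]


def _envelope(ts_digest, body_digest, value):
    """Constructed envelope shaped like the posted one (Timestamp and Body signed)."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">'
        '<soap:Header><wsse:Security soap:mustUnderstand="1">'
        f'<wsu:Timestamp wsu:Id="{TIMESTAMP_ID}"><wsu:Created>2007-02-27T14:44:57Z</wsu:Created>'
        '<wsu:Expires>2007-02-27T14:49:57Z</wsu:Expires></wsu:Timestamp>'
        '<ds:Signature><ds:SignedInfo>'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
        f'<ds:Reference URI="#{TIMESTAMP_ID}">'
        '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
        f'<ds:DigestValue>{ts_digest}</ds:DigestValue></ds:Reference>'
        f'<ds:Reference URI="#{BODY_ID}">'
        '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
        f'<ds:DigestValue>{body_digest}</ds:DigestValue></ds:Reference>'
        '</ds:SignedInfo><ds:SignatureValue>not-computed</ds:SignatureValue></ds:Signature>'
        '</wsse:Security></soap:Header>'
        f'<soap:Body wsu:Id="{BODY_ID}"><m:subtract xmlns:m="{MATH}">'
        f'<m:subtractValue>{value}</m:subtractValue></m:subtract></soap:Body>'
        '</soap:Envelope>'
    )


def build_signed_envelope(value="3"):
    """Sender side: hash the signed parts of a draft, then emit the envelope
    with those DigestValues filled in."""
    draft = ET.fromstring(_envelope("", "", value))
    ts_digest = digest_b64(find_by_wsu_id(draft, TIMESTAMP_ID))
    body_digest = digest_b64(find_by_wsu_id(draft, BODY_ID))
    return _envelope(ts_digest, body_digest, value)


if __name__ == "__main__":
    signed = build_signed_envelope("3")
    print("intact:        ", failing_references(signed))
    # Body changed in transit: only the Body reference fails.
    print("tampered body: ", failing_references(signed.replace("<m:subtractValue>3<", "<m:subtractValue>4<")))
    # Re-indented by an intermediary or a client library: whitespace text nodes
    # are part of the canonical form, so every re-indented part fails.
    print("pretty-printed:", failing_references(signed.replace("><", ">\n  <")))
```

The two failure runs are the ones worth keeping in mind when reading the fault in the post: a changed Body fails exactly one reference, while re-indenting (or any other re-serialisation that adds whitespace, reorders attributes or changes namespace prefixes before canonicalisation) fails every reference at once, which is what a receiver that rebuilds the message differently from the sender looks like. The posted message signs six parts (Action, MessageID, ReplyTo, To, Timestamp, Body); the same loop covers them, since it only needs the wsu:Id on each.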
