
What does "wsse: InvalidSecurity" mean?

An error was discovered processing the <wsse:Security> header

This is a WS-Security question btw ...

I don't see anything wrong with my WS endpoint (other than the fact that it runs in the TIBCO BW engine!). Does anyone have any "prior" errors of this type? I understand that the WS-Security header could be broken anywhere, perhaps, to get this error, but there has got to be a 90th percentile for some kind of generic error.

Here the secured SOAP client is a standalone Java program (WSS4J 1.5.0), signing only at this stage.

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-20237898">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <ds:Reference URI="#id-18414151">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>DvjhvAtEVxwntL/RjMCNhId57cg=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>
YbOB3FRduCr5rutpIvch9sDZfZToy3pjm+Kyl/Oqz6cAPqMVKqvKBb4P7ebnzP/3SVjm+PfLqlE5
BGgcT3Vz93apyg+eY1rAIYUs7K1Zt9F5ejMmij6HQpQTGpyM9BUXJi1x5bt9GuMtD0SK939bIIE2
ZUyZ0jPJp/wUhMonskw=
</ds:SignatureValue>
                <ds:KeyInfo Id="KeyId-15734641">
                    <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-3852606">
                        <ds:X509Data>
                            <ds:X509IssuerSerial>
                                <ds:X509IssuerName>CN=Mark Hesketh,OU=asdf,O=DVA,L=Canberra,ST=ACT,C=AU</ds:X509IssuerName>
                                <ds:X509SerialNumber>1231310305</ds:X509SerialNumber>
                            </ds:X509IssuerSerial>
                        </ds:X509Data>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-18414151">
        <message xmlns="http://www.tibco.com/schemas/CertificateWork/Resources/Schema.xsd" text="Sample msg with SHA1 signature"/>
    </soapenv:Body>
</soapenv:Envelope>

1 answer


Wow ... if you still have this problem, you have more patience than me ... but just in case, here are my thoughts:

  • http://schemas.xmlsoap.org/specs/ws-security/ws-security.htm#ws-security__toc6201567 - suggests this is a tag reading issue.
  • One thing that sticks out to me is that I don't see a link tying the signature to the key information. Of course, I would assume that the KeyInfo element describes the certificate whose private key was used to create the SignatureValue, but I don't see the XML snippet that tells the software about it. I don't think including KeyInfo is enough; maybe there should be a reference to it.
  • If it is not that, I would double-check this against the schema, and possibly against an independent schema-verification source. An error at the header level makes me think about format, not content.

This is my first guess at this, and it is just a guess, without getting hands-on with your system and trying a bunch of different things. If that doesn't work, this is my general logical chain for this type of error:

  • Format - correct XML as per the schema?
  • Signature - a signature needs three things: data, a key, and a set of algorithms to create it. Check all three - is the data correct, is the key correct, are the algorithms appropriate for the key, and how will the message be handled? Also, are the keywords and data items that are in your library listed correctly?
  • External sources of information. In this case, your key information refers to a certificate that is supposedly being pulled from somewhere else - for example, from an LDAP certificate store. So, can your code access this external source, are the data source and network accessible, where are you running the code from, etc.?
  • If PKI is involved - certificate validation / trust - what does the system have to do behind the scenes to trust the subscriber? OCSP checks? LDAP search? Chaining to a trusted root? etc. Is the trust algorithm working correctly, and does it have everything it needs - that is, access to the OCSP responder, a properly configured certificate store, etc.?

I am modifying these steps based on my guess as to what the error means. Errors are not that intuitive - which is why I often go over all these steps just in case my interpretation of the error is wrong. Also, I can then prevent the problem later ...
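As an added example (not code from the question or the answer), the structural part of the checklist above (format, reference resolution, and the KeyInfo link to a security token) can be automated with only the Python standard library. The sample envelope is constructed to mirror the question's structure; its digest and signature values are placeholders, and the SHA-1 algorithm identifiers from the question are reported as warnings.

```python
import xml.etree.ElementTree as ET

NS = {  # namespaces exactly as they appear in the question's envelope
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
# SHA-1 algorithms are warned about, not rejected; a current policy should require SHA-256.
WEAK_ALGS = {"http://www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2000/09/xmldsig#rsa-sha1"}

def lint_wsse(envelope_xml):
    """Return 'ERROR: ...' / 'WARN: ...' findings for a signed SOAP envelope."""
    findings = []
    root = ET.fromstring(envelope_xml)
    sec = root.find("soapenv:Header/wsse:Security", NS)
    if sec is None:
        return ["ERROR: no wsse:Security header in the WSS 1.0 secext namespace"]
    sig = sec.find("ds:Signature", NS)
    if sig is None:
        return ["ERROR: wsse:Security carries no ds:Signature"]
    # Every wsu:Id in the document, so each ds:Reference URI can be resolved.
    ids = {e.get(WSU_ID) for e in root.iter() if e.get(WSU_ID)}
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            findings.append("ERROR: Reference URI %r is not a same-document #id" % uri)
        elif uri[1:] not in ids:
            findings.append("ERROR: Reference URI %r matches no wsu:Id" % uri)
    for el in sig.iter():
        if el.get("Algorithm") in WEAK_ALGS:
            findings.append("WARN: SHA-1 based algorithm %s" % el.get("Algorithm"))
    # The answer's point: KeyInfo must link the signature to a security token.
    if sig.find("ds:KeyInfo/wsse:SecurityTokenReference", NS) is None:
        findings.append("ERROR: ds:KeyInfo has no wsse:SecurityTokenReference")
    return findings

# Constructed sample with the question's structure; DigestValue and
# SignatureValue are placeholders, not real cryptographic output.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="%(soapenv)s"><soapenv:Header>
<wsse:Security xmlns:wsse="%(wsse)s" soapenv:mustUnderstand="1"><ds:Signature xmlns:ds="%(ds)s">
<ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>PLACEHOLDER=</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue><ds:KeyInfo>
<wsse:SecurityTokenReference><ds:X509Data/></wsse:SecurityTokenReference></ds:KeyInfo>
</ds:Signature></wsse:Security></soapenv:Header>
<soapenv:Body xmlns:wsu="%(wsu)s" wsu:Id="id-1"><message text="hi"/></soapenv:Body>
</soapenv:Envelope>""" % NS
```

Running `lint_wsse` on a rejected envelope before sending it tells you whether the receiver's "InvalidSecurity" is a format or reference problem, which the checklist treats separately from key and trust problems.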
