I am writing a Java client application that needs to sign a SOAP message (with 2 parts in it) and send it to a remote server before fetching the response. I managed to make successful calls in SoapUI (see request and screenshot below).
I have most of the code ready, but I keep getting an error message from the server saying:
SECU3504: Digital signature verification failure.
Signature failed core validation
Signature validation status: true
ref[#id-32e3db92-b6fd-42a5-b032-a0dc2a15ae82] validity status: false
ref[#id-2b67ce75-e25f-4f66-b265-80a0e31911ec] validity status: false
Here is my Java code:
// Load KeyStore from .PFX certificate
KeyStore store = KeyStore.getInstance("PKCS12");
store.load(new FileInputStream(certificateFileName), certificatePassword.toCharArray());
// Build XML Document from String
String data = "..."; // Same request as in SoapUI
DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
doc = dBuilder.parse(new ByteArrayInputStream(data.getBytes()));
// Load certificate
String alias = store.aliases().nextElement(); // There's only one
PrivateKeyEntry keyEntry = (PrivateKeyEntry)store.getEntry(alias, new KeyStore.PasswordProtection(password.toCharArray()));
X509Certificate cert = (X509Certificate) keyEntry.getCertificate();
// Add <wsse:Security> tag.
WSSecHeader secHeader = new WSSecHeader();
secHeader.setMustUnderstand(false);
secHeader.insertSecurityHeader(doc);
// It is not added to the right place, so move it under the right header
Node n = doc.getFirstChild().getFirstChild().getFirstChild();
Element elemEnvelope = (Element)doc.getElementsByTagName("soapenv:Envelope").item(0);
Element elemNewHeader = (Element)doc.getElementsByTagName("Header").item(0);
Element elemSoapHeader = (Element)doc.getElementsByTagName("soapenv:Header").item(0);
Element elemBody = (Element)doc.getElementsByTagName("soapenv:Body").item(0);
Element elemHeader = (Element)doc.getElementsByTagName("ns1:CAISOWSHeader").item(0);
elemSoapHeader.insertBefore(n, elemHeader);
elemEnvelope.removeChild(elemNewHeader);
// Setup signing algorithm
WSSecSignature builder = new WSSecSignature();
builder.setX509Certificate(cert);
builder.setUserInfo(alias, password);
builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
builder.setSignatureAlgorithm(WSConstants.RSA_SHA1);
builder.setSigCanonicalization(WSConstants.C14N_EXCL_OMIT_COMMENTS);
builder.setDigestAlgo(WSConstants.SHA1);
builder.setUseSingleCertificate(true);
// Set message parts to sign
List<WSEncryptionPart> parts = new ArrayList<WSEncryptionPart>();
WSEncryptionPart bodyPart1 = new WSEncryptionPart("Body", WSConstants.URI_SOAP11_ENV, "Content");
WSEncryptionPart bodyPart2 = new WSEncryptionPart("CAISOWSHeader", "http://www.caiso.com/soa/2006-09-30/CAISOWSHeader.xsd", "Content");
bodyPart1.setElement(elemBody);
bodyPart2.setElement(elemHeader);
parts.add(bodyPart1);
parts.add(bodyPart2);
builder.getParts().addAll(parts);
// Set keystore and sign the document
Properties properties = new Properties();
properties.setProperty("org.apache.ws.security.crypto.provider", "org.apache.wss4j.common.crypto.Merlin");
Merlin crypto = (Merlin)CryptoFactory.getInstance(properties);
crypto.setKeyStore(store);
doc = builder.build(doc, crypto, secHeader);
String docStr = this.toString(doc); // This method generates a string of the Document.
// Send SOAP message
CloseableHttpClient httpclient = HttpClients.custom().setSSLSocketFactory(sslsf).build();
HttpPost httppost = new HttpPost(this.url);
HttpEntity entity = new ByteArrayEntity(docStr .getBytes("UTF-8"));
httppost.setEntity(entity); // Signed Body
httppost.addHeader("SOAPAction", "http://www.caiso.com/soa/retrieveConvergenceBidAwards_v2");
HttpResponse response = httpclient.execute(httppost);
String respStr = EntityUtils.toString(response.getEntity());
I managed to make successful calls in SoapUI with the following security settings:
The request I put in SoapUI is the following (Dates/MessageId/Nonce are generated on the spot, but for the sake of readability, I will hardcode them here):
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:stan="http://www.caiso.com/soa/2006-06-13/StandardAttachmentInfor.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<ns1:CAISOWSHeader xmlns:ns1="http://www.caiso.com/soa/2006-09-30/CAISOWSHeader.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soapenv:actor="" soapenv:mustUnderstand="0">
<ns1:CAISOUsernameToken>
<ns1:Username>CN=XXXX, OU=people, O=XXXX, C=US</ns1:Username>
<Nonce xmlns:ns2="http://schemas.xmlsoap.org/ws/2002/07/secext" EncodingType="http://docs.oasisopen.org/wss/2004/01/oasis-200401wss-soap-message-security-1.0#Base64Binary">MGNkNmU5ODMtZjcyZC00YTAyLWE5NWMtM2Q5Y2RjMTEyNDA1</Nonce>
<Created xmlns:ns3="http://schemas.xmlsoap.org/ws/2002/07/utility">2018-03-02T21:13:45.932Z</Created>
</ns1:CAISOUsernameToken>
<CAISOMessageInfo>
<MessageID>06c3379d-f10e-45f2-84eb-9262acce277e</MessageID>
<Timestamp>
<Created xmlns:ns4="http://schemas.xmlsoap.org/ws/2002/07/utility">2018-03-02T21:13:45.932Z</Created>
<Expires xmlns:ns5="http://schemas.xmlsoap.org/ws/2002/07/utility">2018-03-02T23:13:45.932Z</Expires>
</Timestamp>
</CAISOMessageInfo>
</ns1:CAISOWSHeader>
<attachmentHash xmlns:ns7="http://www.caiso.com/mrtu/soa/schemas/2005/09/attachmenthash" actor="http://schemas.xmlsoap.org/soap/actor/next" mustUnderstand="0">
<hashValue />
</attachmentHash>
<standardAttachmentInfor xmlns:ns1="http://www.caiso.com/soa/2006-06-13/StandardAttachmentInfor.xsd">
<Attachment>
<id>1</id>
<compressFlag>yes</compressFlag>
<compressMethod>gzip</compressMethod>
</Attachment>
</standardAttachmentInfor>
</soapenv:Header>
<soapenv:Body>
<retrieveConvergenceBidAwards_v2>
<RequestConvergenceBidAwards>
<MessagePayload>
<RequestConvergenceBidAwardRecord>
<dateTimeEnd>2018-02-02T08:00:00Z</dateTimeEnd>
<dateTimeStart>2018-02-01T08:00:00Z</dateTimeStart>
<SchedulingCoordinatorList>
<schedulingCoordinator>XXXX</schedulingCoordinator>
</SchedulingCoordinatorList>
</RequestConvergenceBidAwardRecord>
</MessagePayload>
</RequestConvergenceBidAwards>
</retrieveConvergenceBidAwards_v2>
</soapenv:Body>
</soapenv:Envelope>
I have no idea where the issue is. Is it during the signing process, during the conversion from Document to String or in the way I perform the HTTP request?
Help is greatly appreciated :)
I know this is an old question but I was struggling with this and I finally found a way to generate the signature like Soap UI does this is my code:
public String handleMessage(SOAPMessage message) {
String ret;
try {
Document doc = message.getSOAPBody().getOwnerDocument();
Crypto crypto = CryptoFactory.getInstance(properties); //File
WSSecSignature sign = new WSSecSignature();
sign.setUserInfo(properties.getProperty("org.apache.ws.security.crypto.merlin.keystore.alias"), properties.getProperty("privatekeypassword"));
sign.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE); // Binary Security Token - SecurityTokenReference
sign.setUseSingleCertificate(true);
sign.setDigestAlgo(DigestMethod.SHA256);
WSSecHeader secHeader = new WSSecHeader();
secHeader.insertSecurityHeader(doc);
Document signedDoc = sign.build(doc, crypto, secHeader);
ret = org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(signedDoc);
} catch (SOAPException e) {
e.printStackTrace();
return null;
} catch (WSSecurityException e) {
e.printStackTrace();
throw new RuntimeException("Error: " + e.getMessage());
}
return ret;
}
This code was take from: https://sourceforge.net/p/signsoaprequest/code/HEAD/tree/SignSOAPRequest/trunk/src/main/java/br/gov/dataprev/soaptools/sign/