Signing soap message using WSS4j in Java

Vincent L picture Vincent L · Mar 2, 2018 · Viewed 7.9k times · Source

I am writing a Java client application that needs to sign a SOAP message (with 2 parts in it) and send it to a remote server before fetching the response. I managed to make successful calls in SoapUI (see request and screenshot below).

I have most of the code ready, but I keep getting an error message from the server saying:

SECU3504: Digital signature verification failure.
Signature failed core validation

Signature validation status: true
ref[#id-32e3db92-b6fd-42a5-b032-a0dc2a15ae82] validity status: false
ref[#id-2b67ce75-e25f-4f66-b265-80a0e31911ec] validity status: false 

Here is my Java code:

// Load KeyStore from .PFX certificate
KeyStore store = KeyStore.getInstance("PKCS12");
store.load(new FileInputStream(certificateFileName), certificatePassword.toCharArray());

// Build XML Document from String
String data = "..."; // Same request as in SoapUI
DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
doc = dBuilder.parse(new ByteArrayInputStream(data.getBytes()));

// Load certificate
String alias = store.aliases().nextElement(); // There's only one
PrivateKeyEntry keyEntry = (PrivateKeyEntry)store.getEntry(alias, new KeyStore.PasswordProtection(password.toCharArray()));
X509Certificate cert = (X509Certificate) keyEntry.getCertificate();

// Add <wsse:Security> tag.
WSSecHeader secHeader = new WSSecHeader();
secHeader.setMustUnderstand(false);
secHeader.insertSecurityHeader(doc);

// It is not added to the right place, so move it under the right header       
Node n = doc.getFirstChild().getFirstChild().getFirstChild();           
Element elemEnvelope = (Element)doc.getElementsByTagName("soapenv:Envelope").item(0);
Element elemNewHeader = (Element)doc.getElementsByTagName("Header").item(0);
Element elemSoapHeader = (Element)doc.getElementsByTagName("soapenv:Header").item(0);           
Element elemBody = (Element)doc.getElementsByTagName("soapenv:Body").item(0);
Element elemHeader = (Element)doc.getElementsByTagName("ns1:CAISOWSHeader").item(0);
elemSoapHeader.insertBefore(n, elemHeader);
elemEnvelope.removeChild(elemNewHeader);

// Setup signing algorithm
WSSecSignature builder = new WSSecSignature();
builder.setX509Certificate(cert);
builder.setUserInfo(alias, password);
builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
builder.setSignatureAlgorithm(WSConstants.RSA_SHA1);
builder.setSigCanonicalization(WSConstants.C14N_EXCL_OMIT_COMMENTS);            
builder.setDigestAlgo(WSConstants.SHA1);
builder.setUseSingleCertificate(true);

// Set message parts to sign
List<WSEncryptionPart> parts = new ArrayList<WSEncryptionPart>();
WSEncryptionPart bodyPart1 = new WSEncryptionPart("Body", WSConstants.URI_SOAP11_ENV, "Content");
WSEncryptionPart bodyPart2 = new WSEncryptionPart("CAISOWSHeader", "http://www.caiso.com/soa/2006-09-30/CAISOWSHeader.xsd", "Content");
bodyPart1.setElement(elemBody);
bodyPart2.setElement(elemHeader);
parts.add(bodyPart1);
parts.add(bodyPart2);
builder.getParts().addAll(parts);           

// Set keystore and sign the document
Properties properties = new Properties();
properties.setProperty("org.apache.ws.security.crypto.provider", "org.apache.wss4j.common.crypto.Merlin");

Merlin crypto = (Merlin)CryptoFactory.getInstance(properties);
crypto.setKeyStore(store);

doc = builder.build(doc, crypto, secHeader);
String docStr = this.toString(doc); // This method generates a string of the Document.

// Send SOAP message
CloseableHttpClient httpclient = HttpClients.custom().setSSLSocketFactory(sslsf).build();
HttpPost httppost = new HttpPost(this.url);
HttpEntity entity = new ByteArrayEntity(docStr .getBytes("UTF-8"));
httppost.setEntity(entity); // Signed Body
httppost.addHeader("SOAPAction", "http://www.caiso.com/soa/retrieveConvergenceBidAwards_v2");

HttpResponse response = httpclient.execute(httppost);
String respStr = EntityUtils.toString(response.getEntity());

I managed to make successful calls in SoapUI with the following security settings:enter image description here

The request I put in SoapUI is the following (Dates/MessageId/Nonce are generated on the spot, but for the sake of readability, I will hardcode them here):

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:stan="http://www.caiso.com/soa/2006-06-13/StandardAttachmentInfor.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <soapenv:Header>
      <ns1:CAISOWSHeader xmlns:ns1="http://www.caiso.com/soa/2006-09-30/CAISOWSHeader.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soapenv:actor="" soapenv:mustUnderstand="0">
         <ns1:CAISOUsernameToken>
            <ns1:Username>CN=XXXX, OU=people, O=XXXX, C=US</ns1:Username>
            <Nonce xmlns:ns2="http://schemas.xmlsoap.org/ws/2002/07/secext" EncodingType="http://docs.oasisopen.org/wss/2004/01/oasis-200401wss-soap-message-security-1.0#Base64Binary">MGNkNmU5ODMtZjcyZC00YTAyLWE5NWMtM2Q5Y2RjMTEyNDA1</Nonce>
            <Created xmlns:ns3="http://schemas.xmlsoap.org/ws/2002/07/utility">2018-03-02T21:13:45.932Z</Created>
         </ns1:CAISOUsernameToken>
         <CAISOMessageInfo>
            <MessageID>06c3379d-f10e-45f2-84eb-9262acce277e</MessageID>
            <Timestamp>
               <Created xmlns:ns4="http://schemas.xmlsoap.org/ws/2002/07/utility">2018-03-02T21:13:45.932Z</Created>
               <Expires xmlns:ns5="http://schemas.xmlsoap.org/ws/2002/07/utility">2018-03-02T23:13:45.932Z</Expires>
            </Timestamp>
         </CAISOMessageInfo>
      </ns1:CAISOWSHeader>
      <attachmentHash xmlns:ns7="http://www.caiso.com/mrtu/soa/schemas/2005/09/attachmenthash" actor="http://schemas.xmlsoap.org/soap/actor/next" mustUnderstand="0">
         <hashValue />
      </attachmentHash>
      <standardAttachmentInfor xmlns:ns1="http://www.caiso.com/soa/2006-06-13/StandardAttachmentInfor.xsd">
         <Attachment>
            <id>1</id>
            <compressFlag>yes</compressFlag>
            <compressMethod>gzip</compressMethod>
         </Attachment>
      </standardAttachmentInfor>
   </soapenv:Header>
   <soapenv:Body>
      <retrieveConvergenceBidAwards_v2>
         <RequestConvergenceBidAwards>
            <MessagePayload>
               <RequestConvergenceBidAwardRecord>
                  <dateTimeEnd>2018-02-02T08:00:00Z</dateTimeEnd>
                  <dateTimeStart>2018-02-01T08:00:00Z</dateTimeStart>
                  <SchedulingCoordinatorList>
                     <schedulingCoordinator>XXXX</schedulingCoordinator>
                  </SchedulingCoordinatorList>
               </RequestConvergenceBidAwardRecord>
            </MessagePayload>
         </RequestConvergenceBidAwards>
      </retrieveConvergenceBidAwards_v2>
   </soapenv:Body>
</soapenv:Envelope>

I have no idea where the issue is. Is it during the signing process, during the conversion from Document to String or in the way I perform the HTTP request?

Help is greatly appreciated :)

Answer

Julian Mesa picture Julian Mesa · Jul 24, 2018

I know this is an old question but I was struggling with this and I finally found a way to generate the signature like Soap UI does this is my code:

public String handleMessage(SOAPMessage message) {
        String ret;
        try {
            Document doc = message.getSOAPBody().getOwnerDocument();
            Crypto crypto = CryptoFactory.getInstance(properties); //File

            WSSecSignature sign = new WSSecSignature();
            sign.setUserInfo(properties.getProperty("org.apache.ws.security.crypto.merlin.keystore.alias"), properties.getProperty("privatekeypassword"));
            sign.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE); // Binary Security Token - SecurityTokenReference
            sign.setUseSingleCertificate(true);
            sign.setDigestAlgo(DigestMethod.SHA256);

            WSSecHeader secHeader = new WSSecHeader();
            secHeader.insertSecurityHeader(doc);
            Document signedDoc = sign.build(doc, crypto, secHeader);

            ret = org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(signedDoc);

        } catch (SOAPException e) {
            e.printStackTrace();
            return null;
        } catch (WSSecurityException e) {
            e.printStackTrace();
            throw new RuntimeException("Error: " + e.getMessage());
        }
        return ret;
    }

This code was take from: https://sourceforge.net/p/signsoaprequest/code/HEAD/tree/SignSOAPRequest/trunk/src/main/java/br/gov/dataprev/soaptools/sign/