Fwd: [gt-user] GSI Secure Message: Signature or decryption invalid

This question goes to the core of some of what we are talking about in the OGSA Security design team discussions and AuthN-WG work design. Comments are welcome.
Alan
Begin forwarded message:
From: "Kleopatra Konstanteli" <kkonst@telecom.ntua.gr>
Date: March 1, 2007 9:07:02 AM CST
To: <gt-user@globus.org>
Subject: RE: [gt-user] GSI Secure Message: Signature or decryption invalid
Hi all,
Does GT4’s implementation of Secure Message interoperate with WSRF.NET’s one? A paper about interoperability between different WSRF implementations (http://www.cs.virginia.edu/~humphrey/papers/WSRFComparison2005.pdf) specifies that there is no interoperability in terms of Secure Conversation because WSRF.NET builds upon WSE.
Does the same apply for Secure Message since WSE is used for this purpose in WSRF.NET as well? Can anyone help me please?
Thank you,
Kleopatra
From: owner-gt-user@globus.org [mailto:owner-gt-user@globus.org] On Behalf Of Kleopatra Konstanteli
Sent: Tuesday, February 27, 2007 7:08 PM
To: gt-user@globus.org
Subject: [gt-user] GSI Secure Message: Signature or decryption invalid
Hello all,
When using a WSRF.NET client to invoke a secure GT4 service using WS-Security (WSE 3.0) I obtain the following error:
System.Web.Services.Protocols.SoapException:
SOAP-Fault code: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd:FailedCheck
Message: The signature or decryption was invalid
in System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
in System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
in MathService.MathServiceWse.subtract(Int32 subtractValue) in C:\SecurityTest\WSSecurityCertificatePolicyClient\Web References\MathService\Reference.cs:riga 128
in WSSecurityCertificatePolicyClient.WSSecurityCertificateClient.Run() in C:\SecurityTest\WSSecurityCertificatePolicyClient\WSSecurityCertificateClient.cs:riga 110
in WSSecurityCertificatePolicyClient.WSSecurityCertificateClient.Main(String[] args) in C:\SecurityTest\WSSecurityCertificatePolicyClient\WSSecurityCertificateClient.cs:riga 66…
The secure GT4 service that is used is the one included in the examples from the Borja Sotomayor book “Globus Toolkit 4: Programming Java Services”. The certificate used is issued by an external CA that my GT4 installation has been configured to trust. When using a GT4 client there is no problem.
The SOAP request that the .NET client sends out is the following:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<wsa:Action wsu:Id="Id-5dc3847c-2b32-4c89-b221-ae6b51bda267">http://www.globus.org/namespaces/examples/MathService_instance_4op/MathPortType/subtractRequest</wsa:Action>
<wsa:MessageID wsu:Id="Id-ef19c334-ea85-4261-b460-ac626331f9d7">urn:uuid:f0b89b6c-c8b3-4f40-8c5d-1f48bfa371d0</wsa:MessageID>
<wsa:ReplyTo wsu:Id="Id-6ee907b3-2091-4209-859e-f60c58c52298"><wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address></wsa:ReplyTo>
<wsa:To wsu:Id="Id-3ab411a1-538e-4bab-9467-c7d4d85cd2c3">http://147.102.19.157:8080/wsrf/services/examples/security/first/MathService</wsa:To>
<wsse:Security soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="Timestamp-4ac3ee2e-906e-43de-9ecc-f3795aaf2c5d">
<wsu:Created>2007-02-27T14:44:57Z</wsu:Created>
<wsu:Expires>2007-02-27T14:49:57Z</wsu:Expires></wsu:Timestamp>
<wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="SecurityToken-b7ff426b-cd9b-445f-b379-1d930ed5a40f">
MIIFUjCCBDqgAwIBAgIBKjANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UEBhMCREUxGjAYBg NVBAo
TEVRlc3RiZWQgU3R1dHRnYXJ0MREwDwYDVQQLEwhBa29ncmltbzEUMBIGA1UEAxMLQWtvZ 3JpbW
8gQ0ExLjAsBgkqhkiG9w0BCQEWH0RhdmlkLkx1dHpAcnVzLnVuaS1zdHV0dGdhcnQuZGUw HhcNM
DcwMjI3MTE0OTE2WhcNMDcwOTE1MTE0OTE2WjBQMQswCQYDVQQGEwJERTERMA8GA1UEChM IQWtv
Z3JpbW8xETAPBgNVBAsTCEludGVybmV0MQ4wDAYDVQQDEwVDUk1QQTELMAkGA1UEBRMCND IwgZ8
wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL0jTULOpwcOF1hftFfAn/ x1kUkprDk6VfELzGKTAT
i+1pF0hJXV1JLOvS8XknOwRxdIaxU/0hirXS47OEf2OF2/ ezw8WPHWgCeC2ELCf5FCgOd1qn7F9
dXDrHrOzvCz6WF9tD0QOcPS +xIg7tl8SqJX36dDwSA0WTb3nKg67wNXAgMBAAGjggKGMIICgjAJ
BgNVHRMEAjAAMEgGA1UdIARBMD8wBgYEKgMDBDAGBgQqAwMFMC0GBCoDAwYwJTAjBggrBg EFBQc
CARYXaHR0cDovL3NvbWUudXJsLm9yZy9jcHMwEQYJYIZIAYb4QgEBBAQDAgWgMAsGA1UdD wQEAw
IE8DApBgNVHSUEIjAgBggrBgEFBQcDAgYIKwYBBQUHAwQGCisGAQQBgjcUAgIwKwYJYIZI AYb4Q
gENBB4WHFVzZXIgQ2VydGlmaWNhdGUgb2YgQWtvZ3JpbW8wHQYDVR0OBBYEFFxon/ CS0QHegAmT
oJTkBG5OfJLUMIG3BgNVHSMEga8wgayAFK1nDk0hJbjJ6B1HIXe+ox6Sv3/ UoYGIpIGFMIGCMQs
wCQYDVQQGEwJERTEaMBgGA1UEChMRVGVzdGJlZCBTdHV0dGdhcnQxETAPBgNVBAsTCEFrb 2dyaW
1vMRQwEgYDVQQDEwtBa29ncmltbyBDQTEuMCwGCSqGSIb3DQEJARYfRGF2aWQuTHV0ekBy dXMud
W5pLXN0dXR0Z2FydC5kZYIJAPlPMFjLt4H/ MCEGA1UdEQQaMBiBFm5yb21hbm9AY3JtcGEudW5p
c2EuaXQwKgYDVR0SBCMwIYEfRGF2aWQuTHV0ekBydXMudW5pLXN0dXR0Z2FydC5kZTAoBg lghkg
BhvhCAQQEGxYZaHR0cDovLy9wdWIvY3JsL2NhY3JsLmNybDAoBglghkgBhvhCAQMEGxYZa HR0cD
ovLy9wdWIvY3JsL2NhY3JsLmNybDA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vMTkyLjEw OC4zN
y43OC9wdWIvY3JsL2NhY3JsLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAL0EcHCpi3Nv +2HoRPGkq
EJM2SWKLgU92t86NFNIEXeq3zfVYcoosUxTrQIi9USunofBz73ZOWG4DCMSiCfCMREnImi /MeSI
ZWbWeo34nv1JlP4VwlOyl0bheb5Sjml9hHtmKozvBkjLhwtW/gzUHlqHyVs9vV0Xc/ 5CyPPyRIU
GDFOLALCehxrNCFEqsz6eNcYi2HG07tVCNLbcNGNQqtqc511c94SLQOMCL6TyEMHjulyhW xmwi4
SSBxSik9rYHm889GSslrcdsz+Jz2jnJmGVtDXMQueZPOkD9ez7ch0wspiW1/ wb09wNWUBk6nAr1
ACsXMnh7yaRUMtD1WLV3ZQ==</wsse:BinarySecurityToken><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#Id-5dc3847c-2b32-4c89-b221-ae6b51bda267">
<Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>3jg0oLM2rgwkCPp3/UEMzAJ0xqE=</DigestValue>
</Reference>
<Reference URI="#Id-ef19c334-ea85-4261-b460-ac626331f9d7">
<Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>kT5HUy3NKW7LxbJqw9KYysZ4WGc=</DigestValue>
</Reference>
<Reference URI="#Id-6ee907b3-2091-4209-859e-f60c58c52298">
<Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>9rjmjy+UPKyirXwsgowC448djOU=</DigestValue>
</Reference>
<Reference URI="#Id-3ab411a1-538e-4bab-9467-c7d4d85cd2c3">
<Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>hJ43DwpWlARhRsF3lgrscIuVmFw=</DigestValue>
</Reference>
<Reference URI="#Timestamp-4ac3ee2e-906e-43de-9ecc-f3795aaf2c5d">
<Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>eGBpSN1gHvqLW99W/8qkWf7hchI=</DigestValue>
</Reference>
<Reference URI="#Id-7748d805-ccf9-4da8-b80b-855d9be2360f">
<Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>fcVl/3wkgtUHIpAt3b+IMC8HXCY=</DigestValue>
</Reference></SignedInfo>
<SignatureValue>It06wTUqrTtjkWmX8RKeQSPOgMyOiuE6hYlIKSHDVOBEzDeJnPCVsckp3hYg2r74rSczGAxxeh8/AjTvBXF9GKvZhfeid4jLTOP8P/4M32M/4qg8ZApIkk+65KvKJiREdYxzJCOAP4MLhU19/+vlLmV+WuaPbusK86EfJMJPivU=</SignatureValue>
<KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#SecurityToken-b7ff426b-cd9b-445f-b379-1d930ed5a40f" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference></KeyInfo>
</Signature></wsse:Security>
</soap:Header><soap:Body wsu:Id="Id-7748d805-ccf9-4da8-b80b-855d9be2360f">
<subtract xmlns="http://www.globus.org/namespaces/examples/MathService_instance_4op"><subtractValue xmlns="">3</subtractValue></subtract>
</soap:Body></soap:Envelope>
The error message is very vague. To the best of my knowledge, there is no problem with the certificate but with the signature. For some reason the reconstructed message doesn’t have the form that it should have and the signature check fails.
Can anyone help me?
Thank you in advance,
Kleopatra
Alan Sill, Ph.D
TIGRE Senior Scientist, High Performance Computing Center
Adjunct Professor of Physics, TTU
Alan Sill, Texas Tech University
Office: Admin 233, MS 4-1167
e-mail: Alan.Sill@ttu.edu ph. 806-742-4350 fax 806-742-4358
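A structural pre-check for the kind of FailedCheck fault reported in the message above, added here as an example (it is not code from the thread, GT4 or WSRF.NET): it resolves every ds:Reference URI to exactly one wsu:Id element and confirms that the SOAP Body is among the signed parts. The function names and the shortened sample envelope are assumptions constructed for illustration; digests and the signature value are not recomputed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU_ID = "{%s}Id" % WSU

def check_references(envelope_xml):
    """Map each ds:Reference URI to (status, tag).

    status is 'ok' (exactly one target), 'missing', 'duplicate'
    (ambiguous target, which a verifier should reject) or 'external'.
    """
    root = ET.fromstring(envelope_xml)
    by_id = defaultdict(list)
    for el in root.iter():
        if WSU_ID in el.attrib:
            by_id[el.attrib[WSU_ID]].append(el)
    report = {}
    # Only ds:Reference is matched; wsse:Reference inside KeyInfo is skipped.
    for ref in root.iter("{%s}Reference" % DS):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            report[uri] = ("external", None)
            continue
        targets = by_id.get(uri[1:], [])
        if len(targets) == 1:
            report[uri] = ("ok", targets[0].tag)
        else:
            report[uri] = ("duplicate" if targets else "missing", None)
    return report

def body_is_signed(envelope_xml):
    """True only if soap:Body carries a wsu:Id that one Reference resolves to."""
    body = ET.fromstring(envelope_xml).find("{%s}Body" % SOAP)
    if body is None or body.get(WSU_ID) is None:
        return False
    report = check_references(envelope_xml)
    return report.get("#" + body.get(WSU_ID), ("",))[0] == "ok"

# Constructed sample modelled on the posted request: ids shortened, digests
# omitted, and the Timestamp element deliberately left out.
SAMPLE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsu="{WSU}">
 <soap:Header>
  <Action xmlns="http://schemas.xmlsoap.org/ws/2004/08/addressing"
          wsu:Id="Id-action">urn:example:subtractRequest</Action>
  <Signature xmlns="{DS}"><SignedInfo>
   <Reference URI="#Id-action"/>
   <Reference URI="#Id-body"/>
   <Reference URI="#Timestamp-1"/>
  </SignedInfo></Signature>
 </soap:Header>
 <soap:Body wsu:Id="Id-body"><subtractValue>3</subtractValue></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    for uri, (status, tag) in check_references(SAMPLE).items():
        print(f"{uri:15} {status:10} {tag}")
    print("body signed:", body_is_signed(SAMPLE))
```

A clean report only rules out dangling or ambiguous references; a digest mismatch after canonicalization would still need to be checked against the receiving stack's own verifier.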

Kleopatra et al.,
Short answer is yes. We can submit jobs to GT4 via WSRF.NET clients. We can submit jobs to WSRF.NET via a GT4 client. Each server can understand the other's client's WS-Security-framed message (presumably username/password works, but we don't use it -- we only use X.509).
Regarding SecureConversation, you're referring to the following statement in the paper you reference (HPDC 2005):
"However, WSRF.NET's implementation of Secure Conversation will not interoperate with the other three systems' SecureConversation implementations because WSRF.NET inherits its SecureConversation from WSE. While the SecureConversation spec defines message formats for the exchange of cryptographic data necessary to establish a secure session, it does not define a single algorithm for computing that data, and WSE and GT4/pyGridWare implement different algorithms."
Yes, this is still true as far as we know (frankly, we don't encounter issues with SecureConversation, because we don't tend to see much use of it).
I hope this helps,
Marty
-----Original Message-----
From: ogsa-wg-bounces@ogf.org [mailto:ogsa-wg-bounces@ogf.org] On Behalf Of Alan Sill
Sent: Thursday, March 01, 2007 10:11 AM
To: OGSA Authentication WG BoF
Cc: ogsa-wg@gridforum.org
Subject: [ogsa-wg] Fwd: [gt-user] GSI Secure Message: Signature or decryption invalid
This question goes to the core of some of what we are talking about in the OGSA Security design team discussions and AuthN-WG work design. Comments are welcome.
Alan
Begin forwarded message:
participants (2)
- Alan Sill
- Marty Humphrey