I'm using WSS4J to verify sign and timestamp in soap messages. But when I receive message without signed timestamp part wssj4 thinks that everything is ok, and I would like to see error in that situation.
My good message looks like that:
<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-3">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ds:Reference URI="#id-2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>u8CMT7Q7fJJ1Dv5dEmzGU1FO5Y0=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#TS-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>m8XN2C3FUjK4WHAXhO9gLI82XeE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>X9EntCBO7nmNrYsYuugpHxN13wSUNhTF4exkRRWj0tTrfEqbz8potg==</ds:SignatureValue>
<ds:KeyInfo Id="KI-B60AEEFF94DBA35E9413402583324452">
<wsse:SecurityTokenReference wsu:Id="STR-B60AEEFF94DBA35E9413402583324473">
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=TEST,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown</ds:X509IssuerName>
<ds:X509SerialNumber>1332750124</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="TS-1">
<wsu:Created>2012-06-21T05:58:52.392Z</wsu:Created>
<wsu:Expires>2012-06-21T06:03:52.392Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-2">
[...]
</soap:Body>
</soap:Envelope>
And bad message (this one should throw exception something like “timestamp not signed”):
<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-3">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ds:Reference URI="#id-2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>u8CMT7Q7fJJ1Dv5dEmzGU1FO5Y0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>U6TSJXJTCryEm5FhoMBbEoiUIL0jjFDvPxPJ3ihoOHsWCwk4t3++2w==</ds:SignatureValue>
<ds:KeyInfo Id="KI-9AEDF8EC92B112ADE113402583983992">
<wsse:SecurityTokenReference wsu:Id="STR-9AEDF8EC92B112ADE113402583984013">
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=TEST,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown</ds:X509IssuerName>
<ds:X509SerialNumber>1332750124</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="TS-1">
<wsu:Created>2012-06-21T05:59:58.376Z</wsu:Created>
<wsu:Expires>2012-06-21T06:04:58.376Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-2">
[...]
</soap:Body>
</soap:Envelope>
So my bad message doesn't contains:
<ds:Reference URI="#TS-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>m8XN2C3FUjK4WHAXhO9gLI82XeE=</ds:DigestValue>
</ds:Reference>
Currently I have my veryfying interceptor configured like that:
// verifying incepteptor
final String actions = WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE;
Map<String, Object> inProps = new HashMap<String, Object>();
Map<QName, Validator> validatorMap = new HashMap<QName, Validator>();
validatorMap.put(WSSecurityEngine.SIGNATURE, new SignatureTrustValidator());
validatorMap.put(WSSecurityEngine.TIMESTAMP, new TimeStampValidator());
inProps.put(WSS4JInInterceptor.VALIDATOR_MAP, validatorMap);
inProps.put(WSHandlerConstants.ACTION, actions);
inProps.put(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp");
inProps.put(WSHandlerConstants.SIG_PROP_FILE, SIG_PROPFILE);
WSS4JInInterceptor verifying = new WSS4JInInterceptor(inProps);
How to setup wss4j to achieve such behavior? BTW: CXF version: 2.5.1 WSS4J version: 1.6.2
And the answer is org.apache.cxf.ws.security.wss4j.CryptoCoverageChecker:
<util:constant id="typeSigned" static-field="org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType.SIGNED"/>
<util:constant id="scoopeElement" static-field="org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope.ELEMENT"/>
<util:map id="prfx">
<entry key="soap" value="http://schemas.xmlsoap.org/soap/envelope/"/>
<entry key="wsse" value="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
<entry key="wsu" value="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"/>
</util:map>
<bean id="bodyVerifier" class="org.apache.cxf.ws.security.wss4j.CryptoCoverageChecker.XPathExpression">
<constructor-arg index="0" value="/soap:Envelope/soap:Body" />
<constructor-arg index="1"><ref bean="typeSigned" /></constructor-arg>
<constructor-arg index="2"><ref bean="scoopeElement" /></constructor-arg>
</bean>
<bean id="timestampVerifier" class="org.apache.cxf.ws.security.wss4j.CryptoCoverageChecker.XPathExpression">
<constructor-arg index="0" value="/soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp" />
<constructor-arg index="1"><ref bean="typeSigned" /></constructor-arg>
<constructor-arg index="2"><ref bean="scoopeElement" /></constructor-arg>
</bean>
<util:list id="paths" >
<ref bean="bodyVerifier" />
<ref bean="timestampVerifier" />
</util:list>
<bean id="coverageChecker" class="org.apache.cxf.ws.security.wss4j.CryptoCoverageChecker">
<constructor-arg index="0"><ref bean="prfx" /></constructor-arg>
<constructor-arg index="1"><ref bean="paths" /></constructor-arg>
</bean>
And next we must add this as interceptor:
<jaxws:endpoint id="someId" implementor="#example" address="/">
<jaxws:inInterceptors>
<ref bean="coverageChecker" />
</jaxws:inInterceptors>
</jaxws:endpoint>