Search code examples
web-servicescxfws-securitysoapuisigning

"*Certificate not found* (from client)" when calling Web Service that requires signing

I have a peculiar problem when calling a web service that expects the message to be signed using WS-Security. If I call using my client application (using Apache CXF) I get a HTTP 500 error message:

*Certificate not found* (from client)

while if I call the same service using SoapUI, configured for signing with the same key and key-store, it works as expected.

I noticed that the <KeyInfo> part of the call differs between CXF and SoapUI. With CXF (as below) the KeyInfo is a lot more detailed with <X509Data> sections etc while the SoapUI call contains just a simple <SecurityTokenReference>. I suspect that this difference might be the cause of the server not being able to identify the certificate used for signing.

Unfortunately I'm not in control of the server side thus I cannot do much investigation there. It would be nice to know if this is a known problem and if there are any workarounds?

Regards, Ola

CXF:

<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="KeyId-1007572087">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-1355509614"><ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509IssuerSerial xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509IssuerName xmlns:ds="http://www.w3.org/2000/09/xmldsig#">C=SE,O=Company,CN=Company Test Corporate CA 01,SERIALNUMBER=516406-0120</ds:X509IssuerName>
    <ds:X509SerialNumber xmlns:ds="http://www.w3.org/2000/09/xmldsig#">29382</ds:X509SerialNumber>
</ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo>

SoapUI:

<ds:KeyInfo Id="KeyId-850CCDA383426C4A1E129683271974138"><wsse:SecurityTokenReference wsu:Id="STRId-850CCDA383426C4A1E129683271974139" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:Reference URI="#CertId-850CCDA383426C4A1E129683271974137" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/></wsse:SecurityTokenReference></ds:KeyInfo>
Solution

  • Apparently the trick is to configure the WSS4JOutInterceptor's signatureKeyIdentifier property to "DirectReference" which creates a KeyInfo similar to SoapUI, i.e. it's accepted by the server.

                <spring:bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
            <spring:constructor-arg>
                <spring:map>
                    <spring:entry key="signatureKeyIdentifier" value="DirectReference"/>
                </spring:map>