Ws Security signature verification

Not applicable

Hi,

I'm trying to use the library from https://github.com/DinoChiesa/ApigeeEdge-Java-WsSec-Signature to verify incoming requests signed with WS-Security. I have installed the example-bundle with the importAndDeploy tool.

I keep on getting the "Could not initialize class org.apache.wss4j.dom.engine.WSSConfig" error while performing the /verify use cases, while all jars are installed in the resource folder through the tool.

Any hints on how to resolve this?

Thanks,

Eelco

ACCEPTED SOLUTION

Between the time I posted the original Ws-Security callout and now, something has changed in the MP to prevent the initialization of the WSS4J library within a Java Callout. This is preventing the callout from working correctly. At the moment the runtime error is not "handle-able" or "catchable" by your own Java code.

I don't have a good suggestion for a solution at this time.

I could suggest using a Hosted Target with nodejs code, but there are no good, proven WS-Sec libraries for nodejs, that I have been able to find. Also, the Hosted Target does not allow the use of non-JavaScript runtimes at the moment, so... no Java, no .NET. Either of those would be able to handle WS-Security, but you cannot use them in a Hosted Target, for now anyway.

I suggest opening a ticket with Apigee Support and requesting

  • help diagnosing the initialization failure in the Java callout
  • support for a better extensibility model which would allow you to use Java in Hosted Targets

Sorry I don't have a better answer!


Update

As of October 2019, there is now a new, different callout that will work for this purpose.

https://github.com/DinoChiesa/ApigeeEdge-Java-WsSec-Signature-2


Hi, I wrote that callout jar. Maybe I can help you.

It's hard to know why you're experiencing the problem, without further details.

Most often, the problem is the WSS4J configuration cannot be read properly. This could be because the crypto.properties file is not included in the expected location, or because it has incorrect information, or the key is missing. The second common cause of problems is a Java security permissions error.

Some questions to help diagnose.

  1. Did you recompile the callout module?
  2. If so, did you replace or modify or rename the .jks file? Did you modify the crypto.properties file to be consistent with your changes to the .jks file?
  3. What is the Java Callout policy configuration? Can you show it? If you are specifying the .jks in the Callout, how did you base64 encode the .jks file before embedding it into the policy configuration?
  4. Have you turned on tracing and did you look at the stacktrace that results when you receive the "Could not initialize" error? What does the stacktrace say?

Thanks @Dino-at-Google, actually, I just deployed the example-bundle as described in the readme documentation, without any further changes. In that bundle, I don't see any crypto.properties either.

Can you point me to any documentation how to fill that one?

Thanks,

Eelco

While looking further in the Trace, I see the following:

Properties

error Could not initialize class org.apache.wss4j.dom.engine.WSSConfig
type ErrorPoint
state PROXY_REQ_FLOW
error.class java.lang.NoClassDefFoundError
Identifier fault

So it appears the correct jar cannot be loaded?

Either the jar containing WSSConfig is missing, or a different jar containing a dependency required by that class.

You need to check the contents of the resources/java directory in your proxy to make sure all the required jars are present there. The list of jars is:

commons-lang3-3.7.jar
edge-wssec-sign-x509-1.0.4.jar
wss4j-bindings-2.2.1.jar
wss4j-ws-security-common-2.2.1.jar
wss4j-ws-security-dom-2.2.1.jar
wss4j-ws-security-stax-2.2.1.jar
xmlsec-2.1.1.jar

Do you have all of those?
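A script a practitioner can run against the exported proxy bundle to answer the two checks raised in this thread: the required-jar list above (and which jar actually carries the class named in the error), and the earlier question of how the .jks was base64-encoded into the policy. This is an added example, not code from the thread or from the callout repository; it assumes the jars sit in the bundle's resources/java directory and that the policy XML is a JavaCallout file shaped like the one posted in this thread.

```python
"""Added diagnostic for the WSSConfig NoClassDefFoundError; not part of the thread or the callout repo."""
import base64
import os
import xml.etree.ElementTree as ET
import zipfile

# Jar list exactly as given in the reply; the directory is the bundle's resources/java.
REQUIRED_JARS = [
    "commons-lang3-3.7.jar", "edge-wssec-sign-x509-1.0.4.jar", "wss4j-bindings-2.2.1.jar",
    "wss4j-ws-security-common-2.2.1.jar", "wss4j-ws-security-dom-2.2.1.jar",
    "wss4j-ws-security-stax-2.2.1.jar", "xmlsec-2.1.1.jar",
]
WSSCONFIG_CLASS = "org/apache/wss4j/dom/engine/WSSConfig.class"  # class named in the error
JKS_MAGIC = b"\xfe\xed\xfe\xed"  # first four bytes of every JKS-format keystore file


def missing_jars(java_dir):
    """Required jars that are absent from resources/java (the plain 'jar missing' cause)."""
    present = set(os.listdir(java_dir)) if os.path.isdir(java_dir) else set()
    return [j for j in REQUIRED_JARS if j not in present]


def jars_containing(java_dir, class_path=WSSCONFIG_CLASS):
    """Jars in java_dir that actually carry class_path, found by listing each jar's zip entries.
    If the class IS present and the MP still reports "Could not initialize class", the JVM is
    saying the class's static initializer threw on an earlier attempt (e.g. a security-permission
    check failed, as the reply above mentions); that is not a missing-jar problem."""
    hits = []
    for name in sorted(os.listdir(java_dir)):
        path = os.path.join(java_dir, name)
        if name.endswith(".jar") and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                if class_path in zf.namelist():
                    hits.append(name)
    return hits


def jks_property_ok(policy_xml):
    """Decode the jks-base64 Property of a JavaCallout policy and check it is a JKS keystore.
    The policy wraps the base64 across indented lines, so all whitespace is dropped first; a
    blob that decodes but does not start with the JKS magic was not produced from a .jks file."""
    prop = ET.fromstring(policy_xml).find("./Properties/Property[@name='jks-base64']")
    text = "".join((prop.text or "").split()) if prop is not None else ""
    if not text:
        return False
    try:
        raw = base64.b64decode(text, validate=True)
    except ValueError:  # binascii.Error (bad base64) is a subclass of ValueError
        return False
    return raw[:4] == JKS_MAGIC
```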

Yes, they're all there. They were installed through your importAndDeploy tool from the repo.

Can you "git pull" from the repo, and then show your policy configuration please?

Yes, one of the policies is below. It is completely untouched from your example-bundle. The error appears on all the different signing and verifying policies by the way.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<JavaCallout name="Java-VerifySignature-BYOJKS">
    <Properties>
        <Property name="alias">my-key-alias</Property>
        <Property name="password">Secret123</Property>
        <Property name="jks-base64">
      /u3+7QAAAAIAAAABAAAAAQAMbXkta2V5LWFsaWFzAAABYbnEZOYAAAUCMIIE/jAO
      BgorBgEEASoCEQEBBQAEggTqnnD8kh66XIABAyAK2L0nLUm3z0jEFLiYgKXE8YhK
      y3AKBZcBSltXLTeAiLAv2xEwdZF8+EkaUSoRoggyrAA8YGTyK9qjoiPAeklozMip
      noNYmjvg0baH8RaAp2rHLI85Foav0HOE5kRbOXN8lm3uU2TmqMxx70/L/VFRWVAz
      XzFxxbFaGn8LB4a5C6a0UQ0Laxq9/iIF7jBBDZWZaYvTZSB5Bp6/iynu1EzDVIEg
      BpHSRHe9k2Proev4ISv8hz5CSKpLo5PiFbXoLlmiyjanoYurNN4uNRp/F2GyDnOd
      dRtGO90wRCwzm3xL4+SIsDZzCVc05eQT7jtEdkdleZcQjyoYJ4ZucNUejRPpeU8I
      02ZwQEApxT7ZkDZqo+BX2MdYF9okLwBW0o5UNYSsd2VpPoKbd7C2ZvcG3D9zvuev
      Gz9QtGqcF2DPnV5Eq/OVrB7RqlgGGerBBUEyCSjV/rFrUu0LvOZ83QN/IDd4aUOy
      RibQw3R3xVc3OPbpiPy76lD8C8vfxVi9sqskTvGCrjSqILSr2kehQO295NTKYRsy
      9peXMbCIjWJoo301NIc8Xnz44RMc1vzGL8cfZa8tgJe8Fo9x32Xa4F2JroNUB+B2
      e6WhS/1yVA2wv2i54SNrJ+5aQ2e2Fs6dZ6omIF016JTUUTNhZh9i8EaPqyi7jhid
      FCQtc0PSkhwdzg/CKn+kbBnVNPGa7wsyHs+AwQ/+EFrLXI4X6RCmzEyzpAcHADlb
      BVYKcs1N6nEdQMg8Mkn6hvo7Rzm0o8lfiBKIGUmum2u8HChXZkbSjq0U4AJ5J8Pf
      S3PUMsLNuAnFXl7VM+k9Ld5BgtPIwFJl5Qy6X5qtPhB2Dd0gJSg31aJ3lw+1JrA0
      ONRHAFh4wIgRLecpb4JYp8dq+E5Zn7DgaSa/P/ohiW+Ghw/n2qmti6qHkBO5SwpF
      BzlW4US7XXTvrJOsELzAmc6dFyFEy4iy0C4AGih0hvnHPo/ZJbWvaZA0W1VmF/HN
      puK4eLry8W8rw/oGP0dvexTuyolF4V9pi+h11Zvhf/xP54WdweXyDx0pG3asSs55
      bRAyWduuY9y8mmS2gKmLE//kCaqWHNXzLRVSExN8ANnbK3FGWYPc4I9fOdsvBH5O
      6VcdCBWwtRzYF9FeF5owx0Uu6IgmKEDLJOgExEi3t3kcL0CEszZCgpKpSNTi1qsN
      03340dR6/R50OQtdcd09Y3U66WVGgWN47hb+HfzCV+Y3I16LWroKICfjXh0v8i1x
      D7s9u7QcD0/YAJYa20hg3qilishYIeOvJ1ca7tOZ6tN9L8nSQkN843a39ZPzttFt
      TacQ/yfj5GlvqFOG0X7mWM+Q6KXNXRXzpW/sh5CMR1YJcVUI6UR1nzdB/JHgV1dI
      kXlWf9FFh8KxnLCJCVAo4K6WVYZcvcqGj7PvOnvLJvI11OEdLmuA7HmhvnOZ0JnA
      iu10/GJC/+uuFZRXohYte20Np6wMeeku5YivUI7q/V9pRAtEggrlXYCs2hPM01oZ
      W+jv7ngjXe/hncTJLtGahEC3cz6ia+xQUhQOH4+0eGEzzcD/G68LGGXdWY8puxRn
      OVR2u4LCmetKV73Dw2S5LstRU5yq0xWSMyAb/RZsXtHCt4eYkH2FsEg2irp/hEKc
      kBga6n9oWwh7M8/QoLW/VmFyHggWIMUiV6jxtgAAAAEABVguNTA5AAADgzCCA38w
      ggJnoAMCAQICBDIFTQMwDQYJKoZIhvcNAQELBQAwcDELMAkGA1UEBhMCVVMxCzAJ
      BgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMRUwEwYDVQQKEwxHb29nbGUgQ2xv
      dWQxDzANBgNVBAsTBkFwaWdlZTEaMBgGA1UEAxMRV2VybmVyIEhlaXNlbmJlcmcw
      HhcNMTgwMjIxMTkwODI5WhcNNDUwNzA5MTkwODI5WjBwMQswCQYDVQQGEwJVUzEL
      MAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxFTATBgNVBAoTDEdvb2dsZSBD
      bG91ZDEPMA0GA1UECxMGQXBpZ2VlMRowGAYDVQQDExFXZXJuZXIgSGVpc2VuYmVy
      ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIYCpQ7SAwbB6zz87kL6
      WRjNl7NUI7y+9c21slYZ+lfwtbQujSK7ZJEvQ6rgxTMJwV7HrkEKUAhhe5oJ9TgI
      TkqTTndoMiJFHEItEM1zBMTcLtPKw81Wnsx7zXpgiexjDiHwTWQw2OHJlRwJeRhR
      WWJ+fiVXNy0BG5XBO2Ekf8E1U5PPPwnGBcAHaUbrbpJylwvs/SDMkDbAqanPEBlS
      6Xdi46rVtrjGE1oeAymZh7GYVcpYLVzPFhT55kgvvKEB1w3DZIGSNnj+wqzvtRVr
      04fzpxkIbgbneYJSS/BLgKa+hJAiGAmBq7KnDsX7pCQvAWqcRRhDdXgTD3bWG5LQ
      Av8CAwEAAaMhMB8wHQYDVR0OBBYEFN/2Z+Lghk+4QH5tjH8K564KuwSwMA0GCSqG
      SIb3DQEBCwUAA4IBAQA8FhrObopn7TjNdZbf1UT6EpnQB+Y+wMHuD8mXcRJ17qfH
      a4UTDefQ86Rut8l07g1nXiGVD/39NwO51LCqllLpt4r/zraOqne04nxnYURG7dho
      nlq3n0ZQOQI/gSB07zqvfAwJ8JsgZoS32xQoVzRZI4c0bZh0hsd+RZfgyX4h9/G+
      +suInu8LyBfW8dfXy45PIz8bUIEUdPgIqMQXD/I6MyBYJls3WjUKi2hgYcLs255K
      4xnj6pKH1UEwYf7kP2P8z535ofVkzWNwsw+JkEHAvpK6J1KoxllMXgIRuwkyF9RF
      INdapRxnrH3Hdvjmnti6cY7SgVlbAR2gR/jAU6FOkjo9Yi0o8hzQB9wQuU7yQrCY
      +qA=
    </Property>
    </Properties>
    <ClassName>com.google.apigee.callout.wssec.SOAPVerifier</ClassName>
    <ResourceURL>java://edge-wssec-sign-x509-1.0.4.jar</ResourceURL>
</JavaCallout>

@Dino-at-Google: any more hints for this one would be much appreciated.

Hi @Dino-at-Google, I just tried the same. I just downloaded and deployed the example-bundle in a demo org. It shows the same behavior as Eelco explained.

I've been away. Let me look again.


Hi @dchiesa1, good day! Many thanks for your active support on these query items and thanks to all involved on this post!

I was wondering if the bugs cited for https://github.com/DinoChiesa/ApigeeEdge-Java-WsSec-Signature-2 are updated? I've been following community posts related to this thread and looking for a solution that offers verification of an XML digital signature with SHA-256.

Appreciate all the help!

Thank you!

Hi Pauljosh - I don't know what you mean by "bugs cited". I guess you are talking about the discussion in the thread. But what specifically are you asking about? Right now I know of no bugs in the callout that prevent its use for signing and validating.

The callout you cited can sign or validate, using RSA keys. The README states:

So I think that may cover your case. Let me know if not. (Please open a NEW THREAD)

Hi Dchiesa1, good day! I have created another post for my concern item. 

Kindly refer to this link: https://www.googlecloudcommunity.com/gc/Apigee/Ws-Security-signature-verification-follow-up-question...

Many thanks!