18 Replies Latest reply on Jul 29, 2015 3:17 AM by captain_goldfish

    XML-Signature verification fails

    captain_goldfish

      Hi, I developed some functions to create XML signatures and to verify them again. These methods run without any problems on Glassfish and in simple JUnit tests, but not on JBoss. I don't know why, but WildFly 8.2 and JBoss AS7 generate wrong hashes.

      You can verify the problem by downloading my provided test project. I made a fully directly deployable application so you can see that this problem exists.


      https://github.com/Captain-P-Goldfish/SignatureFailOnJBoss


      There is also a JUnit test in the project that executes the methods and shows that the signature verification succeeds.


      If you deploy the application you will have two get-methods accessible via browser under:


      host:port/{contextPath}/service/signature/create


      This link will produce the signed XML that can then be verified with


      host:port/{contextPath}/service/signature/verify


      First call create and then verify, otherwise an exception will be thrown.


      Can anyone tell me how to resolve this problem? It's an absolute blocker in my application. I might switch to Glassfish, but I got other, even worse problems on that server using distributed transactions... so I'd like to stick to WildFly. But I just cannot resolve this problem here.

        • 1. Re: XML-Signature verification fails
          ctomc

          Can you try with WildFly 9 as some stuff changed in this area since 8.2

          • 2. Re: XML-Signature verification fails
            captain_goldfish

            I'm sorry but WildFly 9 does not cure the problem

            • 3. Re: XML-Signature verification fails
              mayerw01

              I've found something strange here.

              When checking the provider of this XMLSignatureFactory then Glassfish responds with 'XMLDSig version 1.8' while WildFly responds with 'XMLDSig version 1.0'.

              But I am not sure about the reason of this discrepancy and whether this is related to your issue. 

              • 4. Re: XML-Signature verification fails
                captain_goldfish

                Unfortunately I wouldn't even know how to fix that behaviour. But I just tried another thing. I created the signature using the Apache StAX API and verified it using the DOM API. It works on WildFly but throws an exception in the JUnit test and on Glassfish. This is kinda funny and sad at the same time...

                • 5. Re: XML-Signature verification fails
                  mayerw01
                  • 6. Re: XML-Signature verification fails
                    captain_goldfish

                    I just found some time to test the solution of the given link but it did not solve the problem either...

                    • 7. Re: XML-Signature verification fails
                      mayerw01

                      Hmm, that is strange ...

                      And you really changed the entry in the "standalone.conf" file to add the "org.jcp.xml.dsig.internal" package after the "org.jboss.byteman" package as described in WFLY-4317 (https://issues.jboss.org/browse/WFLY-4317)?


                      if [ "x$JBOSS_MODULES_SYSTEM_PKGS" = "x" ]; then
                      JBOSS_MODULES_SYSTEM_PKGS="org.jboss.byteman,org.jcp.xml.dsig.internal"
                      fi


                      You also restarted the server and got the same issue?

                      I've just reproduced this in my environment and it worked fine both on wildfly-8.1.0.Final and on wildfly-9.0.0.Final.

                      • 8. Re: XML-Signature verification fails
                        captain_goldfish

                        I just tried it again and it still does not work. I'm not sure what is wrong in what I am doing...

                        Here is the copy of my "${wildfly_home}/bin/standalone.conf"


                        ## -*- shell-script -*- ######################################################
                        ##                                                                          ##
                        ##  JBoss Bootstrap Script Configuration                                    ##
                        ##                                                                          ##
                        ##############################################################################
                        
                        #
                        # This file is optional; it may be removed if not needed.
                        #
                        
                        #
                        # Specify the maximum file descriptor limit, use "max" or "maximum" to use
                        # the default, as queried by the system.
                        #
                        # Defaults to "maximum"
                        #
                        #MAX_FD="maximum"
                        
                        #
                        # Specify the profiler configuration file to load.
                        #
                        # Default is to not load profiler configuration file.
                        #
                        #PROFILER=""
                        
                        #
                        # Specify the location of the Java home directory.  If set then $JAVA will
                        # be defined to $JAVA_HOME/bin/java, else $JAVA will be "java".
                        #
                        #JAVA_HOME="/opt/java/jdk"
                        
                        #
                        # Specify the exact Java VM executable to use.
                        #
                        #JAVA=""
                        
                        if [ "x$JBOSS_MODULES_SYSTEM_PKGS" = "x" ]; then
                            JBOSS_MODULES_SYSTEM_PKGS="org.jboss.byteman,org.jcp.xml.dsig.internal"
                        fi
                        
                        # Uncomment the following line to prevent manipulation of JVM options
                        # by shell scripts.
                        #
                        #PRESERVE_JAVA_OPTS=true
                        
                        #
                        # Specify options to pass to the Java VM.
                        #
                        if [ "x$JAVA_OPTS" = "x" ]; then
                           JAVA_OPTS="-Xms64m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true"
                           JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS -Djava.awt.headless=true"
                        else
                           echo "JAVA_OPTS already set in environment; overriding default settings with values: $JAVA_OPTS"
                        fi
                        
                        # Sample JPDA settings for remote socket debugging
                        #JAVA_OPTS="$JAVA_OPTS -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n"
                        
                        # Sample JPDA settings for shared memory debugging
                        #JAVA_OPTS="$JAVA_OPTS -agentlib:jdwp=transport=dt_shmem,server=y,suspend=n,address=jboss"
                        
                        # Uncomment to not use JBoss Modules lockless mode
                        #JAVA_OPTS="$JAVA_OPTS -Djboss.modules.lockless=false"
                        
                        # Uncomment to gather JBoss Modules metrics
                        #JAVA_OPTS="$JAVA_OPTS -Djboss.modules.metrics=true"
                        
                        # Uncomment this in order to be able to run WildFly on FreeBSD
                        # when you get "epoll_create function not implemented" message in dmesg output
                        #JAVA_OPTS="$JAVA_OPTS -Djava.nio.channels.spi.SelectorProvider=sun.nio.ch.PollSelectorProvider"


                        As you can see, I added the snippet you suggested but it doesn't make any difference. I am currently running my server on a Windows 8.1 environment with JDK 7u80 and also tried with JDK 8u45. But no luck at all...

                        • 9. Re: XML-Signature verification fails
                          jewellgm

                          I just tried it again and it still does not work. I'm not sure what is wrong in what I am doing...

                          Here is the copy of my "${wildfly_home}/bin/standalone.conf"

                          as you can see, I added the snippet you suggested but it doesn't make any difference. I am currently running my server on a windows 8.1 environment


                          The standalone.conf file is for *nix systems, but you're on Windows 8.1.  You need to make the analogous changes to standalone.conf.bat if you start the server with standalone.bat, or standalone.conf.ps1 if you start the server with standalone.ps1.

                          • 10. Re: XML-Signature verification fails
                            captain_goldfish

                            I tried it again with wildfly 8.2 and 9 (currently on a Win 7 system). I altered the specified entry and it still does not work... I was not sure if I should separate the entries by comma or semicolon, so I tried both and still no luck.


                            Changes made on standalone.conf.bat:


                            First try:

                            rem # Make Byteman classes visible in all module loaders
                            rem # This is necessary to inject Byteman rules into AS7 deployments
                            set "JAVA_OPTS=%JAVA_OPTS% -Djboss.modules.system.pkgs=org.jboss.byteman,org.jcp.xml.dsig.internal"


                            Second try:

                            rem # Make Byteman classes visible in all module loaders
                            rem # This is necessary to inject Byteman rules into AS7 deployments
                            set "JAVA_OPTS=%JAVA_OPTS% -Djboss.modules.system.pkgs=org.jboss.byteman;org.jcp.xml.dsig.internal"


                            I also restarted the server each time I made a change.

                            • 11. Re: XML-Signature verification fails
                              mayerw01

                              Maybe this is a stupid question. But do you start Wildfly-9.0.0-Final in standalone mode?

                              This is what I just did:

                              • Copy your directory to the Windows server.
                              • start Wildfly-9.0.0-Final on Windows 7 Professional (Service Pack 1).
                              • run mvn in the SignatureFailOnJBoss directory
                              • Deploy de.gold-1.0-SNAPSHOT.war
                              • open URL: localhost:8080/de.gold-1.0-SNAPSHOT/service/signature/create
                              • open URL: localhost:8080/de.gold-1.0-SNAPSHOT/service/signature/verify
                              • -> response: false
                              • Change standalone.conf.bat:

                                        rem # This is necessary to inject Byteman rules into AS7 deployments

                                        set "JAVA_OPTS=%JAVA_OPTS% -Djboss.modules.system.pkgs=org.jboss.byteman,org.jcp.xml.dsig.internal"


                              • open URL: localhost:8080/de.gold-1.0-SNAPSHOT/service/signature/create
                              • open URL: localhost:8080/de.gold-1.0-SNAPSHOT/service/signature/verify
                              • -> response: true


                              Did you do something different, or what did I miss here?

                              • 12. Re: XML-Signature verification fails
                                jewellgm

                                I am not at all familiar with this aspect of XML security, but the JIRA issue that was linked to seems to indicate that the method used to instantiate the XMLSignatureFactory was incorrect.  In the JIRA ticket and your linked code, the factory is instantiated similarly:


                                String providerName = System.getProperty("jsr105Provider", "org.jcp.xml.dsig.internal.dom.XMLDSigRI");

                                XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM", (Provider) Class.forName(providerName).newInstance());


                                When the submitter changed the code to the following, based on a suggestion by one of the commenters, he said that things started working:


                                XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM", "XMLDSig");


                                According to the commenter, since this provider is part of the JDK/JRE, this is the proper method to retrieve the instance, rather than trying to instantiate the Provider class directly.
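To make the difference concrete, here is an added end-to-end sign-and-verify round trip (example code, not from this thread or the linked project): it obtains the factory by provider name as suggested above, prints which XMLDSig provider and version the runtime actually resolved (the check mayerw01 made in reply 3), and when validation fails reports whether the SignatureValue or a Reference digest is the part that disagrees. It assumes a throwaway RSA key pair and a small constructed document.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class SignatureRoundTrip {
    public static void main(String[] args) throws Exception {
        // Look up the JDK's provider by name, not by reflectively instantiating org.jcp.xml.dsig.internal.dom.XMLDSigRI
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM", "XMLDSig");
        // Which XMLDSig implementation the runtime actually resolved (the check from reply 3)
        System.out.println("Provider: " + fac.getProvider().getName() + " " + fac.getProvider().getVersion());

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // signature lookup and validation are namespace-sensitive
        Document doc = dbf.newDocumentBuilder().parse(
            new ByteArrayInputStream("<order><item>1</item></order>".getBytes("UTF-8"))); // constructed input
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // throwaway key pair

        // Enveloped signature over the whole document (URI "") with SHA-256 digest and RSA-SHA256
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        fac.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));

        // Verify with the same factory. Pin the expected public key instead of trusting any KeyInfo in the
        // document, and enable secure validation so unsafe transforms and weak algorithms are rejected.
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        DOMValidateContext vc = new DOMValidateContext(kp.getPublic(), nl.item(0));
        vc.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = fac.unmarshalXMLSignature(vc);
        boolean valid = sig.validate(vc);
        if (!valid) { // tell a bad SignatureValue apart from a bad Reference digest (the symptom in this thread)
            System.out.println("SignatureValue ok: " + sig.getSignatureValue().validate(vc));
            for (Object r : sig.getSignedInfo().getReferences())
                System.out.println("Reference digest ok: " + ((Reference) r).validate(vc));
        }
        System.out.println("Signature valid: " + valid);
    }
}
```

Running the same class inside the container and in a plain JUnit test and comparing the printed provider line and the per-part results narrows down whether the two runtimes are resolving different implementations or canonicalizing the document differently.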

                                • 13. Re: XML-Signature verification fails
                                  captain_goldfish

                                  Alright, this is starting to smell funny.


                                  I did exactly the steps described by you and it still does not work. I even used a clean wildfly 9 instance to make sure that none of my settings are interfering.

                                  (attached screenshot: screenshot.PNG)


                                  The server was clean. I built the project with Maven, deployed it via the management console and called the URLs...

                                  I have no idea what might be different here...


                                  @Greg:

                                  XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM", "XMLDSig");


                                  According to the commenter, since this provider is part of the JDK/JRE, this is the proper method to retrieve the instance, rather than trying to instantiate the Provider class directly.

                                  This is no solution either, unfortunately.

                                  • 14. Re: XML-Signature verification fails
                                    ctomc

                                    What is the JDK version you guys used?
