Re: [ebxmlms-develop] Signed message debugging

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

RE: [ebxmlms-develop] Signed message debuggingPeter, before I go into =
details to study your cert structure, may I ask you a quick question? =
:-)

How are you signing the message? Are you calling ebxmlMessage.sign(...)? =
Or calling request.setSign(...)? It is a trap there. Let me explain in =
details.=20

Here is the correct way of signing a message:

1. construct ebxmlMessage in client app
2. instruct hermes to sign by calling request.setSign(...)
3. send out using request.sendReliably(...)

Here is a wrong way:

1. construct ebxmlMessage in client app
2. sign the ebxmlMessage in client app using ebxmlMessage.sign(...)
3. send out using request.sendReliably(...)

The reason is: before request send the message to hermes server, it will =
modify the message header (e.g. add AckRequest header, etc.). If you =
sign the message before request.sendReliably(), any newly added header =
will invalidate the signature. So, the correct way is to call =
setSign(...). Then, request will sign the message *after* adding all =
necessary headers.

Seems we have to add an exception there to reject signed message as =
parameter to sendReliably().

Regards, -Patrick

  ----- Original Message -----=20
  From: Mayne, Peter=20
  To: 'ebx...@li...'=20
  Sent: Wednesday, April 02, 2003 8:19 AM
  Subject: RE: [ebxmlms-develop] Signed message debugging

  > Are you generating your own certificate?=20

  Yes.=20

  > Is the certificate self-signed?=20

  No.=20

  > Any certificate path is included in the certificate?=20

  Yes. keytool -list -v shows:=20

  <keytool>=20
  Alias name: pjdmca=20
  Creation date: 18/03/2003=20
  Entry type: trustedCertEntry=20

  Owner: CN=3DPJDM CA, OU=3DTechnology, O=3DSpherion Group Ltd, =
L=3DLyneham, ST=3DACT, C=3DAU=20
  Issuer: CN=3DPJDM CA, OU=3DTechnology, O=3DSpherion Group Ltd, =
L=3DLyneham, ST=3DACT, C=3DAU=20

  Serial number: 0=20
  Valid from: Tue Mar 04 21:36:25 EST 2003 until: Wed Mar 03 21:36:25 =
EST 2004=20
  Certificate fingerprints:=20
           MD5:  C3:55:8C:B5:DE:89:E8:48:3E:4C:BB:49:A3:84:E9:67=20
           SHA1: =
90:87:14:CE:0F:EE:A3:C6:6C:7E:95:3C:DE:F4:CB:FB:07:F5:0D:34=20

  *******************************************=20
  *******************************************=20

  Alias name: chmeeehermes=20
  Creation date: 18/03/2003=20
  Entry type: keyEntry=20
  Certificate chain length: 2=20
  Certificate[1]:=20
  Owner: CN=3Dchmeee Hermes, OU=3Db2b, O=3Debusiness, L=3DCanberra, =
ST=3DACT, C=3DAU=20
  Issuer: CN=3DPJDM CA, OU=3DTechnology, O=3DSpherion Group Ltd, =
L=3DLyneham, ST=3DACT, C=3DAU=20

  Serial number: 4=20
  Valid from: Tue Mar 18 22:56:13 EST 2003 until: Wed Mar 17 22:56:13 =
EST 2004=20
  Certificate fingerprints:=20
           MD5:  69:D9:46:50:B5:F0:FB:B6:85:34:F9:E6:D1:AF:92:3E=20
           SHA1: =
8E:2B:B6:9C:5D:DC:AC:C6:47:91:68:6D:18:9E:02:79:93:EF:41:C8=20
  Certificate[2]:=20
  Owner: CN=3DPJDM CA, OU=3DTechnology, O=3DSpherion Group Ltd, =
L=3DLyneham, ST=3DACT, C=3DAU=20
  Issuer: CN=3DPJDM CA, OU=3DTechnology, O=3DSpherion Group Ltd, =
L=3DLyneham, ST=3DACT, C=3DAU=20

  Serial number: 0=20
  Valid from: Tue Mar 04 21:36:25 EST 2003 until: Wed Mar 03 21:36:25 =
EST 2004=20
  Certificate fingerprints:=20
           MD5:  C3:55:8C:B5:DE:89:E8:48:3E:4C:BB:49:A3:84:E9:67=20
           SHA1: =
90:87:14:CE:0F:EE:A3:C6:6C:7E:95:3C:DE:F4:CB:FB:07:F5:0D:34=20
  </keytool>=20

  > Have you included the root certificate that sign your certificate =
into a trusted store file and point the file=20
  > by the properties MSH/DigitalSignature/TrustAnchor/KeyStore/* ?=20

  Yes. I'm using a different keystore containing the same "PJDM CA" =
certificate as above. (I've also tried using the same keystore.)

  PJDM=20
  --=20
  Peter Mayne=20
  Technology Consultant=20
  Spherion Technology Solutions=20
  Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602=20
  T: 61 2 62689727  F: 61 2 62689777=20
  -----Original Message-----=20
  From: Patrick Yee [mailto:kc...@ce...]=20
  Sent: Tuesday, 1 April 2003 6:52 PM=20
  To: ebx...@li...=20
  Subject: Re: [ebxmlms-develop] Signed message debugging=20

  Sorry for the unclear log messages. We are now trying to make the log =
messages more informative. But as you can guess, that is a tough job. =
:-)

  Meanwhile, I can help to track down the problem here. So, let me ask =
you several questions:=20

  Are you generating your own certificate? Is the certificate =
self-signed? Any certificate path is included in the certificate?

  Have you included the root certificate that sign your certificate into =
a trusted store file and point the file by the properties=20

  MSH/DigitalSignature/TrustAnchor/KeyStore/* ?=20

  Regards, -Patrick=20

  ----- Original Message -----=20
  From: Mayne, Peter=20
  To: 'ebx...@li...'=20
  Sent: Tuesday, April 01, 2003 1:16 PM=20
  Subject: [ebxmlms-develop] Signed message debugging=20

  I'm sending a signed message to myself using Request.setSign(). =
However, I get the following in the log.=20
  2003-04-01 15:03:27,134 DEBUG [Thread-12]: =3D> MessageServiceHandler =
verify=20
  2003-04-01 15:03:27,134 INFO  [Thread-12]: Verify the XML signature=20
  2003-04-01 15:03:27,575 INFO  [Thread-12]: Received SOAPMessage cannot =
be verified!=20
  2003-04-01 15:03:27,575 DEBUG [Thread-12]: <=3D MessageServiceHandler =
verify=20
  2003-04-01 15:03:27,575 WARN  [Thread-12]: Signature verification =
failed=20
  There doesn't seem to be any indication of why the message couldn't be =
verified.=20
  Is there a straightforward method of debugging verification failures =
to figure out what's going wrong?=20
  Thanks.=20
  PJDM=20
  --=20
  Peter Mayne=20
  Technology Consultant=20
  Spherion Technology Solutions=20
  Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602=20
  T: 61 2 62689727  F: 61 2 62689777=20
  The information contained in this email and any attachments to it:=20

  (a) may be confidential and if you are not the intended recipient, any =
interference with,=20
  use, disclosure or copying of this material is unauthorised and =
prohibited; and=20

  (b) may contain personal information of the recipient and/or the =
sender as defined=20
  under the Privacy Act 1988 (Cth). Consent is hereby given by the =
recipient(s) to=20
  collect, hold and use such information and any personal information =
contained in a=20
  response to this email, for any reasonable purpose in the ordinary =
course of=20
  Spherion's=20
  business, including forwarding this email internally or disclosing it =
to a third party. All=20
  personal information collected by Spherion will be handled in =
accordance with=20
  Spherion's Privacy Policy. If you have received this email in error, =
please notify the=20
  sender and delete it.=20

  (c) you agree not to employ or arrange employment for any candidate(s) =
supplied in=20
  this email and any attachments without first entering into a =
contractual agreement with=20
  Spherion. You further agree not to divulge any information contained =
in this document=20
  to any person(s) or entities without the express permission of =
Spherion.=20