Signature Verification failed if response size is greater than 32768 bytes

Hi,

For the past month I have been working on implementing WSO2-WSF in my project. Thanks to this forum I managed to resolve many problems I encountered. However, a few days ago I faced a problem that I can't resolve on my own (it seems to me like a bug in WSF).

The situation is: the request which I send to the web service server asks it for a file inside XML which is encoded in base64. Sometimes I get a response, sometimes not... After a little investigation.... everything looks as if, when the response I get is below 32768 bytes long, WSF is working correctly and proceeds with this response. However, if a response is above 32768 bytes long, WSF crashes - it looks like some buffer overflows and I get an incomplete response, as if WSF suddenly "quits its work" when receiving the response. (The response sizes I wrote above I get from packets extracted with Wireshark - which are always complete.)

Below are some parts from the debug log:

1) Log from a failed example (response XML above 32768 bytes):

(...)
[Thu Apr 7 09:52:53 2011] [debug] rampart_sec_header_processor.c(2019) [rampart]Processing security header element BinarySecurityToken
[Thu Apr 7 09:52:53 2011] [debug] rampart_sec_header_processor.c(2019) [rampart]Processing security header element Signature
[Thu Apr 7 09:52:53 2011] [error] error.c(94) OXS ERROR [x509.c:287 in openssl_x509_get_subject_key_identifier] oxs defualt error , The extenension index of NID_subject_key_identifier is not valid
[Thu Apr 7 09:52:53 2011] [info] [oxs][xml_sig] Verifying signature part #Id-09ef4920-60ec-11e0-9560-001a645ad158
[Thu Apr 7 09:52:53 2011] [debug] transforms_factory.c(50) [rampart][c14n-OutPut] is XD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPD94bWwtc3R5bGVzaGVldCB0eXBlPSJ0ZXh0L3hzbCIgaHJlZj0iaHR0cDovL2NyZC5nb3YucGwvd3pvci8y(...)
[Thu Apr 7 09:52:53 2011] [error] error.c(94) OXS ERROR [xml_signature.c:788 in oxs_xml_sig_verify_sign_part] Signature verification failed , Digest verification failed for node Id= #Id-09ef4920-60ec-11e0-9560-001a645ad158. Calculated digest is [92WNKtrye7Zf1j/d7YjJ365S49Y=] and given digest is [uktwUVWZ/T/vOWufmuKDIo+maK8=]
[Thu Apr 7 09:52:53 2011] [error] rampart_sec_header_processor.c(1648) Signature Verification failed.
[Thu Apr 7 09:52:53 2011] [error] rampart_sec_header_processor.c(2121) Signature processing failed
[Thu Apr 7 09:52:53 2011] [error] rampart_in_handler.c(124) [rampart]Security Header processing failed.
[Thu Apr 7 09:52:53 2011] [error] phase.c(224) Handler RampartInHandler invoke failed within phase Security
[Thu Apr 7 09:52:53 2011] [error] engine.c(657) Invoking phase Security failed
[Thu Apr 7 09:52:53 2011] [error] engine.c(262) Invoking operation specific phases failed for operation __OPERATION_OUT_IN__
[Thu Apr 7 09:52:53 2011] [error] /usr/local/src/wso2-wsf-php-src-2.1.0/src/wsf_wsdl.c(1226) [wsf_wsdl] Response envelope not found
[Thu Apr 7 09:52:53 2011] [info] [rampart] rampart_mod shutdown
[Thu Apr 7 09:52:53 2011] [info] [rahas] Rahas module shutdown

As you can see, the error message is:

[Thu Apr 7 09:52:53 2011] [error] error.c(94) OXS ERROR [xml_signature.c:788 in oxs_xml_sig_verify_sign_part] Signature verification failed , Digest verification failed for node Id= #Id-09ef4920-60ec-11e0-9560-001a645ad158. Calculated digest is [92WNKtrye7Zf1j/d7YjJ365S49Y=] and given digest is [uktwUVWZ/T/vOWufmuKDIo+maK8=]

and it's correct, as the web service client received incomplete messages... so the calculated digest differs from the expected one.

2) Log from a successful example (response XML below 32768 bytes):

(...)
[Thu Apr 7 10:02:38 2011] [debug] rampart_sec_header_processor.c(2019) [rampart]Processing security header element BinarySecurityToken
[Thu Apr 7 10:02:38 2011] [debug] rampart_sec_header_processor.c(2019) [rampart]Processing security header element Signature
[Thu Apr 7 10:02:38 2011] [error] error.c(94) OXS ERROR [x509.c:287 in openssl_x509_get_subject_key_identifier] oxs defualt error , The extenension index of NID_subject_key_identifier is not valid
[Thu Apr 7 10:02:38 2011] [info] [oxs][xml_sig] Verifying signature part #Id-66acef40-60ed-11e0-9560-001a645ad158
[Thu Apr 7 10:02:38 2011] [debug] transforms_factory.c(50) [rampart][c14n-OutPut] is XD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPD94bWwtc3R5bGVzaGVldCB0eXBlPSJ0ZXh0L3hzbCIgaHJlZj0iaHR0cDovL2NyZC5nb3Yu(...)
[Thu Apr 7 10:02:38 2011] [info] [oxs][xml_sig] Digest verification success for node Id= #Id-66acef40-60ed-11e0-9560-001a645ad158
[Thu Apr 7 10:02:38 2011] [info] [oxs][xml_sig] Verifying signature part #ID-66ac7a17-60ed-11e0-9560-001a645ad158
[Thu Apr 7 10:02:38 2011] [debug] transforms_factory.c(50) [rampart][c14n-OutPut] is 2011-04-07T08:02:36Z
[Thu Apr 7 10:02:38 2011] [info] [oxs][xml_sig] Digest verification success for node Id= #ID-66ac7a17-60ed-11e0-9560-001a645ad158
[Thu Apr 7 10:02:38 2011] [info] [oxs][xml_sig] Digests verification SUCCESS
[Thu Apr 7 10:02:38 2011] [debug] xml_signature.c(891) [rampart] C14N (verif1)= ZUXk8V+ZYUv4o/P9ECAnKm/T/Yw=VrykTqj/UVNIr3871FJkSr1twFc=
[Thu Apr 7 10:02:38 2011] [debug] xml_signature.c(897) [oxs][xml_sig] C14N (verif2)= ZUXk8V+ZYUv4o/P9ECAnKm/T/Yw=VrykTqj/UVNIr3871FJkSr1twFc=
[Thu Apr 7 10:02:38 2011] [debug] sign_ctx.c(99) [oxs][sign_ctx] Public key is not available directly. Extracting the certificate
[Thu Apr 7 10:02:38 2011] [info] [openssl][sig] Signature verification SUCCESS
[Thu Apr 7 10:02:38 2011] [info] [oxs][sig] Signature verification SUCCESS
(...)

and of course further on everything goes well.

I've noticed that "[error] rampart_sec_header_processor.c(1648) Signature Verification failed." is because the function "oxs_xml_sig_verify_sign_part" from the "wsf_c/rampartc/src/omxmlsec/xml_signature.c" file sets "status = AXIS2_FAILURE;" - which is correct, as the calculated digest differs from the expected one.... However, if I change this to AXIS2_SUCCESS.... WSF goes on and finishes its job (I'm receiving a response) - but of course this response is incorrect (not complete - broken).

And the last thing - the web service server sends everything OK, and Wireshark shows me that the full response is transmitted to me (I can extract the whole XML response message from Wireshark); only WSF seems to "suddenly stop" receiving the message.

Please help me resolve this issue.... Guide me as to what could be wrong, and I'll happily resolve this on my own - if it is not a bug in WSF (or Rampart2c perhaps?). I need some kind of starting point... BTW, for clarity of this message I didn't paste the whole debug log - only the parts that are important in this matter - if you need more, no problem. I have been trying to resolve this issue by myself for the past few days... but I've got stuck. If you could provide some help I would be grateful. If you need something else that could help in resolving this issue - please ask - I'm determined to resolve this as soon as possible because my project depends on it.

Additional information:
OS: Ubuntu 10.04.2 LTS
1) PHP 5.3 + Apache 2.2.14 (memory limit set to 512MiB)
2) WSO2-WSF 2.1.0
3) I had to change some source code (without it WSF didn't work at all - memory leaks):
3.1) file "wsf_c/axis2c/src/core/transport/http/sender/http_client.c" - without this modification I was constantly getting a segmentation fault in Apache --> http_client.c.diff_.txt
3.2) I use a 2048-bit private key so I had to also change "wsf_c/rampartc/src/omxmlsec/openssl/pem.c" --> pem.c.diff_.txt

Sincerely,
marcyn
Attachments: http_client.c.diff_.txt (1.87 KB), pem.c.diff_.txt (497 bytes)
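The failure mode described above (the complete envelope is on the wire, but the envelope handed to the signature verifier is cut short, so the calculated digest can never match the DigestValue the server signed) is illustrated by the following added C example. This is constructed illustration code, not code from WSF, Axis2/C or Rampart/C, and it does not claim to be the actual defect in http_client.c: the in-memory fake socket, the 32768-byte per-read ceiling, the envelope builder and all helper names are assumptions made here. It contrasts a single recv() treated as the whole body with a read loop driven by Content-Length, and shows the completeness check a client can run before passing the envelope to signature verification, so that a short read surfaces as a transport error rather than as a digest mismatch.

```c
/* Added illustration only (not WSF/Axis2C/Rampart code): how a short read
 * truncates a SOAP envelope and how a Content-Length driven loop avoids it.
 * The fake socket below is constructed; it returns at most MAX_READ bytes per
 * call to mimic the 32768-byte threshold reported in the thread (assumption). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_READ 32768  /* constructed per-read ceiling, an assumption */

/* Fake socket: the full response bytes plus a read cursor. */
typedef struct {
    const char *data;
    size_t len;
    size_t pos;
} fake_sock;

/* Behaves like recv(): returns up to MAX_READ bytes, 0 at end of stream. */
static size_t fake_recv(fake_sock *s, char *buf, size_t cap) {
    size_t n = s->len - s->pos;
    if (n > cap) n = cap;
    if (n > MAX_READ) n = MAX_READ;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Buggy pattern: whatever one recv() returns is treated as the whole body. */
static size_t read_body_once(fake_sock *s, char *out, size_t cap) {
    return fake_recv(s, out, cap);
}

/* Correct pattern: keep reading until Content-Length bytes have arrived or
 * the peer closes early (which the caller must treat as an error). */
static size_t read_body_full(fake_sock *s, char *out, size_t cap, size_t content_length) {
    size_t got = 0;
    while (got < content_length && got < cap) {
        size_t n = fake_recv(s, out + got, cap - got);
        if (n == 0) break;  /* premature EOF */
        got += n;
    }
    return got;
}

/* Completeness check to run before any digest work: the byte count matches
 * Content-Length and the envelope is actually closed. */
int body_is_complete(const char *body, size_t got, size_t content_length) {
    if (got != content_length) return 0;
    return strstr(body, "</soapenv:Envelope>") != NULL;
}

/* Build a constructed envelope whose payload of 'A's stands in for base64 file data. */
static char *make_envelope(size_t payload_len, size_t *out_len) {
    const char *head = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                       "<soapenv:Body><file>";
    const char *tail = "</file></soapenv:Body></soapenv:Envelope>";
    size_t total = strlen(head) + payload_len + strlen(tail);
    char *env = malloc(total + 1);
    if (!env) return NULL;
    strcpy(env, head);
    memset(env + strlen(head), 'A', payload_len);
    strcpy(env + strlen(head) + payload_len, tail);
    *out_len = total;
    return env;
}

/* Returns 1 if the single-read path yields a complete envelope for this payload size. */
int once_complete(size_t payload_len) {
    size_t env_len;
    char *env = make_envelope(payload_len, &env_len);
    fake_sock s = { env, env_len, 0 };
    char *buf = calloc(env_len + 1, 1);
    size_t got = read_body_once(&s, buf, env_len);
    int ok = body_is_complete(buf, got, env_len);
    free(buf); free(env);
    return ok;
}

/* Returns 1 if the Content-Length loop yields a complete envelope for this payload size. */
int full_complete(size_t payload_len) {
    size_t env_len;
    char *env = make_envelope(payload_len, &env_len);
    fake_sock s = { env, env_len, 0 };
    char *buf = calloc(env_len + 1, 1);
    size_t got = read_body_full(&s, buf, env_len, env_len);
    int ok = body_is_complete(buf, got, env_len);
    free(buf); free(env);
    return ok;
}

int main(void) {
    printf("small response: once=%d full=%d\n", once_complete(1000), full_complete(1000));
    printf("large response: once=%d full=%d\n", once_complete(40000), full_complete(40000));
    return 0;
}
```

A client that runs a check like body_is_complete before handing the envelope to Rampart reports a transport-level truncation instead of a misleading "Digest verification failed", which is the distinction the logs above make hard to see.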
I have the same problem

Hi, I use Windows XP, and I installed WSF with PHP and Apache with no need to modify any API file! I have written a WSF client to consume an Apache CXF web service. I use only signature as the security policy. I can successfully contact the service and get the response if the response size is smaller than 32k! When the response size is greater, there is no response result and no fault message! (WSF logs attached.) I get the same error as Marcyn concerning the digest validation failure, which has only one explanation (the response is not complete or is corrupted!). Because I'm a beginner in PHP, I tried to verify the CXF service side of the WS; I debugged CXF in order to view the sent SOAP envelope, and everything is right and the body XML is valid! Also, I checked if there is a "chunk" behavior at the response sending phase, but CXF implements this feature only in the request (client side). So, I wish to ask: - is there a response size limitation on WSF (I don't think so, because even if there is, it can't be 32k!!!)? - in case of a huge response size, is there a chunking strategy on the WSF client when reading the response? Finally, my service works very well with SoapUi or a Java-based client! Thank you for your help!
!!!!!!!!!!!!!!!!

Hey guys! Can anyone help??????
I had the same problem many

I had the same problem many months ago. Unfortunately, I was not able to solve the problem. I resorted to using cURL to send the message and normal XML parse methods to parse the result. This way I lost the ability to use WS Security checks on the incoming message but at least I was able to get data back and forth. Hope you can use something similar until a bug fix is made.
A solution, but not the right one!

In my case the security is essential! I have to identify with a signature who is talking with my web service! In your case, adding SSL (via https) can cover the security need if you are looking to secure the data. For me, whether the data has been read by a third party during transmission does not matter. So, https can't be the solution. I'm very surprised by the fact that no one from the WSF team has read or tried to process this problem! This is the first time I use PHP and it will be the last! Good luck, Aymen
Experiencing same problem

Hi, is there any estimate of when the bug with the digest calculation failure on large responses will be fixed? Is there any workaround for that?
Is there really a support team for this project???????

Hi, this bug was first posted in April 2011, and still now there is no response from the developer team of this framework??????????
Any update on this post? I

Any update on this post? I have a similar issue with WSO2-WSF implementation which requires digital signing and XML encryption.