What does "wsse:InvalidSecurity" mean?

Question

An error was discovered processing the <wsse:Security> header

This is a WS-Security question btw...

I can't see anything wrong with my WS endpoint (apart from the fact that it's running in a TIBCO BW engine!). Does someone have any 'prior' with this kind of error? I realise that the WS-Security Header could be broken anywhere presumably to get this error but, there's GOT to be a 90% percentile on some kind of common error.

Here's the secured SOAP - the client is standalone java (WSS4J 1.5.0) performing signing only at this stage.

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"&gt;
    <soapenv:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-20237898">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/&gt;
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/&gt;
                    <ds:Reference URI="#id-18414151">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/&gt;
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/&gt;
                        <ds:DigestValue>DvjhvAtEVxwntL/RjMCNhId57cg=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>
YbOB3FRduCr5rutpIvch9sDZfZToy3pjm+Kyl/Oqz6cAPqMVKqvKBb4P7ebnzP/3SVjm+PfLqlE5
BGgcT3Vz93apyg+eY1rAIYUs7K1Zt9F5ejMmij6HQpQTGpyM9BUXJi1x5bt9GuMtD0SK939bIIE2
ZUyZ0jPJp/wUhMonskw=
</ds:SignatureValue>
                <ds:KeyInfo Id="KeyId-15734641">
                    <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-3852606">
                        <ds:X509Data>
                            <ds:X509IssuerSerial>
                                <ds:X509IssuerName>CN=Mark Hesketh,OU=asdf,O=DVA,L=Canberra,ST=ACT,C=AU</ds:X509IssuerName>
                                <ds:X509SerialNumber>1231310305</ds:X509SerialNumber>
                            </ds:X509IssuerSerial>
                        </ds:X509Data>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-18414151">
        <message xmlns="http://www.tibco.com/schemas/CertificateWork/Resources/Schema.xsd" text="Sample msg with SHA1 signature"/>
    </soapenv:Body>
</soapenv:Envelope>

Answer 1

Wow... if you're still having this problem, you have more patience than I... but just in case, here's my thoughts:

• http://schemas.xmlsoap.org/specs/ws-security/ws-security.htm#ws-security__toc6201567 - suggests that this is a problem reading the tag.
• One thing that sticks out to me is that I don't see a reference connecting the signature to the key info. Certainly, I would assume that the KeyInfo element is describing the certificate that used a private key to make the SignatureValue, but I don't see a peice of the XML that is telling the software that. I don't think including the KeyInfo is enough, there may have to be a link to it.
• If not that, I'd double check this against the schema, and maybe an independant schema verifying source. An error at the header level makes me think format rather than content.

That's my first guess at this one, and it's just a guess without getting hands on with your system and trying a bunch of different things. If that doesn't work, this my general logical chain for this type of error:

1. Format - the XML correct according to the schema?
2. Signature - the signature needs three things: data, a key, a set of algorithms for making it. Check all three - is the data correct, is the key correct, are the algorithms appropriate for the key and for how the message will be handled? Also, are the key and data items referenced properly and being found by your library?
3. External sources of info - in this case, your key info references a certificate that presumably is pulled from somewhere else - like an LDAP cert store. So.. can your code get to that external source, is the source of data running and network accessible from where you are running the code? etc.
4. If PKI -- Certificate Validation/Trust - what does the system have to do behind the scenes to trust the signer? OCSP checks? Lookup in LDAP? Chain to trusted root? etc. Is the trust algorithm working properly and does it have everything it needs - ie, access to OCSP responder, properly configured certificate store, etc.

I reorder these steps based upon my guess on what the error means. The errors are not so intuitive -- so I often go through all these steps just in case my interpretation of the error is wrong. Besides, I may then prevent a problem later...