1 reply Latest Post - 2014-04-08T13:44:57Z by daniel64

Maddy631

Token Validation failing

2013-09-11T03:27:15Z

Hi,

We are having an issue while validating the token from the client as part of the message-level authentication.

Below I am providing the details of the token and the client source code (how they create the signature).

Token Value - eyJhbGciOiJSUzI1NiIsImtpZCI6IjcxMTM5YTM3OTE2OGMwYTIxMmQzNjgyNDc2N2FjOTZjZmM5YjI3ZmYifQ....zFUDZ_ubqzjczWzVzzfCHg8NWxjTssOIz8NPPwwWwd2i2Y9uVLB-Wm_tMswwJ25uNZyiCCijtuyIlbXjtsPE1bPG4Znwg1WlCLiDINxH5eGC2JeB7R7Z5FBERcSGZie6Ewus_y7LxI0l1SOAQbCfzu7DFkDvTM5goktzR-HRono

The above token has three parts separated by '.'. The source code below shows how they created the token.

Source Code:

/**
 * @param privateKey private key
 * @param jsonFactory JSON factory
 * @param header JWS header
 * @param payload JWS payload
 * @return signed JWS string
 * @since 1.14 (since 1.7 as com.google.api.client.auth.jsontoken.RsaSHA256Signer)
 */
public static String signUsingRsaSha256(PrivateKey privateKey, JsonFactory jsonFactory,
    JsonWebSignature.Header header, JsonWebToken.Payload payload)
    throws GeneralSecurityException, IOException {
  // Signed input is the base64url-encoded header and payload joined by '.'
  String content = Base64.encodeBase64URLSafeString(jsonFactory.toByteArray(header)) + "."
      + Base64.encodeBase64URLSafeString(jsonFactory.toByteArray(payload));
  byte[] contentBytes = StringUtils.getBytesUtf8(content);
  // SHA256withRSA over the raw UTF-8 bytes of that string (the signer hashes internally)
  byte[] signature = SecurityUtils.sign(
      SecurityUtils.getSha256WithRsaSignatureAlgorithm(), privateKey, contentBytes);
  return content + "." + Base64.encodeBase64URLSafeString(signature);
}

Below is my DP code for verifying the token.

<xsl:stylesheet version="2.0" extension-element-prefixes="dp" exclude-result-prefixes="dp dpconfig" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dp="http://www.datapower.com/extensions" xmlns:dpconfig="http://www.datapower.com/param/config">

   <!--********************************************************************************************
File:    bearerTokenValidation.xsl
Purpose: This stylesheet will be used to validate the bearer token
Scope:   Refill Reminder Smart Mail Integration
Input params: Bearer Token, certificate, ClientID to validate the token
Output:
Change History:
Date           Author               Description of Change
============================================================
06/13/2013     Raju Mandapati           creation
********************************************************************************************-->
   <xsl:import href="local://Common/xsl/logLib.xsl"/>
   <xsl:import href="local://Common/xsl/retryLib.xsl"/>

   <xsl:template match="/">
      <xsl:variable name="Authorization">
         <xsl:value-of select="dp:http-request-header('Authorization')"/>
      </xsl:variable>

      <!-- Extract the token after the 'Bearer' scheme; reject when the header is absent -->
      <xsl:variable name="bearerToken">
         <xsl:choose>
            <xsl:when test="string(normalize-space($Authorization))!=''">
               <xsl:value-of select="normalize-space(substring-after($Authorization,'Bearer'))"/>
            </xsl:when>
            <xsl:otherwise>
               <xsl:call-template name="sendLogUserMessage">
                  <xsl:with-param name="logMsg" select="'Authorization is not available in the HTTP request header'"/>
                  <xsl:with-param name="priority" select="'notice'"/>
               </xsl:call-template>
               <dp:reject>No Bearer Token</dp:reject>
               <dp:set-variable name="'var://service/error-subcode'" value="0x01d30001"/>
            </xsl:otherwise>
         </xsl:choose>
      </xsl:variable>
      <!-- Logged after the declaration: $bearerToken is not in scope inside its own definition.
           Note that this writes the full credential to the log. -->
      <xsl:call-template name="sendLogUserMessage">
         <xsl:with-param name="logMsg" select="concat('Bearer Token ',$bearerToken)"/>
         <xsl:with-param name="priority" select="'notice'"/>
      </xsl:call-template>

      <!-- Split the token into its three '.'-separated segments -->
      <xsl:variable name="base64urlEncodedHeader" select="normalize-space(substring-before($bearerToken,'.'))"/>
      <xsl:call-template name="sendLogUserMessage">
         <xsl:with-param name="logMsg" select="concat('base64urlEncodedHeader is ',$base64urlEncodedHeader)"/>
         <xsl:with-param name="priority" select="'notice'"/>
      </xsl:call-template>
      <xsl:variable name="base64urlEncodedClaimset" select="normalize-space(substring-before(substring-after($bearerToken,'.'),'.'))"/>
      <xsl:call-template name="sendLogUserMessage">
         <xsl:with-param name="logMsg" select="concat('base64urlEncodedClaimset is ',$base64urlEncodedClaimset)"/>
         <xsl:with-param name="priority" select="'notice'"/>
      </xsl:call-template>
      <xsl:variable name="base64urlEncodedSignature" select="normalize-space(substring-after(substring-after($bearerToken,'.'),'.'))"/>
      <xsl:call-template name="sendLogUserMessage">
         <xsl:with-param name="logMsg" select="concat('base64urlEncodedSignature is ',$base64urlEncodedSignature)"/>
         <xsl:with-param name="priority" select="'notice'"/>
      </xsl:call-template>

      <xsl:variable name="base64urlDecodedHeader" select="dp:decode($base64urlEncodedHeader,'base-64')"/>
      <xsl:call-template name="sendLogUserMessage">
         <xsl:with-param name="logMsg" select="concat('base64urlDecodedHeader is ',$base64urlDecodedHeader)"/>
         <xsl:with-param name="priority" select="'notice'"/>
      </xsl:call-template>
      <xsl:variable name="base64urlDecodedClaimset" select="dp:decode($base64urlEncodedClaimset,'base-64')"/>
      <xsl:call-template name="sendLogUserMessage">
         <xsl:with-param name="logMsg" select="concat('base64urlDecodedClaimset is ',$base64urlDecodedClaimset)"/>
         <xsl:with-param name="priority" select="'notice'"/>
      </xsl:call-template>

      <xsl:variable name="base64urlDecodedSignature" select="normalize-space(dp:binary-decode($base64urlEncodedSignature))"/>
      <xsl:call-template name="sendLogUserMessage">
         <xsl:with-param name="logMsg" select="concat('base64urlDecodedSignature is ',$base64urlDecodedSignature)"/>
         <xsl:with-param name="priority" select="'notice'"/>
      </xsl:call-template>

      <!-- Signed input is the encoded header and claim set joined by '.' -->
      <xsl:variable name="signed-Info" select="normalize-space(concat($base64urlEncodedHeader,'.',$base64urlEncodedClaimset))"/>
      <xsl:call-template name="sendLogUserMessage">
         <xsl:with-param name="logMsg" select="concat('Signed Info is ',$signed-Info)"/>
         <xsl:with-param name="priority" select="'notice'"/>
      </xsl:call-template>

      <xsl:variable name="signedInfo-Hash" select="dp:hash('http://www.w3.org/2001/04/xmlenc#sha256',$signed-Info)"/>
      <xsl:call-template name="sendLogUserMessage">
         <xsl:with-param name="logMsg" select="concat('Hashed Signed Info is ',$signedInfo-Hash)"/>
         <xsl:with-param name="priority" select="'notice'"/>
      </xsl:call-template>

      <xsl:variable name="sigmech" select="'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'"/>

      <!-- Public certificate configured on the appliance under the name Google_Cert -->
      <xsl:variable name="certid" select="concat('name:', 'Google_Cert')"/>
      <xsl:variable name="base64Certificate" select="dp:base64-cert($certid)"/>
      <xsl:variable name="cert-Details" select="dp:get-cert-details($certid)"/>
      <xsl:variable name="verify-result" select="dp:verify($sigmech,$signedInfo-Hash,$base64urlEncodedSignature,concat('cert:',$base64Certificate))"/>
      <xsl:call-template name="sendLogUserMessage">
         <xsl:with-param name="logMsg" select="concat('Verify Result is ',$verify-result)"/>
         <xsl:with-param name="priority" select="'notice'"/>
      </xsl:call-template>

      <!-- dp:verify returns an empty string on success and an error message on failure -->
      <xsl:choose>
         <xsl:when test="string(normalize-space($verify-result))=''">
            <xsl:call-template name="sendLogUserMessage">
               <xsl:with-param name="logMsg" select="'Token Validation Successful.'"/>
               <xsl:with-param name="priority" select="'notice'"/>
            </xsl:call-template>
         </xsl:when>
         <xsl:otherwise>
            <xsl:call-template name="sendLogUserMessage">
               <xsl:with-param name="logMsg" select="'Token Validation Failed.'"/>
               <xsl:with-param name="priority" select="'notice'"/>
            </xsl:call-template>
            <dp:reject>Unauthorized</dp:reject>
            <dp:set-variable name="'var://service/error-subcode'" value="0x01d30001"/>
         </xsl:otherwise>
      </xsl:choose>
   </xsl:template>

</xsl:stylesheet>

I am getting the below error.

Signature verification failed: *RSA signature did not verify*

Could anyone please help/guide me to resolve the issue?

Thanks...

daniel64

Re: Token Validation failing

2014-04-08T13:44:57Z in response to Maddy631

    Hello,

Did you finally get it to work?

    Thanks.