Posted to commits@santuario.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2020/01/15 12:12:00 UTC

[jira] [Resolved] (SANTUARIO-516) XMLSignature regression in Java 11+ when signing SOAP message with Enveloped signature and Id attribute reference

     [ https://issues.apache.org/jira/browse/SANTUARIO-516?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved SANTUARIO-516.
-------------------------------------------
    Resolution: Not A Problem

I'm resolving this as I'm almost certain it's a bug that was introduced in SAAJ. I've provided them a test-case with no Santuario dependencies to reproduce the issue, so the ball is in their court.

> XMLSignature regression in Java 11+ when signing SOAP message with Enveloped signature and Id attribute reference
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: SANTUARIO-516
>                 URL: https://issues.apache.org/jira/browse/SANTUARIO-516
>             Project: Santuario
>          Issue Type: Bug
>          Components: Java
>            Reporter: Ivan Novak
>            Assignee: Colm O hEigeartaigh
>            Priority: Minor
>         Attachments: SANTUARIO-516.patch, SANTUARIO-516.zip, signsoap.txt
>
>
> Consider the attached code. This produces a valid enveloped signature in Java 8. On Java 11+, an invalid enveloped signature is produced because the Signature element itself is canonicalized and signed.
>  The issue stems from `com.sun.org.apache.xml.internal.security.c14n.implementations.CanonicalizerBase`,
> specifically the `canonicalizeSubTree(Node currentNode, NameSpaceSymbTable ns, Node endnode, int documentLevel)` method.
>  This method in Java 11+ canonicalizes the Signature element as well. This makes the whole signature invalid.
>  The reason the `Signature` node gets canonicalized is that the condition `if (currentNode == excludeNode)` evaluates to `false` for the Signature node.
>  This is because at runtime `currentNode` is an instance of `com.sun.org.apache.xerces.internal.dom.ElementNSImpl`, while `excludeNode` is an instance of `com.sun.xml.messaging.saaj.soap.impl.ElementImpl`.
> Workaround:
>  - pass the parent node of the node you are signing to DOMSignContext
>  - after signing move the signature into the node that was signed as the last child
> Note:
> - I am using jaxws-ri v2.3.2 dependency for the SOAP classes



--
This message was sent by Atlassian Jira
(v8.3.4#803005)