Posted to commits@santuario.apache.org by "Colm O hEigeartaigh (Resolved) (JIRA)" <ji...@apache.org> on 2012/04/16 11:52:23 UTC

[jira] [Resolved] (SANTUARIO-309) Default XMLCipher canonicalizer may decrypt element to the wrong namespace

     [ https://issues.apache.org/jira/browse/SANTUARIO-309?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved SANTUARIO-309.
-------------------------------------------

    Resolution: Fixed
    
> Default XMLCipher canonicalizer may decrypt element to the wrong namespace
> --------------------------------------------------------------------------
>
>                 Key: SANTUARIO-309
>                 URL: https://issues.apache.org/jira/browse/SANTUARIO-309
>             Project: Santuario
>          Issue Type: Bug
>          Components: Java
>    Affects Versions: Java 1.4.5, Java 1.5.1
>            Reporter: Clement Pellerin
>            Assignee: Colm O hEigeartaigh
>             Fix For: Java 1.5.2
>
>         Attachments: SANTUARIO-309.diff, SANTUARIO-309b.diff, SANTUARIO-309c.diff, TestC14N.java
>
>
> The default XMLCipher canonicalizer is Inclusive XML C14N with comments. This canonicalization has the problem described in the XML Encryption spec section 4.3.3. If the encrypted element <elem> undeclares the default namespace inherited from its parent, the resulting decrypted element is missing the undeclaration and therefore the element lies in the wrong namespace.
> In this example, <elem> moves from the global namespace to the http://default.com namespace.
> <env:Envelope xmlns="http://default.com" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Body><elem xmlns="">11</elem></env:Body></env:Envelope>
> It would be tempting to use Exclusive XML C14N, but this algorithm also has problems. It removes namespace declarations that are not visibly used. If the namespace prefix is used only in text mode, the algorithm cannot detect it.
> I would argue that the best way to solve this problem is to create a non-standard canonicalization that simply emits the nodes as is. This is like a pretty-printer without indenting.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
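
The namespace shift described in the issue, reproduced as an added example; this is not code from the Santuario project or from the JIRA report. It uses only the Python standard library. ET.canonicalize() implements Canonical XML 2.0 rather than the Inclusive C14N 1.0 that XMLCipher defaults to, but for this input it does the same thing: the apex element is written without its xmlns="" undeclaration. serialize_as_is() models the reporter's proposed fix (emit the nodes as written); decrypted_element_tag() models the decryptor re-parsing the plaintext inside the parent element. The sample envelope is the one from the report; the <wrap> element and all function names are this example's own.

```python
"""Constructed example: why canonicalizing a subtree can move an element to
the wrong namespace (the SANTUARIO-309 failure mode), standard library only."""
import io
import xml.etree.ElementTree as ET
import xml.parsers.expat
from xml.sax.saxutils import escape

# Constructed input: the document from the bug report.
PARENT_DEFAULT_NS = "http://default.com"
SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ENVELOPE = (
    f'<env:Envelope xmlns="{PARENT_DEFAULT_NS}" xmlns:env="{SOAP_ENV_NS}">'
    '<env:Body><elem xmlns="">11</elem></env:Body></env:Envelope>'
)
# The element that gets encrypted, exactly as it appears in the document.
ELEM_SOURCE = '<elem xmlns="">11</elem>'

_ATTR_ESCAPES = {'"': "&quot;"}


def original_element_tag() -> str:
    """Tag of <elem> in the original document. ElementTree uses Clark notation
    ('{uri}local'); a bare 'elem' means the element is in no namespace."""
    body = ET.fromstring(ENVELOPE).find(f"{{{SOAP_ENV_NS}}}Body")
    return body[0].tag


def canonical_fragment(fragment: str) -> str:
    """What a canonicalizer produces for the element on its own (the bytes the
    encryptor would encrypt). With no output ancestor to compare against, the
    apex element is written without xmlns="", so the undeclaration is lost."""
    return ET.canonicalize(fragment)


def serialize_as_is(fragment: str) -> str:
    """The reporter's proposal: emit nodes as written, like a pretty-printer
    without indentation. Expat is run without namespace processing so xmlns
    attributes are seen as ordinary attributes and copied back in document
    order, undeclarations included."""
    out = io.StringIO()
    parser = xml.parsers.expat.ParserCreate()
    parser.ordered_attributes = True  # attrs arrive as [name, value, ...]
    parser.buffer_text = True         # one CharacterData call per text run

    def start(name, attrs):
        out.write("<" + name)
        for i in range(0, len(attrs), 2):
            out.write(f' {attrs[i]}="{escape(attrs[i + 1], _ATTR_ESCAPES)}"')
        out.write(">")

    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: out.write(f"</{name}>")
    parser.CharacterDataHandler = lambda data: out.write(escape(data))
    parser.Parse(fragment, True)
    return out.getvalue()


def decrypted_element_tag(plaintext: str, parent_default_ns: str) -> str:
    """Model the decryptor: the recovered plaintext is parsed back into the
    document where EncryptedData stood, so the parent's in-scope default
    namespace applies to anything the plaintext does not (un)declare itself.
    The <wrap> element is a stand-in for the parent (assumption of this example)."""
    wrapped = f'<wrap xmlns="{parent_default_ns}">{plaintext}</wrap>'
    return ET.fromstring(wrapped)[0].tag


if __name__ == "__main__":
    print("original tag            :", original_element_tag())
    c14n = canonical_fragment(ELEM_SOURCE)
    print("canonicalized plaintext :", c14n)
    print("tag after decryption    :", decrypted_element_tag(c14n, PARENT_DEFAULT_NS))
    as_is = serialize_as_is(ELEM_SOURCE)
    print("as-is plaintext         :", as_is)
    print("tag after decryption    :", decrypted_element_tag(as_is, PARENT_DEFAULT_NS))
```

Run it and the canonicalized path shows <elem> coming back as {http://default.com}elem, while the as-is path keeps it in no namespace. The same wrapper trick is a cheap regression check for any XML encryption code path: encrypt an element that undeclares or redeclares a namespace, decrypt in place, and compare the namespace URI of the result with the original before trusting the round trip.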