Posted to commits@santuario.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2011/04/15 18:04:05 UTC
[jira] [Updated] (SANTUARIO-264) Problem validating SOAP signatures when using C14N#withComments
[ https://issues.apache.org/jira/browse/SANTUARIO-264?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh updated SANTUARIO-264:
------------------------------------------
Affects Version/s: Java 1.4.4
Fix Version/s: Java 1.5, Java 1.4.5
> Problem validating SOAP signatures when using C14N#withComments
> ---------------------------------------------------------------
>
> Key: SANTUARIO-264
> URL: https://issues.apache.org/jira/browse/SANTUARIO-264
> Project: Santuario
> Issue Type: Bug
> Components: Java
> Affects Versions: Java 1.4.4
> Environment: JDK1.6.0_20
> Windows Vista
> Reporter: Xavier Dury
> Assignee: Colm O hEigeartaigh
> Fix For: Java 1.4.5, Java 1.5
>
>
> We're receiving the following SOAP signature:
> <SignedInfo>
>   <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
>   <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>   <Reference URI="#Timestamp-8ea2b114-4eef-4065-9652-4a5ec993ec3a">
>     <Transforms>
>       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
>     </Transforms>
>     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>     <DigestValue>f2APXuQigEwUbXF4iTU9CR6t29E=</DigestValue>
>   </Reference>
>   <Reference URI="#Body-dd696b91-999c-4e21-92d1-3fcf24df588c">
>     <Transforms>
>       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
>     </Transforms>
>     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>     <DigestValue>Unhng+BNNENb3kMNAdJ79O+kV9k=</DigestValue>
>   </Reference>
> </SignedInfo>
>
> All C14N methods in the SignedInfo block are comments-sensitive.
> That signature fails when the SOAP:Body contains comments; when comments are removed, the signature
> validates correctly.
>
> In some places of the code, it seems that the flag XMLSignatureInput.excludeComments is wrongly set:
>
> for SignedInfo/CanonicalizationMethod
> problem in ApacheCanonicalizer.transform(...) =>
>     DOMSubTreeData subTree = (DOMSubTreeData) data;
>     in = new XMLSignatureInput(subTree.getRoot());
>     in.setExcludeComments(subTree.excludeComments());
> subtree is instantiated in DOMSignedInfo.canonicalize(...) =>
>     DOMSubTreeData subTree = new DOMSubTreeData(localSiElem, true); // Always TRUE regardless of C14N method.
> Thread [main] (Suspended (breakpoint at line 481 in XMLSignatureInput))
> XMLSignatureInput.setExcludeComments(boolean) line: 481
> DOMExcC14NMethod(ApacheCanonicalizer).transform(Data, XMLCryptoContext, OutputStream) line: 198
> DOMCanonicalizationMethod(DOMTransform).transform(Data, XMLCryptoContext, OutputStream) line: 129
> DOMCanonicalizationMethod.canonicalize(Data, XMLCryptoContext, OutputStream) line: 67
> DOMSignedInfo.canonicalize(XMLCryptoContext, ByteArrayOutputStream) line: 172
> DOMRSASignatureMethod.verify(Key, DOMSignedInfo, byte[], XMLValidateContext) line: 112
> DOMXMLSignature$DOMSignatureValue.validate(XMLValidateContext) line: 514
> DOMXMLSignature.validate(XMLValidateContext) line: 232
> Main.main(String[]) line: 67
>
> for SignedInfo/Reference
> problem in ResolverFragment.engineResolve(...) =>
>     XMLSignatureInput result = new XMLSignatureInput(selectedElem);
>     result.setExcludeComments(true); // Always TRUE regardless of C14N method.
> Thread [main] (Suspended (breakpoint at line 481 in XMLSignatureInput))
> XMLSignatureInput.setExcludeComments(boolean) line: 481
> ResolverFragment.engineResolve(Attr, String) line: 97
> ResourceResolver.resolve(Attr, String) line: 236
> DOMURIDereferencer.dereference(URIReference, XMLCryptoContext) line: 75
> DOMReference.dereference(XMLCryptoContext) line: 344
> DOMReference.validate(XMLValidateContext) line: 311
> DOMXMLSignature.validate(XMLValidateContext) line: 244
> Main.main(String[]) line: 67
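
The failure mode in the report, as an added example that is not part of the original message and is not Santuario code: a verifier that always excludes comments computes a different digest from a signer that honoured #WithComments, so a Reference over a body containing a comment fails while a comment-free body still validates. It uses Python's standard-library canonicalizer (C14N 2.0) as a stand-in for exclusive C14N; the SOAP body, the helper exclude_comments_for and the hardcode_true switch are constructed for illustration.

```python
import base64
import hashlib
from xml.etree.ElementTree import canonicalize

WITH_COMMENTS = "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
NO_COMMENTS = "http://www.w3.org/2001/10/xml-exc-c14n#"

# Constructed SOAP Body (not from the report); the comment is the part at issue.
BODY = ('<soap:Body xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
        'Id="Body-1"><!-- routing hint --><op>transfer</op></soap:Body>')


def digest(xml_text, exclude_comments):
    """Canonicalize, then return the base64 SHA-1 value a <DigestValue> holds."""
    c14n = canonicalize(xml_text, with_comments=not exclude_comments)
    return base64.b64encode(hashlib.sha1(c14n.encode("utf-8")).digest()).decode()


def exclude_comments_for(algorithm_uri):
    """Hypothetical helper: derive the flag from the declared algorithm."""
    return not algorithm_uri.endswith("#WithComments")


def validate(xml_text, signed_digest, algorithm_uri, hardcode_true):
    """Verifier side. hardcode_true models the behaviour the report describes."""
    exclude = True if hardcode_true else exclude_comments_for(algorithm_uri)
    return digest(xml_text, exclude) == signed_digest


def demo():
    # The signer honours #WithComments, so the comment is part of the digest.
    signed = digest(BODY, exclude_comments=False)
    no_comment = BODY.replace("<!-- routing hint -->", "")
    signed_plain = digest(no_comment, exclude_comments=False)
    return {
        "hardcoded, body has comment": validate(BODY, signed, WITH_COMMENTS, True),
        "hardcoded, no comment": validate(no_comment, signed_plain, WITH_COMMENTS, True),
        "derived, body has comment": validate(BODY, signed, WITH_COMMENTS, False),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'INVALID'}")
```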