Posted to commits@santuario.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2011/04/15 18:04:05 UTC

[jira] [Commented] (SANTUARIO-264) Problem validating SOAP signatures when using C14N#withComments

    [ https://issues.apache.org/jira/browse/SANTUARIO-264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13020338#comment-13020338 ] 

Colm O hEigeartaigh commented on SANTUARIO-264:
-----------------------------------------------


Definitely a bug. Could you supply a test-case for it?

Thanks,

Colm.

> Problem validating SOAP signatures when using C14N#withComments
> ---------------------------------------------------------------
>
>                 Key: SANTUARIO-264
>                 URL: https://issues.apache.org/jira/browse/SANTUARIO-264
>             Project: Santuario
>          Issue Type: Bug
>          Components: Java
>    Affects Versions: Java 1.4.4
>         Environment: JDK1.6.0_20
> Windows Vista
>            Reporter: Xavier Dury
>            Assignee: Colm O hEigeartaigh
>             Fix For: Java 1.4.5, Java 1.5
>
>
> We're receiving the following SOAP signature:
> <SignedInfo>
>   <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
>   <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>   <Reference URI="#Timestamp-8ea2b114-4eef-4065-9652-4a5ec993ec3a">
>     <Transforms>
>       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
>     </Transforms>
>     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>     <DigestValue>f2APXuQigEwUbXF4iTU9CR6t29E=</DigestValue>
>   </Reference>
>   <Reference URI="#Body-dd696b91-999c-4e21-92d1-3fcf24df588c">
>     <Transforms>
>       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
>     </Transforms>
>     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>     <DigestValue>Unhng+BNNENb3kMNAdJ79O+kV9k=</DigestValue>
>   </Reference>
> </SignedInfo>
> All C14N methods in the SignedInfo block are comments-sensitive.
> That signature fails when the SOAP:Body contains comments; when comments are removed, the signature
> validates correctly.
> In some places of the code, it seems that the flag XMLSignatureInput.excludeComments is wrongly set:
> for SignedInfo/CanonicalizationMethod
> problem in ApacheCanonicalizer.transform(...) =>
>     DOMSubTreeData subTree = (DOMSubTreeData) data;
>     in = new XMLSignatureInput(subTree.getRoot());
>     in.setExcludeComments(subTree.excludeComments());
> subtree is instantiated in DOMSignedInfo.canonicalize(...) =>
>     DOMSubTreeData subTree = new DOMSubTreeData(localSiElem, true); // Always TRUE regardless of C14N method.
> Thread [main] (Suspended (breakpoint at line 481 in XMLSignatureInput))        
>                 XMLSignatureInput.setExcludeComments(boolean) line: 481   
>                 DOMExcC14NMethod(ApacheCanonicalizer).transform(Data, XMLCryptoContext, OutputStream) line: 198    
>                 DOMCanonicalizationMethod(DOMTransform).transform(Data, XMLCryptoContext, OutputStream) line: 129                
>                 DOMCanonicalizationMethod.canonicalize(Data, XMLCryptoContext, OutputStream) line: 67 
>                 DOMSignedInfo.canonicalize(XMLCryptoContext, ByteArrayOutputStream) line: 172  
>                 DOMRSASignatureMethod.verify(Key, DOMSignedInfo, byte[], XMLValidateContext) line: 112             
>                 DOMXMLSignature$DOMSignatureValue.validate(XMLValidateContext) line: 514         
>                 DOMXMLSignature.validate(XMLValidateContext) line: 232      
>                 Main.main(String[]) line: 67   
> for SignedInfo/Reference
> problem in ResolverFragment.engineResolve(...) =>
>     XMLSignatureInput result = new XMLSignatureInput(selectedElem);
>     result.setExcludeComments(true); // Always TRUE regardless of C14N method.
> Thread [main] (Suspended (breakpoint at line 481 in XMLSignatureInput))        
>                 XMLSignatureInput.setExcludeComments(boolean) line: 481   
>                 ResolverFragment.engineResolve(Attr, String) line: 97                
>                 ResourceResolver.resolve(Attr, String) line: 236              
>                 DOMURIDereferencer.dereference(URIReference, XMLCryptoContext) line: 75           
>                 DOMReference.dereference(XMLCryptoContext) line: 344      
>                 DOMReference.validate(XMLValidateContext) line: 311             
>                 DOMXMLSignature.validate(XMLValidateContext) line: 244      
>                 Main.main(String[]) line: 67   

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
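
The mismatch reported above, as an added example that is not part of the original message or of Santuario's code: a verifier that hard-codes the exclude-comments flag to true rejects a commented body signed under a #WithComments algorithm, while one that derives the flag from the algorithm URI accepts it. It uses Python's standard-library C14N 2.0 canonicalizer as a stand-in for Exclusive C14N; the sample bodies and all function names are constructed for illustration.

```python
import base64
import hashlib
from xml.etree.ElementTree import canonicalize

EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
EXC_C14N_WITH_COMMENTS = EXC_C14N + "WithComments"


def exclude_comments_for(algorithm_uri):
    """Derive the comment flag from the declared algorithm instead of hard-coding it."""
    return not algorithm_uri.endswith("#WithComments")


def digest(xml_text, exclude_comments):
    """Canonicalize, then SHA-1 + base64 as in the report's DigestMethod/DigestValue."""
    # Stand-in canonicalizer: stdlib C14N 2.0, not Exclusive C14N 1.0.
    c14n = canonicalize(xml_text, with_comments=not exclude_comments)
    return base64.b64encode(hashlib.sha1(c14n.encode("utf-8")).digest()).decode("ascii")


def reference_validates(xml_text, algorithm_uri, signed_digest, hard_coded_true):
    """hard_coded_true=True mimics the reported behaviour (flag always true)."""
    exclude = True if hard_coded_true else exclude_comments_for(algorithm_uri)
    return digest(xml_text, exclude) == signed_digest


# Constructed sample bodies (not taken from the report).
BODY_WITH_COMMENT = '<Body Id="Body-1"><!-- audit note --><amount>10</amount></Body>'
BODY_NO_COMMENT = '<Body Id="Body-1"><amount>10</amount></Body>'


def run_cases():
    results = {}
    for name, body in (("with_comment", BODY_WITH_COMMENT), ("no_comment", BODY_NO_COMMENT)):
        # The signer honours #WithComments, so comments are part of the digest.
        signed = digest(body, exclude_comments=False)
        results[name] = {
            "hard_coded": reference_validates(body, EXC_C14N_WITH_COMMENTS, signed, True),
            "derived": reference_validates(body, EXC_C14N_WITH_COMMENTS, signed, False),
        }
    return results


if __name__ == "__main__":
    for case, outcome in run_cases().items():
        print(case, outcome)
```

The comment-free body validates under both settings, which matches the reporter's observation that removing the comments makes the signature verify.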