Posted to commits@santuario.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2019/12/12 14:07:00 UTC

[jira] [Commented] (SANTUARIO-516) XMLSignature regression in Java 11+ when signing SOAP message with Enveloped signature and Id attribute reference

    [ https://issues.apache.org/jira/browse/SANTUARIO-516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16994709#comment-16994709 ] 

Colm O hEigeartaigh commented on SANTUARIO-516:
-----------------------------------------------

I can't reproduce the issue - could you create a sample test-case that I can run to reproduce it?

> XMLSignature regression in Java 11+ when signing SOAP message with Enveloped signature and Id attribute reference
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: SANTUARIO-516
>                 URL: https://issues.apache.org/jira/browse/SANTUARIO-516
>             Project: Santuario
>          Issue Type: Bug
>          Components: Java
>            Reporter: Ivan Novak
>            Assignee: Colm O hEigeartaigh
>            Priority: Minor
>         Attachments: signsoap.txt
>
>
> Consider the attached code. This produces a valid enveloped signature in Java 8. On Java 11+, an invalid enveloped signature is produced because the Signature element itself is canonicalized and signed.
> The issue stems from `com.sun.org.apache.xml.internal.security.c14n.implementations.CanonicalizerBase`,
> specifically the `canonicalizeSubTree(Node currentNode, NameSpaceSymbTable ns, Node endnode, int documentLevel)` method.
> This method in Java 11+ canonicalizes the Signature element as well. This makes the whole signature invalid.
> The reason the `Signature` node gets canonicalized is that the condition `if (currentNode == excludeNode)` is evaluated to `false` for the Signature node.
> This is because at runtime `currentNode` is an instance of `com.sun.org.apache.xerces.internal.dom.ElementNSImpl`, while `excludeNode` is an instance of `com.sun.xml.messaging.saaj.soap.impl.ElementImpl`.
> Workaround:
>  - pass the parent node of the node you are signing to DOMSignContext
>  - after signing move the signature into the node that was signed as the last child
> Note:
> - I am using jaxws-ri v2.3.2 dependency for the SOAP classes


