Posted to commits@santuario.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2019/12/12 14:07:00 UTC
[jira] [Commented] (SANTUARIO-516) XMLSignature regression in Java 11+ when signing SOAP message with Enveloped signature and Id attribute reference
[ https://issues.apache.org/jira/browse/SANTUARIO-516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16994709#comment-16994709 ]
Colm O hEigeartaigh commented on SANTUARIO-516:
-----------------------------------------------
I can't reproduce the issue - could you create a sample test-case that I can run to reproduce it?
> XMLSignature regression in Java 11+ when signing SOAP message with Enveloped signature and Id attribute reference
> -----------------------------------------------------------------------------------------------------------------
>
> Key: SANTUARIO-516
> URL: https://issues.apache.org/jira/browse/SANTUARIO-516
> Project: Santuario
> Issue Type: Bug
> Components: Java
> Reporter: Ivan Novak
> Assignee: Colm O hEigeartaigh
> Priority: Minor
> Attachments: signsoap.txt
>
>
> Consider the attached code. This produces a valid enveloped signature in Java 8. On Java 11+ an invalid enveloped signature is produced because the Signature element itself is canonicalized and signed.
> The issue stems from `com.sun.org.apache.xml.internal.security.c14n.implementations.CanonicalizerBase`,
> specifically the `canonicalizeSubTree(Node currentNode, NameSpaceSymbTable ns, Node endnode, int documentLevel)` method.
> This method in Java 11+ canonicalizes the Signature element as well. This makes the whole signature invalid.
> The reason the `Signature` node gets canonicalized is because the condition `if (currentNode == excludeNode)` is evaluated to `false` for the Signature node.
> This is because at runtime `currentNode` is an instance of `com.sun.org.apache.xerces.internal.dom.ElementNSImpl`, while `excludeNode` is an instance of `com.sun.xml.messaging.saaj.soap.impl.ElementImpl`.
> Workaround:
> - pass the parent node of the node you are signing to DOMSignContext
> - after signing move the signature into the node that was signed as the last child
> Note:
> - I am using jaxws-ri v2.3.2 dependency for the SOAP classes