Posted to dev@santuario.apache.org by bu...@apache.org on 2006/11/13 17:44:00 UTC
DO NOT REPLY [Bug 40957] New: - NullPointer Exception occurs during signature validation
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40957>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=40957
Summary: NullPointer Exception occurs during signature validation
Product: Security
Version: Java 1.3
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P3
Component: Signature
AssignedTo: security-dev@xml.apache.org
ReportedBy: peterbacik@inmail.sk
If a client sends a SOAP request with a wrong signature (values of the ds:...
elements are missing), a NullPointerException is thrown in the ElementProxy class.
Request:
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo
          xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:CanonicalizationMethod
            Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
        <ds:SignatureMethod
            Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
        <ds:Reference URI="#Body"
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:Transforms
              xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:Transform
                Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
            <ds:Transform
                Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
          </ds:Transforms>
          <ds:DigestMethod
              Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
              xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
          <ds:DigestValue/>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue/>
      <ds:KeyInfo
          xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate/>
        </ds:X509Data>
        <ds:KeyValue>
          <ds:RSAKeyValue>
            <ds:Modulus/>
            <ds:Exponent/>
          </ds:RSAKeyValue>
        </ds:KeyValue>
      </ds:KeyInfo>
    </ds:Signature>
  </soapenv:Header>
  <soapenv:Body Id="Body">
    ...
  </soapenv:Body>
</soapenv:Envelope>
Stack trace:
java.lang.NullPointerException
    at org.apache.xml.security.utils.ElementProxy.getBytesFromTextChild(ElementProxy.java:423)
    at org.apache.xml.security.keys.content.x509.XMLX509Certificate.getCertificateBytes(XMLX509Certificate.java:99)
    at org.apache.xml.security.keys.content.x509.XMLX509Certificate.getX509Certificate(XMLX509Certificate.java:111)
    at org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver.engineResolveX509Certificate(X509CertificateResolver.java:149)
    at org.apache.xml.security.keys.keyresolver.KeyResolver.resolveX509Certificate(KeyResolver.java:239)
    at org.apache.xml.security.keys.KeyInfo.getX509CertificateFromStaticResolvers(KeyInfo.java:900)
    at org.apache.xml.security.keys.KeyInfo.getX509Certificate(KeyInfo.java:859)
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
DO NOT REPLY [Bug 40957] - NullPointer Exception occurs during signature validation
Posted by bu...@apache.org.
sean.mullan@sun.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID
------- Additional Comments From sean.mullan@sun.com 2007-02-14 12:28 -------
I don't really think this is a bug. The example signature is not
valid according to the xmldsig schema. In this case, I think throwing
an NPE is ok. The application should validate the soap message using
a schema/DTD prior to validating the signature to make sure it is in
correct form.
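One way to act on the advice in the comment above is to reject a message whose value-bearing ds: elements are empty before any signature code sees it. This is an added example, not code from the bug report or from the xml-security project: the class name SignaturePrecheck, the element list and the cut-down sample message are assumptions made for illustration, and it is a structural pre-check built on JDK APIs only, not full schema validation.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

// Hypothetical helper class, named for this example only.
public class SignaturePrecheck {
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    // The elements left empty in the reported request (assumed list, taken from that message).
    static final String[] VALUE_ELEMENTS = {"DigestValue", "SignatureValue", "X509Certificate", "Modulus", "Exponent"};

    // Returns the names of ds: elements that are present but carry no text.
    static List<String> emptyValueElements(Document doc) {
        List<String> empty = new ArrayList<>();
        for (String name : VALUE_ELEMENTS) {
            NodeList nodes = doc.getElementsByTagNameNS(DS, name);
            for (int i = 0; i < nodes.getLength(); i++) {
                if (nodes.item(i).getTextContent().trim().isEmpty()) {
                    empty.add("ds:" + name);
                }
            }
        }
        return empty;
    }

    // Namespace-aware parse with secure processing on and DOCTYPE declarations refused.
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a cut-down version of the request in the report.
        String xml = "<ds:Signature xmlns:ds=\"" + DS + "\">"
            + "<ds:SignedInfo><ds:Reference URI=\"#Body\"><ds:DigestValue/></ds:Reference></ds:SignedInfo>"
            + "<ds:SignatureValue/>"
            + "<ds:KeyInfo><ds:X509Data><ds:X509Certificate/></ds:X509Data></ds:KeyInfo>"
            + "</ds:Signature>";
        List<String> empty = emptyValueElements(parse(xml));
        // Only continue to signature validation when the list is empty.
        System.out.println(empty.isEmpty() ? "ok: continue with signature validation"
                                           : "rejected, empty signature elements: " + empty);
    }
}
```

A caller would run this check on the parsed SOAP document and return a fault for a non-empty list, so that key resolution is never attempted on an empty ds:X509Certificate.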
DO NOT REPLY [Bug 40957] - NullPointer Exception occurs during signature validation
Posted by bu...@apache.org.
sean.mullan@sun.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
------- Additional Comments From sean.mullan@sun.com 2007-09-19 12:24 -------
Closing old bugs.