Posted to users@cxf.apache.org by Guy Ridley <gu...@lunarlogic.com> on 2018/02/22 20:04:16 UTC

how to remove XML linebreaks from signatures

Hello,  

How can I create signatures that don't have XML linefeed characters in them?
(&#xd;)

The server receiving the transmission is saying that the ampersand or hash
could be the cause of a 'potential threat' fault, as if it could be a SQL
injection error. 

Last year the signatures had no line feeds at all - but there have been
several changes and I'm not sure when it started happening.  (Currently
using CXF 3.2.1, WSSJ 2.2, and Java 1.8 - we had to upgrade to handle a new
requirement for sha-256 instead of sha-1.)

I've tried this (among other things) without success.
        String xmlSec = "org.apache.xml.security.ignoreLineBreaks"; 
        System.setProperty(xmlSec, "true"); 

Is there a cxf or Tomcat config file somewhere I could set this permanently
in?  Or is this a red herring?

Could it be a WsHandler setting? (I've checked them all, don't see any that
would apply.)  Or a mismatch in the versions above?

Thanks for any ideas.

--
Sent from: http://cxf.547215.n5.nabble.com/cxf-user-f547216.html

Re: how to remove XML linebreaks from signatures

Posted by Colm O hEigeartaigh <co...@apache.org>.
FYI I've decided to add a way of disabling line breaks in BASE-64 output:

https://issues.apache.org/jira/browse/SANTUARIO-482

Colm.

On Mon, Feb 26, 2018 at 11:33 AM, Colm O hEigeartaigh <co...@apache.org>
wrote:

> Have you tried just using the latest CXF 3.1.x instead? That uses the
> "old" signature line break functionality, and so you should be able to turn
> off the line breaks via either "org.apache.xml.security.ignoreLineBreaks"
> and/or "com.sun.org.apache.xml.internal.security.ignoreLineBreaks".
>
> Colm.
>
> On Fri, Feb 23, 2018 at 11:43 PM, Guy Ridley <gu...@lunarlogic.com>
> wrote:
>
>> Hello Colm,
>>
>> Thank you for this explanation!  It sounds like the system I'm sending to
>> does not follow the current standards about line feeds in the Signature &
>> Keyinfo tags, or perhaps their support team is just guessing about why it
>> thinks I have threatening characters in the payload.
>>
>> Either way, they are not going to change their system this year so I have
>> to
>> humor them, before they will look deeper.  I think it should be possible
>> to
>> remove the characters using an Interceptor, in the USER or POST_STREAM
>> Phase, without invalidating the signature, since they are not in the
>> SignedInfo tag?  (Am studying http://cxf.apache.org/docs/interceptors.html).
>>
>> Thanks again,
>> Guy

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: how to remove XML linebreaks from signatures

Posted by Colm O hEigeartaigh <co...@apache.org>.
Have you tried just using the latest CXF 3.1.x instead? That uses the "old"
signature line break functionality, and so you should be able to turn off
the line breaks via either "org.apache.xml.security.ignoreLineBreaks"
and/or "com.sun.org.apache.xml.internal.security.ignoreLineBreaks".

Colm.

On Fri, Feb 23, 2018 at 11:43 PM, Guy Ridley <gu...@lunarlogic.com>
wrote:

> Hello Colm,
>
> Thank you for this explanation!  It sounds like the system I'm sending to
> does not follow the current standards about line feeds in the Signature &
> Keyinfo tags, or perhaps their support team is just guessing about why it
> thinks I have threatening characters in the payload.
>
> Either way, they are not going to change their system this year so I have
> to
> humor them, before they will look deeper.  I think it should be possible to
> remove the characters using an Interceptor, in the USER or POST_STREAM
> Phase, without invalidating the signature, since they are not in the
> SignedInfo tag?  (Am studying http://cxf.apache.org/docs/interceptors.html).
>
> Thanks again,
> Guy

Re: how to remove XML linebreaks from signatures

Posted by Guy Ridley <gu...@lunarlogic.com>.
Hello Colm,

Thank you for this explanation!  It sounds like the system I'm sending to
does not follow the current standards about line feeds in the Signature &
Keyinfo tags, or perhaps their support team is just guessing about why it
thinks I have threatening characters in the payload.

Either way, they are not going to change their system this year so I have to
humor them, before they will look deeper.  I think it should be possible to
remove the characters using an Interceptor, in the USER or POST_STREAM
Phase, without invalidating the signature, since they are not in the
SignedInfo tag?  (Am studying http://cxf.apache.org/docs/interceptors.html).  

Thanks again,
Guy

Re: how to remove XML linebreaks from signatures

Posted by Colm O hEigeartaigh <co...@apache.org>.
You can't remove line breaks any more in XML Signature for BASE-64 encoded
content. This is because the spec says that:

"The SignatureValue element contains the actual value of the digital
signature; it is always encoded using base64 [RFC2045
<https://www.w3.org/TR/xmldsig-core1/#bib-RFC2045>]. "

and RFC-2045 mandates line breaks.

Colm.

On Thu, Feb 22, 2018 at 8:04 PM, Guy Ridley <gu...@lunarlogic.com>
wrote:

> Hello,
>
> How can I create signatures that don't have XML linefeed characters in
> them?
> (&#xd;)
>
> The server receiving the transmission is saying that the ampersand or hash
> could be the cause of a 'potential threat' fault, as if it could be a SQL
> injection error.
>
> Last year the signatures had no line feeds at all - but there have been
> several changes and I'm not sure when it started happening.  (Currently
> using CXF 3.2.1, WSSJ 2.2, and Java 1.8 - we had to upgrade to handle a new
> requirement for sha-256 instead of sha-1.)
>
> I've tried this (among other things) without success.
>         String xmlSec = "org.apache.xml.security.ignoreLineBreaks";
>         System.setProperty(xmlSec, "true");
>
> Is there a cxf or Tomcat config file somewhere I could set this permanently
> in?  Or is this a red herring?
>
> Could it be a WsHandler setting? (I've checked them all, don't see any that
> would apply.)  Or a mismatch in the versions above?
>
> Thanks for any ideas.
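Colm's point about RFC 2045 line breaks and Guy's interceptor idea, as an added example that is not part of this thread and not code from CXF, WSS4J or Santuario: the Python below builds a minimal XML Signature whose base64 is wrapped in 76-character CRLF lines, then shows that stripping the CR/LF (or the &#xd; a serializer writes for a CR) from SignatureValue and KeyInfo leaves verification intact, while any change inside SignedInfo does not. It assumes hmac-sha256 as the SignatureMethod, skips canonicalisation, and works on text with regexes rather than a DOM; the key, body and certificate bytes are constructed stand-ins.

```python
# Added example, not from the thread nor from CXF/WSS4J/Santuario code.
# Only SignedInfo is signed; CR/LF (or "&#xd;") inside the base64 text of
# SignatureValue / KeyInfo can be stripped after signing without harm.
import base64
import hashlib
import hmac
import re

DS = "http://www.w3.org/2000/09/xmldsig#"
KEY = b"constructed-demo-key"                                   # constructed
BODY = '<soap:Body wsu:Id="Body"><getRate>USD</getRate></soap:Body>'  # constructed
CERT_DER = bytes(range(120))                 # constructed stand-in for a DER cert

def rfc2045_b64(data: bytes) -> str:
    """Base64 in 76-char lines joined by CRLF, as RFC 2045 prescribes."""
    b64 = base64.b64encode(data).decode("ascii")
    return "\r\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))

def signed_info(body: str) -> str:
    # Assumed already canonical (real XML-DSig applies C14N before signing).
    digest = base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()
    return (f'<ds:SignedInfo xmlns:ds="{DS}"><ds:SignatureMethod Algorithm='
            '"http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>'
            f'<ds:Reference URI="#Body"><ds:DigestValue>{digest}</ds:DigestValue>'
            '</ds:Reference></ds:SignedInfo>')

def sign(body: str, key: bytes) -> str:
    """The MAC covers SignedInfo only; SignatureValue and KeyInfo text is not signed."""
    si = signed_info(body)
    mac = hmac.new(key, si.encode(), hashlib.sha256).digest()
    return (f'<ds:Signature xmlns:ds="{DS}">{si}<ds:SignatureValue>'
            f'{rfc2045_b64(mac)}</ds:SignatureValue><ds:KeyInfo><ds:X509Certificate>'
            f'{rfc2045_b64(CERT_DER)}</ds:X509Certificate></ds:KeyInfo></ds:Signature>')

def verify(sig_xml: str, key: bytes, body: str) -> bool:
    si = re.search(r"<ds:SignedInfo.*?</ds:SignedInfo>", sig_xml, re.S).group(0)
    sv = re.search(r"<ds:SignatureValue>(.*?)</ds:SignatureValue>", sig_xml, re.S).group(1)
    dv = re.search(r"<ds:DigestValue>(.*?)</ds:DigestValue>", si).group(1)
    # b64decode discards whitespace, so wrapped and unwrapped text decode alike.
    expected = hmac.new(key, si.encode(), hashlib.sha256).digest()
    return (hmac.compare_digest(base64.b64decode(sv), expected)
            and base64.b64decode(dv) == hashlib.sha256(body.encode()).digest())

def strip_outside_signedinfo(sig_xml: str) -> str:
    """What a post-signing (e.g. POST_STREAM phase) interceptor could do: drop
    CR/LF only inside SignatureValue and X509Certificate; SignedInfo is untouched."""
    def clean(m):
        return m.group(1) + re.sub(r"\r|\n|&#xd;|&#13;", "", m.group(3)) + m.group(4)
    return re.sub(r"(<ds:(SignatureValue|X509Certificate)>)(.*?)(</ds:\2>)",
                  clean, sig_xml, flags=re.S)
```

When a serializer writes the CR as &#xd;, an XML parser turns it back into whitespace that the base64 decoder ignores, so the receiver's "threat" check is reacting to the escaped form, not to anything the signature depends on.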