Posted to commits@santuario.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2015/01/20 18:11:35 UTC

[jira] [Commented] (SANTUARIO-412) Signature verification fails because of unutilized default namespace not removed

    [ https://issues.apache.org/jira/browse/SANTUARIO-412?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14284036#comment-14284036 ] 

Colm O hEigeartaigh commented on SANTUARIO-412:
-----------------------------------------------


Could you attach a test-case to reproduce the problem? A CXF based testcase is fine. I tried with some Santuario unit tests, and couldn't reproduce the problem - unused namespaces were removed from the canonicalized document.

Colm.

> Signature verification fails because of unutilized default namespace not removed
> ------------------------------------------------------------------------------
>
>                 Key: SANTUARIO-412
>                 URL: https://issues.apache.org/jira/browse/SANTUARIO-412
>             Project: Santuario
>          Issue Type: Bug
>      Security Level: Public(Public issues, viewable by everyone) 
>          Components: Java
>    Affects Versions: Java 2.0.1, Java 2.0.3
>         Environment: Webservice created with cxf 3.0.1, and running on java 7.
>            Reporter: Atle Tokle
>            Assignee: Colm O hEigeartaigh
>            Priority: Blocker
>
> In a SOAP message where the body is encrypted and signed, we get a signature verification fault because of a differently calculated digest.
> The decrypted body is (anonymized) like this: <urn:GetDataRequest xmlns="" xmlns:cont="http://www.company1.no/jade/xsd/v1.3/contexttypes" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:no:company2:area:domain:melding:DataMessage-1.0" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">123456789</urn:GetDataRequest>
> When it's canonicalized using Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" it is like this:
> <soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body-767cf61e-3cc1-45dc-b677-04720471d3b0">
>       <urn:GetDataRequest xmlns:urn="urn:no:company2:area:domain:melding:DataMessage-1.0" xmlns="">123456789</urn:GetDataRequest>
>    </soapenv:Body>
> This gives a different signature from what we got from the sender. If we remove the namespace definition xmlns="" and create a digest, it is equal to what we get from the sender.
> From my understanding of http://www.w3.org/TR/xml-exc-c14n/ it is the sender that is correct.
> I have tested a local patch where I did two changes on 2.0.3 source for org.apache.xml.security.c14n.implementations.Canonicalizer20010315Excl.java
> line 184:
>                 String NName = attribute.getLocalName();
> changed to
>                 String NName = attribute.getLocalName() == null ? "" : attribute.getLocalName();
> line 187:
>                 if (!XMLNS_URI.equals(attribute.getNamespaceURI())) {
> changed to:
>                 if (!XMLNS_URI.equals(attribute.getNamespaceURI()) &&
>                         !(XMLNS.equals(attribute.getName()) && "".equals(NName) &&  "".equals(NNodeValue))) {
> This fixed the problem for me, but I don't know which regressions I might have introduced, or if this new behaviour is really the correct one.
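
The kind of test case asked for above, written here as an added example rather than code from the reporter or from the Santuario project: it feeds a Body element shaped like the one in the report (namespaces and values constructed, not the original message) through exclusive C14N with the Santuario 2.0.x `Canonicalizer` API and checks that the unused `xmlns=""` and `xmlns:cont` declarations are dropped while the visibly utilized `xmlns:urn` is kept. It only covers a plain namespace-aware DOM, not the decrypt-then-verify path from the report, so it documents the expected spec behaviour rather than reproducing the fault.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.xml.security.Init;
import org.apache.xml.security.c14n.Canonicalizer;
import org.junit.Assert;
import org.junit.Test;
import org.w3c.dom.Document;

public class ExcC14NUnusedDefaultNamespaceTest {

    static {
        // Registers the canonicalization algorithms before Canonicalizer.getInstance is called.
        Init.init();
    }

    // Constructed input modelled on the report: a prefixed child element carrying an
    // unused xmlns="" plus an unused cont prefix. Namespace URIs are placeholders.
    private static final String BODY =
        "<soapenv:Body xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\""
        + " xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\""
        + " wsu:Id=\"Body-EXAMPLE\">"
        + "<urn:GetDataRequest xmlns=\"\" xmlns:cont=\"urn:example:contexttypes\""
        + " xmlns:urn=\"urn:example:DataMessage-1.0\">123456789</urn:GetDataRequest>"
        + "</soapenv:Body>";

    /** Parses the XML namespace-aware and returns the exclusive C14N (no comments) form. */
    static String exclusiveC14N(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Canonicalizer c14n = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        byte[] out = c14n.canonicalizeSubtree(doc.getDocumentElement());
        return new String(out, StandardCharsets.UTF_8);
    }

    @Test
    public void unusedDefaultNamespaceIsNotRendered() throws Exception {
        String out = exclusiveC14N(BODY);
        // Per xml-exc-c14n only visibly utilized namespace nodes are rendered.
        Assert.assertFalse("xmlns=\"\" must be dropped: " + out, out.contains("xmlns=\"\""));
        Assert.assertFalse("unused cont prefix must be dropped: " + out, out.contains("xmlns:cont"));
        Assert.assertTrue("urn prefix is used by the element: " + out, out.contains("xmlns:urn="));
        Assert.assertTrue("wsu prefix is used by wsu:Id: " + out, out.contains("xmlns:wsu="));
    }
}
```

If the verification failure only appears with the DOM produced by decryption, the same assertions can be run on `doc.getDocumentElement()` taken from the decrypted document instead of from `BODY`.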


