Posted to commits@santuario.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2015/01/20 18:11:35 UTC
[jira] [Commented] (SANTUARIO-412) Signature verification fails because of unutilized default namespace not removed
[ https://issues.apache.org/jira/browse/SANTUARIO-412?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14284036#comment-14284036 ]
Colm O hEigeartaigh commented on SANTUARIO-412:
-----------------------------------------------
Could you attach a test case to reproduce the problem? A CXF-based test case is fine. I tried with some Santuario unit tests and couldn't reproduce the problem - unused namespaces were removed from the canonicalized document.
Colm.
> Signature verification fails because of unutilized default namespace not removed
> ------------------------------------------------------------------------------
>
> Key: SANTUARIO-412
> URL: https://issues.apache.org/jira/browse/SANTUARIO-412
> Project: Santuario
> Issue Type: Bug
> Security Level: Public(Public issues, viewable by everyone)
> Components: Java
> Affects Versions: Java 2.0.1, Java 2.0.3
> Environment: Webservice created with cxf 3.0.1, and running on java 7.
> Reporter: Atle Tokle
> Assignee: Colm O hEigeartaigh
> Priority: Blocker
>
> In a SOAP message where the body is encrypted and signed, we get a signature verification fault because the digest is calculated differently.
> The decrypted body is (anonymized) like this: <urn:GetDataRequest xmlns="" xmlns:cont="http://www.company1.no/jade/xsd/v1.3/contexttypes" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:no:company2:area:domain:melding:DataMessage-1.0" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">123456789</urn:GetDataRequest>
> When it's canonicalized using Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" it is like this:
> <soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body-767cf61e-3cc1-45dc-b677-04720471d3b0">
> <urn:GetDataRequest xmlns:urn="urn:no:company2:area:domain:melding:DataMessage-1.0" xmlns="">123456789</urn:GetDataRequest>
> </soapenv:Body>
> This gives a different signature from what we got from the sender. If we remove the namespace definition xmlns="" and create a digest, it is equal to what we get from the sender.
> From my understanding of http://www.w3.org/TR/xml-exc-c14n/ it is the sender that is correct.
> I have tested a local patch where I made two changes to the 2.0.3 source of org.apache.xml.security.c14n.implementations.Canonicalizer20010315Excl.java
> line 184:
> String NName = attribute.getLocalName();
> changed to
> String NName = attribute.getLocalName() == null ? "" : attribute.getLocalName();
> line 187:
> if (!XMLNS_URI.equals(attribute.getNamespaceURI())) {
> changed to:
> if (!XMLNS_URI.equals(attribute.getNamespaceURI()) &&
> !(XMLNS.equals(attribute.getName()) && "".equals(NName) && "".equals(NNodeValue))) {
> This fixed the problem for me, but I don't know which regressions I might have introduced, or whether this new behaviour is really the correct one.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
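As an added example (not Santuario's code and not the reporter's patch), a small Python model of the exc-c14n namespace-axis rule the reporter points to at http://www.w3.org/TR/xml-exc-c14n/: a namespace node is rendered only if its parent element visibly utilizes it, and the default namespace is visibly utilized only by an unprefixed element, so the xmlns="" on urn:GetDataRequest is dropped, as in the sender's digest. The Element type and helper names are assumptions; comments, entities, and InclusiveNamespaces PrefixList handling are left out.

```python
# Added, constructed model of the Exclusive XML Canonicalization namespace-axis
# rule (http://www.w3.org/TR/xml-exc-c14n/), not Santuario code: a namespace node
# is rendered only if its parent element visibly utilizes it and the nearest
# output ancestor did not already render the same binding.
from dataclasses import dataclass, field

@dataclass
class Element:
    prefix: str                                   # "" for an unprefixed name
    local: str
    nsdecls: dict = field(default_factory=dict)   # prefix -> URI; "" = default namespace
    attrs: list = field(default_factory=list)     # (prefix, local, value); "" = no namespace
    children: list = field(default_factory=list)
    text: str = ""

def visibly_utilized(el):
    """Prefixes the element visibly utilizes: its own name's and every prefixed attribute's."""
    return {el.prefix} | {p for p, _, _ in el.attrs if p}

def exc_c14n(el, in_scope=None, rendered=None):
    """Serialize el (the apex of the transform) under exc-c14n without a PrefixList."""
    in_scope = dict(in_scope or {"": ""})   # the default namespace is empty at document start
    in_scope.update(el.nsdecls)
    rendered = dict(rendered or {"": ""})   # bindings already rendered by output ancestors
    ns_out = []
    for prefix in sorted(visibly_utilized(el)):
        uri = in_scope[prefix]
        # xmlns="" survives only on an unprefixed element whose output ancestor
        # rendered a non-empty default namespace; on urn:GetDataRequest it is dropped.
        if rendered.get(prefix) != uri:
            ns_out.append(f'xmlns="{uri}"' if prefix == "" else f'xmlns:{prefix}="{uri}"')
            rendered[prefix] = uri
    # Attributes sort by namespace URI then local name; unnamespaced attributes first.
    attrs = sorted(el.attrs, key=lambda a: (in_scope[a[0]] if a[0] else "", a[1]))
    attr_out = [f'{p}:{l}="{v}"' if p else f'{l}="{v}"' for p, l, v in attrs]
    name = f"{el.prefix}:{el.local}" if el.prefix else el.local
    inner = el.text + "".join(exc_c14n(c, in_scope, rendered) for c in el.children)
    return f"<{' '.join([name] + ns_out + attr_out)}>{inner}</{name}>"

# Constructed copy of the reporter's decrypted Body (whitespace-only text nodes omitted).
SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
URN = "urn:no:company2:area:domain:melding:DataMessage-1.0"
request = Element("urn", "GetDataRequest", text="123456789", nsdecls={"": "", "urn": URN,
    "cont": "http://www.company1.no/jade/xsd/v1.3/contexttypes", "soapenv": SOAPENV, "wsu": WSU})
body = Element("soapenv", "Body", {"soapenv": SOAPENV, "wsu": WSU}, children=[request],
    attrs=[("wsu", "Id", "Body-767cf61e-3cc1-45dc-b677-04720471d3b0")])

def canonical_body():
    return exc_c14n(body)
```

Running canonical_body() yields the sender's form of the Body: xmlns:urn is kept on GetDataRequest and xmlns="" is gone, while an unprefixed element sitting under a non-empty default namespace does keep its xmlns="".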