Posted to commits@santuario.apache.org by "Marc Giger (JIRA)" <ji...@apache.org> on 2015/02/03 19:09:35 UTC

[jira] [Commented] (SANTUARIO-412) Signature verification fails because unutilized default namespace is not removed

    [ https://issues.apache.org/jira/browse/SANTUARIO-412?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14303687#comment-14303687 ] 

Marc Giger commented on SANTUARIO-412:
--------------------------------------

Don't get me wrong, I support the decision to not depend on xalan. I just wanted to show some possible solutions since the committed workaround isn't really one.

Yes, the DocumentSerializer seems to be working fine so far. I did run the santuario and wss4j testsuite and did not see any issues. Additionally the DocumentSerializer was the default before we switched over to the TransformSerializer for performance reasons and I don't remember that we have seen any issues with it.

@Atle you don't have to use xalan if commit 1400018 is reverted and you can wait for the next release.

Will work on a simple sample that shows the issue and report it to oracle...

> Signature verification fails because unutilized default namespace is not removed
> --------------------------------------------------------------------------------
>
>                 Key: SANTUARIO-412
>                 URL: https://issues.apache.org/jira/browse/SANTUARIO-412
>             Project: Santuario
>          Issue Type: Bug
>      Security Level: Public(Public issues, viewable by everyone) 
>          Components: Java
>    Affects Versions: Java 2.0.1, Java 2.0.3
>         Environment: Webservice created with cxf 3.0.1, and running on java 7.
>            Reporter: Atle Tokle
>            Assignee: Colm O hEigeartaigh
>            Priority: Blocker
>             Fix For: Java 2.0.4
>
>
> In a soap-message where body is encrypted and signed, we get a signature verification fault because of differently calculated digest.
> The decrypted body is (anonymized) like this: <urn:GetDataRequest xmlns="" xmlns:cont="http://www.company1.no/jade/xsd/v1.3/contexttypes" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:no:company2:area:domain:melding:DataMessage-1.0" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">123456789</urn:GetDataRequest>
> When it's canonicalized using Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" it is like this:
> <soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body-767cf61e-3cc1-45dc-b677-04720471d3b0">
>       <urn:GetDataRequest xmlns:urn="urn:no:company2:area:domain:melding:DataMessage-1.0" xmlns="">123456789</urn:GetDataRequest>
>    </soapenv:Body>
> This gives a different signature from what we got from sender. If we remove the namespace definition xmlns="", and create a digest, it is equal with what we get from sender.
> From my understanding of http://www.w3.org/TR/xml-exc-c14n/ it is the sender that is correct.
> I have tested a local patch where I did two changes on 2.0.3 source for org.apache.xml.security.c14n.implementations.Canonicalizer20010315Excl.java
> line 184:
>                 String NName = attribute.getLocalName();
> changed to
>                 String NName = attribute.getLocalName() == null ? "" : attribute.getLocalName();
> line 187:
>                 if (!XMLNS_URI.equals(attribute.getNamespaceURI())) {
> changed to:
>                 if (!XMLNS_URI.equals(attribute.getNamespaceURI()) &&
>                         !(XMLNS.equals(attribute.getName()) && "".equals(NName) &&  "".equals(NNodeValue))) {
> This fixed the problem for me, but I don't know which regressions I might have introduced, or whether this new behaviour is really the correct one.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
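The disagreement in this issue comes down to one rule of Exclusive XML Canonicalization (http://www.w3.org/TR/xml-exc-c14n/): a namespace declaration is only emitted if the element visibly utilizes it (the element's own prefix, or the prefixes of its attributes), and xmlns="" is only emitted when it undoes a non-empty default namespace rendered by an output ancestor. Because urn:GetDataRequest is prefixed and attributes never use the default namespace, the xmlns="" from the decrypted body must not appear in the canonical form; if the receiver emits it and the sender does not, the digests differ and verification fails. The following is an added illustration of that rule, not Santuario code and not a full canonicalizer (no character escaping, no InclusiveNamespaces PrefixList, attributes sorted by prefix rather than namespace URI); the Element model and the page_body() tree are constructed here from the message quoted above, with the soapenv and wsu declarations placed on the Body element for brevity.

```python
"""Toy model of the namespace-rendering step of Exclusive XML Canonicalization.

Added example (not Santuario or WSS4J code). It models only the decision of which
xmlns declarations are rendered for each element, which is the behaviour the
SANTUARIO-412 report is about. Simplifications: no escaping, no comments, no
InclusiveNamespaces PrefixList, attributes sorted by prefix instead of URI.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DEFAULT = ""  # prefix used for the default namespace (xmlns="...")


@dataclass
class Element:
    prefix: str                                   # "" when the element is unprefixed
    local: str
    ns_decls: Dict[str, str] = field(default_factory=dict)          # prefix -> URI, "" for xmlns=""
    attrs: List[Tuple[str, str, str]] = field(default_factory=list)  # (prefix, local, value)
    text: str = ""
    children: List["Element"] = field(default_factory=list)

    def qname(self) -> str:
        return f"{self.prefix}:{self.local}" if self.prefix else self.local


def visibly_utilized(el: Element) -> set:
    """Prefixes the element makes visible: its own prefix (the default namespace when
    unprefixed) plus the prefixes of its attributes. Unprefixed attributes are in no
    namespace, so they never utilize the default namespace."""
    used = {el.prefix}
    used.update(p for p, _, _ in el.attrs if p)
    return used


def render_ns_decls(el: Element, in_scope: Dict[str, str], rendered: Dict[str, str]) -> List[str]:
    """Namespace declarations exc-c14n emits for el.

    in_scope: prefix -> URI bindings in scope at el (inherited plus its own).
    rendered: prefix -> URI as rendered by the nearest output ancestor that utilized it.
    """
    out = []
    for prefix in sorted(visibly_utilized(el)):
        if prefix != DEFAULT and prefix not in in_scope:
            raise ValueError(f"prefix {prefix!r} is not bound in scope")
        uri = in_scope.get(prefix, "")
        if prefix == DEFAULT and uri == "":
            # xmlns="" is only needed to undo a non-empty default namespace rendered above.
            if rendered.get(DEFAULT, ""):
                out.append('xmlns=""')
            continue
        if rendered.get(prefix) != uri:
            out.append(f'xmlns="{uri}"' if prefix == DEFAULT else f'xmlns:{prefix}="{uri}"')
    return out


def exc_c14n(el: Element, in_scope: Dict[str, str] = None, rendered: Dict[str, str] = None) -> str:
    """Serialize el and its subtree with the exc-c14n namespace rule applied."""
    in_scope = {**(in_scope or {}), **el.ns_decls}
    rendered = dict(rendered or {})  # copy so siblings do not see each other's state
    decls = render_ns_decls(el, in_scope, rendered)
    for prefix in visibly_utilized(el):
        rendered[prefix] = in_scope.get(prefix, "")
    attrs = [f'{p}:{l}="{v}"' if p else f'{l}="{v}"' for p, l, v in sorted(el.attrs)]
    start = " ".join([el.qname(), *decls, *attrs])
    inner = el.text + "".join(exc_c14n(c, in_scope, rendered) for c in el.children)
    return f"<{start}>{inner}</{el.qname()}>"


# Constructed model of the decrypted Body from the report (whitespace text omitted).
SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
URN = "urn:no:company2:area:domain:melding:DataMessage-1.0"
CONT = "http://www.company1.no/jade/xsd/v1.3/contexttypes"


def page_body() -> Element:
    request = Element("urn", "GetDataRequest",
                      ns_decls={DEFAULT: "", "cont": CONT, "soapenv": SOAPENV, "urn": URN, "wsu": WSU},
                      text="123456789")
    return Element("soapenv", "Body",
                   ns_decls={"soapenv": SOAPENV, "wsu": WSU},
                   attrs=[("wsu", "Id", "Body-767cf61e-3cc1-45dc-b677-04720471d3b0")],
                   children=[request])


if __name__ == "__main__":
    # The prefixed child keeps only xmlns:urn; xmlns="" is dropped, matching the sender.
    print(exc_c14n(page_body()))
    # Positive case: an unprefixed child must undo a default namespace rendered by its parent.
    print(exc_c14n(Element("", "a", {DEFAULT: "urn:x"}, children=[Element("", "b", {DEFAULT: ""})])))
```

Running the block prints the Body exactly as the sender canonicalized it (no xmlns="" on urn:GetDataRequest) and, for contrast, the one situation where exc-c14n does emit xmlns="": an unprefixed element whose nearest rendering ancestor bound the default namespace to a non-empty URI.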