Posted to commits@santuario.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2010/12/07 12:50:10 UTC

[jira] Updated: (SANTUARIO-250) VerifyMerlinsExamplesFifteen/Sixteen.java samples should ignore signature-enveloping-hmac-sha1-40.xml

     [ https://issues.apache.org/jira/browse/SANTUARIO-250?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated SANTUARIO-250:
------------------------------------------

    Affects Version/s: Java 1.4.4
        Fix Version/s: Java 1.5
                       Java 1.4.5
             Assignee: Colm O hEigeartaigh  (was: XML Security Developers Mailing List)

> VerifyMerlinsExamplesFifteen/Sixteen.java samples should ignore signature-enveloping-hmac-sha1-40.xml
> -----------------------------------------------------------------------------------------------------
>
>                 Key: SANTUARIO-250
>                 URL: https://issues.apache.org/jira/browse/SANTUARIO-250
>             Project: Santuario
>          Issue Type: Bug
>          Components: Java
>    Affects Versions: Java 1.4.2, Java 1.4.4
>         Environment: Operating System: All
> Platform: All
>            Reporter: sean.mullan
>            Assignee: Colm O hEigeartaigh
>            Priority: Minor
>             Fix For: Java 1.4.5, Java 1.5
>
>
> This is a minor cleanup issue but these samples should not validate signature-enveloping-hmac-sha1-40.xml. This signature uses an insecure HMAC truncation length and since release 1.4.3, this signature causes a validation failure. See https://issues.apache.org/bugzilla/show_bug.cgi?id=47526 for more information. If you run the mega-sample target, you will see this exception embedded in the output:
>      [java] org.apache.xml.security.signature.XMLSignatureException: HMACOutputLength must not be less than 160
>      [java]     at org.apache.xml.security.algorithms.implementations.IntegrityHmac.engineVerify(Unknown Source)
>      [java]     at org.apache.xml.security.algorithms.SignatureAlgorithm.verify(Unknown Source)
>      [java]     at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(Unknown Source)
>      [java]     at org.apache.xml.security.samples.signature.VerifyMerlinsExamplesFifteen.verifyHMAC(Unknown Source)
>      [java]     at org.apache.xml.security.samples.signature.VerifyMerlinsExamplesFifteen.main(Unknown Source)

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
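
The check behind the exception quoted in the issue, as an added example (not code from Santuario or from the issue): it flags any HMAC SignatureMethod whose HMACOutputLength is below the full digest size, before validation is attempted. The 160-bit floor for HMAC-SHA1 comes from the exception message; applying the same full-length rule to the SHA-2 variants, the function name and the sample XML are assumptions made here.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
MORE = "http://www.w3.org/2001/04/xmldsig-more#"
# Full digest size in bits for each HMAC SignatureMethod URI.
DIGEST_BITS = {
    DS + "hmac-sha1": 160,    # floor taken from the exception message
    MORE + "hmac-sha256": 256,  # assumption: same full-length rule
    MORE + "hmac-sha384": 384,
    MORE + "hmac-sha512": 512,
}

def truncated_hmac_findings(xml_text):
    """Return one (algorithm, declared, required_bits) tuple per SignatureMethod
    whose HMACOutputLength is below the full digest size or not an integer."""
    findings = []
    root = ET.fromstring(xml_text)
    for method in root.iter("{%s}SignatureMethod" % DS):
        algorithm = method.get("Algorithm", "")
        required = DIGEST_BITS.get(algorithm)
        length_el = method.find("{%s}HMACOutputLength" % DS)
        if required is None or length_el is None:
            continue  # not an HMAC method, or no truncation requested
        declared = (length_el.text or "").strip()
        try:
            too_short = int(declared) < required
        except ValueError:
            too_short = True  # unparsable length: treat as a rejection
        if too_short:
            findings.append((algorithm, declared, required))
    return findings

# Constructed sample: only the SignedInfo header matters for this check.
SAMPLE_TRUNCATED = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">
      <HMACOutputLength>40</HMACOutputLength>
    </SignatureMethod>
  </SignedInfo>
</Signature>"""
SAMPLE_FULL = SAMPLE_TRUNCATED.replace("<HMACOutputLength>40</HMACOutputLength>", "")

if __name__ == "__main__":
    for algorithm, declared, required in truncated_hmac_findings(SAMPLE_TRUNCATED):
        print("reject: %s HMACOutputLength=%s, need >= %d" % (algorithm, declared, required))
```

A pre-check like this lets a sample runner or test harness skip or report such files explicitly instead of surfacing a stack trace in the middle of the output.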