Posted to commits@santuario.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2010/12/07 12:50:10 UTC
[jira] Updated: (SANTUARIO-250) VerifyMerlinsExamplesFifteen/Sixteen.java samples should ignore signature-enveloping-hmac-sha1-40.xml
[ https://issues.apache.org/jira/browse/SANTUARIO-250?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh updated SANTUARIO-250:
------------------------------------------
Affects Version/s: Java 1.4.4
Fix Version/s: Java 1.5, Java 1.4.5
Assignee: Colm O hEigeartaigh (was: XML Security Developers Mailing List)
> VerifyMerlinsExamplesFifteen/Sixteen.java samples should ignore signature-enveloping-hmac-sha1-40.xml
> -----------------------------------------------------------------------------------------------------
>
> Key: SANTUARIO-250
> URL: https://issues.apache.org/jira/browse/SANTUARIO-250
> Project: Santuario
> Issue Type: Bug
> Components: Java
> Affects Versions: Java 1.4.2, Java 1.4.4
> Environment: Operating System: All
> Platform: All
> Reporter: sean.mullan
> Assignee: Colm O hEigeartaigh
> Priority: Minor
> Fix For: Java 1.4.5, Java 1.5
>
>
> This is a minor cleanup issue but these samples should not validate signature-enveloping-hmac-sha1-40.xml. This signature uses an insecure HMAC truncation length and since release 1.4.3, this signature causes a validation failure. See https://issues.apache.org/bugzilla/show_bug.cgi?id=47526 for more information. If you run the mega-sample target, you will see this exception embedded in the output:
> [java] org.apache.xml.security.signature.XMLSignatureException: HMACOutputLength must not be less than 160
> [java] at org.apache.xml.security.algorithms.implementations.IntegrityHmac.engineVerify(Unknown Source)
> [java] at org.apache.xml.security.algorithms.SignatureAlgorithm.verify(Unknown Source)
> [java] at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(Unknown Source)
> [java] at org.apache.xml.security.samples.signature.VerifyMerlinsExamplesFifteen.verifyHMAC(Unknown Source)
> [java] at org.apache.xml.security.samples.signature.VerifyMerlinsExamplesFifteen.main(Unknown Source)
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
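
An added example, not part of the original message and not Santuario's own code: one way a sample runner could detect a truncated HMAC-SHA1 signature before validating it, so the file is skipped rather than producing the exception quoted in the issue. The class and method names are hypothetical, the 160-bit minimum is taken from the exception text, and the sample XML is constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class HmacLengthPrecheck {  // hypothetical helper, not a Santuario class
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    static final String HMAC_SHA1 = DSIG_NS + "hmac-sha1";
    // Minimum taken from the exception message quoted in the issue.
    static final int MIN_HMAC_SHA1_BITS = 160;

    /** True if any hmac-sha1 SignatureMethod declares an HMACOutputLength below the minimum. */
    static boolean hasTruncatedHmac(byte[] xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Signature files are untrusted input: refuse DOCTYPE declarations.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
        NodeList methods = doc.getElementsByTagNameNS(DSIG_NS, "SignatureMethod");
        for (int i = 0; i < methods.getLength(); i++) {
            Element sm = (Element) methods.item(i);
            if (!HMAC_SHA1.equals(sm.getAttribute("Algorithm"))) continue;
            NodeList lens = sm.getElementsByTagNameNS(DSIG_NS, "HMACOutputLength");
            for (int j = 0; j < lens.getLength(); j++) {
                int bits;
                try {
                    bits = Integer.parseInt(lens.item(j).getTextContent().trim());
                } catch (NumberFormatException e) {
                    return true;  // unparsable length: treat as unsafe and skip
                }
                if (bits < MIN_HMAC_SHA1_BITS) return true;
            }
        }
        return false;  // no HMACOutputLength means the full MAC output is used
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample, not the contents of signature-enveloping-hmac-sha1-40.xml.
        String truncated = "<Signature xmlns=\"" + DSIG_NS + "\"><SignedInfo>"
            + "<SignatureMethod Algorithm=\"" + HMAC_SHA1 + "\">"
            + "<HMACOutputLength>40</HMACOutputLength></SignatureMethod>"
            + "</SignedInfo></Signature>";
        String full = truncated.replace("<HMACOutputLength>40</HMACOutputLength>", "");
        System.out.println("truncated, skip: " + hasTruncatedHmac(truncated.getBytes(StandardCharsets.UTF_8)));
        System.out.println("full, skip: " + hasTruncatedHmac(full.getBytes(StandardCharsets.UTF_8)));
    }
}
```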