Posted to commits@santuario.apache.org by "Ivan Novak (Jira)" <ji...@apache.org> on 2019/12/11 20:08:00 UTC
[jira] [Created] (SANTUARIO-516) XMLSignature regression in Java 11+ when signing SOAP message with Enveloped signature and Id attribute reference
Ivan Novak created SANTUARIO-516:
------------------------------------
Summary: XMLSignature regression in Java 11+ when signing SOAP message with Enveloped signature and Id attribute reference
Key: SANTUARIO-516
URL: https://issues.apache.org/jira/browse/SANTUARIO-516
Project: Santuario
Issue Type: Bug
Components: Java
Reporter: Ivan Novak
Assignee: Colm O hEigeartaigh
Attachments: signsoap.txt
Consider the attached code. This produces a valid enveloped signature in Java 8. On Java 11+ an invalid enveloped signature is produced because the Signature element itself is canonicalized and signed.
The issue stems from `com.sun.org.apache.xml.internal.security.c14n.implementations.CanonicalizerBase`,
specifically the `canonicalizeSubTree(Node currentNode, NameSpaceSymbTable ns, Node endnode, int documentLevel)` method.
This method in Java 11+ canonicalizes the Signature element as well. This makes the whole signature invalid.
The reason the `Signature` node gets canonicalized is because the condition `if (currentNode == excludeNode)` is evaluated to `false` for the Signature node.
This is because at runtime `currentNode` is an instance of `com.sun.org.apache.xerces.internal.dom.ElementNSImpl`, while `excludeNode` is an instance of `com.sun.xml.messaging.saaj.soap.impl.ElementImpl`.
Workaround:
- pass the parent node of the node you are signing to DOMSignContext
- after signing move the signature into the node that was signed as the last child
Note:
- I am using jaxws-ri v2.3.2 dependency for the SOAP classes
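The two workaround steps from the report, as an added example that is not the reporter's attached signsoap.txt or Santuario project code. It assumes a plain JDK DOM document rather than SAAJ classes, so it shows the steps and a validation check, not the regression itself; the class name, the helper names signViaParent and verify, and the sample message are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
public class EnvelopedWorkaround {
    // Hypothetical helper: signs `target` by its "Id" attribute using the two workaround steps.
    static Element signViaParent(Element target, PrivateKey key) throws Exception {
        if (!(target.getParentNode() instanceof Element))  // a document root has no element parent
            throw new IllegalArgumentException("target needs a parent element to host the signature");
        Element parent = (Element) target.getParentNode();
        target.setIdAttribute("Id", true); // lets the "#<Id>" reference resolve to this element
        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        Reference ref = f.newReference("#" + target.getAttribute("Id"),
            f.newDigestMethod(DigestMethod.SHA256, null),
            List.of(f.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                    f.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = f.newSignedInfo(
            f.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            f.newSignatureMethod(SignatureMethod.RSA_SHA256, null), List.of(ref));
        // Step 1: pass the parent to DOMSignContext; the Signature is appended to the parent.
        f.newXMLSignature(si, null).sign(new DOMSignContext(key, parent));
        // Step 2: move the Signature into the signed node as its last child.
        Element sig = (Element) parent.getLastChild();
        target.appendChild(sig);
        return sig;
    }
    // Validates the moved signature: true only if the reference digest and signature value match.
    static boolean verify(Element sig, PublicKey pub) throws Exception {
        DOMValidateContext vc = new DOMValidateContext(pub, sig);
        return XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(vc).validate(vc);
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample message, not the reporter's attachment.
        String xml = "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
            + "<soap:Body Id=\"body-1\"><m:Ping xmlns:m=\"urn:example\">hi</m:Ping></soap:Body></soap:Envelope>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Element body = (Element) doc.getDocumentElement().getFirstChild();
        Element sig = signViaParent(body, kp.getPrivate());
        System.out.println("valid=" + verify(sig, kp.getPublic()) + " insideBody=" + (sig.getParentNode() == body));
    }
}
```

Validating the result after the move, as verify does here, is the check that the relocated Signature is excluded by the enveloped transform and the digest still matches.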