Posted to dev@santuario.apache.org by bu...@apache.org on 2010/11/08 18:59:27 UTC

DO NOT REPLY [Bug 50236] New: VerifyMerlinsExamplesFifteen/Sixteen.java samples should ignore signature-enveloping-hmac-sha1-40.xml

https://issues.apache.org/bugzilla/show_bug.cgi?id=50236

           Summary: VerifyMerlinsExamplesFifteen/Sixteen.java samples
                    should ignore signature-enveloping-hmac-sha1-40.xml
           Product: Security
           Version: Java 1.4.2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: minor
          Priority: P2
         Component: Signature
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: sean.mullan@oracle.com


This is a minor cleanup issue but these samples should not validate
signature-enveloping-hmac-sha1-40.xml. This signature uses an insecure HMAC
truncation length and since release 1.4.3, this signature causes a validation
failure. See https://issues.apache.org/bugzilla/show_bug.cgi?id=47526 for more
information. If you run the mega-sample target, you will see this exception
embedded in the output:

     [java] org.apache.xml.security.signature.XMLSignatureException: HMACOutputLength must not be less than 160
     [java]     at org.apache.xml.security.algorithms.implementations.IntegrityHmac.engineVerify(Unknown Source)
     [java]     at org.apache.xml.security.algorithms.SignatureAlgorithm.verify(Unknown Source)
     [java]     at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(Unknown Source)
     [java]     at org.apache.xml.security.samples.signature.VerifyMerlinsExamplesFifteen.verifyHMAC(Unknown Source)
     [java]     at org.apache.xml.security.samples.signature.VerifyMerlinsExamplesFifteen.main(Unknown Source)

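Why the 1.4.3 check rejects the 40-bit Merlin vector, as an added example that is not part of the bug report and not Santuario's code: HMACOutputLength lives inside SignedInfo, so an attacker who controls the document also controls how many bits of the HMAC the verifier compares. The pre-1.4.3 behaviour (the HMAC truncation bypass fixed under bug 47526, CVE-2009-0217) honoured that value, which turns signature validation into a brute-forceable oracle: shrink the length to a few bits, then guess tags until the verifier says yes. The hardened verifier below mirrors the 1.4.3 rule from the stack trace, refusing any HMACOutputLength below the full 160 bits of SHA-1 before the value can influence the comparison. The XML document, key and payloads are constructed for the example, and the MAC input is the serialized SignedInfo as-is rather than the canonicalized form a real implementation would use.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
HMAC_SHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
SHA1_BITS = 160  # full HMAC-SHA1 output; the 1.4.3 check refuses anything shorter

ET.register_namespace("ds", DS)


def _q(local):
    return f"{{{DS}}}{local}"


def make_document(payload, out_bits, sig_value=b""):
    """Enveloping HMAC-SHA1 signature over a constructed payload (not a Merlin vector)."""
    digest = base64.b64encode(hashlib.sha1(payload.encode()).digest()).decode()
    return f"""<ds:Signature xmlns:ds="{DS}">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <ds:SignatureMethod Algorithm="{HMAC_SHA1}">
      <ds:HMACOutputLength>{out_bits}</ds:HMACOutputLength>
    </ds:SignatureMethod>
    <ds:Reference URI="#obj">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>{digest}</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>{base64.b64encode(sig_value).decode()}</ds:SignatureValue>
  <ds:Object Id="obj">{payload}</ds:Object>
</ds:Signature>"""


def parse(doc):
    root = ET.fromstring(doc)
    si = root.find(_q("SignedInfo"))
    sm = si.find(_q("SignatureMethod"))
    hol = sm.find(_q("HMACOutputLength"))
    return {
        # Simplification: MAC input is the serialized SignedInfo; a real
        # implementation applies CanonicalizationMethod first.
        "si": ET.tostring(si),
        "alg": sm.get("Algorithm"),
        "out_bits": int(hol.text) if hol is not None else None,
        "sig": base64.b64decode(root.findtext(_q("SignatureValue")) or ""),
        "payload": root.find(_q("Object")).text or "",
        "digest": si.find(_q("Reference")).findtext(_q("DigestValue")),
    }


def truncated_hmac(key, data, out_bits):
    # XML-DSig truncation keeps the leftmost bits; whole bytes only in this example
    return hmac.new(key, data, hashlib.sha1).digest()[: out_bits // 8]


def sign(payload, key, out_bits=SHA1_BITS):
    si = parse(make_document(payload, out_bits))["si"]
    return make_document(payload, out_bits, truncated_hmac(key, si, out_bits))


def _reference_ok(s):
    expected = base64.b64encode(hashlib.sha1(s["payload"].encode()).digest()).decode()
    return hmac.compare_digest(expected, s["digest"])


def verify_naive(doc, key):
    """Pre-1.4.3 behaviour: honours whatever HMACOutputLength the document asks for."""
    s = parse(doc)
    if s["alg"] != HMAC_SHA1 or not _reference_ok(s):
        return False
    bits = SHA1_BITS if s["out_bits"] is None else s["out_bits"]
    return hmac.compare_digest(s["sig"], truncated_hmac(key, s["si"], bits))


def verify_hardened(doc, key):
    """1.4.3-style check: HMACOutputLength is attacker-controlled, so bound it first."""
    s = parse(doc)
    if s["alg"] != HMAC_SHA1 or not _reference_ok(s):
        return False
    bits = SHA1_BITS if s["out_bits"] is None else s["out_bits"]
    if bits < SHA1_BITS or bits % 8 != 0:
        raise ValueError(f"HMACOutputLength must not be less than {SHA1_BITS}")
    if len(s["sig"]) * 8 != bits:
        return False
    return hmac.compare_digest(s["sig"], truncated_hmac(key, s["si"], bits))


def forge(new_payload, oracle, out_bits=8):
    """Attacker without the key: shrink HMACOutputLength to `out_bits` and try every
    truncated tag against a verification oracle (the service validating signatures).
    A verifier that rejects short lengths up front defeats every guess."""
    for guess in range(2 ** out_bits):
        candidate = make_document(new_payload, out_bits, guess.to_bytes(out_bits // 8, "big"))
        try:
            if oracle(candidate):
                return candidate
        except ValueError:
            return None  # length rejected before comparison; brute force is pointless
    return None


if __name__ == "__main__":
    key = b"shared-secret"  # constructed key for the example
    forged = forge("pay mallory 1000000", lambda d: verify_naive(d, key))
    print("naive verifier accepted forgery:", forged is not None)
    print("hardened verifier accepted forgery:",
          forge("pay mallory 1000000", lambda d: verify_hardened(d, key)) is not None)
```

The forgery needs neither the key nor an existing signature: with 8 bits the naive oracle is defeated in at most 256 queries, and a 40-bit length such as the Merlin vector's only raises that to 2^40. The hardened verifier throws before the comparison, which is exactly the exception the mega-sample target now prints for signature-enveloping-hmac-sha1-40.xml.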