Posted to users@cxf.apache.org by Christopher Cool <st...@gmail.com> on 2016/03/08 22:55:45 UTC

InclusiveNamespaces and empty PrefixList

I have a dynamic client application that is sending a signed SOAP request
to a service where an InclusiveNamespaces element contains a PrefixList
that is empty. The service rejects the payload with the error:

*Validation failed because:cvc-minLength-valid: Value '' with length = '0'
is not facet-valid with respect to minLength '1' for type 'NMTOKENS'.*

I took a look at the specs:

    https://www.w3.org/TR/xml-exc-c14n/

    http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html#InclusiveNamespaces

And it is not clear to me if PrefixList can be an empty string or not, but
this spec:

    https://www.w3.org/TR/2000/WD-xml-2e-20000814#NT-Nmtokens

indicates that it cannot.

I am using the following settings:


   - The "action" parameter is set to "Timestamp" and "Body"
   - The "signatureDigestAlgorithm" parameter is
     "http://www.w3.org/2000/09/xmldsig#sha1"
   - The "signatureParts" parameter is
     "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body";


Here is a snippet from the header of the outbound request. Note that the
Reference for the Timestamp contains values in the PrefixList, but the
reference associated with the Body does not:

<ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                PrefixList="soap">
        </ec:InclusiveNamespaces>
    </ds:CanonicalizationMethod>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
    </ds:SignatureMethod>

    <ds:Reference URI="#TS-15">
        <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                        PrefixList="ns1 ns2 ns3 ns4 soap">
                </ec:InclusiveNamespaces>
            </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
        <ds:DigestValue>hjy97p3MBjtA2IjdM/XzjHG9V6s=</ds:DigestValue>
    </ds:Reference>

    <ds:Reference URI="#id-16">
        <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                        PrefixList="">
                </ec:InclusiveNamespaces>
            </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
        <ds:DigestValue>dknPQWZJt54NUo+dJKAWiG8oYz8=</ds:DigestValue>
    </ds:Reference>
</ds:SignedInfo>

And here is the reference to the Body (id-16):

<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
           wsu:Id="id-16">

Is an empty PrefixList valid?

If not, is there a way to control this programmatically as an outbound
interceptor? I saw the samples that use DefaultCryptoCoverageChecker, but
the samples use it as an inbound interceptor.

I am using CXF 2.7.8, WSS4j 1.6.11 and XMLSec 1.5.4.

Thanks,

Chris

Re: InclusiveNamespaces and empty PrefixList

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi,

Yes, an empty PrefixList is valid, and the receiving stack should be able
to handle it. I've updated WSS4J however not to emit an empty PrefixList
for the next release, but you will need to update your CXF version as WSS4J
1.6.x is no longer supported.

Colm.

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
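
A pre-send check for the condition discussed in this thread, as an added example that is not part of the original posts and not CXF or WSS4J code: it scans a SignedInfo for InclusiveNamespaces elements whose PrefixList a schema-validating receiver would reject as NMTOKENS. The sample XML is constructed from the snippet in the question (digests omitted), and the function names and the ASCII-only token pattern are assumptions.

```python
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
EC = "{http://www.w3.org/2001/10/xml-exc-c14n#}"
# Simplification (assumption): ASCII subset of the XML Nmtoken character set.
NMTOKEN = re.compile(r"[A-Za-z0-9._:-]+")

# Constructed sample shaped like the SignedInfo in the thread (digests omitted).
SAMPLE = """\
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
               xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#">
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
    <ec:InclusiveNamespaces PrefixList="soap"/>
  </ds:CanonicalizationMethod>
  <ds:Reference URI="#TS-15"><ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      <ec:InclusiveNamespaces PrefixList="ns1 ns2 ns3 ns4 soap"/>
    </ds:Transform></ds:Transforms></ds:Reference>
  <ds:Reference URI="#id-16"><ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      <ec:InclusiveNamespaces PrefixList=""/>
    </ds:Transform></ds:Transforms></ds:Reference>
</ds:SignedInfo>
"""

def check_prefix_list(value):
    """Return None if value passes an NMTOKENS check, else the reason it fails."""
    tokens = value.split()  # list items are whitespace-separated
    if not tokens:
        return "empty list (NMTOKENS minLength is 1)"
    bad = [t for t in tokens if not NMTOKEN.fullmatch(t)]
    return f"invalid token(s): {bad}" if bad else None

def audit_signed_info(xml_text):
    """Return (location, reason) for each PrefixList a strict schema would reject."""
    signed_info = ET.fromstring(xml_text)
    holders = [("CanonicalizationMethod", h)
               for h in signed_info.findall(DS + "CanonicalizationMethod")]
    for ref in signed_info.iter(DS + "Reference"):
        holders += [(ref.get("URI", ""), t) for t in ref.iter(DS + "Transform")]
    findings = []
    for location, holder in holders:
        for inc in holder.findall(EC + "InclusiveNamespaces"):
            value = inc.get("PrefixList")  # absent attribute: no value to check
            reason = check_prefix_list(value) if value is not None else None
            if reason:
                findings.append((location, reason))
    return findings

if __name__ == "__main__":
    for location, reason in audit_signed_info(SAMPLE):
        print(f"{location}: {reason}")
```

The check is read-only: SignedInfo is itself covered by the signature, so rewriting the PrefixList after signing would invalidate it.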