Posted to dev@ws.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2019/07/27 09:08:00 UTC
[jira] [Closed] (WSS-651) Incorrect signature if document has WSU_NS declared on SOAP Header or Envelope
[ https://issues.apache.org/jira/browse/WSS-651?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh closed WSS-651.
-----------------------------------
> Incorrect signature if document has WSU_NS declared on SOAP Header or Envelope
> ------------------------------------------------------------------------------
>
> Key: WSS-651
> URL: https://issues.apache.org/jira/browse/WSS-651
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 2.2.3
> Reporter: L
> Assignee: Colm O hEigeartaigh
> Priority: Critical
> Fix For: 2.3.0, 2.2.4
>
>
> I have run into a problem with documents signed by WSS4J 2.2.3: the "other side" is rejecting some of the documents signed by WSS4J 2.2.3.
> After some investigation I managed to reproduce it and make WSS4J reject its own signed documents.
> The problem can be reproduced quite easily with a modified org.apache.wss4j.dom.message.SignatureTest:
> I have copy-pasted the method testSignedTimestamp() and modified it slightly. This is the full source code of the new method:
>
> {code:java}
> @Test
> public void testSignedTimestamp1() throws Exception {
>     Document doc = SOAPUtil.toSOAPPart(SAMPLE_SOAP_MSG_WSU_NS);
>     WSSecHeader secHeader = new WSSecHeader(doc);
>     secHeader.insertSecurityHeader();
>     WSSecTimestamp timestamp = new WSSecTimestamp(secHeader);
>     timestamp.setTimeToLive(300);
>     timestamp.build();
>     WSSecSignature builder = new WSSecSignature(secHeader);
>     builder.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
>     // Makes no difference, tested with it and without it.
>     // Added to test because my code sets it to false
>     // builder.setAddInclusivePrefixes(false);
>     WSEncryptionPart encP =
>         new WSEncryptionPart(
>             "Timestamp",
>             WSConstants.WSU_NS,
>             "");
>     builder.getParts().add(encP);
>     builder.prepare(crypto);
>     List<javax.xml.crypto.dsig.Reference> referenceList =
>         builder.addReferencesToSign(builder.getParts());
>     builder.computeSignature(referenceList, false, null);
>     String outputString = XMLUtils.prettyDocumentToString(doc);
>     if (LOG.isDebugEnabled()) {
>         LOG.debug("After Signing....");
>         LOG.debug(outputString);
>     }
>     // !!!!
>     // Makes all the difference: validating the just-signed document works,
>     // validating the serialized and parsed document does not
>     Document doc2 = SOAPUtil.toSOAPPart(outputString);
>     // Document doc2 = doc;
>     verify(doc2);
> }
>
> public static final String SAMPLE_SOAP_MSG_WSU_NS =
>     "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
>     + "<SOAP-ENV:Envelope "
>     + "xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" "
>     + "xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" "
>     + "xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" "
>     // !!!!
>     // Makes all the difference: uncomment it and validating the serialized
>     // and parsed document fails
>     // + "xmlns:u=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\" "
>     + ">"
>     + "<SOAP-ENV:Body>"
>     + "<add xmlns=\"http://ws.apache.org/counter/counter_port_type\">"
>     + "<value xmlns=\"\">15</value>"
>     + "</add>"
>     + "</SOAP-ENV:Body>"
>     + "</SOAP-ENV:Envelope>";
> {code}
>
>
> The important parts are marked with '!!!!' comments:
> # You need to verify the document after it has been serialized and parsed back; then the verification fails. Verifying the signed document "in memory" succeeds.
> # The original document to be signed must have the WSU_NS namespace declared, with some prefix other than 'wsu', on any ancestor of the wsse:Security element to be inserted.
>
>
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
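The report gives the conditions for reproducing the failure but not its cause. The following added example (mine, not WSS4J code and not from the reporter) illustrates why the prefix bound to WSU_NS matters at all: namespace prefix names are part of the canonical form that gets digested, so a serialise-and-parse step that rebinds the same URI to a different prefix changes the digest of an otherwise identical Timestamp element. It uses the standard-library C14N 2.0 canonicaliser rather than the Exclusive C14N 1.0 that WSS4J applies, and constructed sample envelopes; both algorithms keep prefix names unless told otherwise.

```python
import hashlib
import xml.etree.ElementTree as ET

WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed samples (not from the report). The Timestamp element is the same
# in both; only where, and under which prefix, WSU_NS is bound differs.
TS_LOCAL_WSU = (
    f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}"><SOAP-ENV:Header>'
    f'<wsu:Timestamp xmlns:wsu="{WSU_NS}" wsu:Id="TS-1">'
    '<wsu:Created>2019-07-27T09:08:00Z</wsu:Created></wsu:Timestamp>'
    '</SOAP-ENV:Header></SOAP-ENV:Envelope>'
)
TS_ANCESTOR_U = (
    f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}" xmlns:u="{WSU_NS}">'
    '<SOAP-ENV:Header><u:Timestamp u:Id="TS-1">'
    '<u:Created>2019-07-27T09:08:00Z</u:Created></u:Timestamp>'
    '</SOAP-ENV:Header></SOAP-ENV:Envelope>'
)

def same_infoset(a: str, b: str) -> bool:
    """True when both documents have identical {uri}local names, attributes and text."""
    def walk(x, y):
        if (x.tag, x.attrib, x.text, len(x)) != (y.tag, y.attrib, y.text, len(y)):
            return False
        return all(walk(cx, cy) for cx, cy in zip(x, y))
    return walk(ET.fromstring(a), ET.fromstring(b))

def c14n_digest(xml_text: str, rewrite_prefixes: bool = False) -> str:
    """SHA-256 over the stdlib C14N 2.0 form. Like Exclusive C14N 1.0, it keeps
    the original prefix names unless explicitly asked to rewrite them."""
    canon = ET.canonicalize(xml_text, rewrite_prefixes=rewrite_prefixes)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def round_trip(xml_text: str) -> str:
    """Serialise and parse back. ElementTree picks its own prefixes (ns0, ns1, ...)
    for unregistered namespaces: the infoset is unchanged, the canonical bytes are not."""
    return ET.tostring(ET.fromstring(xml_text), encoding="unicode")

def digest_survives_round_trip(xml_text: str) -> bool:
    """Defender-side check: compare the digest of the in-memory document with the
    digest after a serialise/parse cycle, i.e. over what will actually be sent."""
    return c14n_digest(xml_text) == c14n_digest(round_trip(xml_text))
```

With prefix rewriting enabled the two samples, and a document before and after round-tripping, digest identically, which isolates the prefix name as the only difference.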