Posted to commits@santuario.apache.org by "Atle Tokle (JIRA)" <ji...@apache.org> on 2015/01/19 18:58:35 UTC

[jira] [Created] (SANTUARIO-412) Signature verification fails because of unutilized default namespace not removed

Atle Tokle created SANTUARIO-412:
------------------------------------

             Summary: Signature verification fails because of unutilized default namespace not removed
                 Key: SANTUARIO-412
                 URL: https://issues.apache.org/jira/browse/SANTUARIO-412
             Project: Santuario
          Issue Type: Bug
      Security Level: Public (Public issues, viewable by everyone)
          Components: Java
    Affects Versions: Java 2.0.3, Java 2.0.1
         Environment: Webservice created with cxf 3.0.1, and running on java 7.
            Reporter: Atle Tokle
            Assignee: Colm O hEigeartaigh
            Priority: Blocker


In a SOAP message where the body is encrypted and signed, we get a signature verification fault because of a differently calculated digest.

The decrypted body is (anonymized) like this: <urn:GetDataRequest xmlns="" xmlns:cont="http://www.company1.no/jade/xsd/v1.3/contexttypes" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:no:company2:area:domain:melding:DataMessage-1.0" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">123456789</urn:GetDataRequest>

When it's canonicalized using Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" it is like this:
<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body-767cf61e-3cc1-45dc-b677-04720471d3b0">
      <urn:GetDataRequest xmlns:urn="urn:no:company2:area:domain:melding:DataMessage-1.0" xmlns="">123456789</urn:GetDataRequest>
   </soapenv:Body>

This gives a different signature from what we got from the sender. If we remove the namespace definition xmlns="" and create a digest, it is equal to what we get from the sender.

From my understanding of http://www.w3.org/TR/xml-exc-c14n/ it is the sender that is correct.
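As an added illustration (not code from this report or from Santuario), the following Python models the namespace-rendering rule of Exclusive XML Canonicalization in a toy serializer and applies it to the anonymized body above. A prefixed element such as urn:GetDataRequest does not visibly utilize the default namespace, so its xmlns="" is not rendered; an unprefixed child that undoes a non-empty default namespace rendered by an ancestor does get xmlns="". The sample input is constructed from the report (whitespace collapsed); the serializer omits comments, supports no InclusiveNamespaces PrefixList, and assumes minidom exposes xmlns declarations as attributes, with xmlns="" parsed as a None value.

```python
"""Toy model of the exclusive-c14n namespace rule (http://www.w3.org/TR/xml-exc-c14n/).

Added example, not Santuario code.  Only namespace rendering is modelled:
comments are dropped and no InclusiveNamespaces PrefixList is supported.
"""
import xml.dom.minidom as minidom


def _is_ns_decl(attr):
    return attr.name == "xmlns" or attr.name.startswith("xmlns:")


def _in_scope(elem):
    """Namespace bindings visible at elem as {prefix: uri}; "" is the default."""
    chain = []
    node = elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        chain.append(node)
        node = node.parentNode
    scope = {}
    for node in reversed(chain):                      # outermost element first
        for attr in node.attributes.values():
            if _is_ns_decl(attr):
                prefix = "" if attr.name == "xmlns" else attr.name[6:]
                scope[prefix] = attr.value or ""      # xmlns="" parses as None
    return scope


def _esc_text(s):
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
             .replace("\r", "&#xD;"))


def _esc_attr(s):
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace('"', "&quot;")
             .replace("\t", "&#x9;").replace("\n", "&#xA;").replace("\r", "&#xD;"))


def exc_c14n(elem, rendered=None):
    """Serialize elem; `rendered` holds declarations emitted by output ancestors."""
    rendered = dict(rendered or {})
    scope = _in_scope(elem)
    # Visibly utilized prefixes: the element's own plus those of its attributes.
    # Unprefixed attributes are in no namespace, so they never use the default.
    utilized = {elem.prefix or ""}
    utilized |= {a.prefix for a in elem.attributes.values()
                 if a.prefix and not _is_ns_decl(a)}
    emit = {}
    for prefix in sorted(utilized):
        uri = scope.get(prefix, "")
        if prefix == "" and uri == "":
            # The empty default namespace is rendered as xmlns="" only to undo a
            # non-empty default namespace that an output ancestor already
            # rendered.  A prefixed element never reaches this branch.
            if rendered.get("", ""):
                emit[""] = ""
        elif uri and rendered.get(prefix) != uri:
            emit[prefix] = uri
    rendered.update(emit)

    out = ["<", elem.tagName]
    for prefix, uri in sorted(emit.items()):          # default first, then by prefix
        name = "xmlns" if prefix == "" else "xmlns:" + prefix
        out.append(' %s="%s"' % (name, _esc_attr(uri)))
    attrs = [a for a in elem.attributes.values() if not _is_ns_decl(a)]
    for a in sorted(attrs, key=lambda a: (a.namespaceURI or "", a.localName)):
        out.append(' %s="%s"' % (a.name, _esc_attr(a.value)))
    out.append(">")
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out.append(exc_c14n(child, rendered))
        elif child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            out.append(_esc_text(child.data))
    out.append("</%s>" % elem.tagName)
    return "".join(out)


def exc_c14n_string(xml_text):
    """Parse a document and return the exclusive-c14n form of its root element."""
    return exc_c14n(minidom.parseString(xml_text).documentElement)


# Constructed from the anonymized decrypted body in the report, whitespace collapsed.
DECRYPTED_BODY = (
    '<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
    ' xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"'
    ' wsu:Id="Body-767cf61e-3cc1-45dc-b677-04720471d3b0">'
    '<urn:GetDataRequest xmlns="" xmlns:cont="http://www.company1.no/jade/xsd/v1.3/contexttypes"'
    ' xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
    ' xmlns:urn="urn:no:company2:area:domain:melding:DataMessage-1.0"'
    ' xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"'
    '>123456789</urn:GetDataRequest></soapenv:Body>'
)

if __name__ == "__main__":
    print(exc_c14n_string(DECRYPTED_BODY))                      # no xmlns=""
    print(exc_c14n_string('<a xmlns="urn:x"><b xmlns="">t</b></a>'))  # keeps xmlns=""
    print(exc_c14n_string('<a xmlns="urn:x"><p:b xmlns:p="urn:p" xmlns="">t</p:b></a>'))
```

Run stand-alone it prints the canonical body with only xmlns:urn on the inner element, which is the form the sender digested; the two extra inputs show that xmlns="" survives only on an unprefixed element whose ancestor rendered a non-empty default namespace.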

I have tested a local patch where I made two changes to the 2.0.3 source of org.apache.xml.security.c14n.implementations.Canonicalizer20010315Excl.java

line 184:
                String NName = attribute.getLocalName();
changed to
                String NName = attribute.getLocalName() == null ? "" : attribute.getLocalName();

line 187:
                if (!XMLNS_URI.equals(attribute.getNamespaceURI())) {
changed to:
                if (!XMLNS_URI.equals(attribute.getNamespaceURI()) &&
                        !(XMLNS.equals(attribute.getName()) && "".equals(NName) && "".equals(NNodeValue))) {

This fixed the problem for me, but I don't know which regressions I might have introduced, or whether this new behaviour is really the correct one.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)