Posted to dev@ws.apache.org by "L (JIRA)" <ji...@apache.org> on 2019/05/26 19:01:00 UTC
[jira] [Created] (WSS-651) Incorrect signature if document has WSU_NS declared on SOAP Header or Envelope
L created WSS-651:
---------------------
Summary: Incorrect signature if document has WSU_NS declared on SOAP Header or Envelope
Key: WSS-651
URL: https://issues.apache.org/jira/browse/WSS-651
Project: WSS4J
Issue Type: Bug
Components: WSS4J Core
Affects Versions: 2.2.3
Reporter: L
Assignee: Colm O hEigeartaigh
I have run into a problem with documents signed by WSS4J 2.2.3: the "other side" is rejecting some of the documents signed by WSS4J 2.2.3.
After some investigation I managed to reproduce it and make WSS4J reject its own signed documents.
The problem can be reproduced quite easily with a modified org.apache.wss4j.dom.message.SignatureTest:
I copy-pasted the method testSignedTimestamp() and modified it slightly. This is the full source code of the new method:
{code:java}
@Test
public void testSignedTimestamp1() throws Exception {
    Document doc = SOAPUtil.toSOAPPart(SAMPLE_SOAP_MSG_WSU_NS);
    WSSecHeader secHeader = new WSSecHeader(doc);
    secHeader.insertSecurityHeader();

    // Add a wsu:Timestamp to the security header
    WSSecTimestamp timestamp = new WSSecTimestamp(secHeader);
    timestamp.setTimeToLive(300);
    timestamp.build();

    WSSecSignature builder = new WSSecSignature(secHeader);
    builder.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
    // Makes no difference, tested with it and without it.
    // Added to test because my code sets it to false
    // builder.setAddInclusivePrefixes(false);

    // Sign only the Timestamp element
    WSEncryptionPart encP =
        new WSEncryptionPart(
            "Timestamp",
            WSConstants.WSU_NS,
            "");
    builder.getParts().add(encP);

    builder.prepare(crypto);
    List<javax.xml.crypto.dsig.Reference> referenceList =
        builder.addReferencesToSign(builder.getParts());
    builder.computeSignature(referenceList, false, null);

    String outputString = XMLUtils.prettyDocumentToString(doc);
    if (LOG.isDebugEnabled()) {
        LOG.debug("After Signing....");
        LOG.debug(outputString);
    }

    // !!!!
    // Makes all the difference: validating just signed document works,
    // validating serialized and parsed document does not
    Document doc2 = SOAPUtil.toSOAPPart(outputString);
    // Document doc2 = doc;
    verify(doc2);
}

public static final String SAMPLE_SOAP_MSG_WSU_NS =
    "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
    + "<SOAP-ENV:Envelope "
    + "xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" "
    + "xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" "
    + "xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" "
    // !!!!
    // Makes all the difference: uncomment it and validating the serialized
    // and parsed document fails
    // + "xmlns:u=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\" "
    + ">"
    + "<SOAP-ENV:Body>"
    + "<add xmlns=\"http://ws.apache.org/counter/counter_port_type\">"
    + "<value xmlns=\"\">15</value>"
    + "</add>"
    + "</SOAP-ENV:Body>"
    + "</SOAP-ENV:Envelope>";
{code}
Important parts are marked with '!!!!' comments:
# You need to verify the document after it has been serialized and parsed back. Then the verification fails. Verifying the signed document "in memory" succeeds.
# The original (to-be-signed) document must have the WSU_NS namespace declared, with some prefix other than 'wsu', on any ancestor of the to-be-inserted wsse:Security element.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
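The following is an added illustration, not code from the issue or from WSS4J, of the mechanism that makes the reporter's two observations hang together: a canonicalization that preserves namespace prefixes (Exclusive C14N 1.0 in WS-Security; the Python standard library only offers C14N 2.0, used here as a stand-in with the same property) produces a different digest for the same Timestamp when the WSU namespace ends up bound to a different prefix after a serialize/parse round trip. The SOAP envelope, the Timestamp contents, the wsu:Id value and the function names are all constructed for this example; the "round trip" is simulated by re-serializing the subtree under the prefix that an ancestor already binds ('u' in the reporter's sample), and nothing here asserts how WSS4J itself produces the mismatch.

```python
# Added example (not part of WSS-651 or WSS4J). Demonstrates that a prefix
# change between the in-memory document and its serialized/reparsed copy
# changes the digest of a signed Timestamp under prefix-preserving C14N.
# Requires Python 3.8+ (xml.etree.ElementTree.canonicalize).
import hashlib
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")

# Constructed envelope: WSU_NS is already bound to 'u' on the Envelope (as in
# the reporter's SAMPLE_SOAP_MSG_WSU_NS with the xmlns:u line uncommented) and
# the inserted Timestamp binds the same namespace to 'wsu'. The wsse:Security
# wrapper and the Signature element are omitted; only the signed part matters.
SIGNED_ENVELOPE = f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}" xmlns:u="{WSU_NS}">
  <SOAP-ENV:Header>
    <wsu:Timestamp xmlns:wsu="{WSU_NS}" wsu:Id="TS-1">
      <wsu:Created>2019-05-26T19:01:00Z</wsu:Created>
      <wsu:Expires>2019-05-26T19:06:00Z</wsu:Expires>
    </wsu:Timestamp>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <add xmlns="http://ws.apache.org/counter/counter_port_type">15</add>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


def timestamp_digest(envelope_xml, wsu_prefix, rewrite_prefixes=False):
    """Return (sha256 hex, canonical XML) of the Timestamp subtree.

    The subtree is re-serialized with WSU_NS bound to `wsu_prefix`, which
    simulates a serializer/parser round trip that rebinds the namespace to a
    prefix already in scope on an ancestor. C14N 2.0 (stdlib) keeps prefixes
    unless rewrite_prefixes=True; Exclusive C14N 1.0 always keeps them.
    """
    # register_namespace replaces any earlier prefix bound to the same URI.
    ET.register_namespace(wsu_prefix, WSU_NS)
    root = ET.fromstring(envelope_xml)
    ts = root.find(f".//{{{WSU_NS}}}Timestamp")
    if ts is None:
        raise ValueError("no wsu:Timestamp in envelope")
    ts.tail = None  # tostring() would otherwise emit the whitespace after </Timestamp>
    fragment = ET.tostring(ts, encoding="unicode")
    canonical = ET.canonicalize(xml_data=fragment, rewrite_prefixes=rewrite_prefixes)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest(), canonical


def reference_survives_round_trip(signed_prefix="wsu", reparsed_prefix="u",
                                  rewrite_prefixes=False):
    """True when the digest computed at signing time (Timestamp bound to
    `signed_prefix`) equals the one a verifier computes after the document was
    serialized and parsed back with the namespace bound to `reparsed_prefix`."""
    before, _ = timestamp_digest(SIGNED_ENVELOPE, signed_prefix, rewrite_prefixes)
    after, _ = timestamp_digest(SIGNED_ENVELOPE, reparsed_prefix, rewrite_prefixes)
    return before == after


if __name__ == "__main__":
    for prefix in ("wsu", "u"):
        digest, canon = timestamp_digest(SIGNED_ENVELOPE, prefix)
        print(f"{prefix:>3}: {digest}  {canon.splitlines()[0][:48]}...")
    print("prefix-preserving C14N, digest unchanged:",
          reference_survives_round_trip())
    print("prefix-rewriting C14N,  digest unchanged:",
          reference_survives_round_trip(rewrite_prefixes=True))
```

The practical check this suggests for any WS-Security signing code, and the one the reporter's test already performs, is to verify the message only after it has gone through XMLUtils.prettyDocumentToString (or whatever serializer the transport uses) and been parsed back, never just the in-memory DOM. A verifier on the wire only ever sees the round-tripped form.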