Posted to java-dev@axis.apache.org by Ed Saltelli <ed...@webmethods.com> on 2005/03/16 17:33:56 UTC

RE: Problem with namespace handling in Axis 1.2 : break XML Signature

The namespaces shouldn't be a problem for signature verification since
you're using exclusive c14n. It drops unused namespaces (dsig ns in the
roottag) and redistributes ns declarations to the areas where they are in
use, i.e. xmlns:name2 is moved from roottag to the name2:child1 element.


Ed
 

<va...@bull.net> wrote:
> I have a web service (Message style) working with Axis 1.1
> When upgrading to Axis 1.2, it doesn't work anymore because of a
> namespace management that changes in Axis 1.2.
> 
> Details of the problem :
> The web service is of type :
>     public Document execute(Document body)
> it returns a signed document
> The client has to verify the signature of the response.
> 
> At the end of this mail, you can see the message sent by the server and
> the message received by the client
> 
> You can see that the message has been changed during transfer : all
> namespace definitions have moved to the root element.
> The document is still syntactically correct, but the signature is broken...
> 
> It's a serious problem if Axis 1.2 is no more compatible with xml
> signature. Is there a way to solve this problem ? Is it a bug ?
> 
> Message sent by the server :
> 
> <name1:roottag xmlns:name1="http://name1.com">
> <name2:child1 xmlns:name2="http://name2.com">
> <name2:child2>text</name2:child2>
> </name2:child1>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>    <ds:SignedInfo>
>      <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>      <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>      <ds:Reference URI="">
>        <ds:Transforms>
>          <ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>        </ds:Transforms>
>        <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>        <ds:DigestValue>EbF81+pMnbZZ/e4E325r3R50pWA=</ds:DigestValue>
>      </ds:Reference>
>    </ds:SignedInfo>
>    <ds:SignatureValue>
> 
> O12jWOqgkpkOXxGHmmXi0IzJhMv29uhbdl1PE1S/CYlL/Ua3sDSuReucWt1Ae6iRjKdN8Ekr
> 
> EaM0K/+bASmXXwK82pul3ZF4dykClCUKIX4eGLSYDsQIJzNhG5g6n+eRzxjk3Eak6G2eYAky
>      qjVJp7Iic3opzb8VQKpLvle1ZME=
>    </ds:SignatureValue>
> </ds:Signature></name1:roottag>
> 
> Message received by the client :
> <name1:roottag xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> xmlns:name1="http://name1.com" xmlns:name2="http://name2.com">
> <name2:child1>
> <name2:child2>text</name2:child2>
> </name2:child1>
> <ds:Signature>
>    <ds:SignedInfo>
>      <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>      <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>      <ds:Reference URI="">
>        <ds:Transforms>
>          <ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>        </ds:Transforms>
>        <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>        <ds:DigestValue>EbF81+pMnbZZ/e4E325r3R50pWA=</ds:DigestValue>
>      </ds:Reference>
>    </ds:SignedInfo>
>    <ds:SignatureValue>
> 
> O12jWOqgkpkOXxGHmmXi0IzJhMv29uhbdl1PE1S/CYlL/Ua3sDSuReucWt1Ae6iRjKdN8Ekr
> 
> EaM0K/+bASmXXwK82pul3ZF4dykClCUKIX4eGLSYDsQIJzNhG5g6n+eRzxjk3Eak6G2eYAky
>      qjVJp7Iic3opzb8VQKpLvle1ZME=
>    </ds:SignatureValue>
> </ds:Signature></name1:roottag>
> 
>
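
The exclusive c14n behaviour described in the reply above, as an added example that is not part of the original thread: a simplified serializer (not a conformant c14n implementation) run over constructed copies of the two messages, showing that hoisting the declarations to the root leaves the exclusive digest unchanged while an inclusive-style digest changes. The names `serialize`, `canonical` and `digest` are hypothetical.

```python
import base64, hashlib
from xml.dom import minidom
from xml.sax.saxutils import escape

DS = "http://www.w3.org/2000/09/xmldsig#"
Q = {'"': "&quot;"}  # extra escape needed inside attribute values
# Constructed samples modelled on the thread's two messages (whitespace and signature body trimmed).
SENT = ('<name1:roottag xmlns:name1="http://name1.com">'
        '<name2:child1 xmlns:name2="http://name2.com"><name2:child2>text</name2:child2></name2:child1>'
        '<ds:Signature xmlns:ds="' + DS + '"><ds:SignedInfo/></ds:Signature></name1:roottag>')
RECEIVED = ('<name1:roottag xmlns:ds="' + DS + '" xmlns:name1="http://name1.com" '
            'xmlns:name2="http://name2.com">'
            '<name2:child1><name2:child2>text</name2:child2></name2:child1>'
            '<ds:Signature><ds:SignedInfo/></ds:Signature></name1:roottag>')

def serialize(node, scope, rendered, exclusive):
    """Simplified canonical form covering elements, attributes and text only."""
    if node.nodeType == node.TEXT_NODE:
        return escape(node.data)
    if node.nodeType != node.ELEMENT_NODE or (node.namespaceURI, node.localName) == (DS, "Signature"):
        return ""  # enveloped-signature transform: ds:Signature is left out of its own digest
    scope, rendered, attrs = dict(scope), dict(rendered), []
    for a in node.attributes.values():
        if a.name == "xmlns" or a.name.startswith("xmlns:"):
            scope[a.name[6:]] = a.value      # declaration enters scope; "" is the default ns
        else:
            attrs.append(a)
    # Exclusive: only prefixes visibly used by this element. Inclusive: every namespace in scope.
    used = {node.prefix or ""} | {a.prefix for a in attrs if a.prefix}
    wanted = used if exclusive else set(scope)
    out = "<" + node.tagName
    for p in sorted(wanted):
        if p in scope and rendered.get(p) != scope[p]:   # not yet declared by an output ancestor
            out += ' %s="%s"' % ("xmlns:" + p if p else "xmlns", escape(scope[p], Q))
            rendered[p] = scope[p]
    for a in sorted(attrs, key=lambda a: (a.namespaceURI or "", a.localName)):
        out += ' %s="%s"' % (a.name, escape(a.value, Q))
    out += ">" + "".join(serialize(c, scope, rendered, exclusive) for c in node.childNodes)
    return out + "</" + node.tagName + ">"

def canonical(xml_text, exclusive=True):
    return serialize(minidom.parseString(xml_text).documentElement, {}, {}, exclusive)

def digest(xml_text, exclusive=True):
    data = canonical(xml_text, exclusive).encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode()  # SHA-1: the thread's DigestMethod

if __name__ == "__main__":
    print(digest(SENT) == digest(RECEIVED), digest(SENT, False) == digest(RECEIVED, False))
```

The digests are computed over the trimmed samples, so they are not expected to equal the DigestValue quoted in the thread.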

Re: Problem with namespace handling in Axis 1.2 : break XML Signature

Posted by Anne Thomas Manes <at...@gmail.com>.
Either way -- Axis should not modify the message when using message style.

