Posted to commits@santuario.apache.org by "Xavier Dury (JIRA)" <ji...@apache.org> on 2011/02/07 10:23:30 UTC

[jira] Updated: (SANTUARIO-264) Problem validating SOAP signatures when using C14N#withComments

     [ https://issues.apache.org/jira/browse/SANTUARIO-264?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Xavier Dury updated SANTUARIO-264:
----------------------------------

    Description: 
We're receiving the following SOAP signature:

<SignedInfo>
  <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <Reference URI="#Timestamp-8ea2b114-4eef-4065-9652-4a5ec993ec3a">
    <Transforms>
      <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>f2APXuQigEwUbXF4iTU9CR6t29E=</DigestValue>
  </Reference>
  <Reference URI="#Body-dd696b91-999c-4e21-92d1-3fcf24df588c">
    <Transforms>
      <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>Unhng+BNNENb3kMNAdJ79O+kV9k=</DigestValue>
  </Reference>
</SignedInfo>

All C14N methods in the SignedInfo block are comments-sensitive.
That signature fails when the SOAP:Body contains comments; when comments are removed, the signature
validates correctly.

In some places of the code, it seems that the flag XMLSignatureInput.excludeComments is wrongly set:

for SignedInfo/CanonicalizationMethod

problem in ApacheCanonicalizer.transform(...) => 

	DOMSubTreeData subTree = (DOMSubTreeData) data;
	in = new XMLSignatureInput(subTree.getRoot());
	in.setExcludeComments(subTree.excludeComments());

subtree is instantiated in DOMSignedInfo.canonicalize(...) =>

	DOMSubTreeData subTree = new DOMSubTreeData(localSiElem, true); // Always TRUE regardless of C14N method.

Thread [main] (Suspended (breakpoint at line 481 in XMLSignatureInput))        
                XMLSignatureInput.setExcludeComments(boolean) line: 481   
                DOMExcC14NMethod(ApacheCanonicalizer).transform(Data, XMLCryptoContext, OutputStream) line: 198    
                DOMCanonicalizationMethod(DOMTransform).transform(Data, XMLCryptoContext, OutputStream) line: 129                
                DOMCanonicalizationMethod.canonicalize(Data, XMLCryptoContext, OutputStream) line: 67 
                DOMSignedInfo.canonicalize(XMLCryptoContext, ByteArrayOutputStream) line: 172  
                DOMRSASignatureMethod.verify(Key, DOMSignedInfo, byte[], XMLValidateContext) line: 112             
                DOMXMLSignature$DOMSignatureValue.validate(XMLValidateContext) line: 514         
                DOMXMLSignature.validate(XMLValidateContext) line: 232      
                Main.main(String[]) line: 67   


for SignedInfo/Reference

problem in ResolverFragment.engineResolve(...) =>

	XMLSignatureInput result = new XMLSignatureInput(selectedElem);
	result.setExcludeComments(true); // Always TRUE regardless of C14N method.

Thread [main] (Suspended (breakpoint at line 481 in XMLSignatureInput))        
                XMLSignatureInput.setExcludeComments(boolean) line: 481   
                ResolverFragment.engineResolve(Attr, String) line: 97                
                ResourceResolver.resolve(Attr, String) line: 236              
                DOMURIDereferencer.dereference(URIReference, XMLCryptoContext) line: 75           
                DOMReference.dereference(XMLCryptoContext) line: 344      
                DOMReference.validate(XMLValidateContext) line: 311             
                DOMXMLSignature.validate(XMLValidateContext) line: 244      
                Main.main(String[]) line: 67   



> Problem validating SOAP signatures when using C14N#withComments
> ---------------------------------------------------------------
>
>                 Key: SANTUARIO-264
>                 URL: https://issues.apache.org/jira/browse/SANTUARIO-264
>             Project: Santuario
>          Issue Type: Bug
>          Components: Java
>         Environment: JDK1.6.0_20
> Windows Vista
>            Reporter: Xavier Dury
>            Assignee: Colm O hEigeartaigh
>
