You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@santuario.apache.org by bu...@apache.org on 2007/03/16 09:14:43 UTC
DO NOT REPLY [Bug 41858] New: - Namespace problem when initializing XMLSignature in version 1.4.0
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41858>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=41858
Summary: Namespace problem when initializing XMLSignature in
version 1.4.0
Product: Security
Version: unspecified
Platform: Sun
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Signature
AssignedTo: security-dev@xml.apache.org
ReportedBy: kohring@ccrl-nece.de
When initializing XMLSignature from a DOM Element a null pointer exception can
arise if an Object element was created in the active default namespace, without
an explicit namespace identifier. This arises because the
Node.getNamespaceURI() method only looks for explicit namespaces and does not
search for any default namespaces which may be active.
The null pointer error occurs at:
if ((keyInfoElem != null) &&
(keyInfoElem.getNamespaceURI().equals(Constants.SignatureSpecNS) &&
keyInfoElem.getLocalName().equals(Constants._TAG_KEYINFO)) )
-- Gregory
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
DO NOT REPLY [Bug 41858] - Namespace problem when initializing XMLSignature in version 1.4.0
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41858>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=41858
------- Additional Comments From kohring@ccrl-nece.de 2007-08-02 00:26 -------
(In reply to comment #2)
> Can you attach a test case, or a sample of XML demonstrating the problem? I need
> to be able to reproduce this problem.
Well, the contract of org.w3c.dom.Node.getNamespaceURI() is very specific:
"The namespace URI of this node, or null if it is unspecified (see ). This is
not a computed value that is the result of a namespace lookup based on an
examination of the namespace declarations in scope." In other words, if a
org.w3c.dom.Node was given an implicit namespace based upon the default
namespace in effect when it was created, then this method will return null. It
will only return a non-null value if the Node was explicitly given a namespace
when it was created. For this reason you should check the return value of
org.w3c.dom.Node.getNamespaceURI() to make sure it is not null before you use it.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
DO NOT REPLY [Bug 41858] - Namespace problem when initializing XMLSignature in version 1.4.0
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41858>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=41858
------- Additional Comments From kohring@ccrl-nece.de 2007-08-13 00:08 -------
(In reply to comment #4)
> The Apache implementation requires all elements to be created with
> the DOM L2 namespace aware methods (Document.createElementNS ...) etc. Please
> search the archives for more information. The other problem is that the
> Node.isDefaultNamespace is a DOM L3 method and right now the implementation
> doesn't have any direct dependencies on DOM L3.
>
> Is there some reason you did not create the KeyInfo element with the
> createElementNS method?
OK, I see your point with respect to the DOM L3 interface (though it is odd that
getNamespaceURI() method on DOM L2 does not do a complete namespace lookup
either -- maybe that is why a new method was added in L3). As for how the
KeyInfo element is created, I do not have any control over that -- my part of
the code only validates the signature. The DOM Document is constructed by
software from another open source project. I contacted them about the following
the practice you recommend, but have not heard back from them. Thanks for you help.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
DO NOT REPLY [Bug 41858] - Namespace problem when initializing XMLSignature in version 1.4.0
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41858>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=41858
------- Additional Comments From sean.mullan@sun.com 2007-08-02 08:35 -------
The Apache implementation requires all elements to be created with
the DOM L2 namespace aware methods (Document.createElementNS ...) etc. Please
search the archives for more information. The other problem is that the
Node.isDefaultNamespace is a DOM L3 method and right now the implementation
doesn't have any direct dependencies on DOM L3.
Is there some reason you did not create the KeyInfo element with the
createElementNS method?
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
DO NOT REPLY [Bug 41858] - Namespace problem when initializing XMLSignature in version 1.4.0
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41858>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=41858
------- Additional Comments From kohring@ccrl-nece.de 2007-03-16 01:16 -------
Created an attachment (id=19719)
--> (http://issues.apache.org/bugzilla/attachment.cgi?id=19719&action=view)
one possible solution
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
DO NOT REPLY [Bug 41858] - Namespace problem when initializing XMLSignature in version 1.4.0
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41858>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=41858
sean.mullan@sun.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO
------- Additional Comments From sean.mullan@sun.com 2007-08-01 09:48 -------
Can you attach a test case, or a sample of XML demonstrating the problem? I need
to be able to reproduce this problem.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.