axis-java-dev mailing list archives

From Anne Thomas Manes <atma...@gmail.com>
Subject Re: Problem with namespace handling in Axis 1.2 : break XML Signature
Date Fri, 18 Mar 2005 19:43:13 GMT
If your problem is performance, then I suggest you try using an XML
gateway appliance, such as Data Power or Reactivity, to process your
signatures. When signing XML, you should use XML Signature and
exclusive canonicalization.

Anne


On Thu, 17 Mar 2005 13:18:49 -0500, Pasula, Venugopal (Consultant)
<Venugopal.Pasula@gtech.com> wrote:
> Hi Ed,
>     Still I have a question. I was able to verify the digital signature when I used
> c14n with the XMLSignature. We had some performance issues with the XML Signature. So for
> better performance we switched from XMLSignature to Java Signature for signing and verifying the
> SOAP request. There I am getting a problem in verifying the request (because of the changing XML
> namespaces). I don't want to canonicalize the message (due to the performance issue). Is there
> any way that I can verify successfully without c14n? Here I am sending my code which signs
> the SOAP message and verifies it. Please give me any suggestions to make it work.
> 
>         import java.security.PrivateKey;
>         import java.security.PublicKey;
>         import java.security.Signature;
>         import javax.xml.soap.SOAPElement;
>         import javax.xml.soap.SOAPEnvelope;
>         import org.apache.axis.encoding.Base64; // Axis' Base64 helper (encode/decode)
> 
>         // Signing the Soap Request :
>         void signRequest(SOAPEnvelope env, String sigAlg, PrivateKey privateKey) throws Exception {
>             Signature sig = Signature.getInstance(sigAlg);
>             sig.initSign(privateKey);
>             // specify the part of the message to be signed (here we are signing the SOAP body)
>             sig.update(env.getBody().toString().getBytes());
>             // do the signature
>             byte[] signature = sig.sign();
>             /**
>              * append the signature value to the soap envelope (to the header)
>              * and send for verification.
>              */
>             SOAPElement element = env.getHeader().addChildElement(env.createName("Signature"));
>             element.addTextNode(Base64.encode(signature));
>         }
> 
>         // Verifying that signed Soap Request..
>         boolean verifyRequest(SOAPEnvelope env, String sigAlg, PublicKey pubKey, String sigValue) throws Exception {
>             Signature sig = Signature.getInstance(sigAlg);
>             sig.initVerify(pubKey);
>             /**
>              * get the part of the soap message for which the digital signature
>              * was applied (in this case the digital signature was applied to the body of
>              * the soap message) and update the Signature with it.
>              */
>             sig.update(env.getBody().toString().getBytes());
>             // verify the digital signature.
>             boolean isVerified = sig.verify(Base64.decode(sigValue));
>             return isVerified;
>         }
> 
> Thanx, Venu
> 
> -----Original Message-----
> From: Ed Saltelli [mailto:eduardo.saltelli@webmethods.com]
> Sent: Wednesday, March 16, 2005 11:34 AM
> To: axis-dev@ws.apache.org
> Subject: RE: Problem with namespace handling in Axis 1.2 : break XML
> Signature
> 
> The namespaces shouldn't be a problem for signature verification since
> you're using exclusive c14n. It drops unused namespaces (dsig ns in the
> roottag) and redistributes ns declarations to the areas where they are in
> use, i.e. xmlns:name2 is moved from roottag to the name2:child1 element.
> 
> Ed
> 
> <valerie.bauche@bull.net> wrote:
> > I have a web service (Message style) working with Axis 1.1.
> > When upgrading to Axis 1.2, it doesn't work anymore because of a
> > change in namespace management in Axis 1.2.
> >
> > Details of the problem:
> > The web service is of type:
> >     public Document execute(Document body)
> > It returns a signed document.
> > The client has to verify the signature of the response.
> >
> > At the end of this mail, you can see the message sent by the server and
> > the message received by the client.
> >
> > You can see that the message has been changed during transfer: all
> > namespace definitions have moved to the root element.
> > The document is still syntactically correct, but the signature is
> > broken...
> >
> > It's a serious problem if Axis 1.2 is no longer compatible with XML
> > signature. Is there a way to solve this problem? Is it a bug?
> >
> > Message sent by the server:
> >
> > <name1:roottag xmlns:name1="http://name1.com">
> > <name2:child1 xmlns:name2="http://name2.com">
> > <name2:child2>text</name2:child2>
> > </name2:child1>
> > <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >    <ds:SignedInfo>
> >      <ds:CanonicalizationMethod
> > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >      <ds:SignatureMethod
> > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> >      <ds:Reference URI="">
> >        <ds:Transforms>
> >          <ds:Transform
> > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >        </ds:Transforms>
> >        <ds:DigestMethod
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >        <ds:DigestValue>EbF81+pMnbZZ/e4E325r3R50pWA=</ds:DigestValue>
> >      </ds:Reference>
> >    </ds:SignedInfo>
> >    <ds:SignatureValue>
> >
> > O12jWOqgkpkOXxGHmmXi0IzJhMv29uhbdl1PE1S/CYlL/Ua3sDSuReucWt1Ae6iRjKdN8Ekr
> >
> > EaM0K/+bASmXXwK82pul3ZF4dykClCUKIX4eGLSYDsQIJzNhG5g6n+eRzxjk3Eak6G2eYAky
> >      qjVJp7Iic3opzb8VQKpLvle1ZME=
> >    </ds:SignatureValue>
> > </ds:Signature></name1:roottag>
> >
> > Message received by the client:
> > <name1:roottag xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> > xmlns:name1="http://name1.com" xmlns:name2="http://name2.com">
> > <name2:child1>
> > <name2:child2>text</name2:child2>
> > </name2:child1>
> > <ds:Signature>
> >    <ds:SignedInfo>
> >      <ds:CanonicalizationMethod
> > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >      <ds:SignatureMethod
> > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> >      <ds:Reference URI="">
> >        <ds:Transforms>
> >          <ds:Transform
> > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >        </ds:Transforms>
> >        <ds:DigestMethod
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >        <ds:DigestValue>EbF81+pMnbZZ/e4E325r3R50pWA=</ds:DigestValue>
> >      </ds:Reference>
> >    </ds:SignedInfo>
> >    <ds:SignatureValue>
> >
> > O12jWOqgkpkOXxGHmmXi0IzJhMv29uhbdl1PE1S/CYlL/Ua3sDSuReucWt1Ae6iRjKdN8Ekr
> >
> > EaM0K/+bASmXXwK82pul3ZF4dykClCUKIX4eGLSYDsQIJzNhG5g6n+eRzxjk3Eak6G2eYAky
> >      qjVJp7Iic3opzb8VQKpLvle1ZME=
> >    </ds:SignatureValue>
> > </ds:Signature></name1:roottag>
> >
> >
> 

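As an added illustration of Ed's point about exclusive c14n and of why Venu's raw-bytes approach breaks (example code, not from this thread): the two documents from Valerie's mail, with the ds:Signature contents abridged because the enveloped-signature transform strips that element before digesting. Python's xml.etree canonicalize() implements C14N 2.0 rather than exc-c14n 1.0, but it declares each namespace only at the first element that visibly uses it, which is the property that makes the two serializations converge.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Server-side serialization from Valerie's mail (ds:Signature contents abridged;
# the enveloped-signature transform strips that element before digesting anyway).
SENT = (
    '<name1:roottag xmlns:name1="http://name1.com">\n'
    '<name2:child1 xmlns:name2="http://name2.com">\n'
    '<name2:child2>text</name2:child2>\n'
    '</name2:child1>\n'
    f'<ds:Signature xmlns:ds="{DSIG_NS}"><ds:SignedInfo/></ds:Signature></name1:roottag>'
)
# The same message as the client received it, every xmlns hoisted to the root.
RECEIVED = (
    f'<name1:roottag xmlns:ds="{DSIG_NS}"\n'
    'xmlns:name1="http://name1.com" xmlns:name2="http://name2.com">\n'
    '<name2:child1>\n'
    '<name2:child2>text</name2:child2>\n'
    '</name2:child1>\n'
    '<ds:Signature><ds:SignedInfo/></ds:Signature></name1:roottag>'
)

def raw_bytes(doc: str) -> bytes:
    """What sig.update(body.toString().getBytes()) signs: the literal text."""
    return doc.encode("utf-8")

def canonical_signed_bytes(doc: str) -> bytes:
    """Enveloped-signature transform, then canonicalization.

    exclude_tags drops the ds:Signature subtree; the C14N writer then emits
    each namespace declaration only at the first element that visibly uses
    it, so where Axis put the xmlns attributes no longer matters.
    """
    canon = ET.canonicalize(doc, exclude_tags=[f"{{{DSIG_NS}}}Signature"])
    return canon.encode("utf-8")

def digest_value(data: bytes) -> str:
    """SHA-1 in the base64 form a ds:DigestValue element carries."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def compare() -> dict:
    """Raw bytes differ, so Java Signature over them fails; c14n output agrees."""
    return {
        "raw_equal": raw_bytes(SENT) == raw_bytes(RECEIVED),
        "canonical_equal": canonical_signed_bytes(SENT) == canonical_signed_bytes(RECEIVED),
        "digest_equal": digest_value(canonical_signed_bytes(SENT)) == digest_value(canonical_signed_bytes(RECEIVED)),
    }
```

Whether the digest reproduces the DigestValue in Valerie's message depends on the exact whitespace of her original document, so the example only checks that server and client sides agree.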