santuario-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 43685] - Problem verifying signatures generated by BEA Aqualogic
Date Wed, 12 Dec 2007 13:03:48 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=43685>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=43685





------- Additional Comments From sean.mullan@sun.com  2007-12-12 05:03 -------
(In reply to comment #8)

> But, while jogging around the various forums, I found this link:
> 
> http://forums.bea.com/thread.jspa?threadID=600008882
> 
> It mentions a similar problem where the poster claimed he patched wss4j to get 
> it to work, here is a quote from the post:
> 
> -----
> I've gotten a little further since my initial post. As it turns out there is a 
> canonicalization problem. I believe it's on the wss4j/XML-Security side. The 
> problem seems to occur because of "non-visible" namespaces in the body of the 
> message due to soap encoding of array types. The particular service I was 
> trying to secure has some of these in there, i.e. there are attributes that look 
> like soapenc:arrayType="mynsprefix:mytype[]". I believe AL is following the 
> spirit of the WS-I Basic Security profile and is including the mynsprefix in 
> the canonicalized xml. wss4j on the other hand isn't. So, I modified wss4j to 
> scan for these namespaces and included them in the list of includednamespaces 
> to the exclusive-c14n canonicalization algorithm. Long story short, with the 
> change I made, the digests are the same and the signatures match.
> -----
> 
> I don't know if it's relevant or not, but I'm including it in case it rings a 
> bell somewhere ;)

If this does indeed turn out to be the same problem, then the issue needs to be
fixed (assuming it is the correct behavior) in the wss4j implementation (to add
this namespace to the InclusiveNamespaces PrefixList attribute), and not the
xmlsec implementation.

> 
> I'll get back to you when I have the canonicalized bytes from AquaLogic.
> 

Ok, thanks.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
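
The scan the quoted forum post describes, as an added example (not code from wss4j, xmlsec, or the poster): it walks the element to be signed, finds prefixes that appear inside `soapenc:arrayType` attribute values, and builds the string that would go into the `InclusiveNamespaces` `PrefixList` attribute. The class name `ArrayTypePrefixScan`, the sample message, and the `urn:example:types` namespace URI are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import java.util.TreeSet;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class ArrayTypePrefixScan {
    static final String SOAPENC = "http://schemas.xmlsoap.org/soap/encoding/";
    static final String SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/";

    // Collect prefixes referenced inside soapenc:arrayType values. Exclusive C14N
    // does not count a prefix used only in attribute *content* as visibly utilized.
    static void collect(Element e, Set<String> out) {
        NamedNodeMap attrs = e.getAttributes();
        for (int i = 0; i < attrs.getLength(); i++) {
            Attr a = (Attr) attrs.item(i);
            if (!SOAPENC.equals(a.getNamespaceURI()) || !"arrayType".equals(a.getLocalName())) continue;
            int colon = a.getValue().indexOf(':');
            if (colon <= 0) continue;                          // unprefixed type name
            String prefix = a.getValue().substring(0, colon);
            if (e.lookupNamespaceURI(prefix) != null) out.add(prefix); // only prefixes in scope
        }
        for (Node c = e.getFirstChild(); c != null; c = c.getNextSibling())
            if (c instanceof Element) collect((Element) c, out);
    }

    // Space-separated, sorted list suitable for the PrefixList attribute.
    static String prefixList(Element signedRoot) {
        Set<String> prefixes = new TreeSet<>();
        collect(signedRoot, prefixes);
        return String.join(" ", prefixes);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample message; the mynsprefix namespace URI is a placeholder.
        String xml = "<soapenv:Envelope xmlns:soapenv=\"" + SOAPENV + "\""
            + " xmlns:soapenc=\"" + SOAPENC + "\" xmlns:mynsprefix=\"urn:example:types\">"
            + "<soapenv:Body><items soapenc:arrayType=\"mynsprefix:mytype[]\"/></soapenv:Body>"
            + "</soapenv:Envelope>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);                             // required for getNamespaceURI()
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document d = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Element body = (Element) d.getElementsByTagNameNS(SOAPENV, "Body").item(0);
        System.out.println("PrefixList=\"" + prefixList(body) + "\"");
    }
}
```

Signer and verifier must agree on the resulting `PrefixList`, since it is part of the signed `Transform`/`CanonicalizationMethod` parameters and changes the canonical bytes that are digested.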
