Date: Tue, 26 Aug 2014 15:02:58 +0000 (UTC)
From: "Gene B. (JIRA)"
To: dev@ws.apache.org
Subject: [jira] [Commented] (WSS-508) When using "add inclusive prefixes" and EXC C14N - signature cannot be validated

[ https://issues.apache.org/jira/browse/WSS-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14110785#comment-14110785 ]

Gene B. commented on WSS-508:
-----------------------------

Marc: I am looking at the DOMXMLSignature class and it's easier for me to understand your explanation now. Signature value validation is solely based on the SignedInfo element digest, and is independent of references validation and precedes the latter. It seems redundant though that the signature value is a function of SignedInfo, and SignedInfo is a derivative of all signed parts. And yet the code has to validate the signature first, and then still go over all the references. I guess it is more of a conceptual problem - but understanding this process is not for the faint of heart :)

> When using "add inclusive prefixes" and EXC C14N - signature cannot be validated
> --------------------------------------------------------------------------------
>
>                 Key: WSS-508
>                 URL: https://issues.apache.org/jira/browse/WSS-508
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.0.0, 2.0.1
>         Environment: WAS 7.x, IBM JDK 1.6, WebSphere JAX-WS stack, MS Windows.
>            Reporter: Gene B.
>            Assignee: Colm O hEigeartaigh
>         Attachments: log 01 - signature verification failed with InclusiveNamespaces PrefixList.txt, log 02 - signature verification ok - signed by SOAP UI.txt, log_03a - consumer - sign message use InclusiveNamespaces prefix list.txt, log_03b - provider - signature verification failed.txt, request1-printedby-provider-signedby-soapui.xml, request1-printedby-provider-signedby-wss4j.xml
>
>
> Security implemented using WSS4J securement/validation action approach. We are trying to sign the body.
> The provider is a JAX-WS service running on WebSphere JAX-WS stack. Custom handler uses WSS4j to validate security.
> The consumer is a WebSphere JAX-WS dispatch client – also attaching custom security handler.
> Signature can be validated on the provider side when EXC C14N canonicalization is specified with BST compliance flag relaxed. That is because when we chose to add "InclusiveNamespaces" "PrefixList" on the consumer side, verification fails. When the same test is done with the SOAP UI – signature verifies Ok – so I am blaming the consumer – the signing process - not verification process.
> I am attaching a log file which shows verification failure when the InclusiveNamespaces option is used. If not for this option – this verification would've been a success.

--
This message was sent by Atlassian JIRA
(v6.2#6252)
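The following is an added illustration of the mechanism behind this report, not WSS4J or Santuario code: a small Exclusive C14N implementation (elements, text and unprefixed attributes only) run over a constructed SOAP Body, showing that an InclusiveNamespaces PrefixList changes the canonical form and therefore the reference digest, so a signer that adds the PrefixList and a verifier that does not honour it cannot agree. The `ex` prefix and the `http://example.com/ns` namespace are constructed sample values.

```python
import base64, hashlib
from xml.dom import minidom

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Constructed sample (not from the report): 'ex' is declared on the Envelope but only used inside the Body.
ENVELOPE = ('<soapenv:Envelope xmlns:soapenv="%s" xmlns:ex="http://example.com/ns">'
            '<soapenv:Body><ex:ping>hello</ex:ping></soapenv:Body>'
            '</soapenv:Envelope>' % SOAP_NS)

def _escape(text, attr=False):
    text = text.replace("&", "&amp;").replace("<", "&lt;").replace("\r", "&#xD;")
    if attr:
        return text.replace('"', "&quot;").replace("\t", "&#x9;").replace("\n", "&#xA;")
    return text.replace(">", "&gt;")

def _in_scope(elem):
    """Namespace declarations in scope for elem (innermost declaration wins)."""
    scope = _in_scope(elem.parentNode) if elem.parentNode.nodeType == elem.ELEMENT_NODE else {}
    for name, value in elem.attributes.items():
        if name == "xmlns" or name.startswith("xmlns:"):
            scope[name[6:]] = value  # "xmlns"[6:] == "" is the default namespace
    return scope

def exc_c14n(elem, prefix_list=(), rendered=None):
    """Exclusive C14N subset: a namespace is emitted only if visibly used by this element
    or named in the InclusiveNamespaces PrefixList, and not already emitted by an output ancestor."""
    rendered = dict(rendered or {})
    scope = _in_scope(elem)
    out = ["<", elem.tagName]
    for p in sorted({elem.prefix or ""} | set(prefix_list)):  # default ns first, then by prefix
        if p in scope and rendered.get(p) != scope[p]:
            out.append(' xmlns%s="%s"' % (":" + p if p else "", _escape(scope[p], True)))
            rendered[p] = scope[p]
    for name, value in sorted(a for a in elem.attributes.items() if not a[0].startswith("xmlns")):
        out.append(' %s="%s"' % (name, _escape(value, True)))
    out.append(">")
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out.append(exc_c14n(child, prefix_list, rendered))
        elif child.nodeType == child.TEXT_NODE:
            out.append(_escape(child.data))
    return "".join(out) + "</%s>" % elem.tagName

def body_digests():
    """(canonical form, base64 SHA-256) of the Body, first without and then with PrefixList 'ex'."""
    body = minidom.parseString(ENVELOPE).getElementsByTagNameNS(SOAP_NS, "Body")[0]
    return [(c, base64.b64encode(hashlib.sha256(c.encode()).digest()).decode())
            for c in (exc_c14n(body), exc_c14n(body, ("ex",)))]
```

Calling `body_digests()` returns two different canonical strings and two different DigestValues for the same Body; the verifier only recomputes the signer's digest if it applies the same PrefixList from the Transform in SignedInfo.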