ws-dev mailing list archives

From "Colm O hEigeartaigh (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WSS-535) Add WSSE and WSU xmlns definitions to signature's SecurityTokenReference
Date Mon, 20 Apr 2015 09:34:58 GMT

    [ https://issues.apache.org/jira/browse/WSS-535?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14502570#comment-14502570 ]

Colm O hEigeartaigh commented on WSS-535:
-----------------------------------------


I'll fix it. However, this is really a bug in the other software...

Colm.

> Add WSSE and WSU xmlns definitions to signature's SecurityTokenReference
> ------------------------------------------------------------------------
>
>                 Key: WSS-535
>                 URL: https://issues.apache.org/jira/browse/WSS-535
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.0.3
>            Reporter: Modestas Vainius
>            Assignee: Colm O hEigeartaigh
>             Fix For: 2.0.4, 1.6.19, 2.1.0
>
>
> Hello,
> when <ds:Signature> is created with WSS4J, it contains a <wsse:SecurityTokenReference>
> within it which uses the *wsse* and *wsu* namespaces. Those namespaces are defined "above" the <ds:Signature>
> tag in the XML document, so <ds:Signature> does not validate as a standalone fragment.
> For example:
> {code:xml}
> <ds:Signature Id="SIG-3E9A9AB1F5821FE8E81429475914581153" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>   <ds:SignedInfo>
>     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>       <ec:InclusiveNamespaces PrefixList="wsa soapenv urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
>     </ds:CanonicalizationMethod>
>     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
>     <ds:Reference URI="#id-3E9A9AB1F5821FE8E81429475914580148">
>       <ds:Transforms>
>         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>           <ec:InclusiveNamespaces PrefixList="urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
>         </ds:Transform>
>       </ds:Transforms>
>       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
>       <ds:DigestValue>n1FO7gH3mlf7xwN9NV7BtdhqqNM=</ds:DigestValue>
>     </ds:Reference>
>     <ds:Reference URI="#TS-3E9A9AB1F5821FE8E81429475914579144">
>       <ds:Transforms>
>         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>           <ec:InclusiveNamespaces PrefixList="wsse wsa soapenv urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
>         </ds:Transform>
>       </ds:Transforms>
>       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
>       <ds:DigestValue>8IPio9C93C+IYpVOtFUX+Ig6eFQ=</ds:DigestValue>
>     </ds:Reference>
>     <ds:Reference URI="#id-3E9A9AB1F5821FE8E81429475914581149">
>       <ds:Transforms>
>         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>           <ec:InclusiveNamespaces PrefixList="soapenv urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
>         </ds:Transform>
>       </ds:Transforms>
>       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
>       <ds:DigestValue>T5t9Lg+/6tnL3XMUqi/XBa2RPgs=</ds:DigestValue>
>     </ds:Reference>
>     <ds:Reference URI="#id-3E9A9AB1F5821FE8E81429475914581150">
>       <ds:Transforms>
>         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>           <ec:InclusiveNamespaces PrefixList="soapenv urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
>         </ds:Transform>
>       </ds:Transforms>
>       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
>       <ds:DigestValue>dNjOA0ZosOLeB7R1YnBWvW5RoWI=</ds:DigestValue>
>     </ds:Reference>
>     <ds:Reference URI="#id-3E9A9AB1F5821FE8E81429475914581151">
>       <ds:Transforms>
>         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>           <ec:InclusiveNamespaces PrefixList="soapenv urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
>         </ds:Transform>
>       </ds:Transforms>
>       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
>       <ds:DigestValue>LqsYd2ZbZG39gMytaAfebfw0Jpc=</ds:DigestValue>
>     </ds:Reference>
>     <ds:Reference URI="#id-3E9A9AB1F5821FE8E81429475914581152">
>       <ds:Transforms>
>         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>           <ec:InclusiveNamespaces PrefixList="soapenv urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
>         </ds:Transform>
>       </ds:Transforms>
>       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
>       <ds:DigestValue>KBXU/UkCBosBKxaP+pPv7qFfLmw=</ds:DigestValue>
>     </ds:Reference>
>   </ds:SignedInfo>
>   <ds:SignatureValue>CKwqqOizXZUS21GUbOK0U87u2XL+OBLj9Sfy4GaRmovCGuj8Wfm855oxbzHNaBw2rl9cFzEIUp5Pz6PKglE/KFc9E9TtKqp8aRPcRjcUvsbBZk9ntfKeJtYDF30Vsfcr6NFahCg+I2N61Mv5B622LLc7UnM8xlrUVgcBLHJwAcbX6GcQCm9hwRhO2f8n/HgHzdWW7KFw9sUQdGRyzm+k7Vhz/A6FxyqpECwIt9FWjTCaAQMo8/jS899y05UkFEFzMZy8Y6z1aODOR1W4QBp5D3+kMrG2bZHgi6UsBlCOgCH5EjolhD5grkM7wfvDbsWBw+41eswdY+at8tBhYvUFog==</ds:SignatureValue>
>   <ds:KeyInfo Id="KI-3E9A9AB1F5821FE8E81429475914580146">
>     <wsse:SecurityTokenReference wsu:Id="STR-3E9A9AB1F5821FE8E81429475914580147">
>       <ds:X509Data>
>         <ds:X509IssuerSerial>
>           <ds:X509IssuerName>CN=CERT,OU=Development,O=Org,L=City,ST=State,C=US</ds:X509IssuerName>
>           <ds:X509SerialNumber>13887123756357751743</ds:X509SerialNumber>
>         </ds:X509IssuerSerial>
>       </ds:X509Data>
>     </wsse:SecurityTokenReference>
>   </ds:KeyInfo>
> </ds:Signature>
> {code}
> This is generally fine. However, when <ds:Signature> is encrypted, some other platforms
> (for example, some versions of .NET) have trouble validating the decrypted <ds:Signature>
> since they cannot resolve the *wsse* and *wsu* namespaces (as they are not in the decrypted fragment).
> I suppose they should put the decrypted <ds:Signature> back into the context of the rest
> of the XML, but this does not happen.
> I think it would be a good idea to add definitions of the wsse and wsu namespaces to the
> <wsse:SecurityTokenReference> in order to improve compatibility with WSS implementations
> from other vendors. Or at least make this behaviour configurable.
> The following patch always adds *wsse* and *wsu* definitions:
> {code}
> diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java
> index 0258f0c..35bd3ba 100644
> --- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java
> +++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java
> @@ -181,6 +181,8 @@ public class WSSecSignature extends WSSecSignatureBase {
>          if (!useCustomSecRef) {
>              secRef = new SecurityTokenReference(doc);
>              strUri = getWsConfig().getIdAllocator().createSecureId("STR-", secRef);
> +            secRef.addWSSENamespace();
> +            secRef.addWSUNamespace();
>              secRef.setID(strUri);
>              
>              //
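Review bot: the two new `addWSSENamespace()` / `addWSUNamespace()` calls sit inside the `if (!useCustomSecRef)` branch, so a caller-supplied SecurityTokenReference still goes out without the `xmlns:wsse` / `xmlns:wsu` declarations and hits the same standalone-validation failure; either apply the declarations on both paths or document that a custom reference must carry them itself. The report also asks for the behaviour to be at least configurable, while the hunk hard-wires it, so a switch on the config returned by `getWsConfig()` would match the request. Since the STR lives in ds:KeyInfo, which none of the ds:Reference URIs in the sample signature cover, the extra declarations do not change any signed digest, but a unit test that parses the emitted ds:Signature as a standalone fragment would lock the fix in.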
> {code}
> Then:
> {code:xml}
> ....
> <wsse:SecurityTokenReference wsu:Id="STR-906b1964-8e27-40a5-a2ed-7f4ac9dabd69" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>       <ds:X509Data>
>         <ds:X509IssuerSerial>
>           <ds:X509IssuerName>CN=CERT,OU=Development,O=Org,L=City,ST=State,C=US</ds:X509IssuerName>
>           <ds:X509SerialNumber>13887123756357751743</ds:X509SerialNumber>
>         </ds:X509IssuerSerial>
>       </ds:X509Data>
>     </wsse:SecurityTokenReference>
> ...
> {code}
> As far as I can tell, the same problem is present in earlier versions (1.6) as well.
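Added example, not from the report or from WSS4J: a Python check that reproduces the failure mode described in the issue. It cuts a ds:Signature out of a constructed envelope as raw text (what a consumer holds after decrypting it), parses the fragment on its own, lists the prefixes the fragment uses but never declares, and applies the same remedy as the patch by declaring wsse and wsu on the SecurityTokenReference. The envelope, Ids and issuer values are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed, cut-down envelope: wsse/wsu are declared on soapenv:Envelope,
# so the ds:Signature below depends on its ancestor for those bindings.
ENVELOPE = f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">
  <ds:Signature Id="SIG-1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:KeyInfo Id="KI-1">
      <wsse:SecurityTokenReference wsu:Id="STR-1">
        <ds:X509Data><ds:X509IssuerSerial>
          <ds:X509IssuerName>CN=CERT,O=Org</ds:X509IssuerName>
          <ds:X509SerialNumber>1</ds:X509SerialNumber>
        </ds:X509IssuerSerial></ds:X509Data>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</soapenv:Envelope>"""

def extract_signature(envelope):
    """Cut the ds:Signature element out as raw text, which is what a consumer
    holds after decrypting an EncryptedData element that wrapped it."""
    start = envelope.index("<ds:Signature")
    end = envelope.index("</ds:Signature>") + len("</ds:Signature>")
    return envelope[start:end]

def standalone_parse_error(fragment):
    """Parse the fragment with no surrounding context; parser message or None."""
    try:
        ET.fromstring(fragment)
        return None
    except ET.ParseError as err:
        return str(err)

def undeclared_prefixes(fragment):
    """Lexical triage: prefixes used in tag or attribute names but not declared
    anywhere in the fragment (scope-naive; a parser gives the final answer)."""
    used = set(re.findall(r"<([A-Za-z_][\w.-]*):", fragment))
    used |= set(re.findall(r"\s([A-Za-z_][\w.-]*):[\w.-]+=", fragment))
    declared = set(re.findall(r"xmlns:([A-Za-z_][\w.-]*)=", fragment))
    return sorted(used - declared - {"xmlns"})

def declare_str_namespaces(fragment):
    """Same effect as the patch: declare wsse and wsu on the STR start tag."""
    decl = f'<wsse:SecurityTokenReference xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}" '
    return fragment.replace("<wsse:SecurityTokenReference ", decl)
```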



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
