ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Colm O hEigeartaigh (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (WSS-651) Incorrect signature if document has WSU_NS declared on SOAP Header or Envelope
Date Wed, 12 Jun 2019 16:38:00 GMT

     [ https://issues.apache.org/jira/browse/WSS-651?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Colm O hEigeartaigh resolved WSS-651.
-------------------------------------
    Resolution: Fixed

> Incorrect signature if document has WSU_NS declared on SOAP Header or Envelope
> ------------------------------------------------------------------------------
>
>                 Key: WSS-651
>                 URL: https://issues.apache.org/jira/browse/WSS-651
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.2.3
>            Reporter: L
>            Assignee: Colm O hEigeartaigh
>            Priority: Critical
>             Fix For: 2.3.0, 2.2.4
>
>
> I have run into a problem with documents signed by WSS4J 2.2.3: the "other side" is rejecting
some of documents signed by WSS4J 2.2.3.
> After some investigation I could manage to reproduce it and make WSS4J reject its own
signed documents.
> The problem can be reproduced quite easily with modified org.apache.wss4j.dom.message.SignatureTest:
> I have copy pasted method testSignedTimestamp() and modified it slightly. This is full
source code of the new method:
>  
> {code:java}
>     @Test
>     public void testSignedTimestamp1() throws Exception {
>         Document doc = SOAPUtil.toSOAPPart(SAMPLE_SOAP_MSG_WSU_NS);
>         WSSecHeader secHeader = new WSSecHeader(doc);
>         secHeader.insertSecurityHeader();
>         WSSecTimestamp timestamp = new WSSecTimestamp(secHeader);
>         timestamp.setTimeToLive(300);
>         timestamp.build();
>         WSSecSignature builder = new WSSecSignature(secHeader);
>         builder.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
>         // Makes no difference, tested with it and without it.
>         // Added to test because my code sets it to false
>         // builder.setAddInclusivePrefixes(false);
>         WSEncryptionPart encP =
>             new WSEncryptionPart(
>                 "Timestamp",
>                 WSConstants.WSU_NS,
>                 "");
>         builder.getParts().add(encP);
>         builder.prepare(crypto);
>         List<javax.xml.crypto.dsig.Reference> referenceList =
>             builder.addReferencesToSign(builder.getParts());
>         builder.computeSignature(referenceList, false, null);
>         String  outputString = XMLUtils.prettyDocumentToString(doc);
>         if (LOG.isDebugEnabled()) {
>             LOG.debug("After Signing....");
>             LOG.debug(outputString);
>         }
>         // !!!!
>         // Makes all the difference: validating just signed document works,
>         // validating serialized and parsed document does not
>         Document  doc2 = SOAPUtil.toSOAPPart(outputString);
>         // Document  doc2 = doc;
>         verify(doc2);
>     }
>     public static final String SAMPLE_SOAP_MSG_WSU_NS =
>         "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
>         + "<SOAP-ENV:Envelope "
>         +   "xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" "
>         +   "xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" "
>         +   "xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" "
>         // !!!!
>         // Makes all the difference: uncomment it and validating the serialized
>         // and parsed document fails
>         // +   "xmlns:u=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"
"
>         +   ">"
>         +   "<SOAP-ENV:Body>"
>         +       "<add xmlns=\"http://ws.apache.org/counter/counter_port_type\">"
>         +           "<value xmlns=\"\">15</value>"
>         +       "</add>"
>         +   "</SOAP-ENV:Body>"
>         + "</SOAP-ENV:Envelope>";{code}
>  
>  
> Important parts marked with '!!!!' comments:
>  # You need to verify the document after it was serialized and parsed back. Then the
verification fails. Verifying the signed document "in memory" succeeds.
>  # The original, to be signed, document must have WSU_NS namespace with some prefix other
than 'wsu' declared on any ancestor of the to be inserted wsse:Security
>  
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org


Mime
View raw message