ws-wss4j-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dittmann, Werner" <werner.dittm...@siemens.com>
Subject AW: AW: signature verification fail when modifying soap body by intermediate
Date Fri, 11 Nov 2005 08:09:23 GMT
Hi Yinghui,

it is a very common misunderstanding that canonicalization
removes what you call "insignificant change". This is not
true. C14n canonicalizes the namespace ordering,
which namespaces to use, etc. Also the parser usually performs 
some adjustments inside the tags. But c14n does not modify/remove
data that appears outside the tags, e.g. newlines that were added
to do  "pretty printing" or something else.

Regards,
Werner

> -----Urspr√ľngliche Nachricht-----
> Von: yinghui chen [mailto:yinghui77@hotmail.com] 
> Gesendet: Freitag, 11. November 2005 08:53
> An: Dittmann, Werner; wss4j-dev@ws.apache.org
> Betreff: RE: AW: signature verification fail when modifying 
> soap body by intermediate
> 
> Hello, Werner,
>   Many thanks for the response. You are right that 
> constructing a new DOM 
> tree might modify element in some way. But before signature 
> verification, 
> the XML should go through the canonicalization process, which 
> should make 
> sure any insignificant change, for example, line feed, extra 
> blank space 
> etc, should not effect the signature verification. So do you 
> think it might 
> be a kind of bug within canonicalization code?
> 
> Best Regards,
> Yinghui
> 
> 
> >From: "Dittmann, Werner" <werner.dittmann@siemens.com>
> >To: "yinghui chen" <yinghui77@hotmail.com>, <wss4j-dev@ws.apache.org>
> >Subject: AW: signature verification fail when modifying soap body by 
> >intermediate Date: Fri, 11 Nov 2005 08:22:32 +0100
> >
> >Yinghui,
> >
> >that failure may have several reasons. Fist of all,
> >you are right that modifiying/addin an element that was
> >not part of the Signature should not cause the verification
> >to fail.
> >
> >However, my assumption is that during the modification of the
> >body ny adding another element also the original element (A)
> >is modifiy somehow. To add the second element (B) someone
> >usually needs to parse the body, building a DOM tree, insert
> >the new element and serialize the DOM into a new body.
> >
> >If during this parsing/inserting/serialization process the element
> >A is modifiyied in some way the verification fails. Modification
> >in this case mean e.g. adding a newline character, a blank, a tab
> >or something else. This very often occurs during the above mentioned
> >steps. After Singing an element this element _must not_ be modified
> >in the way described above. You may check the whole stuff if you
> >really look at the request using e.g. TCPMON before the request
> >enters procesing of company B and after processing.
> >
> >Regards,
> >Werner
> >
> > > -----Urspr√ľngliche Nachricht-----
> > > Von: yinghui chen [mailto:yinghui77@hotmail.com]
> > > Gesendet: Donnerstag, 10. November 2005 22:32
> > > An: wss4j-dev@ws.apache.org
> > > Betreff: signature verification fail when modifying soap body
> > > by intermediate
> > >
> > > Dear All,
> > >   I am currently applying the wss4j for a small project. But
> > > we are having a
> > > problem of signature verification failure. Here is the 
> description.
> > >   For example, company A construct a SOAP message, and sign
> > > element A within
> > > the SOAP body. And then company A send the SOAP to company B.
> > > Company B
> > > insert an element B into the SOAP body. The element B is 
> a sibling of
> > > element A. And then Company B forward the SOAP to Company C.
> > > The Company C
> > > verifies the signature, but it fails. I have tried the case
> > > if Company B
> > > does not insert element B, the signature verification is success.
> > >   The thing that I do not understand is that company A sign
> > > only element A,
> > > why insersion of element B break the signature.
> > >   I attached the source code together with the email.
> > >
> > > I am looking forward to your help,
> > > Yinghui
> > >
> > >
> > >
> > > 
> ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> > > For additional commands, e-mail: wss4j-dev-help@ws.apache.org
> > >
> > >
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> >For additional commands, e-mail: wss4j-dev-help@ws.apache.org
> >
> 
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


Mime
View raw message