Hi,
I have an issue with digest verification when using SAAJ versions newer than
1.3. In general my issue is very similar to
SANTUARIO-576 <https://issues.apache.org/jira/browse/SANTUARIO-576>.
With SAAJ 1.3 everything works as intended, but if I use SAAJ 1.4 (or any newer
version, e.g. 3.0.4), the digest verification fails. After some investigation,
I noticed that with the new versions there is a type mismatch in
org.apache.xml.security.c14n.implementations.CanonicalizerBase which leads to
the Signature element not being removed, thus calculating a wrong digest value.
The relevant code is from line 242 onwards:

    case Node.ELEMENT_NODE :
        documentLevel = NODE_NOT_BEFORE_OR_AFTER_DOCUMENT_ELEMENT;
        if (currentNode == excludeNode) {
            break;
        }

In my case excludeNode is of type
com.sun.xml.messaging.saaj.soap.impl.ElementImpl and currentNode is of type
com.sun.org.apache.xerces.internal.dom.ElementNSImpl. Therefore, the condition
currentNode == excludeNode is not true and the excludeNode is not removed.
The behaviour seems to have changed with SAAJ 1.4 because ElementImpl is no
longer extending com.sun.org.apache.xerces.internal.dom.ElementNSImpl. It now
has a private element field to store a reference to the actual Element.
A fix for my issue would be replacing

    if (currentNode == excludeNode)

with

    if (excludeNode != null && excludeNode.isSameNode(currentNode))

but maybe there are better fixes. Especially the case from the Jira Ticket,
where the class types of currentNode and excludeNode are swapped, would not be
fixed with my approach.
Is it possible to fix this in a future version of Santuario? This issue is
blocking the JBoss EAP8 migration of our application.
Kind regards,
Lukas Fabian
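
The comparison problem described in the message, as an added example that is not part of the original message and is not Santuario or SAAJ code. The `wrap` helper and `Wrapped` interface are hypothetical: a dynamic proxy stands in for a wrapper element that keeps the real Element in a field, and its `isSameNode` comparing the underlying nodes is an assumption about how such a wrapper behaves.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class ExcludeNodeIdentityDemo {

    /** Hypothetical marker so the stand-in can unwrap another stand-in. */
    public interface Wrapped { Node unwrap(); }

    /** Constructed stand-in for a wrapper element that keeps the real Element in a field. */
    static Element wrap(Element delegate) {
        InvocationHandler handler = (proxy, method, args) -> {
            if (method.getName().equals("unwrap")) {
                return delegate;
            }
            if (method.getName().equals("isSameNode")) {
                // Assumption: the wrapper compares underlying nodes, not wrapper objects.
                Object other = args[0];
                Node node = other instanceof Wrapped ? ((Wrapped) other).unwrap() : (Node) other;
                return delegate.isSameNode(node);
            }
            try {
                return method.invoke(delegate, args); // everything else is delegated
            } catch (InvocationTargetException e) {
                throw e.getCause();
            }
        };
        return (Element) Proxy.newProxyInstance(ExcludeNodeIdentityDemo.class.getClassLoader(),
                new Class<?>[] {Element.class, Wrapped.class}, handler);
    }

    public static void main(String[] argv) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        Document doc = factory.newDocumentBuilder().newDocument();
        Element signature = doc.createElementNS("http://www.w3.org/2000/09/xmldsig#", "ds:Signature");
        doc.appendChild(signature);

        Node currentNode = signature;        // node the canonicalizer's tree walk reaches
        Node excludeNode = wrap(signature);  // wrapper handed in as the node to exclude
        System.out.println("currentNode == excludeNode          -> " + (currentNode == excludeNode));
        System.out.println("excludeNode.isSameNode(currentNode) -> " + excludeNode.isSameNode(currentNode));
        System.out.println("currentNode.isSameNode(excludeNode) -> " + currentNode.isSameNode(excludeNode));
    }
}
```

With the JDK's built-in DOM implementation, whose `isSameNode` is a reference comparison, only the call made on the wrapper reports a match. The last line corresponds to the swapped case from the Jira ticket, where the wrapper is the argument rather than the receiver.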