[ https://issues.apache.org/jira/browse/WSS-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17910949#comment-17910949 ]
Jim Ma edited comment on WSS-715 at 1/8/25 7:25 AM:
----------------------------------------------------

[~coheigea] After this change https://github.com/apache/ws-wss4j/commit/e5436f0192c421b00ce7b3b1004439e28f29ff74 (wss4j 2.3.0), a line break will be added to each line of the <SignatureValue> content:

Before:
{code:java}
<?xml version="1.0" encoding="UTF-8"?><Envelope xmlns="urn:envelope">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>......</DigestValue></Reference></SignedInfo><SignatureValue>
b1OtSA1nWBc5Y9W8gF8tD70qQOXW2jz9dy3J8L4e0dxUzXa4/O+3EdOwEHHF2TxqYwTUlQOQECOTHEQ+ovpxv18yMc8bHlVxyGc1as5lyqdF9Kw2HugXm4BkcVGd0v9wfT3FlRZJkpBQaa2LkpXUMdfU1UKD4jV4xF3/dhEpw2t0eTeJl65Fw41QOEnMIzKe
jFzH1Pz+txCmjlzbg0gnpUtYlB+d6J4OtM4F4h8QAf5PQhK5bmzvcfG+td6Ff0ZfjhQvq90W7JUzShw9p5/MzYwZwrDU8mdyA1M10yovBQm9sQ5dUR4RREi3B+qFi9gYt6aelI9EOTg/knq+7sT0nBOvTppO5O41dXlElH2WfVx9L7v3iES5Zg5rc5NKkDsD
</ds:SignatureValue>
</SignatureValue>
......
</Signature></Envelope>
{code}

After:
{code:java}
<?xml version="1.0" encoding="UTF-8"?><Envelope xmlns="urn:envelope">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>......</DigestValue></Reference></SignedInfo><SignatureValue>
b1OtSA1nWBc5Y9W8gF8tD70qQOXW2jz9dy3J8L4e0dxUzXa4/O+3EdOwEHHF2Txq
YwTUlQOQECOTHEQ+ovpxv18yMc8bHlVxyGc1as5lyqdF9Kw2HugXm4BkcVGd0v9w
fT3FlRZJkpBQaa2LkpXUMdfU1UKD4jV4xF3/dhEpw2t0eTeJl65Fw41QOEnMIzKe
jFzH1Pz+txCmjlzbg0gnpUtYlB+d6J4OtM4F4h8QAf5PQhK5bmzvcfG+td6Ff0Zf
jhQvq90W7JUzShw9p5/MzYwZwrDU8mdyA1M10yovBQm9sQ5dUR4RREi3B+qFi9gY
t6aelI9EOTg/knq+7sT0nBOvTppO5O41dXlElH2WfVx9L7v3iES5Zg5rc5NKkDsD
</SignatureValue>
......
</Signature></Envelope>
{code}

This can be reproduced with these lines of code to sign the SOAP message:
{code:java}
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
try (InputStream is = this.getClass().getClassLoader().getResourceAsStream("soap.xml")) {
    DocumentBuilder builder = dbf.newDocumentBuilder();
    Document doc = builder.parse(is);
    XMLSignatureFactory xmlSignatureFactory = XMLSignatureFactory.getInstance("DOM");
    LOG.info("XMLSignatureFactory implementation type = " + xmlSignatureFactory.getClass().getName());
    LOG.info("Classloader of XMLSignatureFactory implementation = " + xmlSignatureFactory.getClass().getClassLoader());
    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
    keyPairGenerator.initialize(2048);
    KeyPair keyPair = keyPairGenerator.generateKeyPair();
    DOMSignContext domSignContext = new DOMSignContext(keyPair.getPrivate(), doc.getDocumentElement());
    // create SignedInfo
    DigestMethod dm = xmlSignatureFactory.newDigestMethod(DigestMethod.SHA256, null);
    List<Transform> transforms = Collections.singletonList(xmlSignatureFactory.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null));
    Reference ref = xmlSignatureFactory.newReference("", dm, transforms, null, null);
    CanonicalizationMethod cm = xmlSignatureFactory.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS, (C14NMethodParameterSpec) null);
    SignatureMethod sm = xmlSignatureFactory.newSignatureMethod(SignatureMethod.RSA_SHA256, null);
    List<Reference> references = Collections.singletonList(ref);
    SignedInfo si = xmlSignatureFactory.newSignedInfo(cm, sm, references);
    // create keyInfo
    KeyInfoFactory kif = xmlSignatureFactory.getKeyInfoFactory();
    KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(keyPair.getPublic())));
    // create XML Signature
    XMLSignature signature = xmlSignatureFactory.newXMLSignature(si, ki);
    signature.sign(domSignContext);
    // dump DOM with signature to stdout and file
    TransformerFactory tf = TransformerFactory.newInstance();
    Transformer trans = tf.newTransformer();
    FileWriter writer = new FileWriter(new File("signed-result.xml"));
    trans.transform(new DOMSource(doc), new StreamResult(writer));
}
{code}

> Set com.sun.org.apache.xml.internal.security.ignoreLineBreaks to the JDK provider
> ---------------------------------------------------------------------------------
>
>                 Key: WSS-715
>                 URL: https://issues.apache.org/jira/browse/WSS-715
>             Project: WSS4J
>          Issue Type: Improvement
>          Components: WSS4J Core
>    Affects Versions: 2.3.4, 2.4.3, 3.0.4
>            Reporter: Jim Ma
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 2.3.5, 4.0.0, 2.4.4, 3.0.5
>
>
> After https://issues.apache.org/jira/browse/WSS-661, the Provider like
> org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory will be inserted after
> org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory from JDK, hence the
> "com.sun.org.apache.xml.internal.security.ignoreLineBreaks" property should
> be set explicitly as this JDK Provider will be selected.