[ https://issues.apache.org/jira/browse/RAMPART-402?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18087800#comment-18087800 ]
Robert Lazarski commented on RAMPART-402:
-----------------------------------------
Deferring to 2.0.1.

Investigated against the 2.0.0 codebase (WSS4J 4.x / Jakarta). The core of the reported bug is real: PolicyBasedResultsValidator.validateSignedPartsHeaders only validates a signed part when wsep.getName() equals the literal "Header" (or the part has an XPath). Named header parts carry the actual header local name (e.g. "To", "VitalHeader"), so policy-required signed headers are currently never verified as signed. The attached patch's fix (change that `else if` to `else` so all non-body parts are checked) is conceptually correct.

However, applying that fix is not sufficient and is why the earlier attempt failed. It makes RampartTest.testWithPolicy case 31 fail with:

    Element must be signed : http://sample.com:VitalHeader

Root cause (confirmed with temporary debug tracing):
- Policy rampart/policy/31.xml uses AsymmetricBinding with <sp:EncryptBeforeSigning/> and lists VitalHeader in BOTH <sp:SignedParts> and <sp:EncryptedParts>.
- Outbound, RampartUtil.getPartsAndElements DOES find {http://sample.com}VitalHeader and adds it to both the sign and encrypt parts lists.
- But at the receiver, the signed set contains only Body and Timestamp; VitalHeader never appears in any signed set, and the server also reports "Expected encrypted part missing". Under EncryptBeforeSigning the header that is both encrypted and signed ends up neither verifiably signed nor encrypted on the wire - it is encrypted away and the by-name signature reference no longer resolves.

The pre-existing test only passed because the broken validator never checked it.

A complete fix therefore needs two parts:
1. The validator change above (ready), and
2. Fixing Rampart's encrypt-before-sign handling so a header that is both encrypted and signed is actually protected, plus teaching the validator to map the encrypted/signed form back to the original header QName.

Part 2 is non-trivial WSS4J 4.x work and is being deferred out of the 2.0.0 release to avoid rushing a change to the signature/encryption validation path. Moving Fix Version to 2.0.1.

> PolicyBasedResultsValidator does not correctly check signed parts
> -----------------------------------------------------------------
>
> Key: RAMPART-402
> URL: https://issues.apache.org/jira/browse/RAMPART-402
> Project: Rampart
> Issue Type: Bug
> Affects Versions: 1.6.2
> Reporter: Nathan Clement
> Assignee: Robert Lazarski
> Priority: Major
> Labels: Patch
> Fix For: 2.0.1
>
> Attachments: check_signed_parts.patch
>
>
> PolicyBasedResultsValidator does not correctly check the signed parts from
> the policy because it is checking that the element name is "Header".
> Obviously this won't match the signed part element name in the policy. I'm
> not sure of the historical reason for this, but I've removed this check in my
> attached patch.
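
A simplified model of the check described in the comment above, added here as an illustration; it is not Rampart source code and not the attached patch. The Part record, the method name and the key format are hypothetical, and the sample signed set is constructed from the values the comment reports (Body and Timestamp only).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Simplified model of the signed-parts check; not Rampart source code.
// Part, missingSignedParts and the key format are hypothetical (Java 16+ for records).
public class SignedPartsCheckDemo {

    // A policy-required signed part. name is "Body", the literal "Header",
    // or a header local name such as "VitalHeader"; xpath may be null.
    record Part(String namespace, String name, String xpath) {}

    // Returns the required parts that are absent from the verified signed set.
    // checkAllNonBody=false models the reported behaviour ("else if" on "Header");
    // checkAllNonBody=true models the patch's idea (plain "else").
    static List<String> missingSignedParts(List<Part> required, Set<String> signed,
                                           boolean checkAllNonBody) {
        List<String> missing = new ArrayList<>();
        for (Part p : required) {
            if ("Body".equals(p.name())) {
                if (!signed.contains("Body")) missing.add("Body");
            } else if (checkAllNonBody || "Header".equals(p.name()) || p.xpath() != null) {
                String key = p.namespace() + ":" + p.name();
                if (!signed.contains(key)) missing.add(key);
            }
            // With checkAllNonBody=false a named header falls through unchecked.
        }
        return missing;
    }

    public static void main(String[] args) {
        // Constructed sample: policy requires Body and VitalHeader to be signed,
        // but the receiver's verified signed set holds only Body and Timestamp.
        List<Part> required = List.of(
                new Part("", "Body", null),
                new Part("http://sample.com", "VitalHeader", null));
        Set<String> signed = Set.of("Body", "Timestamp");

        System.out.println("original check: " + missingSignedParts(required, signed, false));
        System.out.println("patched check:  " + missingSignedParts(required, signed, true));
    }
}
```

The original form accepts a message whose policy-required header was never signed, which is why the pre-existing test could pass; the patched form reports the header as missing, matching the test failure quoted in the comment.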