[ https://issues.apache.org/jira/browse/WSS-651?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated WSS-651:
------------------------------------
    Fix Version/s: 2.2.4
                   2.3.0

> Incorrect signature if document has WSU_NS declared on SOAP Header or Envelope
> ------------------------------------------------------------------------------
>
>                 Key: WSS-651
>                 URL: https://issues.apache.org/jira/browse/WSS-651
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.2.3
>            Reporter: L
>            Assignee: Colm O hEigeartaigh
>            Priority: Critical
>             Fix For: 2.3.0, 2.2.4
>
>
> I have run into a problem with documents signed by WSS4J 2.2.3: the "other
> side" is rejecting some of the documents signed by WSS4J 2.2.3.
> After some investigation I managed to reproduce it and make WSS4J reject
> its own signed documents.
> The problem can be reproduced quite easily with a modified
> org.apache.wss4j.dom.message.SignatureTest:
> I have copy-pasted the method testSignedTimestamp() and modified it slightly.
> This is the full source code of the new method:
>
> {code:java}
> @Test
> public void testSignedTimestamp1() throws Exception {
>     Document doc = SOAPUtil.toSOAPPart(SAMPLE_SOAP_MSG_WSU_NS);
>     WSSecHeader secHeader = new WSSecHeader(doc);
>     secHeader.insertSecurityHeader();
>
>     WSSecTimestamp timestamp = new WSSecTimestamp(secHeader);
>     timestamp.setTimeToLive(300);
>     timestamp.build();
>
>     WSSecSignature builder = new WSSecSignature(secHeader);
>     builder.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
>     // Makes no difference, tested with it and without it.
>     // Added to the test because my code sets it to false
>     // builder.setAddInclusivePrefixes(false);
>
>     WSEncryptionPart encP =
>         new WSEncryptionPart("Timestamp", WSConstants.WSU_NS, "");
>     builder.getParts().add(encP);
>
>     builder.prepare(crypto);
>     List<javax.xml.crypto.dsig.Reference> referenceList =
>         builder.addReferencesToSign(builder.getParts());
>     builder.computeSignature(referenceList, false, null);
>
>     String outputString = XMLUtils.prettyDocumentToString(doc);
>     if (LOG.isDebugEnabled()) {
>         LOG.debug("After Signing....");
>         LOG.debug(outputString);
>     }
>
>     // !!!!
>     // Makes all the difference: validating the just-signed document works,
>     // validating the serialized and parsed document does not
>     Document doc2 = SOAPUtil.toSOAPPart(outputString);
>     // Document doc2 = doc;
>     verify(doc2);
> }
>
> public static final String SAMPLE_SOAP_MSG_WSU_NS =
>     "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
>     + "<SOAP-ENV:Envelope "
>     + "xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" "
>     + "xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" "
>     + "xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" "
>     // !!!!
>     // Makes all the difference: uncomment it and validating the serialized
>     // and parsed document fails
>     // + "xmlns:u=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\" "
>     + ">"
>     + "<SOAP-ENV:Body>"
>     + "<add xmlns=\"http://ws.apache.org/counter/counter_port_type\">"
>     + "<value xmlns=\"\">15</value>"
>     + "</add>"
>     + "</SOAP-ENV:Body>"
>     + "</SOAP-ENV:Envelope>";
> {code}
>
>
> The important parts are marked with '!!!!' comments:
> # You need to verify the document after it was serialized and parsed back.
> Then the verification fails. Verifying the signed document "in memory"
> succeeds.
> # The original, to-be-signed document must have the WSU_NS namespace declared
> with some prefix other than 'wsu' on any ancestor of the to-be-inserted
> wsse:Security.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@ws.apache.org
For additional commands, e-mail: dev-h...@ws.apache.org
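The decisive step in the report is verifying the serialized-and-reparsed document instead of the in-memory DOM. The Python script below is added here as an illustration of why that check matters in general; it is not part of the issue and not WSS4J code, and it does not reproduce the WSS4J defect itself. XML Signature digests are computed over a canonical form that keeps namespace prefixes (true of C14N 1.0 and of the exclusive C14N WSS4J uses), so two documents that agree on every namespace URI but bind the WSU namespace to different prefixes ('wsu' versus 'u', as in the report) canonicalize to different bytes, and a serialize-and-parse round trip through a component that rewrites prefixes changes the digest while leaving the Infoset intact. The standard library's `xml.etree.ElementTree.canonicalize` (C14N 2.0) stands in for exclusive C14N here because, with `rewrite_prefixes=False`, it likewise keeps the original prefixes and emits a declaration only where the prefix is used; the envelope and its timestamp values are constructed for the example, and the helper names (`sample_envelope`, `reference_digest`, `round_trip`, `same_infoset`, `round_trip_survives`) are this example's own.

```python
import hashlib
import xml.etree.ElementTree as ET

# Namespace URIs as they appear in the report. The envelope built below is
# constructed for this example and is not the report's SAMPLE_SOAP_MSG_WSU_NS.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
COUNTER_NS = "http://ws.apache.org/counter/counter_port_type"


def sample_envelope(wsu_prefix: str) -> str:
    """Constructed SOAP envelope. The WSU namespace is bound to `wsu_prefix`
    on the Envelope, i.e. on an ancestor of the Timestamp, as in the report.
    Every element is namespaced so the canonicalizer's prefix rewriting
    (which C14N 2.0 offers as an option) applies uniformly."""
    p = wsu_prefix
    return (
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}" xmlns:{p}="{WSU_NS}">'
        "<SOAP-ENV:Header>"
        f'<{p}:Timestamp {p}:Id="TS-1">'
        f"<{p}:Created>2020-01-01T00:00:00Z</{p}:Created>"
        f"<{p}:Expires>2020-01-01T00:05:00Z</{p}:Expires>"
        f"</{p}:Timestamp>"
        "</SOAP-ENV:Header>"
        "<SOAP-ENV:Body>"
        f'<add xmlns="{COUNTER_NS}"><value>15</value></add>'
        "</SOAP-ENV:Body>"
        "</SOAP-ENV:Envelope>"
    )


def reference_digest(xml_text: str, rewrite_prefixes: bool = False) -> str:
    """SHA-256 over the canonical form, the way an XML-DSig Reference digest
    is computed. rewrite_prefixes=False keeps the document's own prefixes,
    which is what C14N 1.0 and exclusive C14N do; True normalises them to
    n0, n1, ... (a C14N 2.0 option) so only namespace URIs matter."""
    canonical = ET.canonicalize(xml_text, rewrite_prefixes=rewrite_prefixes)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def round_trip(xml_text: str) -> str:
    """Parse and re-serialise. ElementTree keeps every namespace URI but
    forgets the prefixes and invents its own (ns0, ns1, ...) on output: the
    Infoset survives, the bytes a prefix-preserving canonicalizer sees do not."""
    return ET.tostring(ET.fromstring(xml_text), encoding="unicode")


def same_infoset(a: str, b: str) -> bool:
    """True when both documents agree once prefixes are normalised away."""
    return reference_digest(a, True) == reference_digest(b, True)


def round_trip_survives(xml_text: str) -> bool:
    """The check the report recommends: does the prefix-preserving digest of
    the in-memory form still match after serialise-and-parse?"""
    return reference_digest(xml_text) == reference_digest(round_trip(xml_text))


if __name__ == "__main__":
    wsu_doc = sample_envelope("wsu")
    u_doc = sample_envelope("u")
    print("same Infoset (prefix-agnostic):  ", same_infoset(wsu_doc, u_doc))
    print("same prefix-preserving digest:   ",
          reference_digest(wsu_doc) == reference_digest(u_doc))
    print("digest survives ET round trip:   ", round_trip_survives(wsu_doc))
```

Run as a script it reports that the 'wsu' and 'u' variants share a prefix-agnostic digest but not a prefix-preserving one, and that the ElementTree round trip does not survive. The defensive takeaway is the report's own: exercise signature verification on the bytes that actually leave the process, not on the DOM that produced them, and treat any component between signer and verifier that may rebind a namespace prefix as part of the signed surface.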