Re: Validation failing due to empty namespace in tag

2018-03-05 Thread Al Ramsey
Thank you Colm – another engineer actually found the culprit today.  It was a 
bug with xmlsec (https://issues.apache.org/jira/browse/SANTUARIO-412), and 
after we upgraded the version of the library, it now works!

-Al



From: Colm O hEigeartaigh <cohei...@apache.org>
Reply-To: "users@ws.apache.org" <users@ws.apache.org>, "cohei...@apache.org" 
<cohei...@apache.org>
Date: Monday, March 5, 2018 at 4:53 AM
To: "users@ws.apache.org" <users@ws.apache.org>
Subject: Re: Validation failing due to empty namespace in tag

I'm not sure why you are seeing empty namespaces. Could you create a unit test 
or some way of reproducing the problem that I can look at?
Colm.

On Sun, Mar 4, 2018 at 9:46 AM, Al Ramsey 
<aram...@vecna.com> wrote:
We’re currently trying to migrate WSS4J from version 1.6 to 2.0.1 but our 
integration tests to the service provider are now failing.  A highlighted 
overview is given below:

• In the SignedInfo node, two references were hashed - (1) Timestamp, and (2) 
Body.  Validation of (1) the Timestamp SHA1 digest against the expected value 
passes, but it fails for (2) the Body.  WSS4J decrypts the Body successfully, 
but fails in the validation.
• We made some changes with our WSS4J configuration based on the 
recommendations from the WSS4J Migration Guide (link: 
https://ws.apache.org/wss4j/migration/wss4j20.html).
• When I manually removed an empty namespace in one of the tags, a manual check 
of the SHA1 digest appears to finally succeed.
• WSS4J first decrypts the Body, then performs a canonical transformation prior 
to validation.  An empty namespace in one of the tags seems to show up in our 
application when we use WSS4J 2.0.1 but it does not show up when using WSS4J 
1.6.

An illustrative example: the decoded Body is:

http://ebs.health.ontario.ca/; 
xmlns:b="http://msa.ebs.health.ontario.ca/; 
xmlns:c="http://hcv.health.ontario.ca/; 
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/; 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd;>676345d6-3fc4-434c-96b3-012c73672b6a1286844022Ask
 the cardholder to either visit the local ServiceOntario office or call 1 
800-268-1154.10The
 Health Number submitted does not exist on the ministry's 
systemFAILED_MOD10YX

… and the Body after canonical transformation is:

http://schemas.xmlsoap.org/soap/envelope/; 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd;
 wsu:Id="Body-42a8192d-3065-451d-bfeb-1156ae118da4">http://hcv.health.ontario.ca/;>676345d6-3fc4-434c-96b3-012c73672b6a1286844022Ask
 the cardholder to either visit the local ServiceOntario office or call 1 
800-268-1154.10The
 Health Number submitted does not exist on the ministry's 
systemFAILED_MOD10YX

I had to manually change



to the following:



A manual check of the SHA1 digest tells me it would now pass validation.  I am 
not sure why the empty namespace appears when using WSS4J 2.0.1 and not 1.6.  
Did I miss a configuration when I updated them?



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


Re: Validation failing due to empty namespace in tag

2018-03-05 Thread Colm O hEigeartaigh
I'm not sure why you are seeing empty namespaces. Could you create a unit
test or some way of reproducing the problem that I can look at?

Colm.

On Sun, Mar 4, 2018 at 9:46 AM, Al Ramsey  wrote:

> We’re currently trying to migrate WSS4J from version 1.6 to 2.0.1 but our
> integration tests to the service provider are now failing.  A highlighted
> overview is given below:
>
> • In the SignedInfo node, two references were hashed - (1) Timestamp, and
> (2) Body.  Validation of (1) the Timestamp SHA1 digest against the expected
> value passes, but it fails for (2) the Body.  WSS4J decrypts the Body
> successfully, but fails in the validation.
> • We made some changes with our WSS4J configuration based on the
> recommendations from the WSS4J Migration Guide (link:
> https://ws.apache.org/wss4j/migration/wss4j20.html).
> • When I manually removed an empty namespace in one of the tags, a manual
> check of the SHA1 digest appears to finally succeed.
> • WSS4J first decrypts the Body, then performs a canonical transformation
> prior to validation.  An empty namespace in one of the tags seems to show up
> in our application when we use WSS4J 2.0.1 but it does not show up when
> using WSS4J 1.6.
>
> An illustrative example: the decoded Body is:
>
> http://ebs.health.ontario.ca/; xmlns:b="
> http://msa.ebs.health.ontario.ca/; xmlns:c="http://hcv.health.ontario.ca/;
> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/; xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-
> 200401-wss-wssecurity-utility-1.0.xsd">676345d6-
> 3fc4-434c-96b3-012c73672b6a1286844022 healthNumber>Ask the cardholder to either visit the local
> ServiceOntario office or call 1 800-268-1154.<
> responseCode>10The Health Number
> submitted does not exist on the ministry's system<
> responseID>FAILED_MOD10YX versionCode>
>
> … and the Body after canonical transformation is:
>
> http://schemas.xmlsoap.org/soap/envelope/;
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-
> 200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body-42a8192d-3065-
> 451d-bfeb-1156ae118da4">http://hcv.health.
> ontario.ca/">676345d6-
> 3fc4-434c-96b3-012c73672b6a1286844022 healthNumber>Ask the cardholder to either visit the local
> ServiceOntario office or call 1 800-268-1154.<
> responseCode>10The Health Number
> submitted does not exist on the ministry's system<
> responseID>FAILED_MOD10YX versionCode>
>
> I had to manually change
>
> 
>
> to the following:
>
> 
>
> A manual check of the SHA1 digest tells me it would now pass validation.
> I am not sure why the empty namespace appears when using WSS4J 2.0.1 and
> not 1.6.  Did I miss a configuration when I updated them?
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


Validation failing due to empty namespace in tag

2018-03-04 Thread Al Ramsey
We’re currently trying to migrate WSS4J from version 1.6 to 2.0.1 but our 
integration tests to the service provider are now failing.  A highlighted 
overview is given below:

• In the SignedInfo node, two references were hashed - (1) Timestamp, and (2) 
Body.  Validation of (1) the Timestamp SHA1 digest against the expected value 
passes, but it fails for (2) the Body.  WSS4J decrypts the Body successfully, 
but fails in the validation. 
• We made some changes with our WSS4J configuration based on the 
recommendations from the WSS4J Migration Guide (link: 
https://ws.apache.org/wss4j/migration/wss4j20.html).
• When I manually removed an empty namespace in one of the tags, a manual check 
of the SHA1 digest appears to finally succeed.
• WSS4J first decrypts the Body, then performs a canonical transformation prior 
to validation.  An empty namespace in one of the tags seems to show up in our 
application when we use WSS4J 2.0.1 but it does not show up when using WSS4J 
1.6.
 
An illustrative example: the decoded Body is:

http://ebs.health.ontario.ca/; 
xmlns:b="http://msa.ebs.health.ontario.ca/; 
xmlns:c="http://hcv.health.ontario.ca/; 
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/; 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd;>676345d6-3fc4-434c-96b3-012c73672b6a1286844022Ask
 the cardholder to either visit the local ServiceOntario office or call 1 
800-268-1154.10The
 Health Number submitted does not exist on the ministry's 
systemFAILED_MOD10YX

… and the Body after canonical transformation is:

http://schemas.xmlsoap.org/soap/envelope/; 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd;
 wsu:Id="Body-42a8192d-3065-451d-bfeb-1156ae118da4">http://hcv.health.ontario.ca/;>676345d6-3fc4-434c-96b3-012c73672b6a1286844022Ask
 the cardholder to either visit the local ServiceOntario office or call 1 
800-268-1154.10The
 Health Number submitted does not exist on the ministry's 
systemFAILED_MOD10YX

I had to manually change 



to the following:



A manual check of the SHA1 digest tells me it would now pass validation.  I am 
not sure why the empty namespace appears when using WSS4J 2.0.1 and not 1.6.  
Did I miss a configuration when I updated them?
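
Added example, not part of the original thread and not WSS4J or xmlsec code: a small diagnostic showing why a stray xmlns="" breaks the Body reference digest while purely lexical differences do not. It assumes Python's standard-library C14N 2.0 as a stand-in for the canonical transformation WSS4J applies, and the sample Body, its urn:example:hcv namespace and its element names are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: the Body as the sender signed it. The urn:example:hcv
# namespace and element names are hypothetical, not the thread's real payload.
SIGNED_BODY = (
    '<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<results xmlns="urn:example:hcv"><responseCode>10</responseCode></results>'
    '</soapenv:Body>'
)
# Same Body after a processing step has added a stray xmlns="" to one element.
RECEIVED_BODY = SIGNED_BODY.replace("<responseCode>", '<responseCode xmlns="">')
# Same Body with only a lexical difference (single-quoted attribute values).
REQUOTED_BODY = SIGNED_BODY.replace('"', "'")


def c14n_sha1(xml_text):
    """Base64 SHA-1 of the canonical form, as stored in ds:DigestValue."""
    canonical = ET.canonicalize(xml_text)  # C14N 2.0, stand-in for WSS4J's transform
    return base64.b64encode(hashlib.sha1(canonical.encode("utf-8")).digest()).decode("ascii")


def undeclared_children(xml_text):
    """Local names of no-namespace elements nested under a namespaced parent.

    These are the elements a serializer has to mark with xmlns="" whenever a
    default namespace is in scope, so they are the first place to look when a
    Body digest stops matching.
    """
    hits = []

    def walk(parent):
        for child in parent:
            if parent.tag.startswith("{") and not child.tag.startswith("{"):
                hits.append(child.tag)
            walk(child)

    walk(ET.fromstring(xml_text))
    return hits


if __name__ == "__main__":
    expected = c14n_sha1(SIGNED_BODY)
    for name, body in [("requoted", REQUOTED_BODY), ("received", RECEIVED_BODY)]:
        print(name, c14n_sha1(body) == expected, undeclared_children(body))
```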