Sean Mullan wrote:
The only other modification of the library I am using at the moment
is to parse reference lists correctly (at all?) during decryption.
For my application (OASIS WS-Security implementation), what ends up
happening with encryption is that you have an encrypted key in the
SOAP header using a reference list to indicate the encrypted data in
the body (probably not a common pattern free form encryption, but
pretty much the usage described in the recommendation
http://www.w3.org/TR/xmlenc-core/#sec-ReferenceList )
The current implementation appears to attempt parsing validation of
the URI references; it is definitely broken for lists of more than
one element, and fails to handle relative URIs (since they can't be
parsed without a base URI).
My fix just gives up on parsing (and actually walks the list ;) I
haven't attempted to handle child elements, but then neither does the
current version.
For the patch it's probably easiest to look at my original message
(it's against 1.34 but there aren't many changes):
http://mail-archives.apache.org/mod_mbox/xml-security-dev/200502.mbox/[EMAIL PROTECTED]
I have applied your patch, thanks for that. Please test out the 1.3 RC
jar when it is released later this week. BTW, just FYI, but the best
way to ensure your bug is not forgotten is to file a report at
issues.apache.org/bugzilla (in the "security" category).
--Sean
Thanks, looking forward to it.
(D'oh. I followed the contrib procedure on the site; somehow sending
the email first must have given me a mental block on using bugzilla, and
then there was the 'omg it's not going to make the release' panic)
C
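
The reference-list handling discussed in this thread, as an added example that is not part of the original messages and is not the patch or the Apache XML Security code: it walks every `xenc:DataReference` in a `ReferenceList` and resolves same-document `#id` URIs to `EncryptedData` elements without parsing them as absolute URIs. The class and method names are hypothetical, and the envelope is a constructed, simplified sample without the SOAP and WS-Security namespaces.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class ReferenceListWalk {
    static final String XENC = "http://www.w3.org/2001/04/xmlenc#";
    // Constructed sample: EncryptedKey in the header, two same-document references into the body.
    static final String SAMPLE = "<Envelope xmlns:xenc='" + XENC + "'>"
        + "<Header><xenc:EncryptedKey><xenc:ReferenceList>"
        + "<xenc:DataReference URI='#enc-1'/><xenc:DataReference URI='#enc-2'/>"
        + "</xenc:ReferenceList></xenc:EncryptedKey></Header>"
        + "<Body><xenc:EncryptedData Id='enc-1'/><xenc:EncryptedData Id='enc-2'/></Body>"
        + "</Envelope>";
    // Returns the EncryptedData element named by every DataReference in the list.
    static List<Element> resolve(Document doc, Element referenceList) {
        List<Element> targets = new ArrayList<>();
        NodeList refs = referenceList.getElementsByTagNameNS(XENC, "DataReference");
        for (int i = 0; i < refs.getLength(); i++) { // every entry, not only the first
            String uri = ((Element) refs.item(i)).getAttribute("URI");
            // "#id" is a relative URI: treat it as a fragment instead of parsing it.
            if (uri.length() < 2 || !uri.startsWith("#"))
                throw new IllegalArgumentException("not a same-document reference: " + uri);
            Element hit = findById(doc, uri.substring(1));
            if (hit == null) throw new IllegalArgumentException("dangling reference: " + uri);
            targets.add(hit);
        }
        return targets;
    }
    // Compare the Id attribute directly; getElementById needs schema or DTD ID typing.
    static Element findById(Document doc, String id) {
        NodeList all = doc.getElementsByTagNameNS(XENC, "EncryptedData");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (id.equals(e.getAttribute("Id"))) return e;
        }
        return null;
    }
    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)));
        Element list = (Element) doc.getElementsByTagNameNS(XENC, "ReferenceList").item(0);
        for (Element e : resolve(doc, list)) System.out.println(e.getAttribute("Id"));
    }
}
```

A reference that is not a same-document fragment, or that points at no `EncryptedData`, is rejected rather than skipped, so a caller never decrypts a partial set silently.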