https://issues.apache.org/bugzilla/show_bug.cgi?id=46888

           Summary: Unable to Create XMLX509IssuerSerial from valid
                    Element
           Product: Security
           Version: unspecified
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Encryption
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: edgar.j.higg...@gmail.com


Created an attachment (id=23397)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=23397)
Java Program that Reproduces the bug

---Overview---
I am receiving an XMLSecurityException ("Cannot create a
http://www.w3.org/2000/09/xmldsig#:X509IssuerSerial from a
http://www.w3.org/2000/09/xmldsig#:X509IssuerSerial element") when trying to
create an XMLX509IssuerSerial - public XMLX509IssuerSerial(Element element,
String baseURI)

---Steps to Reproduce---
I have attached a short Java program that reproduces this issue.  This program
creates a DOM that should be a valid IssuerSerial block in the correct
namespace.  The IssuerSerial Element is then passed to the constructor of
XMLX509IssuerSerial - public XMLX509IssuerSerial(Element element, String
baseURI).

---Actual Results---
An XMLSecurityException ("Cannot create a
http://www.w3.org/2000/09/xmldsig#:X509IssuerSerial from a
http://www.w3.org/2000/09/xmldsig#:X509IssuerSerial element") is thrown by the
constructor.

---Expected Results---
The XMLX509IssuerSerial constructor returns normally.

---Build---
According to the Manifest - this is version 1.4.2_17-b06

---Platform---
-Windows XP SP3
-Bea Weblogic 10.3
-Sun JDK 1.6.0_05

---Additional Information---
I ran across this bug when parsing a SOAP Response from a Web Service call. 
The SOAP response is encrypted.

I looked through the source, and I found that ElementCheckerImpl uses != to
verify the namespace instead of !x.equals(y).

I first encountered this bug when moving my code from Tomcat 6 to Weblogic
10.3.  It worked correctly on Tomcat, but not on Weblogic.  While debugging, I
found that Weblogic and Tomcat use different libraries for parsing the SOAP
Response.  My guess is that when the Tomcat library builds the SOAP Response,
it references org.apache.xml.security.utils.Constants.SignatureSpecNS, while
Weblogic references a different String.  Therefore, when ElementCheckerImpl
executes and compares the namespace to
org.apache.xml.security.utils.Constants.SignatureSpecNS, it fails on Weblogic,
but passes on Tomcat.

I believe the fix should be to change the != to !x.equals(y) in
ElementCheckerImpl.

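The comparison problem described in this report, as an added example that is not part of the original report, its attachment, or the Apache XML Security source. The class, the two guard methods and the exception type are hypothetical; the constant stands in for Constants.SignatureSpecNS, and the inputs are constructed.

```java
public class NamespaceIdentityDemo {
    // Same value as the xmldsig namespace quoted in the report; stands in for
    // org.apache.xml.security.utils.Constants.SignatureSpecNS (assumption).
    static final String SIGNATURE_SPEC_NS = "http://www.w3.org/2000/09/xmldsig#";
    static final String LOCAL_NAME = "X509IssuerSerial";

    // Hypothetical guard using reference comparison, the pattern the report describes.
    static void guardByIdentity(String actualNs, String actualLocalName) {
        if (actualNs != SIGNATURE_SPEC_NS || !LOCAL_NAME.equals(actualLocalName)) {
            throw new IllegalStateException(message(actualNs, actualLocalName));
        }
    }

    // Hypothetical guard using value comparison, the change the report proposes.
    // Calling equals() on the constant keeps the check null-safe.
    static void guardByValue(String actualNs, String actualLocalName) {
        if (!SIGNATURE_SPEC_NS.equals(actualNs) || !LOCAL_NAME.equals(actualLocalName)) {
            throw new IllegalStateException(message(actualNs, actualLocalName));
        }
    }

    // Mirrors the shape of the reported message: expected name, then actual name.
    static String message(String actualNs, String actualLocalName) {
        return "Cannot create a " + SIGNATURE_SPEC_NS + ":" + LOCAL_NAME
                + " from a " + actualNs + ":" + actualLocalName + " element";
    }

    static String outcome(Runnable check) {
        try { check.run(); return "accepted"; }
        catch (IllegalStateException e) { return "rejected: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        // Constructed inputs: equal characters, different object identity.
        String copied = new String(SIGNATURE_SPEC_NS.toCharArray()); // distinct String object
        String interned = copied.intern();                           // canonical pooled object

        System.out.println("identity, copied:   " + outcome(() -> guardByIdentity(copied, LOCAL_NAME)));
        System.out.println("identity, interned: " + outcome(() -> guardByIdentity(interned, LOCAL_NAME)));
        System.out.println("value,    copied:   " + outcome(() -> guardByValue(copied, LOCAL_NAME)));
        System.out.println("value,    wrong ns: " + outcome(() -> guardByValue("urn:example:other", LOCAL_NAME)));
    }
}
```

With the identity guard, the rejection for the copied string prints the same namespace and local name on both sides of the message, which is the shape of the exception quoted in the report; whether such a guard passes depends on whether the component that built the element hands back the canonical String object.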