https://issues.apache.org/bugzilla/show_bug.cgi?id=47853

sean.mul...@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #1 from sean.mul...@sun.com 2009-09-16 07:51:27 PDT ---
(In reply to comment #0)
> I am using OpenSAML 2 to validate a digital signature. OpenSAML uses the xmlsec
> jar for validation.
> This works fine when the saml assertion is validated as is.
> The problem happens when the signed assertion is wrapped inside a SOAP
> envelope.
> The SOAP has the SOAP namespace added to it.
> 
> The problem is that the xmlns declaration is added to the SignedInfo during
> the validation.
> 
> The XML being validated looks like:
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>     <SignedInfo>
>         <CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments">
> 
> 
> but if I check the canonicalized signed info with
> signature.getSignedInfo().getCanonicalizedData();
> I get:
> <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>     <CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments">
> 
> The xmlns="http://www.w3.org/2000/09/xmldsig#" was added into the SignedInfo
> and this is why the reference validation is failing.
> (The signature is validated successfully, but the reference validation fails
> because the extra namespace declaration was added).
> 
> How can this be solved?

This is not the reason the signature is invalid. SignedInfo validation is part
of the signature validation and not the reference validation. You need to check
the canonicalized data of the Reference(s) instead. Compare the data when you
validate it before and after you move it into the SOAP envelope. It is likely a
problem in that you are using inclusive C14N instead of exclusive C14N and a
namespace in the SOAP envelope is being included in the canonicalized Reference
and thus invalidating the digest and breaking the signature.

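The check Sean suggests, carried out in code as an added example (this is not code from the bug report, OpenSAML or xmlsec): a constructed SAML Assertion is canonicalized stand-alone and again after being wrapped in a constructed SOAP envelope, once under inclusive and once under exclusive C14N, and the two digests are compared. The canonicalizer is a deliberately small, hand-written subset of the C14N rules (elements, attributes, text and namespace declarations only), which is enough to show the namespace behaviour the comment describes; the XML samples, element names and the `_a75adf55` identifier are all made up for the example.

```python
"""Inclusive vs. exclusive C14N of a signed SAML Assertion that is later wrapped
in a SOAP envelope.  Added example, not code from the bug report, OpenSAML or
xmlsec.  The canonicalizer is a small subset of C14N (elements, attributes, text
and namespace declarations; no comments, PIs, CDATA or unnamespaced elements
under a non-empty default namespace), enough to show the namespace behaviour."""
import hashlib
import io
import xml.etree.ElementTree as ET

# Constructed sample: the Reference data of an enveloped signature, i.e. the
# Assertion after the enveloped-signature transform has removed ds:Signature.
ASSERTION = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
             'ID="_a75adf55" Version="2.0"><saml:Issuer>https://idp.example.test'
             '</saml:Issuer></saml:Assertion>')
# Constructed Signature declaring the xmldsig default namespace, as in the report.
SIGNATURE = ('<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>'
             '<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
             '<Reference URI="#_a75adf55"/></SignedInfo></Signature>')
SOAP = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soapenv:Body>%s</soapenv:Body></soapenv:Envelope>')
ASSERTION_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"
SIGNEDINFO_TAG = "{http://www.w3.org/2000/09/xmldsig#}SignedInfo"

def parse_with_decls(xml_text):
    """Return (root, decls): decls maps each element to the namespace declarations
    on its own start tag, which ElementTree otherwise discards."""
    decls, pending, root = {}, [], None
    for event, payload in ET.iterparse(io.BytesIO(xml_text.encode()),
                                       events=("start-ns", "start")):
        if event == "start-ns":
            pending.append(payload)              # (prefix, uri); '' = default ns
        else:
            decls[payload], pending = dict(pending), []
            root = root if root is not None else payload
    return root, decls

def split_tag(name):
    """'{uri}local' -> (uri, local); 'local' -> ('', local)."""
    return tuple(name[1:].split("}", 1)) if name.startswith("{") else ("", name)

def prefix_for(uri, scope):
    """A prefix bound to uri; the default namespace ('') sorts first."""
    for p, u in sorted(scope.items()):
        if u == uri:
            return p
    raise ValueError("no prefix in scope for " + uri)

def esc(s, attr=False):
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace("\r", "&#xD;")
    return (s.replace('"', "&quot;").replace("\t", "&#x9;").replace("\n", "&#xA;")
            if attr else s.replace(">", "&gt;"))

def c14n(elem, decls, exclusive, scope, rendered):
    """scope: namespaces inherited from ancestors; rendered: declarations already
    emitted by an ancestor.  Inclusive emits all in-scope, exclusive only used ones."""
    scope = {**scope, **decls.get(elem, {})}
    uri, local = split_tag(elem.tag)
    p = prefix_for(uri, scope) if uri else ""
    used, attrs = ({p} if uri else set()), []
    for k, v in elem.attrib.items():
        auri, alocal = split_tag(k)               # prefixed attrs never use ''
        ap = prefix_for(auri, {q: u for q, u in scope.items() if q}) if auri else ""
        used.update([ap] if ap else [])
        attrs.append((auri, alocal, ap + ":" + alocal if ap else alocal, v))
    ns_out = {q: u for q, u in scope.items()
              if (not exclusive or q in used) and rendered.get(q) != u}
    qname = p + ":" + local if p else local
    out = ["<" + qname]
    for q, u in sorted(ns_out.items()):            # C14N orders namespaces by prefix
        out.append(' xmlns%s="%s"' % (":" + q if q else "", esc(u, True)))
    for _, _, aq, v in sorted(attrs):              # ... and attributes by (uri, name)
        out.append(' %s="%s"' % (aq, esc(v, True)))
    out.append(">" + esc(elem.text or ""))
    for child in elem:
        out.append(c14n(child, decls, exclusive, scope, {**rendered, **ns_out}))
        out.append(esc(child.tail or ""))
    return "".join(out) + "</" + qname + ">"

def canonical_subtree(xml_text, tag, exclusive):
    """Canonicalize the first element named tag as the apex of the output: its
    ancestors' declarations are in scope, but nothing has been rendered yet."""
    root, decls = parse_with_decls(xml_text)
    parents = {c: p for p in root.iter() for c in p}
    target = root if root.tag == tag else root.find(".//" + tag)
    chain, anc = [], target
    while anc in parents:
        anc = parents[anc]
        chain.append(decls.get(anc, {}))
    scope = {}
    for d in reversed(chain):
        scope.update(d)
    return c14n(target, decls, exclusive, scope, {})

def reference_digest_survives_wrapping(exclusive):
    """Sean's check: canonicalize the Reference data stand-alone and again inside
    the SOAP envelope.  Returns (digests equal?, alone, wrapped)."""
    alone = canonical_subtree(ASSERTION, ASSERTION_TAG, exclusive)
    wrapped = canonical_subtree(SOAP % ASSERTION, ASSERTION_TAG, exclusive)
    return (hashlib.sha256(alone.encode()).digest()
            == hashlib.sha256(wrapped.encode()).digest(), alone, wrapped)

if __name__ == "__main__":
    for exclusive in (False, True):
        print("exclusive" if exclusive else "inclusive",
              reference_digest_survives_wrapping(exclusive)[::2])
    print(canonical_subtree(SIGNATURE, SIGNEDINFO_TAG, True))  # reporter's xmlns= is expected
```

Under inclusive C14N the Assertion, now the apex of the Reference's canonical form, inherits the envelope's `xmlns:soapenv` declaration and emits it, so the digest no longer matches the one computed at signing time; under exclusive C14N only the visibly used `xmlns:saml` is emitted and the digest is unchanged. The last line shows that what the reporter observed is expected: SignedInfo is in the xmldsig namespace, so both C14N flavours must render `xmlns="http://www.w3.org/2000/09/xmldsig#"` on it when it is canonicalized on its own. The practical consequence is the usual WS-Security advice: sign content that will later be moved into another document with exclusive C14N in the Reference transforms, not inclusive C14N.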