https://issues.apache.org/bugzilla/show_bug.cgi?id=47853
--- Comment #8 from trat...@yahoo.com 2009-09-17 04:42:10 PDT ---

Hi,

I did another test without using the opensaml jar. I only used the xmlsec-1.4.2.jar; following is the manifest:

    Manifest-Version: 1.0
    Ant-Version: Apache Ant 1.7.0
    Created-By: 1.4.2_17-b06 (Sun Microsystems Inc.)
    Built-By: mullan
    Name: xmlsec
    Implementation-Title: Apache-XML-Security-J
    Implementation-Version: 1.4.2 June 23 2008
    Implementation-Vendor: Apache Software Foundation

I checked the canonicalized references in the good signature and the bad signature and compared what is different according to the log.

In the assertion that was signed there are no namespace declarations for soapenv (since the assertion was signed by itself, and only afterwards was it copy-pasted into the SOAP wrapper):

    <saml:Assertion AssertionID="saml-2" ID="Assertion" IssueInstant="2008-08-15T02:12:44.179Z" Issuer="urn:test-sts" MajorVersion="1" MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:Conditions NotBefore="2008-11-03T05:00:00.000Z" NotOnOrAfter="2009-12-01T03:08:59.000Z"/>
      <saml:Advice/>
      <saml:AttributeStatement>
        <saml:Subject>
          <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">root</saml:NameID>
        </saml:Subject>
        <saml:Attribute Name="AppId">
          <saml:AttributeValue>SRM</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>

but during validation the canonicalized reference looks like this:

    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" AssertionID="saml-2" ID="Assertion" IssueInstant="2008-08-15T02:12:44.179Z" Issuer="urn:test-sts" MajorVersion="1" MinorVersion="1">
      <saml:Conditions NotBefore="2008-11-03T05:00:00.000Z" NotOnOrAfter="2009-12-01T03:08:59.000Z"></saml:Conditions>
      <saml:Advice></saml:Advice>
      <saml:AttributeStatement>
        <saml:Subject>
          <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">root</saml:NameID>
        </saml:Subject>
        <saml:Attribute Name="AppId">
          <saml:AttributeValue>SRM</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>

As you can see, the xmlns declarations for soapenv and wsse were added to the saml:Assertion tag even though javax.xml.crypto.dsig.CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS is being used. This is why the reference validation is failing.
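An added illustration, not code from the bug report or from xmlsec, of the namespace rule the comment relies on: inclusive C14N renders every namespace node in scope at the apex element, while exclusive C14N renders only the prefixes that element itself visibly uses, so a correct exclusive canonicalization of an assertion pasted into a SOAP wrapper must not pick up soapenv or wsse. The SOAP message and the helper names (in_scope_namespaces, visibly_utilized, apex_declarations) are constructed for this example; only the declarations on the apex start tag are computed.

```python
from xml.dom import minidom
from xml.dom.minidom import Element

XMLNS = "http://www.w3.org/2000/xmlns/"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

SOAP_MSG = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <soapenv:Header><wsse:Security>
    <saml:Assertion ID="Assertion" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:AttributeStatement><saml:Attribute Name="AppId">
        <saml:AttributeValue>SRM</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
    </saml:Assertion>
  </wsse:Security></soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""  # constructed sample: assertion signed stand-alone, then pasted into a SOAP wrapper

def in_scope_namespaces(el):
    """Prefix -> URI bindings visible at `el`: its own declarations plus inherited ones."""
    chain, node = [], el
    while isinstance(node, Element):
        chain.append(node)
        node = node.parentNode
    scope = {}
    for node in reversed(chain):  # outermost first, so inner redeclarations win
        for attr in node.attributes.values():
            if attr.namespaceURI == XMLNS:
                scope[attr.localName if attr.prefix else ""] = attr.value
    return scope

def visibly_utilized(el):
    """Prefixes exclusive C14N counts as used by `el` itself (xmlns attributes excluded)."""
    used = {el.prefix or ""}
    for attr in el.attributes.values():
        if attr.namespaceURI != XMLNS and attr.prefix:
            used.add(attr.prefix)
    return used

def apex_declarations(xml_text, ns, local):
    """(inclusive, exclusive): sorted prefixes each C14N method declares on the
    start tag of the first {ns}local element when that element is the apex."""
    apex = minidom.parseString(xml_text).getElementsByTagNameNS(ns, local)[0]
    scope = in_scope_namespaces(apex)
    inclusive = sorted(scope)  # inclusive C14N renders every in-scope namespace node
    exclusive = sorted(p for p in visibly_utilized(apex) if p in scope)
    return inclusive, exclusive

if __name__ == "__main__":
    print(apex_declarations(SOAP_MSG, SAML_NS, "Assertion"))  # (['saml', 'soapenv', 'wsse'], ['saml'])
```

A validator whose exclusive-C14N output of the Assertion start tag lists soapenv or wsse is applying the inclusive rule, which is exactly what the comment observes.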