Hi Colm,

Realized that the issue is with AXIS. It is optimizing namespace declarations.

For example, owsm signed the element below:
------------------------------------------------
<wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="BST-2NQixJV5aafKsVvYq15hlw22">M+/8im3Pgzb3insPQq+N6BcQP9uiPv3fL/BDuIL</wsse:BinarySecurityToken>

But below element was sent somehow from oracle's webservices stack (after added default namespace):
------------------------------------------------
<wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="BST-2NQixJV5aafKsVvYq15hlw22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">M+/8im3Pgzb3insPQq+N6BcQP9uiPv3fL/BDuIL</wsse:BinarySecurityToken>

While the element below is received by wss4j (realized that somehow AXIS is doing optimization and removed the prefix to give preference to the default namespace):
------------------------------------------------
<BinarySecurityToken xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="BST-2NQixJV5aafKsVvYq15hlw22">M+/8im3Pgzb3insPQq+N6BcQP9uiPv3fL/BDuIL</BinarySecurityToken>

I had a talk with the web services team, but they say that this should be OK for wss4j while doing exclusive canonicalization, as they are also doing this as per standard specs, so wss4j should also handle this.

Please let me know if anything can be done about this at wss4j end.

thanks
Nitin

Colm O hEigeartaigh (JIRA) wrote:
[ https://issues.apache.org/jira/browse/WSS-181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704550#action_12704550 ]
Colm O hEigeartaigh commented on WSS-181:
-----------------------------------------


Who's adding the extra default namespaces (and why)? Are they added at the owsm 
client or the Axis server end? Can you attach the client request?

Signature verification should not fail due to default namespaces added after 
signing when using exclusive canonicalization
--------------------------------------------------------------------------------------------------------------------------

                Key: WSS-181
                URL: https://issues.apache.org/jira/browse/WSS-181
            Project: WSS4J
         Issue Type: Bug
         Components: WSS4J Core
   Affects Versions: 1.5.7
        Environment: tomcat + axis 1.4 + wss4j 1.5.7
           Reporter: Nitin Handa
           Assignee: Ruchith Udayanga Fernando
           Priority: Blocker

Signature verification failing but it should not when using exclusive 
canonicalization.
Below timestamp element was signed by owsm:-
<wsu:Timestamp 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
wsu:Id="Timestamp-iZia05BtcBfzdM8WfpM1fA22">
<wsu:Created ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-20T17:09:24Z</wsu:Created>
<wsu:Expires ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-20T17:14:24Z</wsu:Expires></wsu:Timestamp>
while below timestamp element was received by wss4j:-
<wsu:Timestamp 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
wsu:Id="Timestamp-iZia05BtcBfzdM8WfpM1fA22">
<wsu:Created ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-20T17:09:24Z</wsu:Created>
<wsu:Expires ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-20T17:14:24Z</wsu:Expires></wsu:Timestamp>
Note that default namespace is also there so wss4j verification failed while it should be ignored as this default namespace is unused.
This same case is with STR and BST too..
Canonicalized STR & BST at wss4j end used default namespace which 
canonicalization
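
Added example (not part of the original thread, and not WSS4J or Axis code): a simplified Exclusive C14N over the three BinarySecurityToken variants discussed above, showing that an unused default namespace leaves the digest unchanged while dropping the wsse prefix changes it. Assumptions: the canonicalizer covers only elements, attributes and text with no InclusiveNamespaces list; the wsu:Id and token value are shortened, constructed stand-ins; SHA-256 stands in for whatever digest the signature actually uses.

```python
import hashlib
from xml.dom import minidom

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

def _esc(s, attr=False):
    s = s.replace("&", "&amp;").replace("<", "&lt;")
    if attr:
        s = s.replace('"', "&quot;").replace("\t", "&#x9;").replace("\n", "&#xA;")
        return s.replace("\r", "&#xD;")
    return s.replace(">", "&gt;").replace("\r", "&#xD;")

def _prefix(qname):
    return qname.split(":")[0] if ":" in qname else ""

def exc_c14n(node, scope=None, rendered=None):
    """Simplified Exclusive C14N: elements, attributes and text only."""
    scope, rendered = dict(scope or {}), dict(rendered or {})
    attrs = []
    for a in node.attributes.values():
        if a.name == "xmlns" or a.name.startswith("xmlns:"):
            scope[a.name[6:]] = a.value          # key "" is the default namespace
        else:
            attrs.append(a)
    # Only prefixes visibly used by the element or its attributes are emitted.
    used = {_prefix(node.tagName)} | {_prefix(a.name) for a in attrs if ":" in a.name}
    out = "<" + node.tagName
    for p in sorted(used):                       # "" (default) sorts first
        uri = scope.get(p, "")
        if rendered.get(p, "") != uri:
            rendered[p] = uri
            out += ' %s="%s"' % ("xmlns:" + p if p else "xmlns", _esc(uri, True))
    # Attributes sort by (namespace URI, local name); unprefixed ones have no namespace.
    key = lambda a: (scope.get(_prefix(a.name), "") if ":" in a.name else "",
                     a.name.split(":")[-1])
    for a in sorted(attrs, key=key):
        out += ' %s="%s"' % (a.name, _esc(a.value, True))
    out += ">"
    for c in node.childNodes:
        if c.nodeType == c.TEXT_NODE:
            out += _esc(c.data)
        elif c.nodeType == c.ELEMENT_NODE:
            out += exc_c14n(c, scope, rendered)
    return out + "</%s>" % node.tagName

def digest(xml):
    canon = exc_c14n(minidom.parseString(xml).documentElement)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def bst(tag, decls):  # constructed sample: Id and token value are placeholders
    return '<%s %s wsu:Id="BST-1">TOKEN</%s>' % (tag, decls, tag)

SIGNED = bst("wsse:BinarySecurityToken", 'xmlns:wsse="%s" xmlns:wsu="%s"' % (WSSE, WSU))
SENT = bst("wsse:BinarySecurityToken", 'xmlns:wsse="%s" xmlns="%s" xmlns:wsu="%s"' % (WSSE, WSSE, WSU))
RECEIVED = bst("BinarySecurityToken", 'xmlns="%s" xmlns:wsu="%s"' % (WSSE, WSU))
```

digest(SIGNED) equals digest(SENT), but digest(RECEIVED) differs: exclusive canonicalization drops unused declarations yet never rewrites the prefix of a qualified name, so a prefix change made in transit breaks the reference digest.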

