
List:       webservices-general
Subject:    [jira] [Closed] (WSS-651) Incorrect signature if document has WSU_NS declared on SOAP Header or Enve
From:       "Colm O hEigeartaigh (JIRA)" <jira () apache ! org>
Date:       2019-07-27 9:08:00
Message-ID: JIRA.13235685.1558897204000.59352.1564218480246 () Atlassian ! JIRA


     [ https://issues.apache.org/jira/browse/WSS-651?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed WSS-651.
-----------------------------------

> Incorrect signature if document has WSU_NS declared on SOAP Header or Envelope
> ------------------------------------------------------------------------------
> 
> Key: WSS-651
> URL: https://issues.apache.org/jira/browse/WSS-651
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 2.2.3
> Reporter: L
> Assignee: Colm O hEigeartaigh
> Priority: Critical
> Fix For: 2.3.0, 2.2.4
> 
> 
> I have run into a problem with documents signed by WSS4J 2.2.3: the "other side" is rejecting some of the documents signed by WSS4J 2.2.3. After some investigation I managed to reproduce it and make WSS4J reject its own signed documents. The problem can be reproduced quite easily with a modified org.apache.wss4j.dom.message.SignatureTest: I have copy-pasted the method testSignedTimestamp() and modified it slightly. This is the full source code of the new method:
> {code:java}
> // crypto, LOG and verify(...) are the existing fixtures of
> // org.apache.wss4j.dom.message.SignatureTest, into which this method is pasted.
> @Test
> public void testSignedTimestamp1() throws Exception {
>     Document doc = SOAPUtil.toSOAPPart(SAMPLE_SOAP_MSG_WSU_NS);
>     WSSecHeader secHeader = new WSSecHeader(doc);
>     secHeader.insertSecurityHeader();
>     WSSecTimestamp timestamp = new WSSecTimestamp(secHeader);
>     timestamp.setTimeToLive(300);
>     timestamp.build();
>     WSSecSignature builder = new WSSecSignature(secHeader);
>     builder.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
>     // Makes no difference, tested with it and without it.
>     // Added to test because my code sets it to false
>     // builder.setAddInclusivePrefixes(false);
>     WSEncryptionPart encP =
>         new WSEncryptionPart(
>             "Timestamp",
>             WSConstants.WSU_NS,
>             "");
>     builder.getParts().add(encP);
>     builder.prepare(crypto);
>     List<javax.xml.crypto.dsig.Reference> referenceList =
>         builder.addReferencesToSign(builder.getParts());
>     builder.computeSignature(referenceList, false, null);
>     String outputString = XMLUtils.prettyDocumentToString(doc);
>     if (LOG.isDebugEnabled()) {
>         LOG.debug("After Signing....");
>         LOG.debug(outputString);
>     }
>     // !!!!
>     // Makes all the difference: validating just signed document works,
>     // validating serialized and parsed document does not
>     Document doc2 = SOAPUtil.toSOAPPart(outputString);
>     // Document doc2 = doc;
>     verify(doc2);
> }
>
> public static final String SAMPLE_SOAP_MSG_WSU_NS =
>     "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
>     + "<SOAP-ENV:Envelope "
>     +     "xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" "
>     +     "xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" "
>     +     "xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" "
>     // !!!!
>     // Makes all the difference: uncomment it and validating the serialized
>     // and parsed document fails
>     // +     "xmlns:u=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\" "
>     +     ">"
>     +     "<SOAP-ENV:Body>"
>     +         "<add xmlns=\"http://ws.apache.org/counter/counter_port_type\">"
>     +             "<value xmlns=\"\">15</value>"
>     +         "</add>"
>     +     "</SOAP-ENV:Body>"
>     + "</SOAP-ENV:Envelope>";
> {code}
> 
> 
> Important parts marked with '!!!!' comments:
> # You need to verify the document after it was serialized and parsed back. Then the verification fails. Verifying the signed document "in memory" succeeds.
> # The original (to-be-signed) document must have the WSU_NS namespace declared with some prefix other than 'wsu' on any ancestor of the wsse:Security element to be inserted.
> 
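The report's second condition is that WSU_NS is already bound to a prefix other than 'wsu' on an ancestor of the Security header. The added example below is not WSS4J code and does not reproduce the bug itself; it illustrates why a prefix rebinding on the wire is fatal to a signature: under the canonicalization WS-Security signatures use, the namespace prefix is literal signed material, so the same Timestamp infoset serialized as u:Timestamp and as wsu:Timestamp digests differently, while attribute order is normalized away. Assumptions: Python's stdlib C14N 2.0 stands in for Exclusive C14N 1.0 (both keep the prefix as written), and the Timestamp values are constructed.

```python
import hashlib
from typing import Tuple
import xml.etree.ElementTree as ET

# Namespace from the report; the Timestamp contents below are constructed samples.
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"


def canonical_digest(fragment: str) -> Tuple[bytes, str]:
    """Canonicalize an XML fragment and return (canonical bytes, hex SHA-256).

    Assumption: stdlib canonicalize() is C14N 2.0, not the Exclusive C14N 1.0
    used by WS-Security; the property shown here (the prefix is preserved
    verbatim, namespace declarations and attributes are re-ordered) holds
    for both.
    """
    canon = ET.canonicalize(fragment, with_comments=False).encode("utf-8")
    return canon, hashlib.sha256(canon).hexdigest()


def timestamp_fragment(prefix: str, attrs_first: bool = False) -> str:
    """Constructed Timestamp subtree bound to WSU_NS under the given prefix.

    attrs_first swaps the source order of the Id attribute and the namespace
    declaration, which C14N must normalize away.
    """
    ns_decl = f'xmlns:{prefix}="{WSU_NS}"'
    id_attr = f'{prefix}:Id="TS-1"'
    attrs = f"{id_attr} {ns_decl}" if attrs_first else f"{ns_decl} {id_attr}"
    return (
        f"<{prefix}:Timestamp {attrs}>"
        f"<{prefix}:Created>2019-07-27T09:08:00Z</{prefix}:Created>"
        f"<{prefix}:Expires>2019-07-27T09:13:00Z</{prefix}:Expires>"
        f"</{prefix}:Timestamp>"
    )


def same_digest(a: str, b: str) -> bool:
    """True when two fragments would satisfy the same ds:DigestValue."""
    return canonical_digest(a)[1] == canonical_digest(b)[1]


if __name__ == "__main__":
    # Same infoset, attribute order differs: digests match (C14N does its job).
    print(same_digest(timestamp_fragment("wsu"), timestamp_fragment("wsu", True)))
    # Same infoset, prefix differs: digests diverge, the reference check fails.
    print(same_digest(timestamp_fragment("wsu"), timestamp_fragment("u")))
```

The verifier on the receiving side sees only the serialized bytes, which is why the report's round trip through SOAPUtil.toSOAPPart(outputString) is the check that matters.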



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org

