List:       xmlrpc-user
Subject:    [jira] [Updated] (WSS-699) org.apache.wss4j.dom.transform.STRTransform not compliant with Oracle spe
From:       "Colm O hEigeartaigh (Jira)" <jira () apache ! org>
Date:       2023-07-12 10:47:00
Message-ID: JIRA.13542314.1688396068000.146376.1689158820039 () Atlassian ! JIRA


     [ https://issues.apache.org/jira/browse/WSS-699?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated WSS-699:
------------------------------------
    Fix Version/s: 2.4.2
                   3.0.1

> org.apache.wss4j.dom.transform.STRTransform not compliant with Oracle spec
> --------------------------------------------------------------------------
> 
> Key: WSS-699
> URL: https://issues.apache.org/jira/browse/WSS-699
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 2.4.1
> Reporter: Luigi De Masi
> Assignee: Colm O hEigeartaigh
> Priority: Blocker
> Fix For: 2.4.2, 3.0.1
> 
> 
> According to the Oracle specification, an implementor of the transform method of class
> javax.xml.crypto.dsig.Transform should return null if the data was written to the
> OutputStream parameter:
> https://docs.oracle.com/en/java/javase/17/docs/api/java.xml.crypto/javax/xml/crypto/dsig/Transform.html#transform(javax.xml.crypto.Data,javax.xml.crypto.XMLCryptoContext,java.io.OutputStream)
> but this commit breaks the specification, changing the return value from null to an
> empty XMLSignatureInput object:
> https://github.com/apache/ws-wss4j/commit/20e8e4e0406b3053cf26f82b39e882d8dd33da9a
> This is causing some issues during signature validation:
> {code}
> Caused by: javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.dsig.TransformException: java.lang.RuntimeException: unrecoverable error retrieving nodeset
>     at java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMReference.transform(DOMReference.java:552)
>     at java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMReference.validate(DOMReference.java:385)
>     at java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:278)
>     at my.company.test.SignatureValidator.validateSignature(SignatureValidator.java:148)
>     at my.company.test.SignatureValidator.validateSecurityHeader(SignatureValidator.java:125)
>     at my.company.test.SignatureValidator.validate(SignatureValidator.java:82)
>     at my.company.test.SignatureValidatorTest.testSaml1Original(SignatureValidatorTest.java:66)
>     ... 70 more
> Caused by: javax.xml.crypto.dsig.TransformException: java.lang.RuntimeException: unrecoverable error retrieving nodeset
>     at java.xml.crypto/org.jcp.xml.dsig.internal.dom.ApacheCanonicalizer.canonicalize(ApacheCanonicalizer.java:174)
>     at java.xml.crypto/org.jcp.xml.dsig.internal.dom.ApacheCanonicalizer.canonicalize(ApacheCanonicalizer.java:108)
>     at java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMCanonicalXMLC14NMethod.transform(DOMCanonicalXMLC14NMethod.java:73)
>     at java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMReference.transform(DOMReference.java:493)
>     ... 76 more
> Caused by: java.lang.RuntimeException: unrecoverable error retrieving nodeset
>     at org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData.iterator(ApacheNodeSetData.java:53)
>     at java.xml.crypto/org.jcp.xml.dsig.internal.dom.ApacheCanonicalizer.canonicalize(ApacheCanonicalizer.java:159)
>     ... 79 more
> Caused by: java.lang.RuntimeException: getNodeSet() called but no input data present
>     at org.apache.xml.security.signature.XMLSignatureInput.getNodeSet(XMLSignatureInput.java:228)
>     at org.apache.xml.security.signature.XMLSignatureInput.getNodeSet(XMLSignatureInput.java:190)
>     at org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData.iterator(ApacheNodeSetData.java:50)
>     ... 80 more
> {code}
> 
> 
> 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
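
The return-value contract described in the report above, as an added example that is not part of the original message and is not WSS4J or JDK code. `CopyTransform`, `bytesToDigest`, the algorithm URI and the sample input are hypothetical, and the caller is a simplified stand-in for a signature validator that treats a non-null result as data still to be processed.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.spec.AlgorithmParameterSpec;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;

public class TransformContractDemo {
    /** Hypothetical streaming transform; returnsNull=false mimics the reported regression. */
    static final class CopyTransform implements Transform {
        private final boolean returnsNull;
        CopyTransform(boolean returnsNull) { this.returnsNull = returnsNull; }
        public String getAlgorithm() { return "urn:example:copy"; } // constructed URI
        public AlgorithmParameterSpec getParameterSpec() { return null; }
        public boolean isFeatureSupported(String feature) { return false; }
        public Data transform(Data d, XMLCryptoContext c) { return d; }
        public Data transform(Data d, XMLCryptoContext c, OutputStream os)
                throws TransformException {
            try (InputStream in = ((OctetStreamData) d).getOctetStream()) {
                in.transferTo(os); // the result is delivered through os
            } catch (IOException e) {
                throw new TransformException(e);
            }
            // Contract: null means "already written to os". A non-null value
            // tells the caller that the returned Data is the result instead.
            return returnsNull ? null : new OctetStreamData(InputStream.nullInputStream());
        }
    }

    /** Simplified caller: a non-null result replaces whatever was streamed. */
    static byte[] bytesToDigest(Transform t, byte[] input) throws Exception {
        ByteArrayOutputStream os = new ByteArrayOutputStream();
        Data out = t.transform(new OctetStreamData(new ByteArrayInputStream(input)), null, os);
        if (out == null) {
            return os.toByteArray(); // streamed output is the transform result
        }
        try (InputStream in = ((OctetStreamData) out).getOctetStream()) {
            return in.readAllBytes(); // empty placeholder: nothing left to digest
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] sample = "<a>constructed sample</a>".getBytes(StandardCharsets.UTF_8);
        System.out.println("null return:     "
                + bytesToDigest(new CopyTransform(true), sample).length + " bytes");
        System.out.println("non-null, empty: "
                + bytesToDigest(new CopyTransform(false), sample).length + " bytes");
    }
}
```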