You're actually using the streaming canonicalizers here, in which it
appears that there's a bug. If you switch to use the DOM canonicalizers
(the same ones as in 1.5.x) then it appears the output is OK:

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import org.apache.xml.security.signature.XMLSignatureInput;

// DOM-based exclusive canonicalizer (comments omitted), the same one as in 1.5.x
org.apache.xml.security.c14n.implementations.Canonicalizer20010315Excl transformer =
    new org.apache.xml.security.c14n.implementations.Canonicalizer20010315ExclOmitComments();
InputStream stream = new ByteArrayInputStream(message.getBytes("UTF-8"));
String inclusiveNamespaces = "SOAP-ENV ec ec1 ns0 ns1 ns11 ns2 ns4 ns9";
byte[] output = transformer.engineCanonicalize(new XMLSignatureInput(stream), inclusiveNamespaces);
String result = new String(output, "UTF-8");

I'll log a JIRA for the streaming canonicalizers.

Colm.

On Mon, Jun 6, 2016 at 12:26 PM, <[email protected]>
wrote:

> Hello,
>
> I've been fighting with cxf 3.0.9 for more than a week and finally found a
> problem in the xmlsec library.
>
> Starting from version 2.0.0 the
> *Canonicalizer20010315_ExclOmitCommentsTransformer* transformer works
> incorrectly.
>
> When the list of inclusive namespaces is added, the transformer adds empty
> namespace declarations at the root element if the namespace is not already
> defined at this element.
>
>
>
> So, here's an example:
>
> inclusiveNamespaces = "SOAP-ENV ec ec1 ns0 ns1 ns11 ns2 ns4 ns9"
>
>
>
> output root:
>
> <SOAP-ENV:Body xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"*
> xmlns:ec="" xmlns:ec1="" xmlns:ns0="" xmlns:ns1="" xmlns:ns11=""
> xmlns:ns2="" xmlns:ns4="" xmlns:ns9=""*
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="XWSSGID-1465203363337-2063525437">
>
>
>
>
>
> As you can see, the empty declarations have been added, causing the
> calculated digest not to match, so the message does not pass
> signature verification.
>
>
>
> Attached are: sample code and the transformation result. The example was
> tested with xmlsec 2.0.0 and xmlsec 2.0.6.
>
> Old versions 1.5.7, 1.5.8 are working fine – please take a look at:
> Canonicalizer20010315Excl.java, starting from line 201 -> it's not adding
> all prefixes defined in "inclusiveNamespaces" but only those for which
> there's a need.
>
>
>
> Please help!
>
>
>
> Best regards,
>
> Szymon
>
>
>
>
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
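
An added illustration, not code from this thread or from the xmlsec project: it renders an apex start tag under the exclusive C14N rule that a PrefixList entry is declared only when a namespace for that prefix is in scope, and flags the empty `xmlns:prefix=""` declarations reported above. The class and method names, the `ns1` namespace URI, the SHA-256 digest choice and the mimicked faulty output are assumptions constructed for the example; attributes and the default namespace are left out.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import java.util.regex.*;

public class InclusivePrefixCheck {
    // A prefixed namespace declaration with an empty value, e.g. xmlns:ec=""
    static final Pattern EMPTY_DECL = Pattern.compile("\\sxmlns:([^\\s=]+)=\"\"");

    // Start tag of the apex element (simplified: no attributes, no default namespace).
    // A PrefixList entry is declared only when a namespace for that prefix is in scope.
    static String startTag(String qname, Map<String, String> inScope,
                           Set<String> visiblyUsed, List<String> prefixList) {
        SortedMap<String, String> emit = new TreeMap<>();   // C14N orders declarations by prefix
        for (String p : visiblyUsed) emit.put(p, inScope.get(p));
        for (String p : prefixList) if (inScope.containsKey(p)) emit.put(p, inScope.get(p));
        StringBuilder sb = new StringBuilder("<").append(qname);
        emit.forEach((p, uri) -> sb.append(" xmlns:").append(p).append("=\"").append(uri).append('"'));
        return sb.append('>').toString();
    }

    // Prefixes that a canonical form declares with an empty URI (the symptom in this thread).
    static List<String> emptyPrefixDeclarations(String canonical) {
        List<String> found = new ArrayList<>();
        Matcher m = EMPTY_DECL.matcher(canonical);
        while (m.find()) found.add(m.group(1));
        return found;
    }

    static String digest(String s) throws Exception {   // SHA-256 chosen for the example
        byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(d);
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> inScope = new HashMap<>();   // constructed sample data
        inScope.put("SOAP-ENV", "http://schemas.xmlsoap.org/soap/envelope/");
        inScope.put("ns1", "urn:example:constructed");
        List<String> prefixList = Arrays.asList("SOAP-ENV ec ec1 ns0 ns1 ns11 ns2 ns4 ns9".split(" "));

        String expected = startTag("SOAP-ENV:Body", inScope, Collections.singleton("SOAP-ENV"), prefixList);
        // Constructed to mimic the faulty output: every listed prefix not in scope gets xmlns:p=""
        StringBuilder faulty = new StringBuilder(expected.substring(0, expected.length() - 1));
        for (String p : prefixList) if (!inScope.containsKey(p)) faulty.append(" xmlns:").append(p).append("=\"\"");
        faulty.append('>');

        System.out.println(expected + " -> " + emptyPrefixDeclarations(expected));
        System.out.println(faulty + " -> " + emptyPrefixDeclarations(faulty.toString()));
        System.out.println("digests match: " + digest(expected).equals(digest(faulty.toString())));
    }
}
```

`emptyPrefixDeclarations` can be run over the output of any canonicalizer as a regression check, since a non-empty result means the digest input differs from what a conforming signer produced.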
