[
https://issues.apache.org/jira/browse/WSS-535?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh closed WSS-535.
-----------------------------------
> Add WSSE and WSU xmlns definitions to signature's SecurityTokenReference
> ------------------------------------------------------------------------
>
> Key: WSS-535
> URL: https://issues.apache.org/jira/browse/WSS-535
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 2.0.3
> Reporter: Modestas Vainius
> Assignee: Colm O hEigeartaigh
> Fix For: 2.0.4, 1.6.19, 2.1.0
>
>
> Hello,
> when <ds:Signature> is created with WSS4J, it contains a
> <wsse:SecurityTokenReference> within it which uses the *wsse* and *wsu*
> namespaces. Those namespaces are defined "above" the <ds:Signature> tag in the
> XML document, so <ds:Signature> does not validate as a standalone fragment. For
> example:
> {code:xml}
> <ds:Signature Id="SIG-3E9A9AB1F5821FE8E81429475914581153"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> <ec:InclusiveNamespaces PrefixList="wsa soapenv urn"
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
> </ds:CanonicalizationMethod>
> <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
> <ds:Reference URI="#id-3E9A9AB1F5821FE8E81429475914580148">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> <ec:InclusiveNamespaces PrefixList="urn"
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
> </ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> <ds:DigestValue>n1FO7gH3mlf7xwN9NV7BtdhqqNM=</ds:DigestValue>
> </ds:Reference>
> <ds:Reference URI="#TS-3E9A9AB1F5821FE8E81429475914579144">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> <ec:InclusiveNamespaces PrefixList="wsse wsa soapenv urn"
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
> </ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> <ds:DigestValue>8IPio9C93C+IYpVOtFUX+Ig6eFQ=</ds:DigestValue>
> </ds:Reference>
> <ds:Reference URI="#id-3E9A9AB1F5821FE8E81429475914581149">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> <ec:InclusiveNamespaces PrefixList="soapenv urn"
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
> </ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> <ds:DigestValue>T5t9Lg+/6tnL3XMUqi/XBa2RPgs=</ds:DigestValue>
> </ds:Reference>
> <ds:Reference URI="#id-3E9A9AB1F5821FE8E81429475914581150">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> <ec:InclusiveNamespaces PrefixList="soapenv urn"
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
> </ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> <ds:DigestValue>dNjOA0ZosOLeB7R1YnBWvW5RoWI=</ds:DigestValue>
> </ds:Reference>
> <ds:Reference URI="#id-3E9A9AB1F5821FE8E81429475914581151">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> <ec:InclusiveNamespaces PrefixList="soapenv urn"
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
> </ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> <ds:DigestValue>LqsYd2ZbZG39gMytaAfebfw0Jpc=</ds:DigestValue>
> </ds:Reference>
> <ds:Reference URI="#id-3E9A9AB1F5821FE8E81429475914581152">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> <ec:InclusiveNamespaces PrefixList="soapenv urn"
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
> </ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> <ds:DigestValue>KBXU/UkCBosBKxaP+pPv7qFfLmw=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
>
> <ds:SignatureValue>CKwqqOizXZUS21GUbOK0U87u2XL+OBLj9Sfy4GaRmovCGuj8Wfm855oxbzHNaBw2rl9cFzEIUp5Pz6PKglE/KFc9E9TtKqp8aRPcRjcUvsbBZk9ntfKeJtYDF30Vsfcr6NFahCg+I2N61Mv5B622LLc7UnM8xlrUVgcBLHJwAcbX6GcQCm9hwRhO2f8n/HgHzdWW7KFw9sUQdGRyzm+k7Vhz/A6FxyqpECwIt9FWjTCaAQMo8/jS899y05UkFEFzMZy8Y6z1aODOR1W4QBp5D3+kMrG2bZHgi6UsBlCOgCH5EjolhD5grkM7wfvDbsWBw+41eswdY+at8tBhYvUFog==</ds:SignatureValue>
> <ds:KeyInfo Id="KI-3E9A9AB1F5821FE8E81429475914580146">
> <wsse:SecurityTokenReference
> wsu:Id="STR-3E9A9AB1F5821FE8E81429475914580147">
> <ds:X509Data>
> <ds:X509IssuerSerial>
> <ds:X509IssuerName>CN=CERT,OU=Development,O=Org,L=City,ST=State,C=US</ds:X509IssuerName>
> <ds:X509SerialNumber>13887123756357751743</ds:X509SerialNumber>
> </ds:X509IssuerSerial>
> </ds:X509Data>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> {code}
> This is generally fine. However, when <ds:Signature> is encrypted, some other
> platforms (for example, some versions of .NET) have trouble validating the
> decrypted <ds:Signature>, since they cannot resolve the *wsse* and *wsu*
> namespaces (as they are not in the decrypted fragment). I suppose they
> should put the decrypted <ds:Signature> back into the context of the rest of the
> XML, but this does not happen.
> I think it would be a good idea to add definitions of the wsse and wsu namespaces
> to the <wsse:SecurityTokenReference> in order to improve compatibility with
> WSS implementations from other vendors. Or at least make this behaviour
> configurable.
> The following patch always adds *wsse* and *wsu* definitions:
> {code}
> diff --git
> a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java
>
> b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java
> index 0258f0c..35bd3ba 100644
> ---
> a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java
> +++
> b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java
> @@ -181,6 +181,8 @@ public class WSSecSignature extends WSSecSignatureBase {
> if (!useCustomSecRef) {
> secRef = new SecurityTokenReference(doc);
> strUri = getWsConfig().getIdAllocator().createSecureId("STR-",
> secRef);
> + secRef.addWSSENamespace();
> + secRef.addWSUNamespace();
> secRef.setID(strUri);
>
> //
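Review bot: the two new calls sit inside `if (!useCustomSecRef)`, so a caller that supplies its own SecurityTokenReference still emits a reference without wsse/wsu declarations and keeps exactly the interoperability problem the description reports; either apply `secRef.addWSSENamespace();` / `secRef.addWSUNamespace();` on the custom-reference path as well, or expose the configuration switch the description asks for so both paths behave the same. A short comment above the calls saying that the declarations exist so the Signature still resolves its prefixes after being encrypted and decrypted in isolation would also spare the next reader from removing them as redundant.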
> {code}
> Then:
> {code:xml}
> ....
> <wsse:SecurityTokenReference
> wsu:Id="STR-906b1964-8e27-40a5-a2ed-7f4ac9dabd69"
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> <ds:X509Data>
> <ds:X509IssuerSerial>
> <ds:X509IssuerName>CN=CERT,OU=Development,O=Org,L=City,ST=State,C=US</ds:X509IssuerName>
> <ds:X509SerialNumber>13887123756357751743</ds:X509SerialNumber>
> </ds:X509IssuerSerial>
> </ds:X509Data>
> </wsse:SecurityTokenReference>
> ...
> {code}
> As far as I can tell, the same problem is present in earlier versions (1.6)
> as well.
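As an added illustration of the failure the report describes (not code from the report or from WSS4J), the following Python checker lists the namespace prefixes a fragment uses but does not bind within itself, and shows that a namespace-aware parser accepts the pre-patch SecurityTokenReference inside its SOAP envelope yet rejects it once the Signature stands alone, as it does after decryption. The XML fragments are constructed, shortened versions of the report's output; `STR-1` and the `CN=CERT` issuer are placeholder values.

```python
import re
import xml.etree.ElementTree as ET
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed fragments modelled on the report: the SecurityTokenReference before
# the patch (wsse/wsu bound only further up the document) and after it.
STR_BEFORE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:KeyInfo><wsse:SecurityTokenReference wsu:Id="STR-1">
    <ds:X509Data><ds:X509IssuerSerial>
      <ds:X509IssuerName>CN=CERT</ds:X509IssuerName>
      <ds:X509SerialNumber>1</ds:X509SerialNumber>
    </ds:X509IssuerSerial></ds:X509Data>
  </wsse:SecurityTokenReference></ds:KeyInfo>
</ds:Signature>"""
STR_AFTER = STR_BEFORE.replace('wsu:Id="STR-1"',
                               f'wsu:Id="STR-1" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"')
# The SOAP envelope that binds wsse/wsu while the Signature is still in context.
ENVELOPE = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
            f' xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><soapenv:Header>{{}}'
            '</soapenv:Header></soapenv:Envelope>')
TAG_RE = re.compile(r"<(/?)([^\s/>]+)([^>]*?)(/?)>")   # start, end or empty-element tag
ATTR_RE = re.compile(r"([\w.:-]+)\s*=\s*[\"']")        # attribute names within a tag

def undeclared_prefixes(fragment):
    """Prefixes used by element/attribute names that no xmlns:prefix declaration in scope *inside the fragment* binds."""
    scope, missing = [set()], set()           # one set of declared prefixes per open element
    for closing, name, attrs, selfclose in TAG_RE.findall(fragment):
        if name[0] in "?!":                   # XML declaration or comment: nothing to bind
            continue
        if closing:
            scope.pop()
            continue
        names = ATTR_RE.findall(attrs)
        declared = {a[6:] for a in names if a.startswith("xmlns:")}
        used = {n.split(":", 1)[0] for n in [name, *names]
                if ":" in n and not n.startswith("xmlns:")}
        missing |= used - set().union(*scope) - declared - {"xml"}
        if not selfclose:
            scope.append(declared)
    return missing

def parses_standalone(fragment):
    """True if a namespace-aware parser (expat) accepts the fragment on its own; it rejects any prefix it cannot bind."""
    try:
        ET.fromstring(fragment)
        return True
    except ET.ParseError:
        return False
```

Running the checker over a fragment just before it is handed to the encryption step is a cheap pre-flight test for any signed or encrypted XML that a peer may have to process out of its original context.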
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)