DO NOT REPLY [Bug 47853] digital signature reference validation failure when wrapping xml with soap namespace
https://issues.apache.org/bugzilla/show_bug.cgi?id=47853

--- Comment #8 from trat...@yahoo.com 2009-09-17 04:42:10 PDT ---

Hi,

I did another test without using the opensaml jar. I only used the xmlsec-1.4.2.jar - following is the manifest:

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.7.0
Created-By: 1.4.2_17-b06 (Sun Microsystems Inc.)
Built-By: mullan
Name: xmlsec
Implementation-Title: Apache-XML-Security-J
Implementation-Version: 1.4.2 June 23 2008
Implementation-Vendor: Apache Software Foundation

I checked the canonicalized references in the good signature and the bad signature and compared what is different according to the log. In the assertion that was signed there are no namespace declarations for soapenv (since the assertion was signed by itself - and only afterwards it was copy-pasted into the soap wrapper):

root SRM

but during validation the canonicalized reference looks like this:

<saml:Assertion xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" AssertionID="saml-2" ID="Assertion" IssueInstant="2008-08-15T02:12:44.179Z" Issuer="urn:test-sts" MajorVersion="1" MinorVersion="1">
root SRM

As you can see, the xmlns declarations for soapenv and wsse were added to the saml:Assertion tag even though javax.xml.crypto.dsig.CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS is being used. This is why the reference validation is failing.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.
DO NOT REPLY [Bug 47853] digital signature reference validation failure when wrapping xml with soap namespace
https://issues.apache.org/bugzilla/show_bug.cgi?id=47853

sean.mul...@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #9 from sean.mul...@sun.com 2009-09-17 06:11:43 PDT ---

Actually, you are using Inclusive C14N to canonicalize your Reference. This is the Reference in your signature:

<Transforms>
  <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>LFkVUeisRZJTnIwrlZ7pMxp/oeM=</DigestValue>

If a Reference that produces a node-set does not specify a canonicalization algorithm as the last transform, then inclusive C14N is implicitly used. See section 4.3.3.2 of http://www.w3.org/TR/xmldsig-core/:

"If the data object is a node-set and the next transform requires octets, the signature application MUST attempt to convert the node-set to an octet stream using Canonical XML [XML-C14N]."

The CanonicalizationMethod specified in the SignedInfo element does not apply to the References, it only applies to the SignedInfo element.

To fix this, you need to add an explicit exclusive C14N transform after the enveloped transform, ex:

<Transforms>
  <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
  <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>LFkVUeisRZJTnIwrlZ7pMxp/oeM=</DigestValue>

You may want to check with Scott or the SAML forums as to the best practices when signing SAML assertions.
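The behaviour described in comment #9 (a Reference whose last transform leaves a node-set is canonicalized with inclusive C14N, while the CanonicalizationMethod in SignedInfo covers SignedInfo only) can be reproduced end to end with the JSR 105 API (javax.xml.crypto.dsig) that ships in the JDK, whose implementation derives from Apache xmlsec. The class below is an added example written for this page, not code from the bug report or from the xmlsec project. The saml:Assertion and SOAP envelope documents are constructed stand-ins that mirror the report (an assertion with ID="Assertion", signed on its own, then copied under wsse:Security where xmlns:soapenv and xmlns:wsse are declared on the Envelope); the class name, method names and the use of RSA-SHA256 instead of the report's SHA-1 digest are the example's own choices. It requires Java 7 or later.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/** Added example (not xmlsec code): Reference C14N vs. SignedInfo C14N, as in bug 47853. */
public class ReferenceC14nDemo {

    static final String SAML = "urn:oasis:names:tc:SAML:1.0:assertion";
    static final String SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Constructed stand-alone assertion; it is signed by itself, as in the report.
    static final String ASSERTION =
        "<saml:Assertion xmlns:saml=\"" + SAML + "\" ID=\"Assertion\" AssertionID=\"saml-2\""
        + " Issuer=\"urn:test-sts\" MajorVersion=\"1\" MinorVersion=\"1\">"
        + "<saml:AuthenticationStatement>root SRM</saml:AuthenticationStatement>"
        + "</saml:Assertion>";

    // Constructed SOAP wrapper: soapenv and wsse are declared on an ancestor of the pasted assertion.
    static final String ENVELOPE =
        "<soapenv:Envelope xmlns:soapenv=\"" + SOAPENV + "\" xmlns:wsse=\"" + WSSE + "\">"
        + "<soapenv:Header><wsse:Security/></soapenv:Header><soapenv:Body/></soapenv:Envelope>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // No DOCTYPE in signed input: blocks external entities and entity expansion.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Signs the stand-alone assertion. The Reference's LAST transform decides how its node-set becomes octets. */
    static Document signAssertion(KeyPair kp, boolean explicitExcC14nTransform) throws Exception {
        Document doc = parse(ASSERTION);
        Element assertion = doc.getDocumentElement();
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");

        List<Transform> transforms = new ArrayList<>();
        transforms.add(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null));
        if (explicitExcC14nTransform) {
            // The fix from comment #9: exclusive C14N as the last transform of the Reference.
            transforms.add(fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null));
        }
        Reference ref = fac.newReference("#Assertion",
                fac.newDigestMethod(DigestMethod.SHA256, null), transforms, null, null);

        // This CanonicalizationMethod governs SignedInfo only; it never reaches the Reference above.
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
                Collections.singletonList(ref));

        DOMSignContext dsc = new DOMSignContext(kp.getPrivate(), assertion); // Signature becomes a child of the assertion
        dsc.setIdAttributeNS(assertion, null, "ID");                         // lets "#Assertion" resolve
        fac.newXMLSignature(si, null).sign(dsc);
        return doc;
    }

    /** Copies the signed assertion under wsse:Security (the "copy paste" step) and validates it there. */
    static boolean validateInsideEnvelope(KeyPair kp, Document signedAssertion) throws Exception {
        Document env = parse(ENVELOPE);
        Element security = (Element) env.getElementsByTagNameNS(WSSE, "Security").item(0);
        Element assertion = (Element) env.importNode(signedAssertion.getDocumentElement(), true);
        security.appendChild(assertion);

        Node sigNode = env.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext vc = new DOMValidateContext(kp.getPublic(), sigNode);
        vc.setIdAttributeNS(assertion, null, "ID");
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(vc);
        return sig.validate(vc); // false means core validation (here: the Reference digest) failed
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Enveloped transform only: inclusive C14N is implied, so the inherited xmlns:soapenv and
        // xmlns:wsse declarations are rendered on saml:Assertion and the digest no longer matches.
        System.out.println("enveloped only       -> valid=" + validateInsideEnvelope(kp, signAssertion(kp, false)));
        // Enveloped + explicit exc-c14n: namespace context the assertion does not visibly use is ignored.
        System.out.println("enveloped + exc-c14n -> valid=" + validateInsideEnvelope(kp, signAssertion(kp, true)));
    }
}
```

Signed with the enveloped transform alone, validation inside the envelope fails for exactly the reason given in comment #9, and it succeeds once the exclusive C14N transform is appended to the Reference. One caveat when adopting the fix: exclusive C14N only keeps namespace declarations that are visibly utilized in element and attribute names, so a prefix that appears solely inside attribute or text content (for example a QName in an xsi:type value) must be listed in an InclusiveNamespaces PrefixList on that transform, or the two sides can again canonicalize differently.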
DO NOT REPLY [Bug 47853] digital signature reference validation failure when wrapping xml with soap namespace
https://issues.apache.org/bugzilla/show_bug.cgi?id=47853

--- Comment #10 from trat...@yahoo.com 2009-09-17 07:39:38 PDT ---

Hi,

That was the problem. Thanks for your prompt support.
DO NOT REPLY [Bug 47833] problem xml parsing: != test instead of !.equals cause a parse error
https://issues.apache.org/bugzilla/show_bug.cgi?id=47833

sean.mul...@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

--- Comment #1 from sean.mul...@sun.com 2009-09-17 12:38:28 PDT ---

45637 should address this, by providing a configurable option for DOM implementations that don't intern namespaces. Therefore I am marking this as a duplicate.

*** This bug has been marked as a duplicate of bug 45637 ***
DO NOT REPLY [Bug 45637] Add configuration option for == vs .equals() String comparisons
https://issues.apache.org/bugzilla/show_bug.cgi?id=45637

sean.mul...@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |elisa.lan...@consulenti.csi.it

--- Comment #2 from sean.mul...@sun.com 2009-09-17 12:38:28 PDT ---

*** Bug 47833 has been marked as a duplicate of this bug. ***
DO NOT REPLY [Bug 47863] New: Fix findbugs warnings
https://issues.apache.org/bugzilla/show_bug.cgi?id=47863

           Summary: Fix findbugs warnings
           Product: Security
           Version: Java 1.4.2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Signature
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: sean.mul...@sun.com

This is a bug to clean up the various findbugs warnings that are generated when run over the xmlsec library.