c14n algorithm doesn't support default namespaces
-------------------------------------------------
Key: WSS-19
URL: http://issues.apache.org/jira/browse/WSS-19
Project: WSS4J
Type: Bug
Environment: WSS4J 1.1.0, Axis 1.2.1, Sun JDK 1.5.0-03, Xerces 2.6.2 (as part of JBoss 4.0.2)
Reporter: Chris Nappin
Assigned to: Davanum Srinivas
There appears to be a fault with the c14n algorithm in wss4j, in that it
doesn't handle default namespaces correctly, and valid documents fail
verification.
When signing and sending the following SOAP body with WSS4J:
<Nominal xmlns="http://www.test.com/Test">
  <name>Bert</name>
  <number>1234</number>
</Nominal>
The c14n algorithm changes it to:
<ns1:Nominal xmlns="http://www.test.com/Test"
             xmlns:ns1="http://www.test.com/Test">
  <ns1:name>Bert</ns1:name>
  <ns1:number>1234</ns1:number>
</ns1:Nominal>
Note it hasn't understood the default namespace, but has left it on.
On the server side, this document always fails to validate and WSS4J throws a
security exception, for example:
Verification failed for URI "#id-20214052"
org.apache.ws.security.WSSecurityException: The signature verification failed at
org.apache.ws.security.WSSecurityEngine.verifyXMLSignature(WSSecurityEngine.java:644)
..etc..
If the client and server code and configuration are left identical, but the
document is changed to use explicit namespaces as follows:
<myns:Nominal xmlns:myns="http://www.test.com/Test">
  <myns:name>Bert</myns:name>
  <myns:number>1234</myns:number>
</myns:Nominal>
This is then left unaltered by wss4j on the wire, and the server verifies the
signature as valid.
If you require any further details (e.g. the full client code, property
files etc), please email me.
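As an added illustration (not part of this report or of WSS4J), the check below shows why the rewritten body cannot verify: a prefix-preserving canonicalization, like the inclusive C14N that XML-DSig digests are computed over, produces different bytes, and so a different DigestValue, for the signed form and the on-the-wire form even though every element is in the same namespace, while the explicit-prefix body is stable. The serializer is a constructed simplification for element-and-text documents, not the real C14N algorithm, and the three XML strings are reconstructed from the report.

```python
import hashlib
from xml.dom import minidom

NS = "http://www.test.com/Test"
# Constructed inputs mirroring the report: the body as the client signed it,
# the form WSS4J put on the wire, and the explicit-prefix variant.
SIGNED = f'<Nominal xmlns="{NS}"><name>Bert</name><number>1234</number></Nominal>'
ON_WIRE = (f'<ns1:Nominal xmlns="{NS}" xmlns:ns1="{NS}">'
           '<ns1:name>Bert</ns1:name><ns1:number>1234</ns1:number></ns1:Nominal>')
EXPLICIT = (f'<myns:Nominal xmlns:myns="{NS}">'
            '<myns:name>Bert</myns:name><myns:number>1234</myns:number></myns:Nominal>')


def _escape(text):
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def _serialize(node):
    # Simplified stand-in for inclusive C14N (element and text nodes only):
    # element names keep the prefix exactly as written, namespace declarations
    # are emitted before other attributes, and each group is sorted by name.
    if node.nodeType == node.TEXT_NODE:
        return _escape(node.data)
    attrs = node.attributes.items()  # (qualified name, value) pairs, minidom keeps xmlns
    decls = sorted(a for a in attrs if a[0] == "xmlns" or a[0].startswith("xmlns:"))
    others = sorted(a for a in attrs if a not in decls)
    out = ["<" + node.tagName]
    out += [f' {name}="{_escape(value)}"' for name, value in decls + others]
    out.append(">")
    out += [_serialize(child) for child in node.childNodes]
    out.append(f"</{node.tagName}>")
    return "".join(out)


def canonical(xml_text):
    """The byte string a DigestValue would be computed over."""
    return _serialize(minidom.parseString(xml_text).documentElement)


def digest(xml_text):
    return hashlib.sha256(canonical(xml_text).encode("utf-8")).hexdigest()


def signature_survives(signed_form, wire_form):
    """The verifier's reference check: any change in canonical bytes fails it."""
    return digest(signed_form) == digest(wire_form)


if __name__ == "__main__":
    print("default-namespace body verifies:", signature_survives(SIGNED, ON_WIRE))
    print("explicit-prefix body verifies:", signature_survives(EXPLICIT, EXPLICIT))
```

Running it prints False for the default-namespace body and True for the explicit-prefix one, which is exactly the behaviour the report describes on the server side.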