Oddbjorn,
 
Empty xmlns tags are used to prevent somebody from introducing/putting wrong default
namespaces into the request, thus it is OK to have empty xmlns namespaces.
 
Looking at your request: this is the "raw" request as it is delivered from the security
modules. Usually it should be canonicalized to remove superfluous namespace
attributes. The handlers associated with WSS4J (have a look into the "handler"
package) perform this implicitly.
 
OTOH I don't see a problem with namespace prefix and namespace declaration,
the prefix and the declaration are in sync.
 
Regards,
Werner
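
Added example (not part of either message, and not WSS4J code): a Python check of the two points in the reply above, that the repeated declarations leave every element's namespace unchanged and that xmlns="" keeps an unprefixed element out of a default namespace introduced by an enclosing document. RAW and MINIMAL are constructed, abbreviated samples modelled on the output quoted below; urn:example:wrapper and <item> are made up for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
TEMPURI = "http://tempuri.org/"

# Constructed sample: abbreviated version of the raw signed output, keeping
# the repeated xmlns:* and xmlns="" declarations on every element.
RAW = (
    f'<soap:Envelope xmlns:soap="{SOAP}" xmlns="">'
    f'<soap:Header xmlns="" xmlns:soap="{SOAP}">'
    f'<ds:Signature xmlns:ds="{DS}" xmlns="" xmlns:soap="{SOAP}">'
    f'<ds:SignedInfo xmlns="" xmlns:ds="{DS}" xmlns:soap="{SOAP}"/>'
    '</ds:Signature></soap:Header>'
    f'<soap:Body xmlns="" xmlns:soap="{SOAP}">'
    f'<Echo xmlns="{TEMPURI}" xmlns:soap="{SOAP}">'
    f'<input xmlns="{TEMPURI}">quack quack</input>'
    '</Echo></soap:Body></soap:Envelope>'
)

# Constructed sample: the same tree with every namespace declared only once.
MINIMAL = (
    f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>'
    f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo/></ds:Signature>'
    f'</soap:Header><soap:Body><Echo xmlns="{TEMPURI}">'
    '<input>quack quack</input></Echo></soap:Body></soap:Envelope>'
)


def expanded_names(xml_text):
    """List (namespace-expanded tag, text) for every element, in document order."""
    return [(el.tag, (el.text or "").strip())
            for el in ET.fromstring(xml_text).iter()]


def names_when_wrapped(fragment, default_ns="urn:example:wrapper"):
    """Expanded tags of `fragment` once embedded under a parent that sets a
    default namespace (the situation xmlns="" guards against)."""
    parent = ET.fromstring(f'<w xmlns="{default_ns}">{fragment}</w>')
    return [el.tag for el in parent.iter()][1:]  # skip the wrapper itself


if __name__ == "__main__":
    # Redundant declarations are no-ops: both documents name the same elements.
    print(expanded_names(RAW) == expanded_names(MINIMAL))
    # Without xmlns="" the element inherits the wrapper's default namespace.
    print(names_when_wrapped('<item/>'))
    # With xmlns="" it stays in no namespace.
    print(names_when_wrapped('<item xmlns=""/>'))
```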


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, 1 December 2005 15:04
To: [email protected]
Subject: WSS4J Namespace Problems when signing

Dear Developers,

 

Sorry for pasting on the developer list, but could not find another forum and have a suspicion that this might be a bug.

 

I am trying to do a simple XML-signature, but it seems like the library adds a number of additional namespace tags and the signature is not verified when received by a commercial XML gateway with the following message “The XPath expression has selected no nodes, make sure the namespace and prefix match the required namespace http://www.w3.org/2000/09/xmldsig#”.

 

The code I am using is cut’n’paste from the examples on the website, with some alterations (mustunderstand=false and selection of alias for the keystore) and is included below.

 

Also included are the SOAP-envelope used as input (through a simple parser) and the resulting output. My main concern is the creation of empty xmlns-tags, i.e. xmlns="".

 

Appreciate your time and help,

 

Best regards,

 

Oddbjorn Heimdal

 

---

 

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSSignEnvelope;
import org.w3c.dom.Document;
import org.apache.ws.security.components.crypto.Merlin;
import java.io.*;

/**
 *
 * @author Administrator
 */
public class Main {

    /** Creates a new instance of Main */
    public Main() {
    }

    /**
     * @param args the command line arguments
     */
    public static void main(String[] args) {
        try {
            // Build the SOAP envelope and parse it into a DOM document
            String message = getSOAPEnvelope("quack quack");
            Document envelope = parse(message);

            // Configure the signer: key referenced by issuer name and serial number
            WSSignEnvelope signer = new WSSignEnvelope();
            signer.setMustUnderstand(false);
            signer.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
            // Keystore alias and password of the signing key
            signer.setUserInfo("user", "accenture");

            // Load the keystore settings, sign, and print the serialised result
            Crypto crypto = CryptoFactory.getInstance("crypto.properties");
            envelope = signer.build(envelope, crypto);
            String output = serialise(envelope);
            System.out.println(output);
        } catch (WSSecurityException e) {
            System.out.println(e.getMessage());
        }
    }

    // getSOAPEnvelope(), parse() and serialise() are not included in this message
}

 

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <Echo xmlns="http://tempuri.org/">
      <input>quack quack</input>
    </Echo>
  </soap:Body>
</soap:Envelope>

 

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns="">

<soap:Header xmlns="" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">

<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns="" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">

<ds:SignedInfo xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">

<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>

<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>

<ds:Reference URI="#id-1729135" xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">

<ds:Transforms xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">

<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>

</ds:Transforms>

<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>

<ds:DigestValue xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ZueXliVOFkvykLuyDP/EiCrjk18=</ds:DigestValue>

</ds:Reference>

</ds:SignedInfo>

<ds:SignatureValue xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">GxULeCftQNQe9Zj7RDPVPVGlEQQGSZQYBHd7uZ6b1C8Ozwd3SBqSZA==</ds:SignatureValue>

<ds:KeyInfo Id="KeyId-14651377" xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">

<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-6308367" xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><ds:X509IssuerSerial xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

<ds:X509IssuerName xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">CN=Accenture Web Service Security Demo Authority,DC=wsdemo,DC=accenture,DC=loc</ds:X509IssuerName>

 

<ds:X509SerialNumber xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">82116573519794241798160</ds:X509SerialNumber>

</ds:X509IssuerSerial></wsse:SecurityTokenReference>

</ds:KeyInfo>

</ds:Signature></wsse:Security></soap:Header>

<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-1729135" xmlns="" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">

<Echo xmlns="http://tempuri.org/" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <input xmlns="http://tempuri.org/" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">quack quack</input>

</Echo> </soap:Body></soap:Envelope>

 

___________________________________________________________________

Oddbjorn Heimdal

Accenture Global Technology Consulting - Security Technologies

449, route des Crêtes, BP99, 06902 Sophia Antipolis (France)

Direct : +33 4 92.94.88.11 - Fax : +33 4 92.94.67.99 - Octel : 29/48811

[EMAIL PROTECTED]

 
