Hi Ashique, On 1/9/07, Ashique <[EMAIL PROTECTED]> wrote:
Hi, You were right that it is best practice not to touch the SOAP message after signing. I would rather not touch the signed part, because I managed to add some header while the body is signed. But theoretically, if I simply copy the signed part and paste it somewhere else, keeping namespaces intact, the signature verification should be fine. Isn't it? For example, if I simply copy the whole signed body into an arbitrary header and introduce any new body, the validation of the signature should be OK!!!
Correct! And it's a well-known attack to replace the signed body! (This can be prevented by validating the signature results or by using XPath filtering.) But it seems like you end up modifying the signed body content or the SignedInfo structure. For example, C14N will preserve newlines if they were introduced after signing, and that will cause a signature failure. IMHO you should try to add your custom header before signing the msg. Thanks, Ruchith -- www.ruchith.org www.wso2.org
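The "validation of the signature results" Ruchith recommends, as an added example that is not code from this thread or from WSS4J: after the signature verifier has accepted the message, confirm that the wsu:Id named by the ds:Reference belongs to the soap:Body that sits directly under the Envelope and to nothing else. The namespace URIs, the Id value "body-1" and the two sample envelopes are constructed for the example; real signature and digest verification is assumed to have run already and is not performed here.

```python
# Added check against XML signature wrapping (not code from the thread).
# Assumption: the WS-Security verifier has already validated the signature
# and the ds:Reference URI names the signed element by wsu:Id. We then
# confirm that Id belongs to the real soap:Body, directly under Envelope.
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DS = "http://www.w3.org/2000/09/xmldsig#"


def signed_reference_ids(envelope):
    """Fragment Ids (URI="#...") named by every ds:Reference in the message."""
    return [ref.get("URI", "")[1:] for ref in envelope.iter(f"{{{DS}}}Reference")
            if ref.get("URI", "").startswith("#")]


def body_is_signed(envelope):
    """True only if a signed Id belongs to the Body sitting directly under
    Envelope, and no other element carries that Id (a duplicate is the
    tell-tale of a copied-and-wrapped Body)."""
    body = envelope.find(f"{{{SOAP}}}Body")  # direct child only, not iter()
    if body is None:
        return False
    body_id = body.get(f"{{{WSU}}}Id")
    if body_id is None or body_id not in signed_reference_ids(envelope):
        return False
    holders = [e for e in envelope.iter() if e.get(f"{{{WSU}}}Id") == body_id]
    return len(holders) == 1


def check(xml_text):
    return body_is_signed(ET.fromstring(xml_text))


NS = f'xmlns:soap="{SOAP}" xmlns:wsu="{WSU}" xmlns:ds="{DS}"'
SIG = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/>'
       '</ds:SignedInfo></ds:Signature>')

# Constructed sample: the signature references the genuine Body.
GOOD = (f'<soap:Envelope {NS}><soap:Header>{SIG}</soap:Header>'
        '<soap:Body wsu:Id="body-1"><getBalance/></soap:Body></soap:Envelope>')

# Constructed sample of the case Ruchith describes: the signed Body copied
# into a Header element and a fresh, unsigned Body put in its place.
WRAPPED = (f'<soap:Envelope {NS}><soap:Header>{SIG}<Wrapper>'
           '<soap:Body wsu:Id="body-1"><getBalance/></soap:Body></Wrapper>'
           '</soap:Header><soap:Body><transfer/></soap:Body></soap:Envelope>')
```

`check(GOOD)` returns True and `check(WRAPPED)` returns False even though both carry the same ds:Reference, which is exactly the gap a bare digest check leaves open.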
