Signature verification should not fail due to default namespaces added after
signing when using exclusive canonicalization
--------------------------------------------------------------------------------------------------------------------------
Key: WSS-181
URL: https://issues.apache.org/jira/browse/WSS-181
Project: WSS4J
Issue Type: Bug
Components: WSS4J Core
Affects Versions: 1.5.7
Environment: tomcat + axis 1.4 + wss4j 1.5.7
Reporter: Nitin Handa
Assignee: Ruchith Udayanga Fernando
Priority: Blocker
Signature verification is failing, but it should not when using exclusive
canonicalization.
The timestamp element below was signed by owsm:
<wsu:Timestamp
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Timestamp-iZia05BtcBfzdM8WfpM1fA22">
<wsu:Created
ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-20T17:09:24Z</wsu:Created>
<wsu:Expires
ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-20T17:14:24Z</wsu:Expires></wsu:Timestamp>
while the timestamp element below was received by wss4j:
<wsu:Timestamp
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Timestamp-iZia05BtcBfzdM8WfpM1fA22">
<wsu:Created
ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-20T17:09:24Z</wsu:Created>
<wsu:Expires
ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-20T17:14:24Z</wsu:Expires></wsu:Timestamp>
Note that the default namespace is also there, so wss4j verification failed, while it
should be ignored as this default namespace is unused.
The same is the case with STR and BST too.
Canonicalized STR & BST at wss4j end used default namespace which
canonicalization
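
An added illustration, not part of the original report and not WSS4J code: a simplified Python sketch of the namespace-rendering rule that separates Exclusive XML Canonicalization from inclusive C14N, run on the Timestamp from the report (abridged to its Created child). The helper names are hypothetical, and comments, processing instructions, InclusiveNamespaces prefix lists and xml:* attribute inheritance are not handled.

```python
from xml.dom import minidom

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
# Constructed from the report's Timestamp (Expires child omitted for brevity).
SIGNED = ('<wsu:Timestamp xmlns:wsu="%s" wsu:Id="Timestamp-iZia05BtcBfzdM8WfpM1fA22">'
          '<wsu:Created ValueType="http://www.w3.org/2001/XMLSchema/dateTime">'
          '2009-04-20T17:09:24Z</wsu:Created></wsu:Timestamp>' % WSU)
# Same element with the unused default namespace added after signing.
RECEIVED = SIGNED.replace(' wsu:Id=', ' xmlns="%s" wsu:Id=' % WSU, 1)

def is_nsdecl(a):
    return a.name == "xmlns" or a.name.startswith("xmlns:")

def in_scope(el):  # prefix -> URI visible at el ('' is the default namespace)
    scope = {}
    while el is not None and el.nodeType == el.ELEMENT_NODE:
        for a in el.attributes.values():
            if is_nsdecl(a):
                scope.setdefault(a.name[6:], a.value)  # nearest declaration wins
        el = el.parentNode
    scope.setdefault("", "")
    return scope

def esc(s, attr=False):
    s = s.replace("&", "&amp;").replace("<", "&lt;")
    if attr:
        return s.replace('"', "&quot;").replace("\t", "&#x9;").replace("\n", "&#xA;").replace("\r", "&#xD;")
    return s.replace(">", "&gt;").replace("\r", "&#xD;")

def c14n(node, exclusive=True, rendered=None):
    if node.nodeType != node.ELEMENT_NODE:
        return esc(node.data) if node.nodeType in (node.TEXT_NODE, node.CDATA_SECTION_NODE) else ""
    rendered = dict(rendered or {"": ""})  # declarations already output by ancestors
    scope = in_scope(node)
    attrs = [a for a in node.attributes.values() if not is_nsdecl(a)]
    if exclusive:  # keep only prefixes visibly used by this element or its attributes
        used = {node.prefix or ""} | {a.prefix for a in attrs if a.prefix}
        scope = {p: u for p, u in scope.items() if p in used}
    out = "<" + node.tagName
    for p in sorted(scope):
        if rendered.get(p) != scope[p]:
            out += ' xmlns%s="%s"' % (":" + p if p else "", esc(scope[p], True))
            rendered[p] = scope[p]
    for a in sorted(attrs, key=lambda a: (a.namespaceURI or "", a.localName)):
        out += ' %s="%s"' % (a.name, esc(a.value, True))
    return "%s>%s</%s>" % (out, "".join(c14n(c, exclusive, rendered) for c in node.childNodes), node.tagName)

def canon(xml, exclusive=True):
    return c14n(minidom.parseString(xml).documentElement, exclusive)
```

Under the exclusive rule `canon(RECEIVED)` and `canon(SIGNED)` are byte-identical, so a digest over them matches; with `exclusive=False` the received form carries the extra `xmlns` declaration and the digest changes.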