[
https://issues.apache.org/jira/browse/WSS-181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704572#action_12704572
]
Nitin Handa commented on WSS-181:
---------------------------------
Hi Colm,
Realized that the issue is with AXIS. It is optimizing namespace declarations.
For example, OWSM signed the element below:
------------------------------------------------
<wsse:BinarySecurityToken
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="BST-2NQixJV5aafKsVvYq15hlw22">M+/8im3Pgzb3insPQq+N6BcQP9uiPv3fL/BDuIL</wsse:BinarySecurityToken>
But the element below was somehow sent from Oracle's web services stack
(after a default namespace was added):
------------------------------------------------
<wsse:BinarySecurityToken
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
wsu:Id="BST-2NQixJV5aafKsVvYq15hlw22"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">M+/8im3Pgzb3insPQq+N6BcQP9uiPv3fL/BDuIL</wsse:BinarySecurityToken>
While the element below is received by wss4j (realized that somehow AXIS
is doing optimization and removed the prefix to give preference to the default
namespace):
------------------------------------------------
<BinarySecurityToken
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="BST-2NQixJV5aafKsVvYq15hlw22">M+/8im3Pgzb3insPQq+N6BcQP9uiPv3fL/BDuIL</BinarySecurityToken>
I had a talk with the web services team, but they say that this should be OK
for wss4j while doing exclusive canonicalization, as they are also doing
this as per the standard specs, so wss4j should also handle this.
Please let me know if anything can be done about this at the wss4j end.
Thanks,
Nitin
> Signature verification should not fail due to default namespaces added after
> signing when using exclusive canonicalization
> --------------------------------------------------------------------------------------------------------------------------
>
> Key: WSS-181
> URL: https://issues.apache.org/jira/browse/WSS-181
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 1.5.7
> Environment: tomcat + axis 1.4 + wss4j 1.5.7
> Reporter: Nitin Handa
> Assignee: Ruchith Udayanga Fernando
> Priority: Blocker
>
> Signature verification is failing, but it should not when using exclusive
> canonicalization.
> The timestamp element below was signed by OWSM:
> <wsu:Timestamp
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="Timestamp-iZia05BtcBfzdM8WfpM1fA22">
> <wsu:Created
> ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-20T17:09:24Z</wsu:Created>
> <wsu:Expires
> ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-20T17:14:24Z</wsu:Expires></wsu:Timestamp>
> while the timestamp element below was received by wss4j:
> <wsu:Timestamp
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>
> *xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> *wsu:Id="Timestamp-iZia05BtcBfzdM8WfpM1fA22">
> <wsu:Created
> ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-20T17:09:24Z</wsu:Created>
> <wsu:Expires
> ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-20T17:14:24Z</wsu:Expires></wsu:Timestamp>
>
> Note that the default namespace is also there, so wss4j verification failed,
> while it should be ignored as this default namespace is unused.
> The same case applies to STR and BST too.
> Canonicalized STR & BST at wss4j end used default namespace which
> canonicalization
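The three BinarySecurityToken forms and the two Timestamp forms quoted in this issue behave differently under Exclusive XML Canonicalization, and the reason is easy to see by canonicalizing them. The script below is an added example, not WSS4J, Axis or OWSM code: it implements the element/attribute/text subset of exc-c14n 1.0 (without comments) in plain Python, builds constructed fixtures modelled on the quoted elements (sample wsu:Id values and token bytes, the real namespace URIs), and compares the resulting digests. SHA-1 is assumed as the DigestMethod. It shows that a namespace declaration that is not visibly utilized (the added default namespace on a prefixed element) and a different attribute order are both absorbed by canonicalization, while an element whose prefix has been dropped in favour of the default namespace canonicalizes to different octets, because the element's qualified name is part of the canonical form.

```python
"""Minimal exc-c14n 1.0 (no comments) for WS-Security style elements.
Added example, not WSS4J code; covers elements, attributes and text only."""
import base64
import hashlib
from xml.dom import minidom

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
BST_ENCODING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
BST_X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

# Constructed fixtures modelled on the elements quoted in the issue
# (sample wsu:Id values and token bytes; not the real message).
SIGNED_TIMESTAMP = (
    f'<wsu:Timestamp xmlns:wsu="{WSU}" wsu:Id="Timestamp-1">'
    '<wsu:Created>2009-04-20T17:09:24Z</wsu:Created>'
    '<wsu:Expires>2009-04-20T17:14:24Z</wsu:Expires></wsu:Timestamp>')
# As received: an unused default namespace declaration was added after signing.
RECEIVED_TIMESTAMP = (
    f'<wsu:Timestamp xmlns:wsu="{WSU}" xmlns="{WSU}" wsu:Id="Timestamp-1">'
    '<wsu:Created>2009-04-20T17:09:24Z</wsu:Created>'
    '<wsu:Expires>2009-04-20T17:14:24Z</wsu:Expires></wsu:Timestamp>')
SIGNED_BST = (
    f'<wsse:BinarySecurityToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" '
    f'EncodingType="{BST_ENCODING}" ValueType="{BST_X509V3}" wsu:Id="BST-1">'
    'MIIBsampleTokenBytes</wsse:BinarySecurityToken>')
# Sent by the stack: same prefix, unused default namespace, attributes reordered.
RESENT_BST = (
    f'<wsse:BinarySecurityToken xmlns:wsse="{WSSE}" xmlns="{WSSE}" '
    f'ValueType="{BST_X509V3}" EncodingType="{BST_ENCODING}" wsu:Id="BST-1" '
    f'xmlns:wsu="{WSU}">MIIBsampleTokenBytes</wsse:BinarySecurityToken>')
# Received by the verifier: the wsse prefix was dropped for the default namespace.
RECEIVED_BST = (
    f'<BinarySecurityToken xmlns="{WSSE}" xmlns:wsu="{WSU}" '
    f'EncodingType="{BST_ENCODING}" ValueType="{BST_X509V3}" wsu:Id="BST-1">'
    'MIIBsampleTokenBytes</BinarySecurityToken>')


def _esc_text(s):
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\r", "&#xD;")


def _esc_attr(s):
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace('"', "&quot;")
            .replace("\t", "&#x9;").replace("\n", "&#xA;").replace("\r", "&#xD;"))


def _canon(elem, in_scope, rendered, out):
    """Append the exc-c14n form of elem to out.
    in_scope: prefix -> URI declared on this element or an ancestor ('' = default)
    rendered: prefix -> URI already emitted by an output ancestor"""
    scope = dict(in_scope)
    attrs = []
    for a in elem.attributes.values():
        if a.name == "xmlns":
            scope[""] = a.value
        elif a.name.startswith("xmlns:"):
            scope[a.name[6:]] = a.value
        else:
            attrs.append(a)
    # Visibly utilized prefixes: the element's own prefix plus those of its
    # attributes. The default namespace counts only for an unprefixed element.
    used = {elem.tagName.rpartition(":")[0]}
    used.update(a.name.rpartition(":")[0] for a in attrs if ":" in a.name)
    used.discard("xml")
    now_rendered = dict(rendered)
    decls = []
    for p in sorted(used):  # default namespace ('') sorts first, then by prefix
        uri = scope.get(p, "")
        if p == "" and uri == "":
            if rendered.get("", ""):  # undo an ancestor's default namespace
                decls.append(' xmlns=""')
                now_rendered[""] = ""
        elif rendered.get(p) != uri:
            decls.append(f' xmlns="{_esc_attr(uri)}"' if p == "" else f' xmlns:{p}="{_esc_attr(uri)}"')
            now_rendered[p] = uri
    # Attributes: unnamespaced first, then ordered by (namespace URI, local name).
    attrs.sort(key=lambda a: (a.namespaceURI or "", a.name.rpartition(":")[2]))
    out.append("<" + elem.tagName + "".join(decls)
               + "".join(f' {a.name}="{_esc_attr(a.value)}"' for a in attrs) + ">")
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            _canon(child, scope, now_rendered, out)
        elif child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            out.append(_esc_text(child.data))
        # comments and processing instructions are omitted (exc-c14n without comments)
    out.append("</" + elem.tagName + ">")


def exc_c14n(xml_text):
    """Exclusive canonical form (bytes) of the document element of xml_text."""
    out = []
    _canon(minidom.parseString(xml_text).documentElement, {}, {}, out)
    return "".join(out).encode("utf-8")


def digest_value(xml_text):
    """Base64 SHA-1 over the canonical form, i.e. a ds:DigestValue (SHA-1 assumed)."""
    return base64.b64encode(hashlib.sha1(exc_c14n(xml_text)).digest()).decode("ascii")


def digests_match(signed_xml, received_xml):
    return digest_value(signed_xml) == digest_value(received_xml)


if __name__ == "__main__":
    print("Timestamp, default ns added:", digests_match(SIGNED_TIMESTAMP, RECEIVED_TIMESTAMP))
    print("BST, attributes reordered:  ", digests_match(SIGNED_BST, RESENT_BST))
    print("BST, wsse prefix dropped:   ", digests_match(SIGNED_BST, RECEIVED_BST))
```

Running it reports True, True, False: the Timestamp with the added default namespace and the BST with reordered attributes canonicalize to the same octets as what was signed, so their digests verify, whereas the BST whose prefix was removed does not, since `<BinarySecurityToken xmlns="...">` and `<wsse:BinarySecurityToken xmlns:wsse="...">` are different canonical octets even though they are the same element to a namespace-aware parser. A verifier that wants the third form to pass would need an intermediary that preserves prefixes, not a change to canonicalization.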