[ https://issues.apache.org/jira/browse/WSS-181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704671#action_12704671 ]

Colm O hEigeartaigh commented on WSS-181:
-----------------------------------------


Hi Nitin,

This is a problem with Axis, not WSS4J. WSS4J can handle the case where it 
signs:

<wsu:Timestamp xmlns:wsu="..." wsu:Id="...">...

I then added the default (wsu) namespace to the request:

<wsu:Timestamp xmlns="..." xmlns:wsu="..." wsu:Id="...">...

and it verifies fine (it removes the default namespace). However, if I use Axis 
after I add the default namespace, it converts it to:

<Timestamp xmlns="..." xmlns:wsu="..." wsu:Id>...

Although this is semantically equivalent XML, from what little I know about 
canonicalization, this will break signature verification.

http://www.ibm.com/developerworks/xml/library/x-c14n/

"I mentioned the potential variance caused by the choice of prefixes. XML 
Namespaces stipulates that prefixes are inconsequential, and so two files that 
vary only in choice of namespace prefixes should be treated as the same. 
Unfortunately, c14n does not cover this case. Some perfectly valid XML 
processing operations may modify prefixes, so beware of this potential issue."

So I think this issue should be raised with Axis and closed here.

Colm.
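The behaviour Colm describes can be reproduced with a small serializer that applies the one exclusive-c14n rule at issue here: an element only emits namespace declarations for prefixes it visibly utilizes (its own prefix and those of its attributes). This is an added example, not WSS4J, Axis or OWSM code, and it is a reduced re-implementation for illustration rather than a complete Exclusive XML Canonicalization (no PrefixList, no xml:* inheritance, no comments or document subsets). The three sample elements are constructed from the Timestamp quoted in the issue; the Axis form assumes the child elements keep their wsu prefix, and SHA-256 stands in for whatever DigestMethod the real signature used.

```python
# Added example (not WSS4J or Axis code): a reduced exclusive-c14n style
# serializer implementing only the "visibly utilized" namespace rule,
# attribute ordering and escaping. Enough to show why an unused default
# namespace is harmless while a prefix rewrite breaks the digest.
import hashlib
import xml.dom.minidom as minidom

# Sample messages constructed from the Timestamp element quoted in WSS-181.
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DT = "http://www.w3.org/2001/XMLSchema/dateTime"
ID = "Timestamp-iZia05BtcBfzdM8WfpM1fA22"
CHILDREN = (f'<wsu:Created ValueType="{DT}">2009-04-20T17:09:24Z</wsu:Created>'
            f'<wsu:Expires ValueType="{DT}">2009-04-20T17:14:24Z</wsu:Expires>')

# 1. what the sender signed
SIGNED = f'<wsu:Timestamp xmlns:wsu="{WSU}" wsu:Id="{ID}">{CHILDREN}</wsu:Timestamp>'
# 2. same element with an unused default namespace declaration added in transit
RECEIVED = f'<wsu:Timestamp xmlns:wsu="{WSU}" xmlns="{WSU}" wsu:Id="{ID}">{CHILDREN}</wsu:Timestamp>'
# 3. the form Axis is described as producing: element moved onto the default prefix
#    (assumption: the children keep their wsu prefix)
AXIS = f'<Timestamp xmlns="{WSU}" xmlns:wsu="{WSU}" wsu:Id="{ID}">{CHILDREN}</Timestamp>'


def _esc_text(s):
    return (s.replace('&', '&amp;').replace('<', '&lt;')
             .replace('>', '&gt;').replace('\r', '&#xD;'))


def _esc_attr(s):
    return (s.replace('&', '&amp;').replace('<', '&lt;').replace('"', '&quot;')
             .replace('\t', '&#x9;').replace('\n', '&#xA;').replace('\r', '&#xD;'))


def _prefix(qname):
    return qname.split(':', 1)[0] if ':' in qname else ''


def _serialize(elem, in_scope, rendered, out):
    # Split declarations (xmlns, xmlns:p) from ordinary attributes.
    decls, attrs = {}, []
    for name, value in elem.attributes.items():
        if name == 'xmlns':
            decls[''] = value
        elif name.startswith('xmlns:'):
            decls[name[6:]] = value
        else:
            attrs.append((name, value))
    in_scope = {**in_scope, **decls}

    # Visibly utilized prefixes: the element's own plus those of prefixed attributes.
    # An unprefixed attribute is in no namespace, so it never utilizes the default.
    used = {_prefix(elem.tagName)}
    used.update(_prefix(n) for n, _ in attrs if ':' in n)

    # Emit a declaration only if an output ancestor has not already emitted
    # the same prefix -> URI binding. Unused declarations are simply dropped.
    rendered = dict(rendered)
    ns_out = []
    for p in sorted(used):
        uri = in_scope.get(p, '' if p == '' else None)
        if uri is None:
            raise ValueError(f'prefix {p!r} is used but not declared')
        if rendered.get(p, '') != uri:
            ns_out.append(('xmlns' if p == '' else 'xmlns:' + p, uri))
            rendered[p] = uri

    # c14n attribute order: namespace URI, then local name (unnamespaced first).
    attrs.sort(key=lambda a: (in_scope.get(_prefix(a[0]), '') if ':' in a[0] else '',
                              a[0].split(':')[-1]))

    out.append('<' + elem.tagName)
    for n, v in ns_out + attrs:
        out.append(f' {n}="{_esc_attr(v)}"')
    out.append('>')
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            _serialize(child, in_scope, rendered, out)
        elif child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            out.append(_esc_text(child.data))
        # comments and processing instructions are dropped (c14n without comments)
    out.append('</' + elem.tagName + '>')


def exc_c14n(xml_text):
    """Canonical form of the document element under the reduced rules above."""
    doc = minidom.parseString(xml_text)
    out = []
    _serialize(doc.documentElement, {}, {}, out)
    return ''.join(out)


def digest(xml_text):
    # SHA-256 is illustrative; the issue does not state the signature's DigestMethod.
    return hashlib.sha256(exc_c14n(xml_text).encode('utf-8')).hexdigest()


def digest_matches(signed_xml, received_xml):
    """What a verifier effectively checks for a signed reference."""
    return digest(signed_xml) == digest(received_xml)


if __name__ == '__main__':
    for label, doc in (('signed', SIGNED), ('received', RECEIVED), ('axis', AXIS)):
        print(f'{label:8s} match={digest_matches(SIGNED, doc)}  {exc_c14n(doc)[:60]}...')
```

Running it shows the received form canonicalizing to exactly the signed bytes (the added `xmlns="..."` is not visibly utilized and disappears), whereas the Axis rewrite yields `<Timestamp xmlns="..." ...>`, a different byte string and therefore a different digest, even though both documents have the same infoset. That is the gap in the DeveloperWorks quote above: canonicalization normalizes declarations, not the choice of prefix.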

> Signature verification should not fail due to default namespaces added after 
> signing when using exclusive canonicalization
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: WSS-181
>                 URL: https://issues.apache.org/jira/browse/WSS-181
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.5.7
>         Environment: tomcat + axis 1.4 + wss4j 1.5.7
>            Reporter: Nitin Handa
>            Assignee: Ruchith Udayanga Fernando
>            Priority: Blocker
>         Attachments: wss4j.log
>
>
> Signature verification failing but it should not when using exclusive 
> canonicalization.
> Below timestamp element was signed by owsm:-
> <wsu:Timestamp 
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>  wsu:Id="Timestamp-iZia05BtcBfzdM8WfpM1fA22">
> <wsu:Created 
> ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-20T17:09:24Z</wsu:Created>
> <wsu:Expires 
> ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-20T17:14:24Z</wsu:Expires></wsu:Timestamp>
> while below timestamp element was received by wss4j:-
> <wsu:Timestamp 
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>  
> *xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>  *wsu:Id="Timestamp-iZia05BtcBfzdM8WfpM1fA22">
> <wsu:Created 
> ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-20T17:09:24Z</wsu:Created>
> <wsu:Expires 
> ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-20T17:14:24Z</wsu:Expires></wsu:Timestamp>
>  
> note that default namespace is also there so wss4j verification failed while 
> it should be ignored as this default namespace is unused.
> This same case is with STR and BST too..
> Canonicalized STR & BST at wss4j end used default namespace which 
> canonicalization
