
VerifyMerlinsExamplesFifteen/TwentyThree.java samples should ignore signature-enveloping-hmac-sha1-40.xml

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: Java 1.4.2, Java 1.4.4
    • Fix Version/s: Java 1.4.5, Java 1.5
    • Component/s: Java
    • Security Level: Public (Public issues, viewable by everyone)
    • Labels: None
    • Environment: Operating System: All; Platform: All
    • Bugzilla Id: 50236

      Description

      This is a minor cleanup issue but these samples should not validate signature-enveloping-hmac-sha1-40.xml. This signature uses an insecure HMAC truncation length and since release 1.4.3, this signature causes a validation failure. See https://issues.apache.org/bugzilla/show_bug.cgi?id=47526 for more information. If you run the mega-sample target, you will see this exception embedded in the output:

      [java] org.apache.xml.security.signature.XMLSignatureException: HMACOutputLength must not be less than 160
      [java] at org.apache.xml.security.algorithms.implementations.IntegrityHmac.engineVerify(Unknown Source)
      [java] at org.apache.xml.security.algorithms.SignatureAlgorithm.verify(Unknown Source)
      [java] at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(Unknown Source)
      [java] at org.apache.xml.security.samples.signature.VerifyMerlinsExamplesFifteen.verifyHMAC(Unknown Source)
      [java] at org.apache.xml.security.samples.signature.VerifyMerlinsExamplesFifteen.main(Unknown Source)
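The check that produces the exception above, enforcing a floor on the declared HMACOutputLength before an HMAC-SHA1 XML signature is accepted, as an added illustration in Python; this is not Santuario code. The XML fragments, the key and the "canonical" SignedInfo octets are constructed for the example, the 160-bit floor is taken from the exception message in the trace, the exception class shares only its name with the one in the trace, and real verification would canonicalize SignedInfo first, which is skipped here.

```python
"""Reject truncated HMACOutputLength values before verifying an XML-DSig HMAC."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
HMAC_SHA1_URI = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
SHA1_OUTPUT_BITS = 160
MIN_HMAC_OUTPUT_BITS = 160  # floor named in the exception message on this ticket


class XMLSignatureException(Exception):
    """Same name as the Santuario exception in the trace; otherwise unrelated."""


def declared_hmac_output_length(signature_xml):
    """Return HMACOutputLength (bits) declared under ds:SignatureMethod, or None if absent."""
    root = ET.fromstring(signature_xml)
    method = root.find(f".//{{{DSIG_NS}}}SignatureMethod")
    if method is None or method.get("Algorithm") != HMAC_SHA1_URI:
        raise XMLSignatureException("SignatureMethod is not hmac-sha1")
    length_el = method.find(f"{{{DSIG_NS}}}HMACOutputLength")
    return None if length_el is None else int(length_el.text.strip())


def check_hmac_output_length(length_bits):
    """Apply the floor: a missing length means the full 160-bit MAC, anything shorter is rejected."""
    if length_bits is None:
        return SHA1_OUTPUT_BITS
    if length_bits < MIN_HMAC_OUTPUT_BITS:
        raise XMLSignatureException(
            f"HMACOutputLength must not be less than {MIN_HMAC_OUTPUT_BITS}")
    # Simplification for the example: only whole-byte lengths up to the digest size.
    if length_bits > SHA1_OUTPUT_BITS or length_bits % 8:
        raise XMLSignatureException("HMACOutputLength invalid for hmac-sha1")
    return length_bits


def verify_hmac_signature(signature_xml, key, signed_info_octets):
    """True if SignatureValue is HMAC-SHA1(key, signed_info_octets) truncated to the checked length.

    signed_info_octets is assumed to be the already canonicalized SignedInfo.
    """
    length_bits = check_hmac_output_length(declared_hmac_output_length(signature_xml))
    root = ET.fromstring(signature_xml)
    value_el = root.find(f".//{{{DSIG_NS}}}SignatureValue")
    if value_el is None or not value_el.text:
        raise XMLSignatureException("missing SignatureValue")
    expected = hmac.new(key, signed_info_octets, hashlib.sha1).digest()[: length_bits // 8]
    actual = base64.b64decode("".join(value_el.text.split()))
    return hmac.compare_digest(expected, actual)


# Constructed sample inputs (not taken from Merlin's test vectors).
KEY = b"constructed-demo-key"
SIGNED_INFO = b"<SignedInfo>constructed canonical octets</SignedInfo>"


def signature_xml(hmac_output_length, signature_value):
    """Build a minimal ds:Signature wrapper around a SignatureMethod and SignatureValue."""
    length = ("" if hmac_output_length is None
              else f"<ds:HMACOutputLength>{hmac_output_length}</ds:HMACOutputLength>")
    return (f'<ds:Signature xmlns:ds="{DSIG_NS}"><ds:SignedInfo>'
            f'<ds:SignatureMethod Algorithm="{HMAC_SHA1_URI}">{length}</ds:SignatureMethod>'
            f'</ds:SignedInfo><ds:SignatureValue>{signature_value}</ds:SignatureValue>'
            f'</ds:Signature>')


def full_length_example():
    """Untruncated HMAC-SHA1 over the constructed octets: verifies."""
    mac = base64.b64encode(hmac.new(KEY, SIGNED_INFO, hashlib.sha1).digest()).decode()
    return verify_hmac_signature(signature_xml(None, mac), KEY, SIGNED_INFO)


def truncated_example():
    """Analogue of signature-enveloping-hmac-sha1-40.xml: a correct but 40-bit MAC is refused."""
    mac = base64.b64encode(hmac.new(KEY, SIGNED_INFO, hashlib.sha1).digest()[:5]).decode()
    try:
        verify_hmac_signature(signature_xml(40, mac), KEY, SIGNED_INFO)
    except XMLSignatureException as exc:
        return str(exc)
    return "accepted"


def tampered_example():
    """Full-length MAC over different octets: the comparison fails rather than raising."""
    mac = base64.b64encode(hmac.new(KEY, b"other octets", hashlib.sha1).digest()).decode()
    return verify_hmac_signature(signature_xml(None, mac), KEY, SIGNED_INFO)


if __name__ == "__main__":
    print(full_length_example(), "|", truncated_example(), "|", tampered_example())
```

The length check runs before any MAC is computed, so a 40-bit signature is refused even when the truncated value would otherwise match, which is the behaviour the ticket says the samples must now expect.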

    People

    • Assignee: sean.mullan@oracle.com sean.mullan
    • Reporter: sean.mullan@oracle.com sean.mullan
    • Votes: 0
    • Watchers: 0