Details
Bug
Status: Closed
Minor
Resolution: Fixed
Java 1.4.2, Java 1.4.4
Security Level: Public (Public issues, viewable by everyone)
None
Operating System: All
Platform: All
50236
Description
This is a minor cleanup issue, but these samples should not validate signature-enveloping-hmac-sha1-40.xml. This signature uses an insecure HMAC truncation length and, since release 1.4.3, this signature causes a validation failure. See https://issues.apache.org/bugzilla/show_bug.cgi?id=47526 for more information. If you run the mega-sample target, you will see this exception embedded in the output:
[java] org.apache.xml.security.signature.XMLSignatureException: HMACOutputLength must not be less than 160
[java] at org.apache.xml.security.algorithms.implementations.IntegrityHmac.engineVerify(Unknown Source)
[java] at org.apache.xml.security.algorithms.SignatureAlgorithm.verify(Unknown Source)
[java] at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(Unknown Source)
[java] at org.apache.xml.security.samples.signature.VerifyMerlinsExamplesFifteen.verifyHMAC(Unknown Source)
[java] at org.apache.xml.security.samples.signature.VerifyMerlinsExamplesFifteen.main(Unknown Source)
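The check below is an added example in Python, not code from this issue or from the Santuario samples. It reproduces the rule the exception above reports: a ds:HMACOutputLength smaller than the full digest length of the HMAC SignatureMethod is rejected before any MAC bytes are compared. It goes slightly beyond the report by applying the same rule to the SHA-2 HMAC methods (an assumption), and the signature XML is a constructed stand-in, not the real signature-enveloping-hmac-sha1-40.xml.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
DSMORE_NS = "http://www.w3.org/2001/04/xmldsig-more#"

# Full digest length in bits per HMAC SignatureMethod. 160 for hmac-sha1 is the
# value in the exception above; the SHA-2 entries assume the same rule applies.
HMAC_DIGEST_BITS = {
    DS_NS + "hmac-sha1": 160,
    DSMORE_NS + "hmac-sha256": 256,
    DSMORE_NS + "hmac-sha384": 384,
    DSMORE_NS + "hmac-sha512": 512,
}


class HMACOutputLengthError(ValueError):
    """Signature requests an HMAC truncated below the digest length."""


def check_hmac_output_length(signature_xml: str) -> int:
    """Return the MAC bits to compare; raise HMACOutputLengthError like 1.4.3+ does."""
    root = ET.fromstring(signature_xml)
    method = root.find(f".//{{{DS_NS}}}SignedInfo/{{{DS_NS}}}SignatureMethod")
    if method is None:
        raise ValueError("no ds:SignatureMethod inside ds:SignedInfo")
    algorithm = method.get("Algorithm", "")
    digest_bits = HMAC_DIGEST_BITS.get(algorithm)
    if digest_bits is None:
        raise ValueError(f"not an HMAC SignatureMethod: {algorithm}")
    length_el = method.find(f"{{{DS_NS}}}HMACOutputLength")
    if length_el is None or not (length_el.text or "").strip():
        return digest_bits  # no truncation requested: the full MAC is compared
    requested = int(length_el.text.strip())
    if requested < digest_bits:
        raise HMACOutputLengthError(
            f"HMACOutputLength must not be less than {digest_bits} (got {requested})")
    return requested


# Constructed stand-in carrying the same 40-bit truncation as the rejected
# sample; it is not the real signature-enveloping-hmac-sha1-40.xml.
TRUNCATED_40_BIT = f"""<Signature xmlns="{DS_NS}">
  <SignedInfo>
    <SignatureMethod Algorithm="{DS_NS}hmac-sha1">
      <HMACOutputLength>40</HMACOutputLength>
    </SignatureMethod>
  </SignedInfo>
  <SignatureValue>AAAAAAA=</SignatureValue>
</Signature>"""
FULL_LENGTH = TRUNCATED_40_BIT.replace("<HMACOutputLength>40</HMACOutputLength>", "")
```

Running this over the samples directory before the mega-sample target flags the file the report asks to drop, without needing a key or the library's own verifier.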