Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- Java 1.4.5, Java 1.5.1
- Security Level: Public (Public issues, viewable by everyone)
- None
Description
When we are encrypting multiple elements like this:
    for (int i = 0; i < elems.length; i++) {
        cipher.doFinal(doc, elems[i]);
    }
We are reusing the same canonicalizer. Unfortunately, the default canonicalizer behaves differently the first time it is called, so we get different results for identical subtrees. See the firstCall member used in Canonicalizer20010315.handleAttributesSubtree()
The sample test case reproduces this problem. The sample code encrypts the <elem> elements and decrypts them.
The input document:
<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:env="http://schemas.xlsoap.org/soap/envelope/"><env:Body><elem>11</elem><elem>22</elem></env:Body></env:Envelope>
becomes:
<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Body><elem>11</elem><elem xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">22</elem></env:Body></env:Envelope>
The XML Encryption spec says the encrypted subtree must be serialized following the rules of the XML 1.0 spec and the characters converted to bytes in UTF-8. The XML Encryption spec does not mandate a specific canonicalization. In fact, it warns in section 4.3.3 that Inclusive XML and Exclusive XML both have problems. (See SANTUARIO-309). Here the first Element encrypted is <elem>22</elem>, but I would not conclude it is serialized better than the subsequent elements.
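A regression check for the symptom shown above, as an added example that is not part of the original report or of the Santuario code base: it compares the namespace declarations written on each element before encryption and after decryption and reports any that changed. It uses only JDK classes; the class and method names are hypothetical, and the two sample documents are constructed from the output shown in the report.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class RoundTripNamespaceCheck {
    static final String XMLNS_NS = "http://www.w3.org/2000/xmlns/";
    // Constructed sample data, modelled on the decrypted output in the report.
    static final String ENV = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String BEFORE = "<env:Envelope xmlns:env=\"" + ENV + "\"><env:Body>"
            + "<elem>11</elem><elem>22</elem></env:Body></env:Envelope>";
    static final String AFTER = "<env:Envelope xmlns:env=\"" + ENV + "\"><env:Body>"
            + "<elem>11</elem><elem xmlns:env=\"" + ENV + "\">22</elem></env:Body></env:Envelope>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // xmlns attributes then carry XMLNS_NS
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** Namespace declarations written directly on e, sorted for comparison. */
    static List<String> declarations(Element e) {
        List<String> out = new ArrayList<>();
        NamedNodeMap attrs = e.getAttributes();
        for (int i = 0; i < attrs.getLength(); i++) {
            Node a = attrs.item(i);
            if (XMLNS_NS.equals(a.getNamespaceURI())) out.add(a.getNodeName() + "=" + a.getNodeValue());
        }
        Collections.sort(out);
        return out;
    }

    /** Reports every element whose own namespace declarations changed in the round trip. */
    static List<String> drift(Document before, Document after) {
        NodeList a = before.getElementsByTagName("*"), b = after.getElementsByTagName("*");
        if (a.getLength() != b.getLength()) return List.of("element count differs");
        List<String> findings = new ArrayList<>();
        for (int i = 0; i < a.getLength(); i++) {
            List<String> x = declarations((Element) a.item(i)), y = declarations((Element) b.item(i));
            if (!x.equals(y)) findings.add("element #" + i + " <" + b.item(i).getNodeName() + ">: " + x + " -> " + y);
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        drift(parse(BEFORE), parse(AFTER)).forEach(System.out::println);
    }
}
```

Run against a document saved before the encryption loop and the same document after decryption, an empty result means the serializer treated every element alike.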
Attachments
Issue Links
- is superseded by SANTUARIO-309 Default XMLCipher canonicalizer may decrypt element to the wrong namespace (Closed)