Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- Java 1.4.5, Java 1.5.1
- Security Level: Public (Public issues, viewable by everyone)
Description
The default XMLCipher canonicalizer is Inclusive XML C14N with comments. This canonicalization has the problem described in the XML Encryption spec section 4.3.3. If the encrypted element <elem> undeclares the default namespace inherited from its parent, the resulting decrypted element is missing the undeclaration and therefore the element lies in the wrong namespace.
In this example, <elem> moves from the global namespace to the http://default.com namespace.
<env:Envelope xmlns="http://default.com" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Body><elem xmlns="">11</elem></env:Body></env:Envelope>
It would be tempting to use Exclusive XML C14N, but this algorithm also has problems. It removes namespace declarations that are not visibly used. If the namespace prefix is used only in text mode, the algorithm cannot detect it.
I would argue that the best way to solve this problem is to create a non-standard canonicalization that simply emits the nodes as is. This is like a pretty-printer without indenting.
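The reporter's example, round-tripped through a canonicalizer and a namespace-aware parser, as an added example that is not part of the bug report or of Apache Santuario. It uses Python's standard-library canonicalizer (xml.etree.ElementTree.canonicalize), which implements C14N 2.0 rather than the Inclusive or Exclusive C14N algorithms the report names, but it exhibits the same two behaviours at issue: an element canonicalized as the apex of its own subtree loses its xmlns="" undeclaration, and a namespace declaration used only in text content is pruned as not visibly used. The env:Body splice models how a decryptor parses the plaintext back in place under the original parent; the urn:example:types prefix and the t:Code text are constructed for the second case.

```python
"""Why a decrypted element can land in the wrong namespace.

An XML encryptor serializes the element to be encrypted as the apex of its
own subtree, and the decryptor parses the plaintext back in place under the
original parent, where it inherits the parent's in-scope namespaces. Both
failure modes below are shown with the stdlib canonicalizer (C14N 2.0, not the
C14N 1.0 algorithms discussed in the report, but the relevant rules match).
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DEFAULT_NS = "http://default.com"      # the parent's default namespace from the report
TYPES_NS = "urn:example:types"         # constructed for the text-only prefix case


def canonicalize_for_encryption(element_xml):
    """Step 1 of encryption: canonicalize the element as a standalone subtree.

    With no output ancestor in scope, xmlns="" on the apex element has nothing
    to undeclare and is not emitted; declarations that no tag or attribute
    visibly uses are not emitted either.
    """
    return ET.canonicalize(element_xml)


def reparse_in_place(plaintext_xml):
    """Model decryption: splice the plaintext back under env:Body and parse it
    with a namespace-aware parser, so it inherits Body's in-scope namespaces.
    Returns the Clark-notation tag of the restored element."""
    envelope = (
        f'<env:Envelope xmlns="{DEFAULT_NS}" xmlns:env="{SOAP_NS}">'
        f"<env:Body>{plaintext_xml}</env:Body></env:Envelope>"
    )
    root = ET.fromstring(envelope)
    body = root.find(f"{{{SOAP_NS}}}Body")
    return body[0].tag


def undeclaration_lost():
    """Report's first case: <elem xmlns=""> loses its undeclaration.

    Returns (canonical form, tag when the original bytes are restored,
    tag when the canonical bytes are restored)."""
    original = '<elem xmlns="">11</elem>'
    canonical = canonicalize_for_encryption(original)
    return canonical, reparse_in_place(original), reparse_in_place(canonical)


def text_prefix_lost():
    """Report's second case: a prefix used only in text content is not
    'visibly used', so its declaration is pruned and t:Code can no longer be
    resolved after decryption. Marking the element QName-aware (a C14N 2.0
    feature) keeps the declaration. Returns (pruned form, kept form)."""
    original = f'<elem xmlns:t="{TYPES_NS}">t:Code</elem>'
    pruned = ET.canonicalize(original)
    kept = ET.canonicalize(original, qname_aware_tags={"elem"})
    return pruned, kept


if __name__ == "__main__":
    canonical, before, after = undeclaration_lost()
    print("canonical form handed to the cipher:", canonical)
    print("tag after restoring the original bytes:", before)
    print("tag after restoring the canonical bytes:", after)
    pruned, kept = text_prefix_lost()
    print("visibly-used pruning:", pruned)
    print("QName-aware canonicalization:", kept)
```

The first case is the namespace shift the report describes: the same bytes that parse as a no-namespace `elem` when they carry `xmlns=""` parse as `{http://default.com}elem` once the canonicalizer has dropped it, because the decryptor restores them under a parent whose default namespace is in scope. The second case shows why switching to visibly-used pruning is not a fix on its own: nothing in `<elem>t:Code</elem>` binds `t` any more, and a consumer that treats the text as a QName will fail to resolve it.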
Attachments
Issue Links
- supersedes SANTUARIO-308 Canonicalizer error when encrypting multiple elements (Closed)