Details
- Type: Bug
- Status: Resolved
- Priority: Minor
- Resolution: Not A Problem
Description
Consider the attached code. This produces a valid enveloped signature in Java 8. On Java 11+ an invalid enveloped signature is produced because the Signature element itself is canonicalized and signed.
The issue stems from `com.sun.org.apache.xml.internal.security.c14n.implementations.CanonicalizerBase`,
specifically the `canonicalizeSubTree(Node currentNode, NameSpaceSymbTable ns, Node endnode, int documentLevel)` method.
This method in Java 11+ canonicalizes the Signature element as well. This makes the whole signature invalid.
The reason the `Signature` node gets canonicalized is that the condition `if (currentNode == excludeNode)` evaluates to `false` for the Signature node.
This is because at runtime `currentNode` is an instance of `com.sun.org.apache.xerces.internal.dom.ElementNSImpl`, while `excludeNode` is an instance of `com.sun.xml.messaging.saaj.soap.impl.ElementImpl`.
Workaround:
- pass the parent node of the node you are signing to DOMSignContext
- after signing move the signature into the node that was signed as the last child
Note:
- I am using jaxws-ri v2.3.2 dependency for the SOAP classes
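The following is an added, self-contained example written for this page; it is not the reporter's attached code. It builds a SOAP 1.1 message with SAAJ, signs the Body with an enveloped `ds:Signature` through the JDK's `javax.xml.crypto.dsig` API, and runs both placements side by side: the naive one (`DOMSignContext` parented on the Body, the node being signed) and the two-step workaround from the report (parent the Signature on the Body's parent, then move it into the Body as the last child). Verification re-parses the serialized bytes with plain JAXP, which is what a receiving side sees, rather than validating inside the SAAJ DOM. The `wsu:Id` attribute, the `urn:example` payload, the RSA-SHA256 algorithm choice and the class/method names are this example's own assumptions; the report does not say how the attached code references the signed node. It assumes `javax.xml.soap` is on the classpath (jaxws-ri 2.3.2 as in the report, or `javax.xml.soap-api` plus `saaj-impl`), since Java 11+ no longer ships it.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.soap.MessageFactory;
import javax.xml.soap.SOAPBody;
import javax.xml.soap.SOAPMessage;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

// Added example (not the reporter's attachment): enveloped signature over a SAAJ SOAP Body,
// naive placement vs. the parent-then-move workaround described in the report.
public class EnvelopedBodySignature {
    static final String SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    // Assumed: WS-Security utility namespace used for the Id attribute on the Body.
    static final String WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** Signs the SOAP Body; the finished ds:Signature ends up inside the Body in both modes. */
    static void signBody(SOAPMessage msg, KeyPair kp, boolean workaround) throws Exception {
        SOAPBody body = msg.getSOAPBody();
        body.setAttributeNS(WSU_NS, "wsu:Id", "body");
        body.setIdAttributeNS(WSU_NS, "Id", true);   // lets the "#body" Reference resolve via getElementById

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#body",
                fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(RSA_SHA256, null),
                Collections.singletonList(ref));
        XMLSignature sig = fac.newXMLSignature(si, null);

        // Naive: the Signature's parent is the Body, i.e. the subtree being digested, so the
        // enveloped transform has to exclude it (the identity check the report says fails under SAAJ).
        // Workaround step 1: parent the Signature on the Body's parent (the Envelope) instead,
        // so the Body is digested without any Signature in it.
        Element parent = workaround ? (Element) body.getParentNode() : body;
        DOMSignContext ctx = new DOMSignContext(kp.getPrivate(), parent);
        ctx.setIdAttributeNS(body, WSU_NS, "Id");
        sig.sign(ctx);

        if (workaround) {
            // Workaround step 2: move the finished Signature into the signed Body as its last child.
            // A verifier applying the enveloped transform removes it again before digesting.
            Node sigEl = parent.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
            body.appendChild(sigEl);
        }
    }

    /** Serializes the message and validates it from a fresh, plain JAXP DOM, as a receiver would. */
    static boolean verifySerialized(SOAPMessage msg, PublicKey pub) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        msg.writeTo(out);
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE surface
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(out.toByteArray()));

        Element bodyEl = (Element) doc.getElementsByTagNameNS(SOAP11_NS, "Body").item(0);
        Element sigEl = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext vctx = new DOMValidateContext(pub, sigEl);
        vctx.setIdAttributeNS(bodyEl, WSU_NS, "Id");   // the re-parsed DOM has no ID typing yet
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        return fac.unmarshalXMLSignature(vctx).validate(vctx);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        for (boolean workaround : new boolean[] {false, true}) {
            SOAPMessage msg = MessageFactory.newInstance().createMessage();   // SOAP 1.1 envelope
            // Constructed payload so the Body is not empty.
            msg.getSOAPBody().addChildElement("Order", "ex", "urn:example").addTextNode("42");
            signBody(msg, kp, workaround);
            System.out.println((workaround ? "workaround" : "naive")
                    + ": valid=" + verifySerialized(msg, kp.getPublic()));
        }
    }
}
```

Per the report, the naive run is the one expected to print `valid=false` on Java 11+ with SAAJ, while the workaround run should print `valid=true`; on a plain JAXP DOM (no SAAJ wrappers) both placements validate, because the `currentNode == excludeNode` comparison then holds. Validating from the serialized bytes rather than the in-memory SAAJ tree matters for the same reason: it is the only check that reflects what the peer will actually see.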