[SANTUARIO-516] XMLSignature regression in Java 11+ when signing SOAP message with Enveloped signature and Id attribute reference - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Minor
Resolution: Not A Problem
Affects Version/s: None
Fix Version/s: None
Component/s: Java
Labels:
None

Description

Consider the attached code. This produces a valid enveloped signature in Java8. On Java 11+ an invalid enveloped signature is produced because the Signature element itself is canonicalized and signed.

The issue stems from `com.sun.org.apache.xml.internal.security.c14n.implementations.CanonicalizerBase`,
specifically the `canonicalizeSubTree(Node currentNode, NameSpaceSymbTable ns, Node endnode, int documentLevel)` method.
This method in Java 11+ canonicalizes the Signature element as well. This makes the whole signature invalid.

The reason the `Signature` node gets canonicalized is because the condition `if (currentNode == excludeNode)` is evaluated to `false` for the Signature node.
This is because at runtime `currentNode` is an instance of `com.sun.org.apache.xerces.internal.dom.ElementNSImpl`, while `excludeNode` is an instance of `com.sun.xml.messaging.saaj.soap.impl.ElementImpl`.

Workaround:

pass the parent node of the node you are signing to DOMSignContext
after signing move the signature into the node that was signed as the last child

Note:

I am using jaxws-ri v2.3.2 dependency for the SOAP classes

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

signsoap.txt
11/Dec/19 20:36
3 kB
Ivan Novak
SANTUARIO-516.zip
12/Dec/19 20:34
18 kB
Ivan Novak
SANTUARIO-516.patch
17/Dec/19 13:07
19 kB
Colm O hEigeartaigh

Activity

People

Assignee:: Colm O hEigeartaigh

Reporter:: Ivan Novak

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 11/Dec/19 20:07

Updated:: 15/Jan/20 12:11

Resolved:: 15/Jan/20 12:11