WSS4J
  1. WSS4J
  2. WSS-222

SignatureProcessor does not provide correct signature coverage results with STR Dereference Transform

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.8
    • Fix Version/s: 1.5.9, 1.6
    • Component/s: WSS4J Core
    • Labels:
      None

      Description

      SignatureProcessor does not report correct info when STR Dereference Transform is used. The implementation does not follow the dereference pointer to the security token and reports that the signed content is the SecurityTokenReference itself and not the referenced token. The URI in the signature part is dereferenced with no regard to the transform used in the signature part.

      This issue makes it difficult to validate signature coverage over something like an embedded SAML assertion when that assertion is also used as the key material for the signature and is referenced and signed through a SecurityTokenReference.

      1. patch.txt
        21 kB
        David Valeri

        Issue Links

          Activity

          David Valeri made changes -
          Link This issue blocks CXF-2913 [ CXF-2913 ]
          Colm O hEigeartaigh made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
          Colm O hEigeartaigh made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Colm O hEigeartaigh made changes -
          Fix Version/s 1.5.9 [ 12314133 ]
          Fix Version/s 1.6 [ 12313718 ]
          Affects Version/s 1.5.9 [ 12314133 ]
          Colm O hEigeartaigh made changes -
          Assignee Ruchith Udayanga Fernando [ ruchith ] Colm O hEigeartaigh [ coheigea ]
          David Valeri made changes -
          Field Original Value New Value
          Attachment patch.txt [ 12430436 ]
          David Valeri created issue -

            People

            • Assignee:
              Colm O hEigeartaigh
              Reporter:
              David Valeri
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development