Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 1.6.9
- None
- None
Description
I have an incoming request that is being rejected due to a failure in signature validation. The message has a signature over a STR (using key identifier) and is produced by a different security engine (Oracle OSB).
I suspected some issues / different implementations in the canonicalization process, so I checked logs on the client side and finally compared the canonicalized fragments being digested on both sides.
The problem is that afaics they look different, basically the fragment on server side seems to be missing the 'EncodingType' attribute in the element that's built in WSS4J (1.6.x) STRTransformUtil#createBSTX509.
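The comparison described in this report can be scripted. The following is an added example, not part of the original report and not WSS4J code: it canonicalizes two pre-digest fragments, hashes them, and lists the attributes that differ. Assumptions: the two `BinarySecurityToken` fragments and their content are constructed samples, Python's C14N 2.0 stands in for the canonicalization method the signature actually specifies, and SHA-256 stands in for its digest algorithm.

```python
import hashlib
import xml.etree.ElementTree as ET

# Standard WS-Security URIs (OASIS WSS 1.0).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

# Constructed sample fragments: the token body is a placeholder, not a certificate.
BODY = "Q09OU1RSVUNURUQ="
CLIENT = (f'<wsse:BinarySecurityToken xmlns:wsse="{WSSE}" EncodingType="{B64}" '
          f'ValueType="{X509V3}">{BODY}</wsse:BinarySecurityToken>')
SERVER = (f'<wsse:BinarySecurityToken xmlns:wsse="{WSSE}" '
          f'ValueType="{X509V3}">{BODY}</wsse:BinarySecurityToken>')


def digest(fragment, algorithm="sha256"):
    """Canonicalize a fragment (C14N 2.0, an assumption) and hash the result."""
    canonical = ET.canonicalize(fragment)
    return hashlib.new(algorithm, canonical.encode("utf-8")).hexdigest()


def attribute_diff(left, right):
    """Return (path, attribute, left_value, right_value) for every mismatch."""
    findings = []

    def walk(a, b, path):
        path = f"{path}/{a.tag}"
        if a.tag != b.tag:
            findings.append((path, "<tag>", a.tag, b.tag))
            return
        for name in sorted(set(a.attrib) | set(b.attrib)):
            if a.attrib.get(name) != b.attrib.get(name):
                findings.append((path, name, a.attrib.get(name), b.attrib.get(name)))
        if len(a) != len(b):
            findings.append((path, "<child count>", str(len(a)), str(len(b))))
        for child_a, child_b in zip(a, b):
            walk(child_a, child_b, path)

    walk(ET.fromstring(left), ET.fromstring(right), "")
    return findings


if __name__ == "__main__":
    print("client digest:", digest(CLIENT))
    print("server digest:", digest(SERVER))
    for path, name, left, right in attribute_diff(CLIENT, SERVER):
        print(f"{path} @{name}: client={left!r} server={right!r}")
```

Attribute order alone does not change the digest, because canonicalization sorts attributes; a missing attribute does.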