Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 2.0.3
- None
- Patch
Description
Hello,
When a <ds:Signature> is created with WSS4J, it contains a <wsse:SecurityTokenReference> which uses the wsse and wsu namespaces. Those namespaces are defined "above" the <ds:Signature> tag in the XML document, so <ds:Signature> does not validate as a standalone fragment. For example:

<ds:Signature Id="SIG-3E9A9AB1F5821FE8E81429475914581153" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      <ec:InclusiveNamespaces PrefixList="wsa soapenv urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
    </ds:CanonicalizationMethod>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
    <ds:Reference URI="#id-3E9A9AB1F5821FE8E81429475914580148">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          <ec:InclusiveNamespaces PrefixList="urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
        </ds:Transform>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
      <ds:DigestValue>n1FO7gH3mlf7xwN9NV7BtdhqqNM=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#TS-3E9A9AB1F5821FE8E81429475914579144">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          <ec:InclusiveNamespaces PrefixList="wsse wsa soapenv urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
        </ds:Transform>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
      <ds:DigestValue>8IPio9C93C+IYpVOtFUX+Ig6eFQ=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#id-3E9A9AB1F5821FE8E81429475914581149">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          <ec:InclusiveNamespaces PrefixList="soapenv urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
        </ds:Transform>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
      <ds:DigestValue>T5t9Lg+/6tnL3XMUqi/XBa2RPgs=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#id-3E9A9AB1F5821FE8E81429475914581150">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          <ec:InclusiveNamespaces PrefixList="soapenv urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
        </ds:Transform>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
      <ds:DigestValue>dNjOA0ZosOLeB7R1YnBWvW5RoWI=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#id-3E9A9AB1F5821FE8E81429475914581151">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          <ec:InclusiveNamespaces PrefixList="soapenv urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
        </ds:Transform>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
      <ds:DigestValue>LqsYd2ZbZG39gMytaAfebfw0Jpc=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#id-3E9A9AB1F5821FE8E81429475914581152">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          <ec:InclusiveNamespaces PrefixList="soapenv urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
        </ds:Transform>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
      <ds:DigestValue>KBXU/UkCBosBKxaP+pPv7qFfLmw=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>CKwqqOizXZUS21GUbOK0U87u2XL+OBLj9Sfy4GaRmovCGuj8Wfm855oxbzHNaBw2rl9cFzEIUp5Pz6PKglE/KFc9E9TtKqp8aRPcRjcUvsbBZk9ntfKeJtYDF30Vsfcr6NFahCg+I2N61Mv5B622LLc7UnM8xlrUVgcBLHJwAcbX6GcQCm9hwRhO2f8n/HgHzdWW7KFw9sUQdGRyzm+k7Vhz/A6FxyqpECwIt9FWjTCaAQMo8/jS899y05UkFEFzMZy8Y6z1aODOR1W4QBp5D3+kMrG2bZHgi6UsBlCOgCH5EjolhD5grkM7wfvDbsWBw+41eswdY+at8tBhYvUFog==</ds:SignatureValue>
  <ds:KeyInfo Id="KI-3E9A9AB1F5821FE8E81429475914580146">
    <wsse:SecurityTokenReference wsu:Id="STR-3E9A9AB1F5821FE8E81429475914580147">
      <ds:X509Data>
        <ds:X509IssuerSerial>
          <ds:X509IssuerName>CN=CERT,OU=Development,O=Org,L=City,ST=State,C=US</ds:X509IssuerName>
          <ds:X509SerialNumber>13887123756357751743</ds:X509SerialNumber>
        </ds:X509IssuerSerial>
      </ds:X509Data>
    </wsse:SecurityTokenReference>
  </ds:KeyInfo>
</ds:Signature>
This is generally fine. However, when <ds:Signature> is encrypted, some other platforms (for example, some versions of .NET) have trouble validating the decrypted <ds:Signature>, since they cannot resolve the wsse and wsu namespaces (as they are not in the decrypted fragment). I suppose they should put the decrypted <ds:Signature> back into the context of the rest of the XML, but this does not happen.
I think it would be a good idea to add definitions of wsse and wsu namespaces to the <wsse:SecurityTokenReference> in order to improve compatibility with WSS implementations from other vendors. Or at least make this behaviour configurable.
The following patch always adds wsse and wsu definitions:
diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java index 0258f0c..35bd3ba 100644 --- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java +++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java @@ -181,6 +181,8 @@ public class WSSecSignature extends WSSecSignatureBase { if (!useCustomSecRef) { secRef = new SecurityTokenReference(doc); strUri = getWsConfig().getIdAllocator().createSecureId("STR-", secRef); + secRef.addWSSENamespace(); + secRef.addWSUNamespace(); secRef.setID(strUri); //
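Review bot: the two added calls bind the wsse and wsu declarations unconditionally and only on the `!useCustomSecRef` branch, so a caller-supplied SecurityTokenReference still ships without them, and the report's own fallback of making the behaviour configurable is not offered. Consider gating `secRef.addWSSENamespace();` and `secRef.addWSUNamespace();` on a configuration flag reachable from the `getWsConfig()` already used on the preceding line, and applying the same treatment to the custom-reference path so both branches produce the same self-contained fragment.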
Then:
...
<wsse:SecurityTokenReference wsu:Id="STR-906b1964-8e27-40a5-a2ed-7f4ac9dabd69" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <ds:X509Data>
    <ds:X509IssuerSerial>
      <ds:X509IssuerName>CN=CERT,OU=Development,O=Org,L=City,ST=State,C=US</ds:X509IssuerName>
      <ds:X509SerialNumber>13887123756357751743</ds:X509SerialNumber>
    </ds:X509IssuerSerial>
  </ds:X509Data>
</wsse:SecurityTokenReference>
...
As far as I can tell, the same problem is present in earlier versions (1.6) as well.
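The failure mode this report describes, as an added Python check that is not part of WSS4J or of the reporter's patch: it detects prefixes an extracted fragment uses but never declares, shows that a namespace-aware parser rejects such a fragment on its own, and then binds the missing wsse/wsu declarations on <wsse:SecurityTokenReference> the way the patch does. The fragment, its Ids and the serial number are constructed; the namespace URIs are the ones shown in the patched output above.

```python
import re
import xml.etree.ElementTree as ET

# Namespace URIs exactly as they appear in the patched WSS4J output in this report.
WSS_NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}

# Constructed sample: a WSS4J-style <ds:Signature> cut out of the envelope that declared wsse/wsu above it.
FRAGMENT = (
    '<ds:Signature Id="SIG-1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:KeyInfo Id="KI-1"><wsse:SecurityTokenReference wsu:Id="STR-1">'
    '<ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=CERT</ds:X509IssuerName>'
    '<ds:X509SerialNumber>1</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data>'
    '</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>'
)

_DECL_RE = re.compile(r"\bxmlns:([A-Za-z_][\w.-]*)\s*=")
# A prefix is "used" when it qualifies an element name (after '<' or '</') or an attribute name.
_USE_RE = re.compile(r"(?:<|\s)/?([A-Za-z_][\w.-]*):[A-Za-z_][\w.-]*")

def unbound_prefixes(xml: str) -> set:
    """Prefixes used in `xml` that no xmlns:* declaration inside the same text binds."""
    declared = set(_DECL_RE.findall(xml))
    used = {p for p in _USE_RE.findall(xml) if p not in ("xmlns", "xml")}
    return used - declared

def parses_standalone(xml: str) -> bool:
    """True when a namespace-aware parser accepts the fragment with no outer context."""
    try:
        ET.fromstring(xml)
        return True
    except ET.ParseError:  # expat reports 'unbound prefix' for wsse:/wsu: without declarations
        return False

def declare_on_element(xml: str, qname: str, ns_map: dict) -> str:
    """Add xmlns declarations for ns_map to the first <qname> start tag, as the patch does
    for <wsse:SecurityTokenReference> via addWSSENamespace()/addWSUNamespace()."""
    decls = "".join(f' xmlns:{p}="{uri}"' for p, uri in ns_map.items())
    pattern = re.compile(rf"<{re.escape(qname)}(?=[\s/>])")
    return pattern.sub(lambda m: m.group(0) + decls, xml, count=1)

def make_self_contained(xml: str) -> str:
    """Bind only the WSS prefixes that are actually unbound; an already self-contained fragment is unchanged."""
    missing = {p: WSS_NS[p] for p in sorted(unbound_prefixes(xml)) if p in WSS_NS}
    return declare_on_element(xml, "wsse:SecurityTokenReference", missing) if missing else xml
```

The regexes are a deliberate heuristic: a real parser cannot be used to find the unbound prefixes because it is exactly the parse that fails.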