Uploaded image for project: 'WSS4J'
  1. WSS4J
  2. WSS-535

Add WSSE and WSU xmlns definitions to signature's SecurityTokenReference

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.3
    • Fix Version/s: 2.0.4, 1.6.19, 2.1.0
    • Component/s: WSS4J Core
    • Labels:
      None
    • Flags:
      Patch

      Description

      Hello,

      when <ds:Signature> is created with WSS4J, it contains <wsse:SecurityTokenReference> within it which uses wsse and wsu namespaces. Those namespaces are defined "above" <ds:Signature> tag in the XML document so <ds:Signature> does not validate as standalone fragment. For example:

      <ds:Signature Id="SIG-3E9A9AB1F5821FE8E81429475914581153" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="wsa soapenv urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
          <ds:Reference URI="#id-3E9A9AB1F5821FE8E81429475914580148">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>n1FO7gH3mlf7xwN9NV7BtdhqqNM=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#TS-3E9A9AB1F5821FE8E81429475914579144">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="wsse wsa soapenv urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>8IPio9C93C+IYpVOtFUX+Ig6eFQ=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-3E9A9AB1F5821FE8E81429475914581149">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="soapenv urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>T5t9Lg+/6tnL3XMUqi/XBa2RPgs=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-3E9A9AB1F5821FE8E81429475914581150">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="soapenv urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>dNjOA0ZosOLeB7R1YnBWvW5RoWI=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-3E9A9AB1F5821FE8E81429475914581151">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="soapenv urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>LqsYd2ZbZG39gMytaAfebfw0Jpc=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-3E9A9AB1F5821FE8E81429475914581152">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="soapenv urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>KBXU/UkCBosBKxaP+pPv7qFfLmw=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>CKwqqOizXZUS21GUbOK0U87u2XL+OBLj9Sfy4GaRmovCGuj8Wfm855oxbzHNaBw2rl9cFzEIUp5Pz6PKglE/KFc9E9TtKqp8aRPcRjcUvsbBZk9ntfKeJtYDF30Vsfcr6NFahCg+I2N61Mv5B622LLc7UnM8xlrUVgcBLHJwAcbX6GcQCm9hwRhO2f8n/HgHzdWW7KFw9sUQdGRyzm+k7Vhz/A6FxyqpECwIt9FWjTCaAQMo8/jS899y05UkFEFzMZy8Y6z1aODOR1W4QBp5D3+kMrG2bZHgi6UsBlCOgCH5EjolhD5grkM7wfvDbsWBw+41eswdY+at8tBhYvUFog==</ds:SignatureValue>
        <ds:KeyInfo Id="KI-3E9A9AB1F5821FE8E81429475914580146">
          <wsse:SecurityTokenReference wsu:Id="STR-3E9A9AB1F5821FE8E81429475914580147">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=CERT,OU=Development,O=Org,L=City,ST=State,C=US</ds:X509IssuerName>
                <ds:X509SerialNumber>13887123756357751743</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      

      This is generally fine. However, when <ds:Signature> is encrypted, some other platforms (for example, some versions of .NET) have trouble validating decrypted <ds:Signature> since they cannot resolve wsse and wsu namespaces (as they are not in the decrypted fragment). I suppose, they should put decrypted <ds:Signature> back to the context of the rest of XML but this does not happen.

      I think it would be a good idea to add definitions of wsse and wsu namespaces to the <wsse:SecurityTokenReference> in order to improve compatibility with WSS implementations from other vendors. Or at least make this behaviour configurable.

      The following patch always adds wsse and wsu definitions:

      diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java
      index 0258f0c..35bd3ba 100644
      --- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java
      +++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java
      @@ -181,6 +181,8 @@ public class WSSecSignature extends WSSecSignatureBase {
               if (!useCustomSecRef) {
                   secRef = new SecurityTokenReference(doc);
                   strUri = getWsConfig().getIdAllocator().createSecureId("STR-", secRef);
      +            secRef.addWSSENamespace();
      +            secRef.addWSUNamespace();
                   secRef.setID(strUri);
                   
                   //
      

      Then:

      ....
      <wsse:SecurityTokenReference wsu:Id="STR-906b1964-8e27-40a5-a2ed-7f4ac9dabd69" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <ds:X509Data>
              <ds:X509IssuerSerial>
      <ds:X509IssuerName>CN=CERT,OU=Development,O=Org,L=City,ST=State,C=US</ds:X509IssuerName>          <ds:X509SerialNumber>13887123756357751743</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
      
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
      ...
      

      As far as I can tell, the same problem is present in earlier versions (1.6) as well.

        Attachments

          Activity

            People

            • Assignee:
              coheigea Colm O hEigeartaigh
              Reporter:
              modax Modestas Vainius
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: