Uploaded image for project: 'WSS4J'
  1. WSS4J
  2. WSS-651

Incorrect signature if document has WSU_NS declared on SOAP Header or Envelope

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.2.3
    • Fix Version/s: 2.3.0, 2.2.4
    • Component/s: WSS4J Core
    • Labels:
      None

      Description

      I have run into a problem with documents signed by WSS4J 2.2.3: the "other side" is rejecting some of documents signed by WSS4J 2.2.3.

      After some investigation I could manage to reproduce it and make WSS4J reject its own signed documents.

      The problem can be reproduced quite easily with modified org.apache.wss4j.dom.message.SignatureTest:

      I have copy pasted method testSignedTimestamp() and modified it slightly. This is full source code of the new method:

       

          @Test
          public void testSignedTimestamp1() throws Exception {
              Document doc = SOAPUtil.toSOAPPart(SAMPLE_SOAP_MSG_WSU_NS);
              WSSecHeader secHeader = new WSSecHeader(doc);
              secHeader.insertSecurityHeader();
      
              WSSecTimestamp timestamp = new WSSecTimestamp(secHeader);
              timestamp.setTimeToLive(300);
              timestamp.build();
      
              WSSecSignature builder = new WSSecSignature(secHeader);
              builder.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
      
              // Makes no difference, tested with it and without it.
              // Added to test because my code sets it to false
              // builder.setAddInclusivePrefixes(false);
      
              WSEncryptionPart encP =
                  new WSEncryptionPart(
                      "Timestamp",
                      WSConstants.WSU_NS,
                      "");
              builder.getParts().add(encP);
      
              builder.prepare(crypto);
      
              List<javax.xml.crypto.dsig.Reference> referenceList =
                  builder.addReferencesToSign(builder.getParts());
      
              builder.computeSignature(referenceList, false, null);
      
              String  outputString = XMLUtils.prettyDocumentToString(doc);
      
              if (LOG.isDebugEnabled()) {
                  LOG.debug("After Signing....");
                  LOG.debug(outputString);
              }
      
              // !!!!
              // Makes all the difference: validating just signed document works,
              // validating serialized and parsed document does not
              Document  doc2 = SOAPUtil.toSOAPPart(outputString);
              // Document  doc2 = doc;
      
              verify(doc2);
          }
      
          public static final String SAMPLE_SOAP_MSG_WSU_NS =
              "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
              + "<SOAP-ENV:Envelope "
              +   "xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" "
              +   "xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" "
              +   "xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" "
              // !!!!
              // Makes all the difference: uncomment it and validating the serialized
              // and parsed document fails
              // +   "xmlns:u=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\" "
              +   ">"
              +   "<SOAP-ENV:Body>"
              +       "<add xmlns=\"http://ws.apache.org/counter/counter_port_type\">"
              +           "<value xmlns=\"\">15</value>"
              +       "</add>"
              +   "</SOAP-ENV:Body>"
              + "</SOAP-ENV:Envelope>";

       

       

      Important parts marked with '!!!!' comments:

      1. You need to verify the document after it was serialized and parsed back. Then the verification fails. Verifying the signed document "in memory" succeeds.
      2. The original, to be signed, document must have WSU_NS namespace with some prefix other than 'wsu' declared on any ancestor of the to be inserted wsse:Security

       

       

        Attachments

          Activity

            People

            • Assignee:
              coheigea Colm O hEigeartaigh
              Reporter:
              klv_m72 L
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: