Details
- Type: Bug
- Status: Closed
- Priority: Critical
- Resolution: Fixed
- Version: 2.2.3
- None
Description
I have run into a problem with documents signed by WSS4J 2.2.3: the "other side" is rejecting some of the documents signed by WSS4J 2.2.3.
After some investigation I managed to reproduce it and make WSS4J reject its own signed documents.
The problem can be reproduced quite easily with a modified org.apache.wss4j.dom.message.SignatureTest:
I have copy-pasted the method testSignedTimestamp() and modified it slightly. This is the full source code of the new method:
```java
@Test
public void testSignedTimestamp1() throws Exception {
    Document doc = SOAPUtil.toSOAPPart(SAMPLE_SOAP_MSG_WSU_NS);
    WSSecHeader secHeader = new WSSecHeader(doc);
    secHeader.insertSecurityHeader();

    WSSecTimestamp timestamp = new WSSecTimestamp(secHeader);
    timestamp.setTimeToLive(300);
    timestamp.build();

    WSSecSignature builder = new WSSecSignature(secHeader);
    builder.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
    // Makes no difference, tested with it and without it.
    // Added to test because my code sets it to false
    // builder.setAddInclusivePrefixes(false);

    WSEncryptionPart encP = new WSEncryptionPart("Timestamp", WSConstants.WSU_NS, "");
    builder.getParts().add(encP);

    builder.prepare(crypto);
    List<javax.xml.crypto.dsig.Reference> referenceList =
        builder.addReferencesToSign(builder.getParts());
    builder.computeSignature(referenceList, false, null);

    String outputString = XMLUtils.prettyDocumentToString(doc);
    if (LOG.isDebugEnabled()) {
        LOG.debug("After Signing....");
        LOG.debug(outputString);
    }

    // !!!!
    // Makes all the difference: validating the just-signed document works,
    // validating the serialized and parsed document does not
    Document doc2 = SOAPUtil.toSOAPPart(outputString);
    // Document doc2 = doc;
    verify(doc2);
}

public static final String SAMPLE_SOAP_MSG_WSU_NS =
    "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
    + "<SOAP-ENV:Envelope "
    + "xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" "
    + "xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" "
    + "xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" "
    // !!!!
    // Makes all the difference: uncomment it and validating the serialized
    // and parsed document fails
    // + "xmlns:u=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\" "
    + ">"
    + "<SOAP-ENV:Body>"
    + "<add xmlns=\"http://ws.apache.org/counter/counter_port_type\">"
    + "<value xmlns=\"\">15</value>"
    + "</add>"
    + "</SOAP-ENV:Body>"
    + "</SOAP-ENV:Envelope>";
```
Important parts marked with '!!!!' comments:
- You need to verify the document after it has been serialized and parsed back. Then the verification fails. Verifying the signed document "in memory" succeeds.
- The original document to be signed must have the WSU_NS namespace declared, with some prefix other than 'wsu', on any ancestor of the wsse:Security element to be inserted.