xmlsec 2.0.x - transformer adds empty namespaces

Szymon.LUBIENIECKI

Hello,

I've been fighting with cxf 3.0.9 for more than a week and finally found a problem in the xmlsec library.

Starting from version 2.0.0 the Canonicalizer20010315_ExclOmitCommentsTransformer transformer works incorrectly.

When the list of inclusive namespaces is added, the transformer adds empty namespace declarations at the root element if the namespace is not already defined at this element.

 

So, here's an example:

inclusiveNamespaces = "SOAP-ENV ec ec1 ns0 ns1 ns11 ns2 ns4 ns9"

 

output root:

<SOAP-ENV:Body xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ec="" xmlns:ec1="" xmlns:ns0="" xmlns:ns1="" xmlns:ns11="" xmlns:ns2="" xmlns:ns4="" xmlns:ns9="" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1465203363337-2063525437">

 

 

As you can see, the empty declarations have been added, causing the calculated digest not to match, so the message is not passing the signature verification.

 

Attached are sample code and the transformation result. The example was tested with xmlsec 2.0.0 and xmlsec 2.0.6.

Old versions 1.5.7, 1.5.8 are working fine – please take a look at: Canonicalizer20010315Excl.java, starting from line 201 -> it's not adding all prefixes defined in "inclusiveNamespaces" but only those for which there's a need.

 

Please help!

 

Best regards,

Szymon

 

 


NamespaceBug.java (5K) Download Attachment
transformation-result.xml (2K) Download Attachment
Re: xmlsec 2.0.x - transformer adds empty namespaces

Colm O hEigeartaigh-2
You're actually using the streaming canonicalizers here, in which it appears that there's a bug. If you switch to use the DOM canonicalizers (the same ones as in 1.5.x) then it appears the output is OK:

// DOM-based exclusive canonicalizer (same implementation family as in 1.5.x)
org.apache.xml.security.c14n.implementations.Canonicalizer20010315Excl transformer =
    new org.apache.xml.security.c14n.implementations.Canonicalizer20010315ExclOmitComments();
// "message" is the XML string to canonicalize
InputStream stream = new ByteArrayInputStream(message.getBytes("UTF-8"));
String inclusiveNamespaces = "SOAP-ENV ec ec1 ns0 ns1 ns11 ns2 ns4 ns9";
byte[] output = transformer.engineCanonicalize(new XMLSignatureInput(stream), inclusiveNamespaces);
String result = new String(output, "UTF-8");

I'll log a JIRA for the streaming canonicalizers.

Colm.

On Mon, Jun 6, 2016 at 12:26 PM, <[hidden email]> wrote:

Hello,

I've been fighting with cxf 3.0.9 for more than a week and finally found a problem in the xmlsec library.

Starting from version 2.0.0 the Canonicalizer20010315_ExclOmitCommentsTransformer transformer works incorrectly.

When the list of inclusive namespaces is added, the transformer adds empty namespace declarations at the root element if the namespace is not already defined at this element.

 

So, here's an example:

inclusiveNamespaces = "SOAP-ENV ec ec1 ns0 ns1 ns11 ns2 ns4 ns9"

 

output root:

<SOAP-ENV:Body xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ec="" xmlns:ec1="" xmlns:ns0="" xmlns:ns1="" xmlns:ns11="" xmlns:ns2="" xmlns:ns4="" xmlns:ns9="" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1465203363337-2063525437">

 

 

As you can see, the empty declarations have been added, causing the calculated digest not to match, so the message is not passing the signature verification.

 

Attached are sample code and the transformation result. The example was tested with xmlsec 2.0.0 and xmlsec 2.0.6.

Old versions 1.5.7, 1.5.8 are working fine – please take a look at: Canonicalizer20010315Excl.java, starting from line 201 -> it's not adding all prefixes defined in "inclusiveNamespaces" but only those for which there's a need.

 

Please help!

 

Best regards,

Szymon

 

 




--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
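
Added example (not from the thread and not xmlsec code): a small Python model of how exclusive canonicalization picks the namespace declarations for the start tag quoted above, and why the extra empty declarations break the digest. The function names, the emit_unbound switch and the SHA-256 choice are assumptions made for illustration; the in-scope bindings are constructed from the quoted output.

```python
import hashlib

# Constructed from the start tag quoted in the thread: the only prefixes
# actually bound in scope at <SOAP-ENV:Body>.
IN_SCOPE = {
    "SOAP-ENV": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
PREFIX_LIST = "SOAP-ENV ec ec1 ns0 ns1 ns11 ns2 ns4 ns9".split()
TAG = "SOAP-ENV:Body"
ATTRS = {"wsu:Id": "XWSSGID-1465203363337-2063525437"}

def rendered_namespaces(tag, attrs, in_scope, prefix_list, parent_rendered, emit_unbound=False):
    """Declarations exclusive c14n writes on one start tag, ordered by prefix."""
    # Visibly utilized prefixes: the element's own plus those of its attributes.
    used = {name.split(":")[0] for name in [tag, *attrs] if ":" in name}
    out = {}
    for prefix in sorted(used | set(prefix_list)):
        uri = in_scope.get(prefix)
        if uri is None:
            # No binding in scope, so there is nothing to render.
            # emit_unbound=True (hypothetical switch) models the reported output.
            if emit_unbound and prefix in prefix_list:
                out[prefix] = ""
            continue
        if parent_rendered.get(prefix) != uri:  # not already declared by an output ancestor
            out[prefix] = uri
    return out

def start_tag(tag, attrs, namespaces):
    # Simplified serializer: no escaping, attributes sorted by qualified name.
    ns = "".join(f' xmlns:{p}="{u}"' for p, u in namespaces.items())
    at = "".join(f' {k}="{v}"' for k, v in sorted(attrs.items()))
    return f"<{tag}{ns}{at}>"

def digest(fragment):
    # SHA-256 is an assumption; the thread does not name the digest algorithm.
    return hashlib.sha256(fragment.encode("utf-8")).hexdigest()

def compare():
    """Return (expected tag, tag as reported in the thread, digests equal?)."""
    expected = start_tag(TAG, ATTRS, rendered_namespaces(TAG, ATTRS, IN_SCOPE, PREFIX_LIST, {}))
    reported = start_tag(TAG, ATTRS, rendered_namespaces(TAG, ATTRS, IN_SCOPE, PREFIX_LIST, {}, True))
    return expected, reported, digest(expected) == digest(reported)

if __name__ == "__main__":
    print(*compare(), sep="\n")
```

Because the digest is computed over the canonical bytes, a signer and verifier that disagree on even one declaration will always fail verification, which is why checking the canonical output for xmlns:prefix="" is a quick way to confirm this bug.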