wsit / WSIT-1656

Exclusive XML Canonicalization changed in 2.2 compared to 2.1

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.2
    • Fix Version/s: None
    • Component/s: security
    • Labels:
      None
    • Environment:

      Windows 7

      Description

      After upgrading to Metro 2.2, we noticed that the exclusive XML canonicalization (StAXEXC14nCanonicalizerImpl) produces a different result compared to Metro 2.1.
      The difference in canonicalization causes a different digest to be produced. Below are examples of the canonicalization produced in 2.1 and 2.2; notice that 2.2 contains extra xmlns="" attributes in the default namespace elements. We identified that the changes were made in SVN r6737, part of the WSS1717 (WSIT-1546) fix.

      Metro 2.1:
      <S:Body xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_5003">
      <ns9:GetAllForceModuleCompositeRequest xmlns:ns9="http://metadata.dod.mil/mdr/ns/NECC-AP/JFW/rr">
      <itemsPerPage>2000</itemsPerPage>
      <includeTotalCount>true</includeTotalCount>
      <planId>94TC5</planId>
      </ns9:GetAllForceModuleCompositeRequest>
      </S:Body>

      Metro 2.2:
      <S:Body xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_5003">
      <ns9:GetAllForceModuleCompositeRequest xmlns:ns9="http://metadata.dod.mil/mdr/ns/NECC-AP/JFW/rr">
      <itemsPerPage xmlns="">2000</itemsPerPage>
      <includeTotalCount xmlns="">true</includeTotalCount>
      <planId xmlns="">94TC5</planId>
      </ns9:GetAllForceModuleCompositeRequest>
      </S:Body>

        Activity

        kumarjayanti added a comment -

        Sounds like one of my fixes is causing this regression. Can you post the details of SVN r6737 here? I don't actively work on this project, but would like to fix this.

        btse added a comment -

        There were multiple file changes in r6737. I think the specific changes that caused the bug were in:
        com.sun.xml.wss.impl.c14n.StAXEXC14nCanonicalizerImpl.writeNamespace(String, String)
        where the original empty prefix and namespace check was removed.

        Please note that there are specific cases, per W3C, where xmlns="" is necessary.
        Reference: http://www.w3.org/TR/xml-exc-c14n/#sec-Specification
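
A diagnostic sketch for the difference reported in this issue, added here as an example (it is not code from Metro or from any commenter): it scans serialized canonical output for xmlns="" on elements where no ancestor in the same output declares a non-empty default namespace, and shows that the two forms hash differently. The sample bytes are constructed from the two listings in the description with line breaks omitted; the function names, the NEEDED sample and the use of SHA-256 are assumptions.

```python
import hashlib
import xml.parsers.expat

def superfluous_undeclarations(canonical: bytes) -> list:
    """Names of elements that carry xmlns="" although no ancestor in the
    same output declares a non-empty default namespace."""
    in_scope = [""]   # default namespace visible at each depth of the output
    flagged = []

    def start(name, attrs):
        declared = attrs.get("xmlns")   # None when the element has no xmlns=
        if declared == "" and in_scope[-1] == "":
            flagged.append(name)        # nothing to undeclare here
        in_scope.append(in_scope[-1] if declared is None else declared)

    parser = xml.parsers.expat.ParserCreate()   # no namespace processing:
    parser.StartElementHandler = start          # xmlns shows up as an attribute
    parser.EndElementHandler = lambda name: in_scope.pop()
    parser.Parse(canonical, True)
    return flagged

def digest(canonical: bytes) -> str:
    # SHA-256 is an assumption; the issue does not name the digest algorithm.
    return hashlib.sha256(canonical).hexdigest()

def body(undecl: str) -> bytes:
    # Constructed from the listings in the description, without line breaks.
    return (
        '<S:Body xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/'
        'oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_5003">'
        '<ns9:GetAllForceModuleCompositeRequest '
        'xmlns:ns9="http://metadata.dod.mil/mdr/ns/NECC-AP/JFW/rr">'
        f'<itemsPerPage{undecl}>2000</itemsPerPage>'
        f'<includeTotalCount{undecl}>true</includeTotalCount>'
        f'<planId{undecl}>94TC5</planId>'
        '</ns9:GetAllForceModuleCompositeRequest></S:Body>'
    ).encode()

METRO_21, METRO_22 = body(""), body(' xmlns=""')
# Constructed case in which xmlns="" is needed to leave the parent's namespace.
NEEDED = b'<a xmlns="urn:example"><b xmlns=""></b></a>'

if __name__ == "__main__":
    for label, doc in (("2.1", METRO_21), ("2.2", METRO_22), ("needed", NEEDED)):
        print(label, digest(doc)[:16], superfluous_undeclarations(doc))
```

Running the same check over the bytes a sender actually digested and the bytes the receiver recomputed shows whether a digest mismatch comes from this namespace difference or from something else.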

        symonchang added a comment -

        This is a regression, and should be fixed in this release.

        btse added a comment -

        Bump.
        Can this be included in upcoming releases?

        hle added a comment -

        Is there any update on this? We cannot upgrade from version 2.1.1 due to this regression.


          People

          • Assignee:
            symonchang
            Reporter:
            btse
          • Votes:
            3
            Watchers:
            4