[jbossws-issues] [JBoss JIRA] Updated: (JBWS-2594) X509IssuerSerial reference token creates invalid xml request

Christoph Hennes (JIRA) jira-events at lists.jboss.org
Mon Apr 6 03:53:22 EDT 2009


     [ https://jira.jboss.org/jira/browse/JBWS-2594?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christoph Hennes updated JBWS-2594:
-----------------------------------

    Description: 
If we are using WS-Security encryption with the token reference type 'x509IssuerSerial':

	<encrypt type="x509v3" alias="alias1" tokenReference="x509IssuerSerial" />

the generated XML fragment is missing the enclosing X509Data element.

Example in WS-Security 1.0 Spec:
<wsse:SecurityTokenReference>
  <ds:X509Data>
    <ds:X509IssuerSerial>
      <ds:X509IssuerName>DC=ACMECorp, DC=com</ds:X509IssuerName>
      <ds:X509SerialNumber>12345678</ds:X509SerialNumber>
    </ds:X509IssuerSerial>
  </ds:X509Data>
</wsse:SecurityTokenReference>

Generated XML fragment:

<wsse:SecurityTokenReference wsu:Id='reference-x'>
  <ds:X509SerialNumber>y</ds:X509SerialNumber>
</wsse:SecurityTokenReference>

I have investigated the class org.jboss.ws.extensions.security.element.X509IssuerSerial and think that its method public Element getElement() is the possible source of this bug. The local variable element is always overridden and any previously generated XML is lost. The code of this method is unchanged in jbossws-3.1.0.

 public Element getElement()
   {
      if (cachedElement != null)
         return cachedElement;

      Element element = doc.createElementNS(Constants.XML_SIGNATURE_NS, "ds:X509Data");
      Element issuerSerial = doc.createElementNS(Constants.XML_SIGNATURE_NS, "ds:X509IssuerSerial");
      element.appendChild(issuerSerial);

      element = doc.createElementNS(Constants.XML_SIGNATURE_NS, "ds:X509IssuerName");
      element.appendChild(doc.createTextNode(issuer));
      issuerSerial.appendChild(element);

      element = doc.createElementNS(Constants.XML_SIGNATURE_NS, "ds:X509SerialNumber");
      element.appendChild(doc.createTextNode(serial));
      issuerSerial.appendChild(element);

      cachedElement = element;
      return cachedElement;
   }


  was:
If we are using ws-security encryption with the token reference type 'x509IssuerSerial':


<wsse:SecurityTokenReference>
354 <ds:X509Data>
355 <ds:X509IssuerSerial>
356 <ds:X509IssuerName>
357 DC=ACMECorp, DC=com
358 </ds:X509IssuerName>
359 <ds:X509SerialNumber>12345678</X509SerialNumber>
360 </ds:X509IssuerSerial>
361 </ds:X509Data>



> X509IssuerSerial reference token creates invalid xml request
> ------------------------------------------------------------
>
>                 Key: JBWS-2594
>                 URL: https://jira.jboss.org/jira/browse/JBWS-2594
>             Project: JBoss Web Services
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: ws-security
>    Affects Versions: jbossws-native-3.0.5
>         Environment: JBoss Portal 2.7.2
>            Reporter: Christoph Hennes
>
> If we are using WS-Security encryption with the token reference type 'x509IssuerSerial':
> 	<encrypt type="x509v3" alias="alias1" tokenReference="x509IssuerSerial" />
> the generated XML fragment is missing the enclosing X509Data element.
> Example in WS-Security 1.0 Spec:
> <wsse:SecurityTokenReference>
>   <ds:X509Data>
>     <ds:X509IssuerSerial>
>       <ds:X509IssuerName>DC=ACMECorp, DC=com</ds:X509IssuerName>
>       <ds:X509SerialNumber>12345678</ds:X509SerialNumber>
>     </ds:X509IssuerSerial>
>   </ds:X509Data>
> </wsse:SecurityTokenReference>
> Generated XML fragment:
> <wsse:SecurityTokenReference wsu:Id='reference-x'>
>   <ds:X509SerialNumber>y</ds:X509SerialNumber>
> </wsse:SecurityTokenReference>
> I have investigated the class org.jboss.ws.extensions.security.element.X509IssuerSerial and think that its method public Element getElement() is the possible source of this bug. The local variable element is always overridden and any previously generated XML is lost. The code of this method is unchanged in jbossws-3.1.0.
>  public Element getElement()
>    {
>       if (cachedElement != null)
>          return cachedElement;
>       Element element = doc.createElementNS(Constants.XML_SIGNATURE_NS, "ds:X509Data");
>       Element issuerSerial = doc.createElementNS(Constants.XML_SIGNATURE_NS, "ds:X509IssuerSerial");
>       element.appendChild(issuerSerial);
>       element = doc.createElementNS(Constants.XML_SIGNATURE_NS, "ds:X509IssuerName");
>       element.appendChild(doc.createTextNode(issuer));
>       issuerSerial.appendChild(element);
>       element = doc.createElementNS(Constants.XML_SIGNATURE_NS, "ds:X509SerialNumber");
>       element.appendChild(doc.createTextNode(serial));
>       issuerSerial.appendChild(element);
>       cachedElement = element;
>       return cachedElement;
>    }
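
Added example (not part of the original report and not the JBossWS project's fix): a stand-alone sketch of the element construction the report describes, with one variable per node so the ds:X509Data root is what gets returned, plus a structural check that rejects the bare ds:X509SerialNumber the reported method ends up returning. The class name, method names and the DS_NS constant (standing in for Constants.XML_SIGNATURE_NS) are assumptions; the issuer and serial values are the ones from the spec example above.

```java
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class X509IssuerSerialDemo {
    // Assumed stand-in for Constants.XML_SIGNATURE_NS (the XML-DSig namespace).
    static final String DS_NS = "http://www.w3.org/2000/09/xmldsig#";

    // Builds ds:X509Data > ds:X509IssuerSerial > (X509IssuerName, X509SerialNumber).
    // Every node has its own variable, so the root reference is never overwritten.
    static Element buildX509Data(Document doc, String issuer, String serial) {
        Element x509Data = doc.createElementNS(DS_NS, "ds:X509Data");
        Element issuerSerial = doc.createElementNS(DS_NS, "ds:X509IssuerSerial");
        x509Data.appendChild(issuerSerial);

        Element issuerName = doc.createElementNS(DS_NS, "ds:X509IssuerName");
        issuerName.appendChild(doc.createTextNode(issuer));
        issuerSerial.appendChild(issuerName);

        Element serialNumber = doc.createElementNS(DS_NS, "ds:X509SerialNumber");
        serialNumber.appendChild(doc.createTextNode(serial));
        issuerSerial.appendChild(serialNumber);

        return x509Data; // the root, not the last child created
    }

    static boolean isDs(Node n, String localName) {
        return n instanceof Element && DS_NS.equals(n.getNamespaceURI())
                && localName.equals(n.getLocalName());
    }

    // Structural check for the content of a wsse:SecurityTokenReference.
    static boolean isValidIssuerSerialReference(Element e) {
        if (!isDs(e, "X509Data")) return false;
        Node is = e.getFirstChild();
        return isDs(is, "X509IssuerSerial")
                && isDs(is.getFirstChild(), "X509IssuerName")
                && isDs(is.getLastChild(), "X509SerialNumber");
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Document doc = f.newDocumentBuilder().newDocument();
        Element root = buildX509Data(doc, "DC=ACMECorp, DC=com", "12345678");
        // What the reported method caches and returns: only the last child.
        Element bare = (Element) root.getFirstChild().getLastChild();
        System.out.println("root valid: " + isValidIssuerSerialReference(root));
        System.out.println("bare serial valid: " + isValidIssuerSerialReference(bare));
    }
}
```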
