[jboss-dev-forums] [Design of JBoss Web Services] - Signatures and CRs
alessio.soldano@jboss.com
do-not-reply at jboss.com
Mon Feb 25 09:59:42 EST 2008
Hi Folks,
I spent some time on http://jira.jboss.org/jira/browse/JBWS-2011. I think there aren't straightforward solutions for this; maybe somebody else has an interesting idea ;-)
Here is my analysis: the reason why the signature verification fails when signing messages containing CR (\r, i.e. #x0d) is that the WS-Security implementation works with the SOAP message element that is created by parsing the incoming XML message. As you can read here http://www.w3.org/TR/REC-xml/#sec-line-ends, CRs must be converted to line feeds when parsing. Xerces does this, of course, so the message bytes change and the signature (which is obtained using the message containing the CR) is no longer valid when the request message is processed on the server side.
We might strip out CRs from messages before signing, but that would be a poor fix since third-party implementations could still produce signatures over messages containing CRs.
Btw, if you're wondering whether this should be handled by the canonicalization happening before the actual signature is computed, here http://www.w3.org/TR/2001/REC-xml-c14n-20010315#Example-Chars is an example showing that the CR is processed and not discarded (we actually use Exclusive XML Canonicalization, but AFAIK this shouldn't change anything).
Fortunately this issue only happens when the message is not encrypted. Signature+encryption prevents this since the XML parser works with the encrypted element data.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4131875#4131875
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4131875
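The mechanism described in the post above, as an added example that is not JBossWS code and not part of the original thread. It shows, with constructed sample messages, that a literal CR in a text node is turned into LF by the parser (XML 1.0, section 2.11), that a CR written as the character reference &#xD; survives parsing, and that the canonical form of the literal-CR message therefore ends up identical to the LF-only message, so a digest taken over content that still contained the CR cannot match. It assumes Python 3.8+ and uses the standard library's xml.etree.ElementTree.canonicalize, which implements C14N 2.0 rather than the Exclusive C14N 1.0 WS-Security uses; the only property relied on, that a CR in text content is emitted as &#xD;, is common to both.

```python
# Added example, not code from the JBossWS project or the original post.
# Demonstrates the mechanism behind JBWS-2011: an XML parser rewrites a
# literal CR (#xD) in the input to LF, so whatever was signed over a tree
# that still contained the CR no longer matches what the receiver
# canonicalizes.  Requires Python 3.8+ (xml.etree.ElementTree.canonicalize).
# Assumption: the stdlib canonicalizer implements C14N 2.0, not the
# Exclusive C14N 1.0 used by WS-Security; both write a CR in text content
# as the character reference &#xD;, which is the only property relied on.
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample messages (not real SOAP traffic): same logical content,
# three different representations of the line break on the wire.
LITERAL_CR = b"<msg>line1\r\nline2</msg>"     # raw CR LF in the text node
ESCAPED_CR = b"<msg>line1&#xD;\nline2</msg>"  # CR as a char ref (C14N style)
NO_CR = b"<msg>line1\nline2</msg>"            # LF only


def serialize_default(text: str) -> bytes:
    """What a signer's in-memory element looks like on the wire when the
    default (non-canonical) serializer is used: the CR is written raw."""
    el = ET.Element("msg")
    el.text = text
    return ET.tostring(el)


def parsed_text(xml_bytes: bytes) -> str:
    """Text content as the parser delivers it: a literal CR LF or lone CR
    becomes a single LF, while a CR produced by &#xD; is kept."""
    return ET.fromstring(xml_bytes).text


def canonical(xml_bytes: bytes) -> str:
    """Canonical form of the parsed document, as a verifier computes it."""
    return ET.canonicalize(xml_data=xml_bytes.decode("utf-8"))


def digest(xml_bytes: bytes) -> str:
    """SHA-256 over the canonical form: the quantity an XML-DSig Reference
    digest (and hence the signature) protects."""
    return hashlib.sha256(canonical(xml_bytes).encode("utf-8")).hexdigest()


def stable_across_hop(xml_bytes: bytes) -> bool:
    """True if re-parsing and re-canonicalizing the canonical form yields the
    same string, i.e. a digest over this form survives a network hop."""
    c = canonical(xml_bytes)
    return canonical(c.encode("utf-8")) == c


def demo() -> dict:
    """Collect the observations the post describes in one place."""
    wire = serialize_default("line1\r\nline2")
    return {
        "raw_cr_on_wire": b"\r" in wire,
        "receiver_text": parsed_text(wire),
        "escaped_text": parsed_text(ESCAPED_CR),
        "cr_lost": digest(LITERAL_CR) == digest(NO_CR),
        "differs_from_escaped": digest(LITERAL_CR) != digest(ESCAPED_CR),
        "escaped_form_stable": stable_across_hop(ESCAPED_CR),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The last two observations are the practical point: once the receiver has parsed the message, the literal-CR and LF-only variants are indistinguishable, whereas a message whose CR was serialized as &#xD; canonicalizes to the same string on both sides, so a signer that transmits what it canonicalized (rather than a raw serialization of a CR-bearing tree) does not hit the mismatch.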