[jboss-jira] [JBoss JIRA] (WFLY-13763) WS-Sec Regression with WFLY18+ following upgrade to SAAJ 1.4
Andreas Weise (Jira)
issues at jboss.org
Wed Aug 12 11:00:00 EDT 2020
[ https://issues.redhat.com/browse/WFLY-13763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14386034#comment-14386034 ]
Andreas Weise commented on WFLY-13763:
--------------------------------------
I don't think [https://github.com/apache/santuario-java/blob/xmlsec-2.1.4/src/main/java/org/apache/xml/security/c14n/implementations/CanonicalizerBase.java#L289-L291] should be changed. Comparing instances is good there and is not the root cause. I simply tried to say that the root cause is something else (in SAAJ), which creates new instances instead of passing references.
I have no good view over the metro-saaj project, but [https://github.com/javaee/metro-saaj/commit/148757613467ee3c60ac8db364c80cc842348713] seems quite large, is part of saaj-impl 1.4.x and so is very likely related to this issue.
> WS-Sec Regression with WFLY18+ following upgrade to SAAJ 1.4
> ------------------------------------------------------------
>
> Key: WFLY-13763
> URL: https://issues.redhat.com/browse/WFLY-13763
> Project: WildFly
> Issue Type: Bug
> Components: Web Services
> Reporter: Brian Stansberry
> Assignee: Jim Ma
> Priority: Major
>
> This was reported by Andreas Weise at https://groups.google.com/g/wildfly/c/B4Gk4ljbrqE:
> After upgrading to WFLY20 we are facing a regression regarding WS-Security that was introduced with the upgrade of com.sun.xml.messaging.saaj:saaj-impl in https://issues.redhat.com/browse/WFLY-12442 with WFLY18. When downgrading com.sun.xml.messaging.saaj:saaj-impl to 1.3.x the regression is fixed also in WFLY18+. We did not locate the root cause in saaj-impl 1.4+.
> The Bug was spotted within our signing algorithm used for our SOAP Web Services (which uses javax.xml.crypto.dsig Packages).
> The Bug can be reproduced easily via https://github.com/weand/wildfly-xml-sig-reproducer, which contains the most basic reproducer code of our scenario:
> The reproducer contains a Web Service implementation which uses XML Signature and more specifically the enveloped-signature transform algorithm (https://www.w3.org/TR/xmldsig-core1/#sec-EnvelopedSignature). This standard transform algorithm basically removes the whole Signature element from the digest calculation. And that's not stable since WFLY18, as the Signature element is not removed anymore! The repo also contains an Arquillian test testing the SOAP web service response using rest-assured.
> Run good scenario: Test on WFLY17
> 1) mvn clean install -Pwfly17
> 2) Test passes
> 3) see proper 'Pre-digested input' as DEBUG output of org.apache.jcp Logger (here I pretty-formatted the XML):
> {code}
> 17:58:04,494 DEBUG [org.apache.jcp.xml.dsig.internal.DigesterOutputStream] (default task-1) Pre-digested input:
> 17:58:04,494 DEBUG [org.apache.jcp.xml.dsig.internal.DigesterOutputStream] (default task-1) <soap:Body xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" ID="Body">
> <ns1:echoResponse
> xmlns:ns1="http://reproducer.sig.xml.wildfly.weand.github.com/">
> <return>hello test</return>
> </ns1:echoResponse>
> </soap:Body>
> 17:58:04,495 DEBUG [org.apache.jcp.xml.dsig.internal.dom.DOMReference] (default task-1) Reference object uri = #Body
> 17:58:04,495 DEBUG [org.apache.jcp.xml.dsig.internal.dom.DOMReference] (default task-1) Reference digesting completed
> {code}
> Run failing scenario: Test on WFLY18+
> 1) mvn clean install (which defaults to 20.0.1.Final)
> 2) Test fails
> {code}
> [ERROR] testService(com.github.weand.wildfly.xml.sig.reproducer.test.XmlSignatureIT) Time elapsed: 0.874 s <<< FAILURE!
> java.lang.AssertionError:
> Expected: Expected text value '0FCBFaURtUN+0kxupRbO3pp93rPY+9d1bf7ffAw77lQ=' but was 'A+XljxuKgY2Va+YDk/Ho66i/+JQLeA9QoTH8kap7Zdk=' - comparing <DigestValue ...>0FCBFaURtUN+0kxupRbO3pp93rPY+9d1bf7ffAw77lQ=</DigestValue> at /Envelope[1]/Body[1]/Signature[1]/SignedInfo[1]/Reference[1]/DigestValue[1]/text()[1] to <DigestValue ...>A+XljxuKgY2Va+YDk/Ho66i/+JQLeA9QoTH8kap7Zdk=</DigestValue> at /Envelope[1]/Body[1]/Signature[1]/SignedInfo[1]/Reference[1]/DigestValue[1]/text()[1]:
> <DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">0FCBFaURtUN+0kxupRbO3pp93rPY+9d1bf7ffAw77lQ=</DigestValue>
> but: result was:
> <DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">A+XljxuKgY2Va+YDk/Ho66i/+JQLeA9QoTH8kap7Zdk=</DigestValue>
> at com.github.weand.wildfly.xml.sig.reproducer.test.XmlSignatureIT.testService(XmlSignatureIT.java:71)
> {code}
> 3) see invalid 'Pre-digested input' as DEBUG output of org.apache.jcp Logger:
> {code}
> 18:03:42,888 DEBUG [org.apache.jcp.xml.dsig.internal.DigesterOutputStream] (default task-1) Pre-digested input:
> 18:03:42,888 DEBUG [org.apache.jcp.xml.dsig.internal.DigesterOutputStream] (default task-1) <soap:Body xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" ID="Body">
> <ns1:echoResponse
> xmlns:ns1="http://reproducer.sig.xml.wildfly.weand.github.com/">
> <return>hello test</return>
> </ns1:echoResponse>
> <Signature
> xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
> <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></SignatureMethod>
> <Reference URI="#Body">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>
> <DigestValue></DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue></SignatureValue>
> </Signature>
> </soap:Body>
> 18:03:42,888 DEBUG [org.apache.jcp.xml.dsig.internal.dom.DOMReference] (default task-1) Reference object uri = #Body
> 18:03:42,888 DEBUG [org.apache.jcp.xml.dsig.internal.dom.DOMReference] (default task-1) Reference digesting completed
> {code}
> Again the digest with enveloped-signature transform algorithm works properly when downgrading saaj-impl to 1.3.x in WFLY18+.
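The signing path the issue describes (Reference URI="#Body", enveloped-signature transform, exclusive C14N, SHA-256 digest, RSA-SHA256), as an added stand-alone JDK example that is not the reproducer's or the project's code: it signs a constructed SOAP envelope with javax.xml.crypto.dsig, round-trips the document through text the way a receiving stack would see it, and validates each Reference digest separately so a transform that failed to strip the Signature element shows up as a digest mismatch rather than only as a generic signature failure. The envelope string, the "urn:example" namespace and the throwaway RSA key are constructed here.

```java
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Collections;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class EnvelopedSignatureCheck {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    // Constructed sample envelope; the Body carries the ID the Reference points at.
    static final String ENVELOPE = "<soap:Envelope xmlns:soap=\"" + SOAP + "\"><soap:Body ID=\"Body\">"
        + "<ns1:echoResponse xmlns:ns1=\"urn:example\"><return>hello test</return></ns1:echoResponse>"
        + "</soap:Body></soap:Envelope>";

    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // throwaway key
        Document doc = parse(ENVELOPE);
        Element body = (Element) doc.getElementsByTagNameNS(SOAP, "Body").item(0);
        body.setIdAttribute("ID", true); // make "#Body" resolvable for the Reference
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#Body", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        // Sign as a child of Body, i.e. the Signature is enveloped inside the referenced element.
        fac.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), body));

        // Serialize and re-parse: a fresh DOM is what the receiving side actually validates.
        Document received = parse(serialize(doc));
        ((Element) received.getElementsByTagNameNS(SOAP, "Body").item(0)).setIdAttribute("ID", true);
        Element sigEl = (Element) received.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext vc = new DOMValidateContext(kp.getPublic(), sigEl);
        XMLSignature sig = fac.unmarshalXMLSignature(vc);
        System.out.println("core validity: " + sig.validate(vc));
        // Per-reference check: a digest over input that still contains <Signature> fails here.
        for (Object o : sig.getSignedInfo().getReferences()) {
            Reference r = (Reference) o;
            System.out.println(r.getURI() + " digest valid: " + r.validate(vc));
        }
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static String serialize(Document doc) throws Exception {
        StringWriter sw = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(sw));
        return sw.toString();
    }
}
```

Running the same check against a message produced inside a SAAJ 1.4 based WildFly 18+ deployment is what distinguishes the broken pre-digest input shown in the issue from a correct one, since only Reference.validate reports the digest mismatch directly.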
--
This message was sent by Atlassian Jira
(v7.13.8#713008)