JBoss Enterprise Application Platform / JBEAP-28889

XML signature implementation classloading order has been changed in JBoss EAP 7.4.9+


    • Type: Component Upgrade
    • Resolution: Unresolved
    • Priority: Major
    • Component: Web Services

      Since JBoss EAP 7.4.9 and 8.0.0, the classloading order of the XML signature implementation for application modules has changed: the org.apache.santuario.xmlsec module is now preferred over the JDK's implementation. This was caused by JBEAP-23866, which includes the WSS-661 changeset.

      As a side effect of this change in class load priority, it looks like line breaks are being inserted into XML signatures:

      JBoss EAP 7.4.8 or earlier[1]

      <?xml version="1.0" encoding="UTF-8"?><Envelope xmlns="urn:envelope">
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>/juoQ4bDxElf1M+KJauO20euW+QAvvPP0nDCruCQooM=</DigestValue></Reference></SignedInfo><SignatureValue>WY+z1yTacQ5dnkQZ++XAPpsDS4S3wYYrNVJraQBCCs85KFOYe8Z4oLweY0x4Stjz63X2ZXrWClOHl17zKTNRA6SRzYdffWdrwVpHZlxH1/XKVRodxty/n1ehVXngandqDHz15vvd1biIBUDwXi3W+1jkij/gcsVjZmB0R2EstYy0foNHd2sFRq+gZtQa7U3Vk01h9PcUrJQhM8QkghUb/vFfJ+iU6wINx18/wPkATSu/n+CfA/1o8h228CpihRCHojPxL/XHwUGSR0r7iBk7/45lzqxpONBdc1OpGsFbztG2ZTENjQ054zlvZ7fh1C3esGougSKOw/o+JgJsynaBjg==</SignatureValue><KeyInfo><KeyValue><RSAKeyValue><Modulus>vX/mlkkS+TTQSP66uIYc+wH6PgHw0zVgCZLD6gROmAUZNEhbHOr+zLJLqb69q5pEjT8siJ9+AOtSCfIvGPD6iOg2N/Iews1vQq3icA6L+6lSisjwQX2DF3Oli3Im7J639P+GvwbX7QHnSYYlmHqemBXUVzLk/5u6TGCoZDdeZavWCwWiXpsVKR/rGX2lj4UBe6X1A/DXhJXpS5FdC/EctN6gcMQC9Ma1pIsGNPSN7eQQfzpjl3pUpYijZg0bR72YxBzzhnEzKbY3ASslYEdcBjPUi2c0DsaRy9szdvBmfXGB5D6k7g5k2Ox6Ba1Cm8J5aUgDgssgFsmFcQg6bwXc0w==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue></KeyInfo></Signature></Envelope>
      

      JBoss EAP 7.4.9+ and 8.0.0+[2]

      <?xml version="1.0" encoding="UTF-8"?><Envelope xmlns="urn:envelope">
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>/juoQ4bDxElf1M+KJauO20euW+QAvvPP0nDCruCQooM=</DigestValue></Reference></SignedInfo><SignatureValue>P6velcy/Iix9WE7+eMrcHw3A1IAVt54jdSmi2n+EIBfRclMjD1yQvQcG5HvcFD4BEmg+kG3TE58T&#13;
      vcdGavBRsoxax2wUVykVAB6Xs9gZrlpCeArisan8JyfOMVrX8xgkDyG6H+yO6QVNsF6fPiQ6p9NJ&#13;
      eUNCIrzFtEmG5T6TL5rduFmkZ1Eh5blSdL8u8mTbbFYRCGTXta4E1MzxcP8PimR8WeA+qFEz1bqs&#13;
      26V0b/VoGpA52FkrM2HRua77gO5xaQafMDpczuzp+KutdpCBq8bs87nYj5xYaJiOHZlyomTv3CHf&#13;
      vpU/pWOHGuuvat6oRqFGByLVhaDghO+TpSPuYA==</SignatureValue><KeyInfo><KeyValue><RSAKeyValue><Modulus>3L3v4KkSuIm4l3v1X7RJTYDxUmIuPuvMvFI8FkDn/NEkEPMuHhD9mNqU65OOhmQZZTh3ICBLyNr6&#13;
      89EhW5K6Xw56eABhfBBZeUG3/CVGcH4Rkmf+gMd9ntiB7SSTOBG/EWenHNKbkPwWitavllgAdLD5&#13;
      X+jiqdQ0cIiPx10iwWdjOsXRC76XKxAQoKKIW4Oy8LfJvOPbwOT7Dohwri/bCdwJuUu28MQUtyve&#13;
      SzMpSafTMsHLCgZtolRS/JGBsIdAXIfDOdmwE7QzXYmherGTdAfG//Hc+DIQnSxB37M8Pxs2yw5f&#13;
      MrSRxE5iVAIxFMJciboobz0USeVNE6j023Hpbw==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue></KeyInfo></Signature></Envelope>
      

      Question:
      Is this an expected change, or is it a possible regression?

      I created a simple and small reproducer app for this issue. The attachment does not contain the customer's sensitive information, so we can share the attached code in public JIRAs.

      Steps to reproduce:

      # JDK 8 or JDK 11 can be used
      cp xml-signature-eap7.war jboss-eap-7.4.8/standalone/deployments/
      jboss-eap-7.4.8/bin/standalone.sh
      curl 127.0.0.1:8080/xml-signature/signature
      cat jboss-eap-7.4.8/configuration/signed.xml
      <omitted, we can see signed xml with no line breaks as the above [1]>

      cp xml-signature-eap7.war jboss-eap-7.4.9/standalone/deployments/
      jboss-eap-7.4.9/bin/standalone.sh
      curl 127.0.0.1:8080/xml-signature/signature
      cat jboss-eap-7.4.9/configuration/signed.xml
      <omitted, we can see signed xml with line breaks as the above [2]>
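
      As an added check (this is not the reporter's attached reproducer and not EAP or Santuario code), the following Python script compares a signed document whose base64 values are on one line, as in [1], against the same document with the 76-column CRLF wrapping seen in [2]. It reports which base64Binary elements gained line breaks and whether the decoded bytes are unchanged; XML Schema base64Binary permits whitespace inside the value, so a lenient decoder yields identical bytes for both forms. The element layout and the urn:envelope root follow the samples above; the byte values, the helper names and the wrapping helper are constructed for this example.

```python
import base64
import re
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# XML-DSig elements whose text content is base64Binary. XML Schema allows
# whitespace inside such values, so line breaks do not change the encoded bytes.
B64_ELEMENTS = ("DigestValue", "SignatureValue", "Modulus", "Exponent")


def wrap_base64(value, width=76, newline="\r\n"):
    """Re-create the formatting seen in the 7.4.9+ output: 76-character lines
    joined by CRLF (the page serialises the CR as &#13;). Constructed helper."""
    return newline.join(value[i:i + width] for i in range(0, len(value), width))


def has_line_breaks(text):
    return re.search(r"[\r\n]", text) is not None


def decode_lenient(text):
    # validate=False (the default) discards characters outside the base64
    # alphabet, so CR/LF-wrapped and unwrapped text decode to the same bytes.
    return base64.b64decode(text)


def base64_values(xml_text):
    """Map each base64Binary element name to its raw text content."""
    root = ET.fromstring(xml_text)
    return {name: (el.text or "")
            for name in B64_ELEMENTS
            for el in root.iter(f"{{{DSIG_NS}}}{name}")}


def compare_documents(before_xml, after_xml):
    """For two signatures over the same content, report per element whether
    line breaks appeared and whether the decoded bytes still match."""
    before, after = base64_values(before_xml), base64_values(after_xml)
    report = {}
    for name in sorted(set(before) | set(after)):
        b, a = before.get(name, ""), after.get(name, "")
        report[name] = {
            "line_breaks_before": has_line_breaks(b),
            "line_breaks_after": has_line_breaks(a),
            "same_bytes": decode_lenient(b) == decode_lenient(a),
        }
    return report


# --- constructed sample input (not the customer's signature) ------------------
# 256-byte values stand in for an RSA-2048 signature and modulus: their base64
# form is 344 characters, long enough to be wrapped; the 32-byte digest is not.
SIGNATURE_B64 = base64.b64encode(bytes((i * 7) % 256 for i in range(256))).decode()
MODULUS_B64 = base64.b64encode(bytes(range(256))).decode()
DIGEST_B64 = base64.b64encode(bytes(32)).decode()


def envelope(signature_value, modulus):
    """Signed envelope with the same element layout as samples [1] and [2]."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?><Envelope xmlns="urn:envelope">'
        f'<Signature xmlns="{DSIG_NS}"><SignedInfo>'
        '<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>'
        '<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
        '<Reference URI=""><Transforms>'
        '<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
        '</Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        f'<DigestValue>{DIGEST_B64}</DigestValue></Reference></SignedInfo>'
        f'<SignatureValue>{signature_value}</SignatureValue>'
        f'<KeyInfo><KeyValue><RSAKeyValue><Modulus>{modulus}</Modulus>'
        '<Exponent>AQAB</Exponent></RSAKeyValue></KeyValue></KeyInfo>'
        '</Signature></Envelope>'
    )


# "Before": one line, as in [1]. "After": wrapped with &#13; plus a newline,
# exactly as the 7.4.9+ output is serialised in [2]; the parser turns the
# character reference back into a literal CR, so the text contains "\r\n".
BEFORE_XML = envelope(SIGNATURE_B64, MODULUS_B64)
AFTER_XML = envelope(wrap_base64(SIGNATURE_B64, newline="&#13;\n"),
                     wrap_base64(MODULUS_B64, newline="&#13;\n"))

if __name__ == "__main__":
    for name, row in compare_documents(BEFORE_XML, AFTER_XML).items():
        print(f"{name:15} breaks before={row['line_breaks_before']!s:5} "
              f"after={row['line_breaks_after']!s:5} same bytes={row['same_bytes']}")
```

      Run against the two real signed.xml files from the steps above, replace BEFORE_XML and AFTER_XML with their contents; note that the keys in [1] and [2] differ, so same_bytes will be False for SignatureValue and Modulus there, while DigestValue, which does not depend on the key, is identical in both samples.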
      

              Richard Opalka (ropalka)
              Jim Ma (rhn-engineering-ema)