XML Digital Signature throws NAMESPACE_ERR exception under OpenJDK 11 that works under Java SE 8, 9 and 10

Open eSignForms yozons at gmail.com
Fri Feb 15 20:11:57 UTC 2019 

XML namespaces are pretty confusing.  From what little I gather, 
unprefixed attributes don't belong to any namespace, not even the 
default one.

I think I can see the bug in the debugging output.

On Java 8 and 10 and 11, I'd guess that the marshaling/canonicalization 
has issues when combining differently namespaced objects.

In my working code (also works on Java 11), when my ETSI/XADES 
QualifyingProperties element is created specifying my namespace (the 
default namespace for the XML document that I'm signing), it works 
fine.  If I change my document's default namespace to be the XADES one, 
it also works.  But I cannot make them work when both are in use.  The 
reason seems to be as follows.

1) The signedXML generated looks great and sensible, with the xades 
namespace as expected.

     <ds:Object>
         <xades:QualifyingProperties Id="QualifyingProperties_ID" 
Target="#OpenESignForms_Seal" 
*xmlns:xades="http://uri.etsi.org/01903/v1.4.1#"*>
             <xades:SignedProperties>
                 <xades:SignedSignatureProperties>
<xades:SigningTime>2019-02-15T11:30:44-08:00</xades:SigningTime>
                 </xades:SignedSignatureProperties>
                 <xades:SignedDataObjectProperties>
                     <xades:DataObjectFormat 
ObjectReference="#Payload_Reference_ID">
<xades:Description>description</xades:Description>
<xades:MimeType>text/html</xades:MimeType>
                     </xades:DataObjectFormat>
                 </xades:SignedDataObjectProperties>
             </xades:SignedProperties>
         </xades:QualifyingProperties>
     </ds:Object>

2) But using the debugging options, it shows this element during SIGNING 
(presuming canonicalization) that makes /*no sense*/. It's added both 
the default namespace, the 'dsig' namespace, but doesn't include the 
xades namespace.  Wwhat does the 'xades' prefix even refer to in this 
XML for the signing digest?

     <xades:QualifyingProperties 
*xmlns="http://open.esignforms.com/XMLSchema/2011" 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"*Id="QualifyingProperties_ID" 
Target="#OpenESignForms_Seal">
         <xades:SignedProperties>
             <xades:SignedSignatureProperties>
<xades:SigningTime>2019-02-15T11:30:44-08:00</xades:SigningTime>
             </xades:SignedSignatureProperties>
             <xades:SignedDataObjectProperties>
                 <xades:DataObjectFormat 
ObjectReference="#Payload_Reference_ID">
<xades:Description>description</xades:Description>
<xades:MimeType>text/html</xades:MimeType>
                 </xades:DataObjectFormat>
             </xades:SignedDataObjectProperties>
         </xades:SignedProperties>
     </xades:QualifyingProperties>

3) And again, the debugger shows this element during VERIFICATION 
(presuming canonicalization) that is excessive, but at least makes some 
sense (though there are no default elements nor 'dsig' elements).  It's 
added all three namespaces: our default namespace, the 'dsig' namespace 
AND the 'xades' namespace.

    <xades:QualifyingProperties 
*xmlns="http://open.esignforms.com/XMLSchema/2011" 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
xmlns:xades="http://uri.etsi.org/01903/v1.4.1#"* 
Id="QualifyingProperties_ID" Target="#OpenESignForms_Seal">
         <xades:SignedProperties>
             <xades:SignedSignatureProperties>
<xades:SigningTime>2019-02-15T11:30:44-08:00</xades:SigningTime>
             </xades:SignedSignatureProperties>
             <xades:SignedDataObjectProperties>
                 <xades:DataObjectFormat 
ObjectReference="#Payload_Reference_ID">
<xades:Description>description</xades:Description>
<xades:MimeType>text/html</xades:MimeType>
                 </xades:DataObjectFormat>
             </xades:SignedDataObjectProperties>
         </xades:SignedProperties>
     </xades:QualifyingProperties

So the libraries are oddly creating two distinct canonicalized XML for 
digesting, with the signing phase seeming to miss the important 'xades' 
namespace declaration entirely.  This is no doubt why this is the only 
Reference that fails verification as the two.  I'm guessing that the 
verification digest is correct when using multiple namespaced 
objects/references, but the signing digest is not since it doesn't 
include the 'xades' namespace declaration.

This seems to hold true for Java 8, 10 and 11.  That is, by specifying 
null namespaces on atrributes, the code fails the same under under Java 
11, and the debugging output shows the same odd namespaces above.  If I 
use a single namespace, then it signs fine under Java 8, 10 and 11.

David


On 2/15/19 11:12 AM, Sean Mullan wrote:
> On 2/14/19 9:32 PM, Open eSignForms wrote:
>>
>> Yes, indeed that's the issue.  But I don't know why/how all those 
>> xmlns attributes are added, since I don't directly add them.
>>
>> I found the only way I can make it work under Java 8, 10 and 11 is to 
>> use my common namespace (XML_NAMESPACE_2011 = 
>> "http://open.esignforms.com/XMLSchema/2011") for all the XADES 
>> elements with the null namespace on all their attributes.  Even if I 
>> put that same namespace on the attributes, it then fails.
>>
>> When I do that, the signed XML generates clean looking XML like this:
>>
>>     <ds:Object>
>>         <QualifyingProperties Id="QualifyingProperties_ID" 
>> Target="#OpenESignForms_Seal">
>> <SignedProperties><SignedSignatureProperties>
>> <SigningTime>2019-02-14T17:37:39-08:00</SigningTime>
>>             </SignedSignatureProperties>
>>             <SignedDataObjectProperties>
>>                 <DataObjectFormat 
>> ObjectReference="#Payload_Reference_ID">
>> <Description>description</Description>
>>                     <MimeType>text/html</MimeType>
>>                 </DataObjectFormat>
>>             </SignedDataObjectProperties>
>>             </SignedProperties>
>>         </QualifyingProperties>
>>     </ds:Object>
>>     <ds:Object>
>>         <ds:SignatureProperties>
>>             <ds:SignatureProperty*Id="OpenESignForms_Seal_ID" 
>> Target="#OpenESignForms_Seal"*>
>>                 <OpenESignForms_XmlDigitalSignatureSeal 
>> DeploymentHostAddress="192.1.1.1" 
>> DeploymentHostName="open.esignforms.com" DeploymentId="1.1.1.1" 
>> SignerAddress="192.1.1.1" SignerAgent="No-Browser-Test" 
>> Timestamp="2019-02-14T17:37:39-08:00" Version="19.1.19"/>
>>             </ds:SignatureProperty>
>>         </ds:SignatureProperties>
>>     </ds:Object>
>>
>> But even above, as you can see, the second ds:Object shows 
>> ds:SignatureProperty, yet the Id and Target attributes do not include 
>> a 'ds:' prefix, which it's my understanding to mean that they default 
>> to our XML payload's default namespace.
>>
> I don't think that's correct, I think attributes w/o a prefix by 
> default belong to the namespace of the element in which they are 
> defined, which in this case is SignatureProperties and the dsig namespace.
>
> Regarding below, I would forget about JDK 11 for the time being and 
> focus on generating a signature with proper XMLNS definitions on JDK 
> 10. If you have any problems verifying with that on JDK 10 or prior, 
> let me know. The reason is that we will likely be restoring JDK 11 
> (and later) to the same state it was in for JDK 10. There were some 
> changes to the marshalling code in JDK 11 which is causing these and 
> other problems which will likely be backed out.
>
> --Sean
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20190215/8cbcc672/attachment.htm>

More information about the security-dev mailing list