Bug 50236 - VerifyMerlinsExamplesFifteen/Sixteen.java samples should ignore signature-enveloping-hmac-sha1-40.xml
Summary: VerifyMerlinsExamplesFifteen/Sixteen.java samples should ignore signature-env...
Status: NEW
Alias: None
Product: Security - Now in JIRA
Classification: Unclassified
Component: Signature (show other bugs)
Version: Java 1.4.2
Hardware: All All
: P2 minor
Target Milestone: ---
Assignee: XML Security Developers Mailing List
Depends on:
Reported: 2010-11-08 12:59 UTC by sean.mullan
Modified: 2010-11-08 12:59 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description sean.mullan 2010-11-08 12:59:19 UTC
This a minor cleanup issue but these samples should not validate signature-enveloping-hmac-sha1-40.xml. This signature uses an insecure HMAC truncation length and since release 1.4.3, this signature causes a validation failure. See https://issues.apache.org/bugzilla/show_bug.cgi?id=47526 for more information. If you run the mega-sample target, you will see this exception embedded in the output:

     [java] org.apache.xml.security.signature.XMLSignatureException: HMACOutputLength must not be less than 160
     [java]     at org.apache.xml.security.algorithms.implementations.IntegrityHmac.engineVerify(Unknown Source)
     [java]     at org.apache.xml.security.algorithms.SignatureAlgorithm.verify(Unknown Source)
     [java]     at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(Unknown Source)
     [java]     at org.apache.xml.security.samples.signature.VerifyMerlinsExamplesFifteen.verifyHMAC(Unknown Source)
     [java]     at org.apache.xml.security.samples.signature.VerifyMerlinsExamplesFifteen.main(Unknown Source)