Signature validation error appears in the APIM Gateway logs when attempting to receive a signed a SOAP request

Article ID: 42904


Products

STARTER PACK-7
CA Rapid App Security
CA API Gateway

Issue/Introduction

Problem:

When a SOAP request is signed using the XML Canonicalization 1.0 (inclusive C14N) transform algorithm, http://www.w3.org/TR/2001/REC-xml-c14n-20010315, as a ds:Transform on a signed reference, the Gateway rejects the signature and writes the following to the Gateway log:

WARNING 173 com.l7tech.security.xml.processor.WssProcessorImpl: Signature not valid. null Element : java.lang.NullPointerException

WARNING 173 com.l7tech.server.message: Message was not processed: Bad Request (400)

Cause:

In version 6.1.5 and later, the Gateway's WS-Security processing was hardened against XML bomb (entity expansion) attacks by restricting the list of permitted transform algorithms. The following transform algorithms are no longer accepted, so a signature whose ds:Reference uses any of them fails validation with the error above:

http://www.w3.org/2000/09/xmldsig#base64
http://www.w3.org/TR/2000/CR-xml-c14n-20001026
http://www.w3.org/TR/2000/CR-xml-c14n-20001026#WithComments
http://www.w3.org/TR/2000/WD-xml-c14n-20000601
http://www.w3.org/TR/2000/WD-xml-c14n-20000613
http://www.w3.org/TR/2000/WD-xml-c14n-20001011
http://www.w3.org/TR/2000/WD-xml-c14n-20001011#WithComments
http://www.w3.org/TR/2001/REC-xml-c14n-20010315
http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments

Resolution:

You can re-enable the inclusive C14N transform through the cluster-wide property (CWP) security.xml.dsig.permittedTransformAlgorithms by setting it to the following comma-separated value. Only the last entry, http://www.w3.org/TR/2001/REC-xml-c14n-20010315, is one of the removed algorithms; the other entries are the transforms that remain permitted and must be kept, because the property value replaces the built-in list rather than extending it. Add only the removed transforms your clients actually require:

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform,http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-swa-profile-1.0#Attachment-Complete-Transform,http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-swa-profile-1.0#Attachment-Content-Only-Transform,http://www.w3.org/2000/09/xmldsig#enveloped-signature,http://www.w3.org/2001/10/xml-exc-c14n#,http://www.w3.org/2001/10/xml-exc-c14n#WithComments,http://www.w3.org/TR/2001/REC-xml-c14n-20010315

Note: This CWP is not listed by default in the product. It must be added manually (Manage Cluster-Wide Properties in the Policy Manager), and the Gateway must be able to read it before the policy that validates the signature runs.

Note: Re-enabling these transforms reintroduces the WS-Security weakness that the 6.1.5 change addressed, because the Gateway uses its own implementation of this transform. Where the client can be changed, the preferred fix is to have it sign with Exclusive XML Canonicalization (http://www.w3.org/2001/10/xml-exc-c14n#), which is permitted by default and does not require this CWP.
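To find out which transforms a given request would trip over before changing the CWP, the following added Python script (not part of the Gateway product or of this article) lists the ds:Transform algorithms on every ds:Reference of a signed SOAP request and compares them against the removed list and the CWP value quoted above. The sample request is constructed for the example with placeholder digest and signature values; the script does not verify the signature, it only inspects the transforms, and it refuses input that carries a DTD since a signed SOAP request has no legitimate reason to declare entities.

```python
"""Report which ds:Transform algorithms in a signed SOAP request the Gateway
would reject. Added example; not Gateway code."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Transform algorithms the article says the Gateway stopped accepting in 6.1.5.
REMOVED_IN_6_1_5 = {
    "http://www.w3.org/2000/09/xmldsig#base64",
    "http://www.w3.org/TR/2000/CR-xml-c14n-20001026",
    "http://www.w3.org/TR/2000/CR-xml-c14n-20001026#WithComments",
    "http://www.w3.org/TR/2000/WD-xml-c14n-20000601",
    "http://www.w3.org/TR/2000/WD-xml-c14n-20000613",
    "http://www.w3.org/TR/2000/WD-xml-c14n-20001011",
    "http://www.w3.org/TR/2000/WD-xml-c14n-20001011#WithComments",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
}

# The CWP value the article gives for security.xml.dsig.permittedTransformAlgorithms.
PERMITTED_BY_CWP = (
    "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform,"
    "http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-swa-profile-1.0#Attachment-Complete-Transform,"
    "http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-swa-profile-1.0#Attachment-Content-Only-Transform,"
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature,"
    "http://www.w3.org/2001/10/xml-exc-c14n#,"
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments,"
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
).split(",")

# Constructed sample: Body signed with inclusive C14N (the failing case),
# Timestamp signed with exclusive C14N. Digest/signature values are placeholders.
SAMPLE_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>2015-01-01T00:00:00Z</wsu:Created>
        <wsu:Expires>2015-01-01T00:05:00Z</wsu:Expires>
      </wsu:Timestamp>
      <ds:Signature Id="SIG-1">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#Body-1">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>AAAA</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#TS-1">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>AAAA</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>AAAA</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="Body-1"><ns:ping xmlns:ns="urn:example"/></soapenv:Body>
</soapenv:Envelope>"""


def parse_signed_soap(xml_text):
    """Parse the request, refusing any DTD: a signed SOAP message never needs one,
    and a DOCTYPE is where an entity-expansion bomb would live."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTD found in signed SOAP request; refusing to parse")
    return ET.fromstring(xml_text)


def transforms_per_reference(xml_text):
    """Map each ds:Reference URI to its ds:Transform algorithms, in document order."""
    root = parse_signed_soap(xml_text)
    result = {}
    for ref in root.iter(f"{{{DS}}}Reference"):
        algs = [t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")]
        result[ref.get("URI", "")] = algs
    return result


def check_transforms(xml_text, permitted):
    """Return (reference URI, algorithm) pairs that the given permitted set rejects."""
    rejected = []
    for uri, algs in transforms_per_reference(xml_text).items():
        rejected.extend((uri, alg) for alg in algs if alg not in permitted)
    return rejected


if __name__ == "__main__":
    # Without the CWP: the page's list minus the algorithms removed in 6.1.5.
    before = set(PERMITTED_BY_CWP) - REMOVED_IN_6_1_5
    print("Rejected without the CWP:", check_transforms(SAMPLE_REQUEST, before))
    print("Rejected with the CWP:   ", check_transforms(SAMPLE_REQUEST, set(PERMITTED_BY_CWP)))
```

Run it against a captured request (replace SAMPLE_REQUEST with the file contents) to see exactly which reference is signed with a removed transform; if only one client needs it, that client is the thing to fix, and the CWP can stay unset.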

 

Environment

Release: L7SMG299000-7.1-Mobile API Gateway-HARDWARE APPLIANCE DUAL CPU
Component: