santuario-dev mailing list archives

From Raul Benito <raul.benito.gar...@gmail.com>
Subject Re: XML Security 1.1.1 vs 1.2.1
Date Fri, 20 May 2005 08:07:33 GMT
I think that your problem resides in modifying and removing the
signature from the DOM before verifying it:
in your removeXMLSignature(...) method you have:
            Node ParentNode = sigElement.getParentNode();
            ParentNode.removeChild(sigElement);
            XMLUtils.outputDOM(doc, output);
            doc = null;

            signature.addResourceResolver(resolver);

            // XMLUtils.outputDOMc14nWithComments(signature.getElement(), System.out);
            KeyInfo ki = signature.getKeyInfo();
            //Then you verify here.
The problem is when signing the signedInfo it doesn't get the parent
namespaces so it fails verifying (that's why it works without xmlns in
the parent).
You have two possible solutions:
    * Remove after verifying the signature.
    * Or setting to exclusive c14n method the signature.


Regards,




On 5/19/05, Carolyn Cole <cam156@psu.edu> wrote:
> Hello,
> 
> My answers are incorporated below.  Any additional insight would be
> appreciated.
> 
> -- Carolyn
> 
> At 05:18 AM 5/19/2005, Raul Benito wrote:
> >Excuse me,
> >  I haven't time to look in too much detail to your code, so perhaps
> >some questions are stupid ones:
> >       but why are you using offlineresolver without calling any register?.
> 
> 
> I am only using the resolver for items that are in the XML-security data
> location. I have made a slight modification to the resolver to register
> this area automatically when it initializes.
> 
> 
> >      What do you want: a detached signature (i.e. one that signs an
> >external document that it doesn't contain) or just an enveloping
> >signature? And then why are you using enveloped transformations?
> 
> 
> I really do want an enveloped signature.  The issue is not the type of
> signature, or the signature creation.  It is the fact that the signature
> does not validate under  XML Security 1.2.1 if there is a namespace in the
> root XML node.  It does validate correctly under XML Security 1.1.1.
> 
> 
> 
> >Regards,
> >
> >p.s.
> >just for clarity
> >enveloped signatures are: <thing to sign><signature/></thing to sign>,
> >enveloping signatures are:<signature><thing to sign/></signature>
> >
> >
> >
> >On 5/18/05, Carolyn Cole <cam156@psu.edu> wrote:
> > > Hello,
> > >
> > > I am currently trying to upgrade from XML Security 1.1.1 to XML
> > > Security 1.2.1.
> > >
> > > My code that previously worked to insert an enveloped signature and verify
> > > that signature in 1.1.1 now does not work.
> > >
> > > I have attached the code, which I built from the samples:
> > > UAIMSecurity.java.
> > >
> > > I have noted that the code runs under 1.2.1 if the xml does not include a
> > > name space.
> > >
> > > The other item I noted in the debug I have attached is that 1.1.1 uses my
> > > bouncy castle provider.  1.2.1 for some reason uses Sun's provider.
> > >
> > > The only difference when I run the programs is the XML security jars.
> > >
> > > I am actually using the 1.2.1 data files for the 1.1.1 run as well as the
> > > 1.2.1 run.
> > >
> > > Does anyone have any ideas on how to get 1.2.1 running?
> > >
> > > Any help would be appreciated.
> > >
> > > Thanks!
> > >
> > > -- Carolyn
> > >
> > >
> > >
> > >
> > >
> >
> >
> >--
> >http://r-bg.com
> 
> 
> 


-- 
http://r-bg.com
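
The failure mode and the two remedies described in the reply above, as an added example that is not part of the original thread or of the poster's UAIMSecurity.java. It uses the JDK's javax.xml.crypto.dsig API (Java 11+) rather than the org.apache.xml.security classes in the post; the class name, the sample document and the throwaway RSA key are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class DetachedVerifyDemo {
    static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");
    // Constructed sample: the root declares a namespace that a child Signature inherits.
    static final String XML =
        "<d:root xmlns:d=\"urn:example:constructed\"><d:item>1</d:item></d:root>";

    // Parse the sample and append an enveloped signature using the given c14n algorithm.
    static Document sign(KeyPair kp, String c14n) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(XML.getBytes("UTF-8")));
        Reference ref = FAC.newReference("", FAC.newDigestMethod(DigestMethod.SHA256, null),
            List.of(FAC.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = FAC.newSignedInfo(
            FAC.newCanonicalizationMethod(c14n, (C14NMethodParameterSpec) null),
            FAC.newSignatureMethod(SignatureMethod.RSA_SHA256, null), List.of(ref));
        FAC.newXMLSignature(si, null)
            .sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        return doc;
    }

    // Validate the signature rooted at the given ds:Signature element.
    static boolean verify(Element sig, PublicKey key) throws Exception {
        DOMValidateContext ctx = new DOMValidateContext(key, sig);
        return FAC.unmarshalXMLSignature(ctx).validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        for (String c14n : List.of(CanonicalizationMethod.INCLUSIVE, CanonicalizationMethod.EXCLUSIVE)) {
            Document doc = sign(kp, c14n);
            Element sig = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
            boolean inPlace = verify(sig, kp.getPublic());  // remedy 1: verify, then remove
            sig.getParentNode().removeChild(sig);           // SignedInfo no longer inherits xmlns:d
            boolean detached = verify(sig, kp.getPublic()); // remedy 2 depends on exclusive c14n
            System.out.println(c14n + " in-place=" + inPlace + " after-removal=" + detached);
        }
    }
}
```

Inclusive canonicalization writes every in-scope ancestor namespace onto SignedInfo, so the bytes that were signed change once the element is removed from its parent; exclusive canonicalization emits only the namespaces SignedInfo itself uses.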
