From: Clive Brettingham-Moore
Date: Tue, 16 Aug 2005 14:07:37 +1000
To: security-dev@xml.apache.org
Subject: Re: xml-sec 1.3Beta1

Sean Mullan wrote:

>> The only other modification of the library I am using at the moment
>> is to parse reference lists correctly (at all?) during decryption.
>> For my application (OASIS WS-Security implementation), what ends up
>> happening with encryption is that you have an encrypted key in the
>> SOAP header using a reference list to indicate the encrypted data in
>> the body (probably not a common pattern free form encryption, but
>> pretty much the usage described in the recommendation
>> http://www.w3.org/TR/xmlenc-core/#sec-ReferenceList )
>>
>> The current implementation appears to attempt parsing validation of
>> the URI references; it is definitely broken for lists of more than
>> one element, and fails to handle relative URIs (since they can't be
>> parsed without a base URI).
>> My fix just gives up on parsing (and actually walks the list ;) I
>> haven't attempted to handle child elements, but then neither does the
>> current version.
>>
>> For the patch it's probably easiest to look at my original message
>> (it's against 1.34 but there aren't many changes):
>> http://mail-archives.apache.org/mod_mbox/xml-security-dev/200502.mbox/%3c3811.147.109.250.24.1109123868.squirrel@www.brettingham-moore.net%3e
>
> I have applied your patch, thanks for that. Please test out the 1.3 RC
> jar when it is released later this week. BTW, just FYI, but the best
> way to ensure your bug is not forgotten is to file a report at
> issues.apache.org/bugzilla (in the "security" category).
>
> --Sean

Thanks, looking forward to it.

(D'oh. I followed the contrib procedure on the site; somehow sending the email first must have given me a mental block on using bugzilla, and then there was the 'omg it's not going to make the release' panic)

C
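
The reference-list handling discussed in this thread, as an added example that is not the patch from the thread and not Apache XML Security code: it walks every `DataReference` in a `ReferenceList` and resolves each relative `#id` URI against `EncryptedData/@Id` instead of parsing it as an absolute URI. It uses only the JDK DOM API; the class name, the `resolve` method, the constructed sample message, the restriction to same-document references and the rejection of duplicate Ids are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class ReferenceListWalk {
    static final String ENC = "http://www.w3.org/2001/04/xmlenc#";
    // Constructed sample: EncryptedKey in the header, two EncryptedData in the body.
    static final String SAMPLE =
        "<Envelope xmlns:xenc='" + ENC + "'><Header><xenc:EncryptedKey>"
      + "<xenc:ReferenceList><xenc:DataReference URI='#ed-1'/>"
      + "<xenc:DataReference URI='#ed-2'/></xenc:ReferenceList>"
      + "</xenc:EncryptedKey></Header><Body>"
      + "<xenc:EncryptedData Id='ed-1'/><xenc:EncryptedData Id='ed-2'/></Body></Envelope>";

    // Resolve every DataReference in the list to exactly one EncryptedData element.
    static List<Element> resolve(Document doc, Element referenceList) {
        List<Element> targets = new ArrayList<>();
        NodeList refs = referenceList.getElementsByTagNameNS(ENC, "DataReference");
        NodeList data = doc.getElementsByTagNameNS(ENC, "EncryptedData");
        for (int i = 0; i < refs.getLength(); i++) {   // all entries, not just the first
            String uri = ((Element) refs.item(i)).getAttribute("URI");
            if (!uri.startsWith("#") || uri.length() == 1)
                throw new IllegalArgumentException("not a same-document reference: " + uri);
            String id = uri.substring(1);              // fragment only, no base URI needed
            Element match = null;
            for (int j = 0; j < data.getLength(); j++) {
                Element ed = (Element) data.item(j);
                if (!id.equals(ed.getAttribute("Id"))) continue;
                if (match != null) throw new IllegalStateException("duplicate Id: " + id);
                match = ed;
            }
            if (match == null) throw new IllegalStateException("unresolved reference: " + uri);
            targets.add(match);
        }
        return targets;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);                     // xenc elements are matched by namespace
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)));
        Element list = (Element) doc.getElementsByTagNameNS(ENC, "ReferenceList").item(0);
        System.out.println(resolve(doc, list).size() + " EncryptedData elements resolved");
    }
}
```

Failing closed on an unresolved or ambiguous reference keeps the decryptor from silently skipping, or decrypting the wrong, `EncryptedData` element.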