santuario-dev mailing list archives

From "Hess Yvan" <Yvan.H...@imtf.ch>
Subject RE: Version 1.4 doesn't sign XML document correctly
Date Mon, 14 Aug 2006 09:30:48 GMT
1. I opened a bug report http://issues.apache.org/bugzilla/show_bug.cgi?id=40245 to keep track
of the problem.
2. For the moment, I don't have a performance test. I plan to do it.
3. It will be great if you can send me a new jar with the correction. I will execute my test
cases and give you feedback.
4. I understand that testing with another toolkit doesn't guarantee that the used one is OK (I
also found some bugs in XSS4J in the encryption context :-) ), but if your signature is validated
with both, it should be a guarantee that the generation of the signature is correct.

Regards. Yvan

-----Original Message-----
From: raul.benito.garcia@gmail.com [mailto:raul.benito.garcia@gmail.com] On Behalf Of Raul
Benito
Sent: Sunday, 13 August 2006 21:42
To: security-dev@xml.apache.org
Subject: Re: Version 1.4 doesn't sign XML document correctly

Fixed,
a single condition in an if statement
I was over-pruning. Now your test case passes.
I can send you a jar, if you want, but please write a bug entry with the document, so we can
keep track of the problems.

Regarding your suggestion of using other XML digital signature implementations, it looks interesting.
But I think we can have the same by having more correct and incorrect signatures like the ones you sent.

Anyway feel free to prove me wrong.

And really, thanks for the bug report. One question: do you have any performance testing?
If you do, I hope you see the outcome of your problems.

Regards,

Raul

On 8/10/06, Hess Yvan <Yvan.Hess@imtf.ch> wrote:
> Raul,
>
> Here is the example of signed XML document. Let me know if you need more resources. What
> I have that can help you is a class that validates an XML document using the IBM XSS4J toolkit
> (XML document having external references or not). This can help you to check if the signed
> XML documents are valid or not according to another toolkit.
>
> Regards. Yvan Hess
>
>
> -----Original Message-----
> From: raul.benito.garcia@gmail.com 
> [mailto:raul.benito.garcia@gmail.com] On Behalf Of Raul Benito
> Sent: Wednesday, 9 August 2006 20:44
> To: security-dev@xml.apache.org
> Subject: Re: Version 1.4 doesn't sign XML document correctly
>
> That will be great.
>
> There is already a regression test but still it does not contain a lot of xpath2 transformation
> examples (indeed only one).
> Feel free to send us patches for more tests ;)
>
> Regards,
>
> Raul
>
> On 8/9/06, Hess Yvan <Yvan.Hess@imtf.ch> wrote:
> > Raul,
> >
> > I can send you a signed XML document without external references (it's easier to
> > manage) that has been signed using XML Security V1.3.
> >
> > - The document is valid with Apache XML Version 1.3
> > - The document is valid with IBM XSS4J toolkit
> > - the document is NOT valid with Apache XML version 1.4
> >
> > Is it what you need? Moreover, I think it will be great to add a regression test
> > as I have. A document signed with version 1.3 must be valid with higher versions.
> >
> > Regards. Yvan Hess
> >
> > -----Original Message-----
> > From: raul.benito.garcia@gmail.com
> > [mailto:raul.benito.garcia@gmail.com] On Behalf Of Raul Benito
> > Sent: Wednesday, 9 August 2006 12:02
> > To: security-dev@xml.apache.org
> > Subject: Re: Version 1.4 doesn't sign XML document correctly
> >
> > Hi Hess,
> >   Sadly it is going to take me more time to reproduce this. I have finished my vacation (that
> > is when I work with xml-sec).
> >   I can revert my changes and go with the old 1.3 implementation of
> > xpath2 filter, but it will be very sad, as it is very slow compared to the new one
> > (O(n^2) vs. O(n)).
> >   The problem is that the test cases only have one example of xpath2 transformation.
> > If you can give us more I can debug the implementation better. If not I have to create them
> > and check what should be the correct c14n; this takes me a "long" time (1 hour, but currently
> > I can only reserve half an hour for xml-sec hacking).
> >   So if you can provide me a failing example I can speed up this process.
> >   Sorry.
> >
> > Regards,
> >
> > Raul
> >
> > On 8/8/06, Hess Yvan <Yvan.Hess@imtf.ch> wrote:
> > > When you have a new version correcting the bug, please inform me and I will
> > > one more time execute my JUnit tests and I will give you feedback.
> > >
> > > Regards. Yvan
> > >
> > > -----Original Message-----
> > > From: raul.benito.garcia@gmail.com 
> > > [mailto:raul.benito.garcia@gmail.com] On Behalf Of Raul Benito
> > > Sent: Monday, 7 August 2006 18:41
> > > To: security-dev@xml.apache.org
> > > Subject: Re: Version 1.4 doesn't sign XML document correctly
> > >
> > > Then it is a bug that I introduced rewriting the xpath2 filter. I will try to reproduce
> > > it with an xfilter with only intersect nodes.
> > >
> > > Thanks,
> > > Regards,
> > >
> > > Raul
> > >
> > > On 8/7/06, Hess Yvan <Yvan.Hess@imtf.ch> wrote:
> > > > I don't think so because I have a transform <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
> > > > pointing to an element of my XML document that doesn't include the signature itself. As I
> > > > said, it was working like that prior to version 1.4.
> > > >
> > > > -----Original Message-----
> > > > From: raul.benito.garcia@gmail.com 
> > > > [mailto:raul.benito.garcia@gmail.com] On Behalf Of Raul Benito
> > > > Sent: Monday, 7 August 2006 17:21
> > > > To: security-dev@xml.apache.org
> > > > Subject: Re: Version 1.4 doesn't sign XML document correctly
> > > >
> > > > Hi Hess,
> > > > It seems to me that you need to also use the enveloped signature transformation.
> > > > The Reference="" is including the signature and this is a problem when signing; depending
> > > > on the order of doing the references you're going to obtain different digest values.
> > > > What do you think, can it be your case?
> > > >
> > > > Regards,
> > > >
> > > > Raul
> > > >
> > > > On 8/7/06, Hess Yvan <Yvan.Hess@imtf.ch> wrote:
> > > > > It will be difficult to send you a test case because all my test
> > > > > cases are based on my library (that is also bound to other libraries). I can try to do debugging
> > > > > to help you to isolate the problem or to solve it :-). First, a good JUnit test case that you
> > > > > can introduce into the XML security JUnit tests is something similar to my TEST 2 (signature with
> > > > > XML security and verification with the IBM toolkit XSS4J). In this case you are sure that the
> > > > > signature has been correctly generated and is valid.
> > > > >
> > > > > Here is the signature of my XML document I am using in the context
> > > > > of my test case. As you can see I am signing one part of the XML document and two external
> > > > > binary documents. The problem seems to come from the first Reference (<ds:Reference URI="">).
> > > > > The digest value doesn't match after signature verification. The digest values of the two
> > > > > external references match.
> > > > >
> > > > > <edoc:SignatureBlock id="Revision-1-Signature-1">
> > > > >    <edoc:SignatureDate>2006-08-07T12:24:18</edoc:SignatureDate>
> > > > >    <edoc:Signer>Hess Yvan (first signature)</edoc:Signer>
> > > > >    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> > > > >       <ds:SignedInfo>
> > > > >          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> > > > >          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> > > > >          <ds:Reference URI="">
> > > > >             <ds:Transforms>
> > > > >                <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
> > > > >                   <dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2"
> > > > >                        Filter="intersect">/edoc:EDOC/edoc:Object</dsig-xpath:XPath>
> > > > >                </ds:Transform>
> > > > >             </ds:Transforms>
> > > > >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> > > > >             <ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue>
> > > > >          </ds:Reference>
> > > > >          <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033464">
> > > > >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> > > > >             <ds:DigestValue>7typFfsZFzJVtEsGinu58N8RtqE=</ds:DigestValue>
> > > > >          </ds:Reference>
> > > > >          <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033465">
> > > > >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> > > > >             <ds:DigestValue>oxwjv1Go+8Y0m97hiJLTKcYx4t8=</ds:DigestValue>
> > > > >          </ds:Reference>
> > > > >       </ds:SignedInfo>
> > > > >       <ds:SignatureValue>
> > > > > RYaOiVt2gDIFmFDFotJrxGWHFYFe3dAoI1L2vubdlbBZt3pk4aaolBz6NA9Isw
> > > > > W9
> > > > > ZO
> > > > > wP
> > > > > GY
> > > > > izLB4P
> > > > > vMa8f4sHx8onoVt+5BGQwLuTYRDgGrJqmwpbwJxUAPvFh1xgEDGodfZ4P7kmjs
> > > > > vMa8f4sHx8onoVt+go
> > > > > vMa8f4sHx8onoVt+4f
> > > > > vMa8f4sHx8onoVt+jD
> > > > > vMa8f4sHx8onoVt+UL
> > > > > vMa8f4sHx8onoVt+dk9Zhw
> > > > > vIN/+eBfirtyCcbTb1w=
> > > > > </ds:SignatureValue>
> > > > >       <ds:KeyInfo>
> > > > >          <ds:X509Data>
> > > > >             <ds:X509Certificate> 
> > > > > MIIDADCCAmmgAwIBAgIGAQpEtx7tMA0GCSqGSIb3DQEBBQUAMIGXMRQwEgYDVQQG.....
> > > > > </ds:X509Certificate>
> > > > >             <ds:X509Certificate> 
> > > > > MIICpDCCAg0CBgEKRLVqKDANBgkqhkiG9w0BAQUFADCBlzEUMBIGA1UEBhMLU3dpdHplcmxhbmQx....
> > > > > </ds:X509Certificate>
> > > > >          </ds:X509Data>
> > > > >       </ds:KeyInfo>
> > > > >    </ds:Signature>
> > > > > </edoc:SignatureBlock>
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: raul.benito.garcia@gmail.com 
> > > > > [mailto:raul.benito.garcia@gmail.com] On Behalf Of Raul Benito
> > > > > Sent: Monday, 7 August 2006 16:21
> > > > > To: security-dev@xml.apache.org
> > > > > Subject: Re: Version 1.4 doesn't sign XML document correctly
> > > > >
> > > > > Can you open a bug report and attach a test case?
> > > > > This will help a lot.
> > > > >
> > > > > Regards,
> > > > >
> > > > > Raul
> > > > >
> > > > > On 8/7/06, Hess Yvan <Yvan.Hess@imtf.ch> wrote:
> > > > > >
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > XML security version 1.4 Beta0 and Beta1 don't sign the
> > > > > > XML document correctly. I developed a Java library that
> > > > > > uses XML security to sign/verify and to encrypt/decrypt XML
> > > > > > documents.
> > > > > > When I executed my JUnit tests, they failed when XML documents
> > > > > > are verified. I have two tests that failed:
> > > > > >
> > > > > > TEST 1:  The XML document is already signed (with XML
> > > > > > security version
> > > > > > 1.2) and it is verified with the version 1.4 (beta0 and beta1).
> > > > > > This test failed using version 1.4 but was OK with previous
> > > > > > versions.
> > > > > >
> > > > > > TEST 2:  The XML document is signed with XML security
> > > > > > V1.4Beta1 and is verified with the IBM XSS4J toolkit. This test
> > > > > > failed using version
> > > > > > 1.4Beta1 but was OK with previous versions.
> > > > > >
> > > > > > I think it is a critical bug... Please can you help me?
> > > > > >
> > > > > > Regards. Yvan Hess
> > > > > >
> > > > >
> > > > > --
> > > > > http://r-bg.com

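A check a reviewer of this thread would want to run on the posted signature block, added here as an example that is not part of the thread and not code from the Apache XML Security project: the DigestValue of the `<ds:Reference URI="">` in Yvan's block, `2jmj7l5rSw0yVb/vlWAYkK/YBwk=`, is exactly the base64 SHA-1 of the empty octet stream. That is consistent with Raul's "over-pruning" diagnosis: the xpath2 intersect filter left no nodes, so the signing side digested nothing, and a verifier that applies the filter correctly must reject the reference. A signature whose reference covers nothing protects nothing, so this is worth flagging when auditing signed documents. The script below uses only the Python standard library, embeds the three references from the posted `ds:SignedInfo` verbatim (the enclosing `edoc:` elements are omitted because their namespace is not declared in the excerpt), and also reports, per Raul's earlier point, same-document references that carry no enveloped-signature transform; that second flag is informational, since an XPath filter that excludes the Signature element, as Yvan's does, also avoids the circularity.

```python
"""Audit the <ds:Reference> elements of an XML-DSig SignedInfo for digests that
equal the hash of the empty octet stream (a transform chain that selected nothing)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
FILTER2 = "http://www.w3.org/2002/06/xmldsig-filter2"

# DigestMethod algorithm URI -> hashlib constructor (standard XML-DSig/XML-Enc URIs).
DIGEST_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1,
    "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256,
    "http://www.w3.org/2001/04/xmlenc#sha512": hashlib.sha512,
}

# SignedInfo taken from the signature block posted in the thread (references only).
SIGNED_INFO = """<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="">
    <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
        <dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2"
             Filter="intersect">/edoc:EDOC/edoc:Object</dsig-xpath:XPath>
      </ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue>
  </ds:Reference>
  <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033464">
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>7typFfsZFzJVtEsGinu58N8RtqE=</ds:DigestValue>
  </ds:Reference>
  <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033465">
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>oxwjv1Go+8Y0m97hiJLTKcYx4t8=</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>"""


def empty_digest_b64(alg_uri):
    """Base64 digest of the empty octet stream for the given DigestMethod URI."""
    return base64.b64encode(DIGEST_ALGS[alg_uri](b"").digest()).decode("ascii")


def audit_signed_info(xml_text):
    """Return one finding per ds:Reference: its URI, transform chain, whether the
    digest equals the hash of nothing, and whether a same-document reference
    lacks the enveloped-signature transform."""
    root = ET.fromstring(xml_text)
    findings = []
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI")
        alg = ref.find(f"{{{DS}}}DigestMethod").get("Algorithm")
        digest = ref.find(f"{{{DS}}}DigestValue").text.strip()
        transforms = [t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")]
        findings.append({
            "uri": uri,
            "transforms": transforms,
            # Known digest algorithm and digest of b"": the reference covers no content.
            "covers_nothing": alg in DIGEST_ALGS and digest == empty_digest_b64(alg),
            # URI="" selects the whole document, Signature element included, unless
            # the transform chain removes it; enveloped-signature is the usual way.
            "same_doc_no_enveloped": uri == "" and ENVELOPED not in transforms,
        })
    return findings


if __name__ == "__main__":
    for f in audit_signed_info(SIGNED_INFO):
        status = "COVERS NOTHING" if f["covers_nothing"] else "ok"
        print(f"Reference URI={f['uri']!r}: {status}; transforms={f['transforms']}")
```

Run as-is the script reports the first reference as covering nothing and the two external references as ok, which matches Yvan's observation that only the first digest fails to verify. To use it on another document, feed the `ds:SignedInfo` (or the whole `ds:Signature`) to `audit_signed_info`; a `covers_nothing` hit on a reference that was supposed to protect content means the signer's transform chain, not the verifier, is the component to distrust.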