santuario-dev mailing list archives

From "Raul Benito" <r...@apache.org>
Subject Re: Version 1.4 doesn't sign XML document correctly
Date Mon, 07 Aug 2006 16:40:42 GMT
Then it is a bug that I introduced when rewriting the xpath2 filter. I will try
to reproduce it with an xfilter with only intersect nodes.

Thanks,
Regards,

Raul

On 8/7/06, Hess Yvan <Yvan.Hess@imtf.ch> wrote:
> I don't think so because I have a transform <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2"> pointing into an element of my XML document that doesn't include the signature itself. As I said, it was working like that prior to version 1.4.
>
> -----Original Message-----
> From: raul.benito.garcia@gmail.com [mailto:raul.benito.garcia@gmail.com] On Behalf Of Raul Benito
> Sent: lundi, 7. août 2006 17:21
> To: security-dev@xml.apache.org
> Subject: Re: Version 1.4 doesn't sign XML document correctly
>
> Hi Hess,
> It seems to me that you also need to use the enveloped signature transformation. The Reference="" is including the signature and this is a problem when signing; depending on the order of doing the reference you are going to obtain different digest values.
> What do you think, can it be your case?
>
> Regards,
>
> Raul
>
> On 8/7/06, Hess Yvan <Yvan.Hess@imtf.ch> wrote:
> > It will be difficult to send you a test case because all my test cases are based on my library (that is also bound to other libraries). I can try to do debugging to help you to isolate the problem or to solve it :-). First, a good JUnit test case that you can introduce into the XML security JUnit tests is something similar to my TEST 2 (Signature with XML security and verification with IBM toolkit XSS4J). In this case you are sure that the signature has been correctly generated and is valid.
> >
> > Here is the signature of my XML document I am using in the context of my test case. As you can see I am signing one part of the XML document and two external binary documents. The problem seems to come from the first Reference (<ds:Reference URI="">). The digest value doesn't match after signature verification. The digest values of the two external references match.
> >
> > <edoc:SignatureBlock id="Revision-1-Signature-1">
> >    <edoc:SignatureDate>2006-08-07T12:24:18</edoc:SignatureDate>
> >    <edoc:Signer>Hess Yvan (first signature)</edoc:Signer>
> >    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >       <ds:SignedInfo>
> >          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> >          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> >          <ds:Reference URI="">
> >             <ds:Transforms>
> >                <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
> >                   <dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2" Filter="intersect">/edoc:EDOC/edoc:Object</dsig-xpath:XPath>
> >                </ds:Transform>
> >             </ds:Transforms>
> >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >             <ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue>
> >          </ds:Reference>
> >          <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033464">
> >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >             <ds:DigestValue>7typFfsZFzJVtEsGinu58N8RtqE=</ds:DigestValue>
> >          </ds:Reference>
> >          <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033465">
> >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >             <ds:DigestValue>oxwjv1Go+8Y0m97hiJLTKcYx4t8=</ds:DigestValue>
> >          </ds:Reference>
> >       </ds:SignedInfo>
> >       <ds:SignatureValue>
> > RYaOiVt2gDIFmFDFotJrxGWHFYFe3dAoI1L2vubdlbBZt3pk4aaolBz6NA9IswW9ZOwPGY
> > izLB4P
> > vMa8f4sHx8onoVt+5BGQwLuTYRDgGrJqmwpbwJxUAPvFh1xgEDGodfZ4P7kmjsgo4fjDUL
> > vMa8f4sHx8onoVt+dk9Zhw
> > vIN/+eBfirtyCcbTb1w=
> > </ds:SignatureValue>
> >       <ds:KeyInfo>
> >          <ds:X509Data>
> >             <ds:X509Certificate>
> > MIIDADCCAmmgAwIBAgIGAQpEtx7tMA0GCSqGSIb3DQEBBQUAMIGXMRQwEgYDVQQG.....
> > </ds:X509Certificate>
> >             <ds:X509Certificate>
> > MIICpDCCAg0CBgEKRLVqKDANBgkqhkiG9w0BAQUFADCBlzEUMBIGA1UEBhMLU3dpdHplcmxhbmQx....
> > </ds:X509Certificate>
> >          </ds:X509Data>
> >       </ds:KeyInfo>
> >    </ds:Signature>
> > </edoc:SignatureBlock>
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: raul.benito.garcia@gmail.com
> > [mailto:raul.benito.garcia@gmail.com] On Behalf Of Raul Benito
> > Sent: lundi, 7. août 2006 16:21
> > To: security-dev@xml.apache.org
> > Subject: Re: Version 1.4 doesn't sign XML document correctly
> >
> > Can you open a bug report and attach a test case?
> > This will help a lot.
> >
> > Regards,
> >
> > Raul
> >
> > On 8/7/06, Hess Yvan <Yvan.Hess@imtf.ch> wrote:
> > >
> > >
> > > Hi,
> > >
> > > XML security version 1.4 Beta0 and Beta1 doesn't sign the XML
> > > document correctly. I developed a Java library that uses XML
> > > security to sign/verify and to encrypt/decrypt XML documents. When I
> > > executed my JUNIT tests, they failed when XML documents are verified. I have
> > > two tests that failed:
> > >
> > > TEST 1:  The XML document is already signed (with XML security
> > > version 1.2) and it is verified with the version 1.4 (beta0 and beta1). This
> > > test failed using version 1.4 but was ok with precedent versions.
> > >
> > > TEST 2:  The XML document is signed with XML security V1.4Beta1 and
> > > is verified with IBM XSS4J toolkit. This test failed using version
> > > 1.4Beta1 but was ok with precedent versions.
> > >
> > > I think it is a critical bug...Please can you help me
> > >
> > > Regards. Yvan Hess
> > >
> > >
> >
> >
> > --
> > http://r-bg.com
> >
>
>
> --
> http://r-bg.com
>
>
>


-- 
http://r-bg.com
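
Added example, not part of the thread and not Apache XML Security code: the first Reference in the quoted signature carries the DigestValue 2jmj7l5rSw0yVb/vlWAYkK/YBwk=, which is the base64 SHA-1 of zero bytes, so the octet stream digested for that Reference was empty (consistent with the XPath Filter 2.0 intersect selecting no nodes), and a Reference in that state authenticates no document content. The check below flags such References; the function names and the choice of digest URIs are assumptions of this example, and the sample is the SignedInfo from the message trimmed to its References.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# DigestMethod URI -> hashlib name (the quoted signature uses SHA-1)
DIGESTS = {DS + "sha1": "sha1",
           "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
           "http://www.w3.org/2001/04/xmlenc#sha512": "sha512"}

# SignedInfo from the quoted message, trimmed to its References.
SAMPLE = """<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Reference URI=""><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
<dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2"
 Filter="intersect">/edoc:EDOC/edoc:Object</dsig-xpath:XPath>
</ds:Transform></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue></ds:Reference>
<ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033464">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>7typFfsZFzJVtEsGinu58N8RtqE=</ds:DigestValue></ds:Reference>
<ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033465">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>oxwjv1Go+8Y0m97hiJLTKcYx4t8=</ds:DigestValue></ds:Reference>
</ds:SignedInfo>"""

def empty_digest(alg_uri):
    """Base64 digest of zero bytes for a DigestMethod URI, or None if unknown."""
    name = DIGESTS.get(alg_uri)
    if name is None:
        return None
    return base64.b64encode(hashlib.new(name, b"").digest()).decode("ascii")

def empty_references(signed_info_xml):
    """URIs of References whose DigestValue is the hash of an empty octet stream."""
    # Embedded sample only; use a hardened parser for untrusted XML.
    root = ET.fromstring(signed_info_xml)
    flagged = []
    for ref in root.iter("{%s}Reference" % DS):
        method = ref.find("{%s}DigestMethod" % DS)
        value = ref.findtext("{%s}DigestValue" % DS)
        if method is None or value is None:
            continue
        if "".join(value.split()) == empty_digest(method.get("Algorithm")):
            flagged.append(ref.get("URI"))
    return flagged

if __name__ == "__main__":
    print(empty_references(SAMPLE))
```

Running the same check on signer output before release, and rejecting empty-digest References at verification time, catches this class of transform regression even when the SignatureValue itself verifies.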
