santuario-dev mailing list archives

From "Raul Benito" <r...@apache.org>
Subject Re: Version 1.4 doesn't sign XML document correctly
Date Wed, 09 Aug 2006 10:01:45 GMT
Hi Hess,
  Sadly it is going to take me more time to reproduce this. I have
finished my vacation (that is when I work with xml-sec).
  I can revert my changes and go with the old 1.3 implementation of
xpath2 filter, but it will be very sad, as it is very slow compared to
the new one (O(n^2) vs. O(n)).
  The problem is that the test cases only have one example of xpath2
transformation. If you can give us more I can debug the implementation
better. If not I have to create them and check what should be the
correct c14n, this takes me "long" time (1 hour, but currently I can
only reserve half an hour for xml-sec hacking).
  So if you can provide me a failing example I can speed up this process.
  Sorry.

Regards,

Raul

On 8/8/06, Hess Yvan <Yvan.Hess@imtf.ch> wrote:
> When you have a new version correcting the bug, please inform me and I will one more time execute my Junit tests and I will give you a feedback.
>
> Regards. Yvan
>
> -----Original Message-----
> From: raul.benito.garcia@gmail.com [mailto:raul.benito.garcia@gmail.com] On Behalf Of Raul Benito
> Sent: lundi, 7. août 2006 18:41
> To: security-dev@xml.apache.org
> Subject: Re: Version 1.4 doesn't sign XML document correctly
>
> Then it is a bug that I introduced rewriting xpath2 filter. I will try to reproduce it with a xfilter with only intersect nodes.
>
> Thanks,
> Regards,
>
> Raul
>
> On 8/7/06, Hess Yvan <Yvan.Hess@imtf.ch> wrote:
> > I don't think so because I have a transform <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2"> pointing into an element of my XML document that doesn't include the signature itself. As I said, it was working like that prior to version 1.4.
> >
> > -----Original Message-----
> > From: raul.benito.garcia@gmail.com
> > [mailto:raul.benito.garcia@gmail.com] On Behalf Of Raul Benito
> > Sent: lundi, 7. août 2006 17:21
> > To: security-dev@xml.apache.org
> > Subject: Re: Version 1.4 doesn't sign XML document correctly
> >
> > Hi Hess,
> > It seems to me that you also need to use the enveloped signature transformation. The Reference="" is including the signature and this is a problem when signing; depending on the order of doing the reference, you're going to obtain different digest values.
> > What do you think, can it be your case?
> >
> > Regards,
> >
> > Raul
> >
> > On 8/7/06, Hess Yvan <Yvan.Hess@imtf.ch> wrote:
> > > It will be difficult to send you a test case because all my test cases are based on my library (that is also bound to other libraries). I can try to do debugging to help you to isolate the problem or to solve it :-). First a good Junit test case that you can introduce into XML security JUnit tests is something similar to my TEST 2 (Signature with XML security and verification with IBM toolkit XSS4J). In this case you are sure that the signature has been correctly generated and is valid.
> > >
> > > Here is the signature of my XML document I am using in the context of my test case. As you can see I am signing one part of the XML document and two external binary documents. The problem seems to come from the first Reference (<ds:Reference URI="">). The digest value doesn't match after signature verification. The digest values of the two external references match.
> > >
> > > <edoc:SignatureBlock id="Revision-1-Signature-1">
> > >    <edoc:SignatureDate>2006-08-07T12:24:18</edoc:SignatureDate>
> > >    <edoc:Signer>Hess Yvan (first signature)</edoc:Signer>
> > >    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> > >       <ds:SignedInfo>
> > >          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> > >          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> > >          <ds:Reference URI="">
> > >             <ds:Transforms>
> > >                <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
> > >                   <dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2" Filter="intersect">/edoc:EDOC/edoc:Object</dsig-xpath:XPath>
> > >                </ds:Transform>
> > >             </ds:Transforms>
> > >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> > >             <ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue>
> > >          </ds:Reference>
> > >          <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033464">
> > >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> > >             <ds:DigestValue>7typFfsZFzJVtEsGinu58N8RtqE=</ds:DigestValue>
> > >          </ds:Reference>
> > >          <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033465">
> > >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> > >             <ds:DigestValue>oxwjv1Go+8Y0m97hiJLTKcYx4t8=</ds:DigestValue>
> > >          </ds:Reference>
> > >       </ds:SignedInfo>
> > >       <ds:SignatureValue>
> > > RYaOiVt2gDIFmFDFotJrxGWHFYFe3dAoI1L2vubdlbBZt3pk4aaolBz6NA9IswW9ZOwP
> > > GY
> > > izLB4P
> > > vMa8f4sHx8onoVt+5BGQwLuTYRDgGrJqmwpbwJxUAPvFh1xgEDGodfZ4P7kmjsgo4fjD
> > > vMa8f4sHx8onoVt+UL
> > > vMa8f4sHx8onoVt+dk9Zhw
> > > vIN/+eBfirtyCcbTb1w=
> > > </ds:SignatureValue>
> > >       <ds:KeyInfo>
> > >          <ds:X509Data>
> > >             <ds:X509Certificate>
> > > MIIDADCCAmmgAwIBAgIGAQpEtx7tMA0GCSqGSIb3DQEBBQUAMIGXMRQwEgYDVQQG.....
> > > </ds:X509Certificate>
> > >             <ds:X509Certificate>
> > > MIICpDCCAg0CBgEKRLVqKDANBgkqhkiG9w0BAQUFADCBlzEUMBIGA1UEBhMLU3dpdHplcmxhbmQx....
> > > </ds:X509Certificate>
> > >          </ds:X509Data>
> > >       </ds:KeyInfo>
> > >    </ds:Signature>
> > > </edoc:SignatureBlock>
> > >
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: raul.benito.garcia@gmail.com
> > > [mailto:raul.benito.garcia@gmail.com] On Behalf Of Raul Benito
> > > Sent: lundi, 7. août 2006 16:21
> > > To: security-dev@xml.apache.org
> > > Subject: Re: Version 1.4 doesn't sign XML document correctly
> > >
> > > Can you open a bug report and attach a test case?
> > > This will help a lot.
> > >
> > > Regards,
> > >
> > > Raul
> > >
> > > On 8/7/06, Hess Yvan <Yvan.Hess@imtf.ch> wrote:
> > > >
> > > >
> > > > Hi,
> > > >
> > > > XML security version 1.4 Beta0 and Beta1 doesn't sign the XML
> > > > document correctly. I developed a Java library that uses XML
> > > > security to sign/verify and to encrypt/decrypt XML documents. When
> > > > I executed my JUNIT tests, they failed when XML documents are verified.
> > > > I have two tests that failed:
> > > >
> > > > TEST 1:  The XML document is already signed (with XML security
> > > > version 1.2) and it is verified with the version 1.4 (beta0 and beta1).
> > > > This test failed using version 1.4 but was ok with precedent versions.
> > > >
> > > > TEST 2:  The XML document is signed with XML security V1.4Beta1
> > > > and is verified with IBM XSS4J toolkit. This test failed using
> > > > version 1.4Beta1 but was ok with precedent versions.
> > > >
> > > > I think it is a critical bug...Please can you help me
> > > >
> > > > Regards. Yvan Hess
> > > >
> > > >
> > >
> > >
> > > --
> > > http://r-bg.com
> > >
> >
> >
> > --
> > http://r-bg.com
> >
> >
> >
>
>
> --
> http://r-bg.com
>
>
>


-- 
http://r-bg.com
