Message-ID: <949ac9410608090301gc6c2767yf1e1dd1b2f7a8857@mail.gmail.com>
Date: Wed, 9 Aug 2006 12:01:45 +0200
From: "Raul Benito"
To: security-dev@xml.apache.org
Subject: Re: Version 1.4 doesn't sign XML document correctly
In-Reply-To: <487CFB40212D29498A776BD39F714D84B95D9F@srvexch.IMTF.LOCAL>

Hi Hess,

Sadly it is going to take me more time to reproduce this. I have finished my vacation (that is when I work with xml-sec). I can revert my changes and go with the old 1.3 implementation of xpath2 filter, but it will be very sad, as it is very slow compared to the new one ( o(n2) vs. o(n) ).
The problem is that the test cases only have one example of xpath2 transformation. If you can give us more I can debug the implementation better. If not I have to create them and check what should be the correct c14n, this takes me "long" time (1 hour, but currently I can only reserve half an hour for xml-sec hacking).
So if you can provide me a failing example I can speed up this process.

Sorry.

Regards,
Raul

On 8/8/06, Hess Yvan wrote:
> When you have a new version correcting the bug, please inform me and I will one more time execute my Junit tests and I will give you a feedback.
>
> Regards. Yvan
>
> -----Original Message-----
> From: raul.benito.garcia@gmail.com [mailto:raul.benito.garcia@gmail.com] On Behalf Of Raul Benito
> Sent: lundi, 7. août 2006 18:41
> To: security-dev@xml.apache.org
> Subject: Re: Version 1.4 doesn't sign XML document correctly
>
> Then it is a bug that I introduced rewriting xpath2 filter. I will try to reproduce it with a xfilter with only intersect nodes.
>
> Thanks,
> Regards,
>
> Raul
>
> On 8/7/06, Hess Yvan wrote:
> > I don't think so because I have a transform pointing into an element of my XML document that doesn't include the signature itself. As I said, it was working like that prior to version 1.4.
> >
> > -----Original Message-----
> > From: raul.benito.garcia@gmail.com
> > [mailto:raul.benito.garcia@gmail.com] On Behalf Of Raul Benito
> > Sent: lundi, 7. août 2006 17:21
> > To: security-dev@xml.apache.org
> > Subject: Re: Version 1.4 doesn't sign XML document correctly
> >
> > Hi Hess,
> > It seems to me that you need to use also enveloped signature transformation. The Reference="" is including the signature and this is a problem when signing, it depends in the order of doing the reference you're going to obtain different digest values.
> > What do you think, can it be your case?
> >
> > Regards,
> >
> > Raul
> >
> > On 8/7/06, Hess Yvan wrote:
> > > It will be difficult to send you a test case because all my test cases are based on my library (that is also bind to others library). I can try to do debugging to help you to isolate the problem or to solve it :-). First a good Junit test case that you can introduce into XML security JUnit tests is something similar to my TEST 2 (Signature with XML security and verification with IBM toolkit XSS4J). In this case you are sure that the signature has been correctly be generated and is valid.
> > >
> > > Here is the signature of my XML document I am using into the context of my test case. As you can see I am signing one part of the XML document and two external binary documents. The problem seems to come from the first Reference (). The digest value doesn't match after signature verification. The digest values of the two external reference matches.
> > >
> > > 2006-08-07T12:24:18
> > > Hess Yvan (first signature)
> > >
> > > /edoc:EDOC/edoc:Object
> > >
> > > 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
> > >
> > > 7typFfsZFzJVtEsGinu58N8RtqE=
> > >
> > > oxwjv1Go+8Y0m97hiJLTKcYx4t8=
> > >
> > > -----Original Message-----
> > > From: raul.benito.garcia@gmail.com
> > > [mailto:raul.benito.garcia@gmail.com] On Behalf Of Raul Benito
> > > Sent: lundi, 7. août 2006 16:21
> > > To: security-dev@xml.apache.org
> > > Subject: Re: Version 1.4 doesn't sign XML document correctly
> > >
> > > Can you open a bug report and attach a test case?
> > > This will help a lot.
> > >
> > > Regards,
> > >
> > > Raul
> > >
> > > On 8/7/06, Hess Yvan wrote:
> > > >
> > > > Hi,
> > > >
> > > > XML security version 1.4 Beta0 and Beta1 doesn't sign the XML document correctly. I developed a Java library that uses XML security to sign/verify and to encrypt/decrypt XML documents. When I executed my JUNIT tests, they failed when XML document are verified. I have two tests that failed:
> > > >
> > > > TEST 1: The XML document is already signed (with XML security version 1.2) and it is verified with the version 1.4 (beta0 and beta1). This test failed using version 1.4 but was ok with precedent versions.
> > > >
> > > > TEST 2: The XML document is signed with XML security V1.4Beta1 and is verified with IBM XSS4J toolkit. This test failed using version 1.4Beta1 but was ok with precedent versions.
> > > >
> > > > I think it is a critical bug...Please can you help me
> > > >
> > > > Regards. Yvan Hess
> > > >
> > >
> > > --
> > > http://r-bg.com
> >
> > --
> > http://r-bg.com
>
> --
> http://r-bg.com

--
http://r-bg.com
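
Added example, not part of the thread or of the XML Security project's code: the first of the three digest values quoted above, 2jmj7l5rSw0yVb/vlWAYkK/YBwk=, is the base64 SHA-1 digest of zero octets, which is what a Reference produces when its transforms select an empty node-set. The check below flags such References; the element layout, URIs and SHA-1 DigestMethod in the sample are assumptions, because the archived message lost its XML tags.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# DigestMethod Algorithm URIs mapped to hashlib names.
ALGS = {
    DS + "sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    "http://www.w3.org/2001/04/xmlenc#sha512": "sha512",
}

# Constructed SignedInfo: the three DigestValue strings are the ones quoted in
# the thread; the element layout, the URIs and the SHA-1 DigestMethod are
# assumptions made for this example.
SAMPLE = f"""<SignedInfo xmlns="{DS}">
  <Reference URI=""><DigestMethod Algorithm="{DS}sha1"/>
    <DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</DigestValue></Reference>
  <Reference URI="external-a.bin"><DigestMethod Algorithm="{DS}sha1"/>
    <DigestValue>7typFfsZFzJVtEsGinu58N8RtqE=</DigestValue></Reference>
  <Reference URI="external-b.bin"><DigestMethod Algorithm="{DS}sha1"/>
    <DigestValue>oxwjv1Go+8Y0m97hiJLTKcYx4t8=</DigestValue></Reference>
</SignedInfo>"""


def empty_input_references(signed_info_xml):
    """Return (index, URI) for each Reference whose DigestValue is the digest
    of zero octets, i.e. whose transforms selected nothing to sign."""
    root = ET.fromstring(signed_info_xml)
    flagged = []
    for i, ref in enumerate(root.iter(f"{{{DS}}}Reference"), start=1):
        method = ref.find(f"{{{DS}}}DigestMethod")
        value = ref.find(f"{{{DS}}}DigestValue")
        if method is None or value is None:
            raise ValueError(f"Reference {i} lacks DigestMethod or DigestValue")
        name = ALGS.get(method.get("Algorithm"))
        if name is None:
            raise ValueError(f"Reference {i}: unsupported digest algorithm")
        # DigestValue may be line-wrapped, so strip whitespace before decoding.
        digest = base64.b64decode("".join((value.text or "").split()), validate=True)
        if digest == hashlib.new(name, b"").digest():
            flagged.append((i, ref.get("URI")))
    return flagged


if __name__ == "__main__":
    for index, uri in empty_input_references(SAMPLE):
        print(f"Reference {index} (URI={uri!r}) digests an empty octet stream")
```

A flagged Reference can verify correctly and still protect none of the intended content, so the check is worth running on signatures at signing time as well as on ones that fail verification.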