santuario-dev mailing list archives

From Bradley Beddoes <>
Subject Re: interop problem java to C++
Date Thu, 18 Jan 2007 12:33:37 GMT

Additionally, to ensure it's absolutely clear, as I didn't explicitly state 
it: signatures are always reported as valid by xmlsec-c for all document 


Bradley Beddoes wrote:
> Hi All,
> I am hoping that someone on this list may be able to give me some 
> assistance with a problem I have been looking into for the past 4 days 
> and can't seem to come up with any solution for.
> The problem manifests itself in the xml-security-c 3.0 code base (well, it 
> appears to me to, at any rate) with references failing to verify, e.g. 
> Reference URI="#_12345-678901" failed to verify
> I am currently creating signatures with a canonicalization method of 
> exclusive with comments, an RSA SHA1 signature, a SHA1 digest and an 
> enveloped transform. Example at the end of this message.
> The XML documents themselves are UTF-16 encoded and are created in Java; 
> I have tried both the xmldsig implementation (JSR105) from the Java web 
> services pack and the JSR105 implementation in the latest 1.4 java 
> security libs (binary distribution from web site).
> All generated documents from both JSR implementations validate correctly 
> in Java space. A generated document with a single enveloped signature 
> for the root node only will validate correctly in xmlsec-c.
> The problem of invalid references arises in xmlsec-c code base when 
> either a document has a single signature whose reference URI is some 
> child node of the document or when the root node has a signature AND 
> some child node of the document has a signature. (Validation with xerces 
> 2.7 always comes out correct)
> I believe this is something I am doing wrong, possibly in some kind of 
> setup, but I can't pinpoint anything out of the ordinary; from debug 
> output I am getting from the xmlsec-c side, the various details about the 
> reference such as the transform type and targeted URI seem to be in order.
> Any suggestions on why I might be seeing this issue would be much 
> appreciated. For reference I am using OpenSSL 0.9.8b, with no xalan 
> support on Linux. I have also tried the RC2 of 3.1 with the same results 
> as above. Please let me know if any other detail may be useful in 
> diagnosing this and thanks in advance for your time.
> regards,
> Bradley
>  For example:
> <ds:Signature xmlns:ds="">
>         <ds:SignedInfo>
>             <ds:CanonicalizationMethod
> Algorithm="" />
>             <ds:SignatureMethod 
> Algorithm="" />
>             <ds:Reference URI="#_12345-67890">
>                 <ds:Transforms>
>                     <ds:Transform 
> Algorithm="" />
>                 </ds:Transforms>
>                 <ds:DigestMethod 
> Algorithm="" />
> <ds:DigestValue>p8iH5++jws3fFbJ6ry7j97JmazI=</ds:DigestValue>
>             </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>
> ZttbWswqnKdRMKb4OEChYeANHzpc+g9iX35iiVdigvPoOn0Hug8EwPXWT1GZgDSNfjbtAV47P2AO 
> jDM/dKlFB6wPqadsofi4sXYvvRU2uFWoKcNf8Y3t1hoFsjlx/s/G28pnIm7tJ4Qt+xUE51cPv2XA 
>             T2iIWSVRHypCFUejWlY=
>         </ds:SignatureValue>
>         <ds:KeyInfo>
>             <ds:KeyName>myrsakey</ds:KeyName>
>         </ds:KeyInfo>
>     </ds:Signature>
