santuario-dev mailing list archives

From Bradley Beddoes <bedd...@intient.com>
Subject Re: interop problem java to C++
Date Mon, 22 Jan 2007 14:52:05 GMT
Hi,
Seems my suspicions were correct: it was a c14n issue.

I just found this post from Scott:
http://mail-archives.apache.org/mod_mbox/xml-security-dev/200610.mbox/%3c000401c6ecef$26b84ff0$6501a8c0@oit.ohiostate.edu%3e

With my few small tests tonight (I intend to thrash it out more in the 
morning) it seems to have also corrected my issues.

regards,
Bradley


Bradley Beddoes wrote:
> Bradley Beddoes wrote:
>> After more investigation I found a few problems with my usage of 
>> Xerces and also some issues with the JAXP validator which I have now 
>> stopped using which were causing problems with root node signatures.
>>
>> Verification of a signature at the root node is now successful in both 
>> C++ and Java, 
> 
> Just in case this wasn't 100% clear a signature on the root node is 
> successful with or without additional enveloped signatures on child 
> nodes in both languages.
> 
>> however embedded enveloped signatures continue to fail
>> with incorrect references. (The documents however still fully validate 
>> in the language they were created in)
>>
>> Additionally, an embedded sig reference will fail even when it is not 
>> wrapped inside a root node signature, and there is definitely no base64 
>> content present in my current test documents' regular child nodes.
>>
>> I intend to do some more work tomorrow. I am currently suspicious of 
>> c14n inconsistencies, but I thought I might ask if anyone may have any 
>> suggestions for other areas I should perhaps be looking at so I don't 
>> waste a lot of time I don't really have.
>>
>> regards,
>> Bradley
>>
>> Scott Cantor wrote:
>>>> The problem of invalid references arises in xmlsec-c code base when
>>>> either a document has a single signature whose reference URI is some
>>>> child node of the document or when the root node has a signature AND
>>>> some child node of the document has a signature. (Validation with xerces
>>>> 2.7 always comes out correct)
>>>
>>> If you're validating, that might be your problem, but most of the issues
>>> around that were fixed in Xerces-C 2.7. Earlier versions would require that
>>> you disable data type normalization, and that would break any nested
>>> signature cases where you were signing base-64. But I would try disabling
>>> validation and make sure that's not involved.
>>>
>>> Otherwise, what you want to do is actually get a trace of the octet string
>>> being digested in C++ and compare that XML to what you think the c14n should
>>> produce.
>>>
>>> -- Scott
>>>
>>>
>>
>>
> 
> 


-- 
Bradley Beddoes
Lead Software Architect

Intient - "Open Source, Open Standards"
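
Scott's suggestion of comparing the digested octet strings, as an added example that is not part of the thread or of either library: a small Python helper that digests two traces and locates the first byte where they differ. The sample traces and all function names are constructed for illustration, and SHA-1 is assumed as the digest method; the thread does not say what the actual difference was.

```python
import base64
import hashlib

# Constructed sample traces (not from the thread): the octets two
# implementations fed to the digest for the same Reference. Here one side
# emitted a namespace declaration on the subtree root and the other did not.
TRACE_JAVA = b'<Child xmlns="urn:example:doc" Id="c1"><Value>42</Value></Child>'
TRACE_CPP = b'<Child Id="c1"><Value>42</Value></Child>'


def digest_value(octets: bytes) -> str:
    """Base64 SHA-1 of the octets, comparable to ds:DigestValue (SHA-1 assumed)."""
    return base64.b64encode(hashlib.sha1(octets).digest()).decode("ascii")


def first_divergence(a: bytes, b: bytes):
    """Offset of the first differing byte, or None when the traces are identical."""
    for offset, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return offset
    # One trace is a strict prefix of the other: they diverge where it ends.
    return None if len(a) == len(b) else min(len(a), len(b))


def compare_traces(a: bytes, b: bytes, context: int = 16) -> dict:
    """Digest both traces and show the bytes around the first difference."""
    offset = first_divergence(a, b)
    report = {"digest_a": digest_value(a), "digest_b": digest_value(b), "offset": offset}
    if offset is not None:
        start = max(0, offset - context)
        # repr() keeps CR, LF, tabs and non-ASCII bytes visible in the output.
        report["around_a"] = repr(a[start:offset + context])
        report["around_b"] = repr(b[start:offset + context])
    return report


if __name__ == "__main__":
    for key, value in compare_traces(TRACE_JAVA, TRACE_CPP).items():
        print(f"{key}: {value}")
```

The `digest_a` and `digest_b` values can be checked against the `DigestValue` in the signed document to see which side's octets match what the signer actually digested.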
