santuario-dev mailing list archives

From Bradley Beddoes <bedd...@intient.com>
Subject Re: interop problem java to C++
Date Tue, 23 Jan 2007 08:53:05 GMT
Hi Berin,
Yes confirmed to solve the problem with the latest svn code.

Any rough eta on 1.3.1 official release yet?

bradley

-- 
Bradley Beddoes
Lead Software Architect

Intient - "Open Source, Open Standards"

Berin Lautenbach wrote:
> Sorry - I've not been close to email lately :<.
> 
> Does the code in SVN fix the problem?  If not - let me know, and if you 
> can provide a test signature as a separate file that should validate but 
> which doesn't, I'll look and see if I can track it down.
> 
> Cheers,
>     Berin
> 
> Bradley Beddoes wrote:
>> Hi,
>> Seems my suspicions were correct; it was a c14n issue.
>>
>> I just found this post from Scott, 
>> http://mail-archives.apache.org/mod_mbox/xml-security-dev/200610.mbox/%3c000401c6ecef$26b84ff0$6501a8c0@oit.ohiostate.edu%3e
>>
>> With my few small tests tonight (I intend to thrash it out more in the 
>> morning) it seems to have also corrected my issues.
>>
>> regards,
>> Bradley
>>
>>
>> Bradley Beddoes wrote:
>>> Bradley Beddoes wrote:
>>>> After more investigation I found a few problems with my usage of 
>>>> Xerces and also some issues with the JAXP validator which I have now 
>>>> stopped using which were causing problems with root node signatures.
>>>>
>>>> Verification of a signature at the root node is now successful in 
>>>> both C++ and Java, 
>>>
>>> Just in case this wasn't 100% clear a signature on the root node is 
>>> successful with or without additional enveloped signatures on child 
>>> nodes in both languages.
>>>
>>>> however embedded enveloped signatures continue to fail
>>>> with incorrect references. (The documents however still fully 
>>>> validate in the language they were created in)
>>>>
>>>> Additionally, an embedded sig reference will fail even when it is not 
>>>> wrapped inside a root node signature, and there is definitely no 
>>>> base64 content present in my current test documents' regular child 
>>>> nodes.
>>>>
>>>> I intend to do some more work tomorrow. I am currently suspicious of 
>>>> c14n inconsistencies, but I thought I might ask if anyone may have 
>>>> any suggestions for other areas I should perhaps be looking at so I 
>>>> don't waste a lot of time I don't really have.
>>>>
>>>> regards,
>>>> Bradley
>>>>
>>>> Scott Cantor wrote:
>>>>>> The problem of invalid references arises in xmlsec-c code base when
>>>>>> either a document has a single signature whose reference URI is some
>>>>>> child node of the document or when the root node has a signature AND
>>>>>> some child node of the document has a signature. (Validation with
>>>>>> xerces 2.7 always comes out correct)
>>>>>
>>>>> If you're validating, that might be your problem, but most of the issues
>>>>> around that were fixed in Xerces-C 2.7. Earlier versions would require that
>>>>> you disable data type normalization, and that would break any nested
>>>>> signature cases where you were signing base-64. But I would try disabling
>>>>> validation and make sure that's not involved.
>>>>>
>>>>> Otherwise, what you want to do is actually get a trace of the octet string
>>>>> being digested in C++ and compare that XML to what you think the c14n should
>>>>> produce.
>>>>>
>>>>> -- Scott
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
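
Added example, not part of the original thread or of the xml-security code base: one way to carry out the comparison Scott describes, by diffing the octet string one implementation digested against the c14n output expected for the same reference. The function names, the sample octets and the choice of SHA-1 as the digest are assumptions; the constructed difference (an extra namespace declaration) is illustrative and is not the cause identified in this thread.

```python
import base64
import hashlib


def first_divergence(a: bytes, b: bytes) -> int:
    """Offset of the first differing octet, or -1 if the streams are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    # One stream is a strict prefix of the other: they diverge where it ends.
    return -1 if len(a) == len(b) else min(len(a), len(b))


def digest_b64(octets: bytes) -> str:
    """Base64 SHA-1 of the octets, the form a ds:DigestValue carries (SHA-1 assumed)."""
    return base64.b64encode(hashlib.sha1(octets).digest()).decode("ascii")


def compare_traces(traced: bytes, expected: bytes, context: int = 24) -> dict:
    """Compare the octets actually digested with the expected c14n output."""
    off = first_divergence(traced, expected)
    report = {
        "match": off == -1,
        "offset": off,
        "traced_digest": digest_b64(traced),
        "expected_digest": digest_b64(expected),
        # c14n output uses bare LF; a raw CR octet means line endings were not normalized.
        "has_cr": b"\r" in traced or b"\r" in expected,
    }
    if off != -1:
        lo = max(0, off - context)
        report["traced_context"] = traced[lo:off + context]
        report["expected_context"] = expected[lo:off + context]
    return report


# Constructed sample: the same signed child element as two implementations
# might serialize it. TRACED carries a namespace declaration inherited from an
# ancestor that the element never uses; EXPECTED omits it.
EXPECTED = b'<app:Item xmlns:app="urn:example:app" Id="item1">value</app:Item>'
TRACED = (b'<app:Item xmlns:app="urn:example:app" '
          b'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
          b'Id="item1">value</app:Item>')

if __name__ == "__main__":
    for key, value in compare_traces(TRACED, EXPECTED).items():
        print(f"{key}: {value!r}")
```

Whichever side's digest equals the DigestValue in the signature shows which implementation's canonical form the signer actually used.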


