santuario-dev mailing list archives

From Sean Mullan <Sean.Mul...@Sun.COM>
Subject Re: Canonicalizer issue ?
Date Wed, 27 Jun 2007 20:42:42 GMT
Frederic JEAN wrote:
> Hello,
> I'm trying to verify an XML signature I generated, and the
> Reference.verify() method finds that digests don't match on a reference.
> That reference is for an XML element inside a ds:Object inside the XML
> signature (see reference with URI = #XAdESSignedProperties in the
> signature at the end of the message)
> 
> When I debug, placing a breakpoint in
> /Reference.dereferenceURIandPerformTransforms(OutputStream os)/, I can
> see that a call to /input.toString()/ gives exactly the same result
> when generating the signature and when generating it; here's what I get:
> 
> XMLSignatureInput/Element/<?xml version="1.0" encoding="UTF-16"?>
> 
> <SignedProperties xmlns="http://uri.etsi.org/01903/v1.1.1#" Id="XAdESSignedProperties"><SignedSignatureProperties><SigningTime>2007-06-27T19:37:41.033+02:00</SigningTime><SigningCertificate><Cert><CertDigest><DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>fr3QDtOni3g5c/1+W3sJMJmyFhk=</DigestValue></CertDigest><IssuerSerial><ds:X509IssuerName
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">CN="CA ROOT SNR,OU=Centre Organisationnel
> Integration &amp; Technologies,O=AQL,ST=Bretagne,C=FR"</ds:X509IssuerName><ds:X509SerialNumber
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">1</ds:X509SerialNumber></IssuerSerial></Cert></SigningCertificate><SignaturePolicyIdentifier><SignaturePolicyImplied/></SignaturePolicyIdentifier></SignedSignatureProperties></SignedProperties>
> exclude null comments:true/#XAdESSignedProperties
> 
> .
> Now, if instead of this I do a /new String(output.getBytes(),"UTF-8")/
> in the method /Reference.calculateDigest()/, I get different results at
> signing time and at verifying time. I get one more xmlns attribute on my
> node at verifying time.
> Here what I get when signing :
> 
> <SignedProperties xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="XAdESSignedProperties"><SignedSignatureProperties><SigningTime>2007-06-27T19:33:14.236+02:00</SigningTime><SigningCertificate><Cert><CertDigest><DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>fr3QDtOni3g5c/1+W3sJMJmyFhk=</DigestValue></CertDigest><IssuerSerial><ds:X509IssuerName>CN="CA
> ROOT SNR,OU=Centre Organisationnel Integration &amp; Technologies,O=AQL,ST=Bretagne,C=FR"</ds:X509IssuerName><ds:X509SerialNumber>1</ds:X509SerialNumber></IssuerSerial></Cert></SigningCertificate><SignaturePolicyIdentifier><SignaturePolicyImplied></SignaturePolicyImplied></SignaturePolicyIdentifier></SignedSignatureProperties></SignedProperties>
> 
> 
> And when verifying :
> 
> <SignedProperties xmlns="http://uri.etsi.org/01903/v1.1.1#" *xmlns:ds="http://www.w3.org/2000/09/xmldsig#"*
> Id="XAdESSignedProperties"><SignedSignatureProperties><SigningTime>2007-06-27T19:33:14.236+02:00</SigningTime><SigningCertificate><Cert><CertDigest><DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>fr3QDtOni3g5c/1+W3sJMJmyFhk=</DigestValue></CertDigest><IssuerSerial><ds:X509IssuerName>CN="CA
> ROOT SNR,OU=Centre Organisationnel Integration &amp; Technologies,O=AQL,ST=Bretagne,C=FR"</ds:X509IssuerName><ds:X509SerialNumber>1</ds:X509SerialNumber></IssuerSerial></Cert></SigningCertificate><SignaturePolicyIdentifier><SignaturePolicyImplied></SignaturePolicyImplied></SignaturePolicyIdentifier></SignedSignatureProperties></SignedProperties>
> 
> When creating my signedProperties element I don't actually specify an xmlns
> attribute on it. The "http://uri.etsi.org/01903/v1.1.1" namespace is
> specified on a parent element (ds:Object actually).

This is a guess but I have seen problems like this before... for example
- see http://issues.apache.org/bugzilla/show_bug.cgi?id=41821

How did you specify the xmlns attribute on the Object element? You must
specifically add the attribute using the DOM Element.setAttributeNS (and
not setAttribute) method, otherwise it won't be visible at signing time.

--Sean
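
Sean's advice about setAttributeNS, shown with an added example (not code from this thread or from Santuario): it builds the ds:Object of the quoted signature twice, once declaring the XAdES default namespace with setAttribute and once with setAttributeNS, and compares both with the element a namespace-aware parser produces on the verifying side. getAttributeNS and lookupNamespaceURI stand in for the namespace-aware processing a canonicalizer performs; the canonicalizer itself is not run. The namespace URIs and the Id value come from the thread; the class and method names are the example's own.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

/**
 * Added example (not Santuario code): a namespace declaration added with
 * Element.setAttribute is a plain attribute that happens to be named "xmlns";
 * namespace-aware code does not treat it as a declaration. The same declaration
 * added with setAttributeNS, or produced by a parser on the verifying side, is
 * a real namespace node. Class and method names are the example's own.
 */
public class XmlnsDeclarationDemo {
    // Namespace URIs taken from the thread.
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    static final String XADES_NS = "http://uri.etsi.org/01903/v1.1.1#";

    static DocumentBuilder namespaceAwareBuilder() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // mandatory for any XML Signature processing
        return dbf.newDocumentBuilder();
    }

    /** Signing side: ds:Object built in memory, XAdES default namespace declared on it. */
    static Element buildObject(boolean useSetAttributeNS) throws Exception {
        Document doc = namespaceAwareBuilder().newDocument();
        Element object = doc.createElementNS(DSIG_NS, "ds:Object");
        object.setAttributeNS(XMLConstants.XMLNS_ATTRIBUTE_NS_URI, "xmlns:ds", DSIG_NS);
        if (useSetAttributeNS) {
            // Correct: a namespace declaration node (namespaceURI = http://www.w3.org/2000/xmlns/)
            object.setAttributeNS(XMLConstants.XMLNS_ATTRIBUTE_NS_URI, "xmlns", XADES_NS);
        } else {
            // Wrong: a plain attribute named "xmlns" with a null namespaceURI
            object.setAttribute("xmlns", XADES_NS);
        }
        doc.appendChild(object);
        Element props = doc.createElementNS(XADES_NS, "SignedProperties");
        props.setAttributeNS(null, "Id", "XAdESSignedProperties");
        object.appendChild(props);
        return object;
    }

    /** Verifying side: the same markup as a namespace-aware parser delivers it. */
    static Element parseObject() throws Exception {
        String xml = "<ds:Object xmlns:ds=\"" + DSIG_NS + "\" xmlns=\"" + XADES_NS + "\">"
                   + "<SignedProperties Id=\"XAdESSignedProperties\"/></ds:Object>";
        Document doc = namespaceAwareBuilder().parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement();
    }

    /** The questions a namespace-aware consumer asks about the declaration. */
    static String describe(String label, Element object) {
        Attr decl = object.getAttributeNode("xmlns");     // found by node name in all three cases
        String declNs = decl.getNamespaceURI();           // null for the setAttribute variant
        String viaNs = object.getAttributeNS(XMLConstants.XMLNS_ATTRIBUTE_NS_URI, "xmlns");
        String inScope = object.lookupNamespaceURI(null); // null for the setAttribute variant
        return label + ":\n"
             + "  attribute nodeName         = " + decl.getNodeName() + "\n"
             + "  attribute namespaceURI     = " + declNs + "\n"
             + "  getAttributeNS(xmlns ns)   = " + (viaNs.isEmpty() ? "(not found)" : viaNs) + "\n"
             + "  default namespace in scope = " + inScope;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(describe("setAttribute(\"xmlns\", ...)", buildObject(false)));
        System.out.println(describe("setAttributeNS(XMLNS_ATTRIBUTE_NS_URI, \"xmlns\", ...)", buildObject(true)));
        System.out.println(describe("parsed from serialized XML", parseObject()));
    }
}
```

The setAttribute variant reports the declaration by node name but with a null namespaceURI, no match through getAttributeNS and no default namespace in scope; the setAttributeNS variant and the parsed element agree with each other. That is the situation the thread describes: the in-memory DOM used at signing time and the re-parsed DOM used at verification time print the same way, yet a namespace-aware canonicalizer sees a declaration on one side only, so the digests differ.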
