santuario-dev mailing list archives

From Jean-Charles Laurent <jclaur...@jeancoutu.com>
Subject Re: question
Date Wed, 28 May 2008 15:02:57 GMT
Thanks Brent for all your help and quick response.

We finally talked to the client/3rd-party and convinced them that they were 
doing something wrong. They finally admitted that they were removing 
carriage returns and blank spaces in the signed info. 




Jean-Charles Laurent
Analyste / Analyst
Le Groupe Jean Coutu (PJC) Inc.
tél: 450-463-1890 (3363)
fax: 450-646-0567
jclaurent@jeancoutu.com




Brent Putman <putmanb@georgetown.edu> 
27/05/2008 06:10 PM

To: Jean-Charles Laurent <jclaurent@jeancoutu.com>, security-dev@xml.apache.org
cc:
Subject: Re: question

(Please hit reply-to-all when you reply so that your email goes to the 
list and not just to me).



Jean-Charles Laurent wrote: 

Hi Brent, 

Yes I did write to a file and I validate it with a Java tool (found on the 
web) or with a Java program that I got in the sample directory of xml 
security package. I am quite sure what we are sending is a valid xml 
signature file. I think this is an issue with dot-net. 

Well, then ultimately it's not your problem, and if I were you, I 
personally would not waste my time trying to work around someone else's 
broken code.  Ask them to fix it. 




Here someone did a signature with a dot-net program and for it to validate 
on the peer side, they needed to use some dot-net parameter to prevent 
blanks or newline characters in the signature. We know that it is not 
being corrupted on the way (since we can send the dot-net result and it is 
valid). Their resulting signed XML file has the SignedInfo tag on a single 
line with no carriage return characters. This is what I am trying to 
reproduce with my Java application. 

I understand.  Good luck.  Even if you get the line breaks feature 
working, realize this very well may not actually fix your problem, given 
everything that you've said.  I'd be very wary.

Out of curiosity: do you know whether the .NET code that is being used to 
validate is some standard .NET XML Signature library, or something that 
someone just wrote up for this particular application?  If the former, I'd 
be interested to know what it is, just for future reference...



I tried to set the parameter "org.apache.xml.security.ignoreLineBreaks" 
and it seems to have no effect on my signature. I must be doing something 
wrong. I tried as you suggested via the -D option ("java 
-Dorg.apache.xml.security.ignoreLineBreaks=true ..."). To make sure the 
parameter is set correctly, I do a 

    System.out.println("ignoreLineBreaks=" + System.getProperty("org.apache.xml.security.ignoreLineBreaks"));

which displays true. 


I haven't personally used this feature, perhaps someone on the Apache xml 
security dev team can comment.  But one thing is (and sorry I didn't 
realize this before): according to SVN the last Java xmlsec release 
(1.4.1) was tagged in May 2007, and this ignore line breaks feature wasn't 
added until October 2007, so you would have to be running with an xmlsec 
jar built from recent source, or perhaps try with the 1.4.2 beta (or 
release candidate?) that I believe Sean currently has out there somewhere.

--Brent
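
Why removing carriage returns and blanks from SignedInfo breaks validation, as an added example that is not part of the original thread or of Apache XML Security: canonicalization keeps the whitespace between child elements, so it is part of the octets the signature covers. The sketch assumes Python's standard-library C14N 2.0 and an HMAC with a constructed key as stand-ins for the canonicalization and signature algorithms the real parties used; the SignedInfo content is constructed.

```python
import hashlib
import hmac
import re
from xml.etree.ElementTree import canonicalize  # stdlib C14N 2.0 (stand-in)

KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the real signing key

# Constructed SignedInfo with line breaks between elements, as a signer that
# does not set ignoreLineBreaks would emit it. The digest value is a placeholder.
SIGNED_INFO = """<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2010/xml-c14n2"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"></ds:SignatureMethod>
<ds:Reference URI="">
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
<ds:DigestValue>PLACEHOLDER-DIGEST</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>"""


def signature_value(signed_info_xml: str) -> str:
    """MAC over the canonical octets of SignedInfo, which is what gets signed."""
    octets = canonicalize(signed_info_xml).encode("utf-8")
    return hmac.new(KEY, octets, hashlib.sha256).hexdigest()


def verifies(signed_info_xml: str, sig: str) -> bool:
    """Recompute the MAC on the received SignedInfo and compare in constant time."""
    return hmac.compare_digest(signature_value(signed_info_xml), sig)


def reserialized(xml: str) -> str:
    """Changes that parsing and canonicalization undo: CRLF line ends, self-closing tags."""
    return re.sub(r"></ds:\w+>", "/>", xml).replace("\n", "\r\n")


def whitespace_stripped(xml: str) -> str:
    """The edit described in the thread: whitespace between tags removed."""
    return re.sub(r">\s+<", "><", xml)


if __name__ == "__main__":
    sig = signature_value(SIGNED_INFO)
    print("as signed:          ", verifies(SIGNED_INFO, sig))
    print("re-serialized:      ", verifies(reserialized(SIGNED_INFO), sig))
    print("whitespace stripped:", verifies(whitespace_stripped(SIGNED_INFO), sig))
```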

