santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jesse Pelton" <...@PKC.com>
Subject RE: Invalid Signature problem through Empty elements are converted to start-end tag pairs
Date Tue, 27 Jan 2009 19:54:14 GMT
In case it isn't obvious (it wasn't to me at first), the fact that an
element appears as "<param/>" in the signed document does not mean those
are the bytes that were used in generating the signature.  The point of
canonicalization is that a canonical form of the document is used to
calculate the hash, but the document that contains the resulting
signature may not be (and generally is not) rewritten in canonical form.

Put differently, the canonicalized document is a temporary copy.

Sorry if you already knew this.  Since you said "it seems that java
signed empty tags" a certain way, not that you were certain this is the
case, I thought it worth pointing out that this might not in fact be the
problem.

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu] 
Sent: Tuesday, January 27, 2009 2:31 PM
To: security-dev@xml.apache.org
Subject: RE: Invalid Signature problem through Empty elements are
converted to start-end tag pairs

Harakiri wrote on 2009-01-27:
> however it seems that java signed empty tags as:
> 
> <param name="myparam"/>
> 
> but apache security correctly validates as
> 
> <param name="myparam"></param>
> 
> Since i cant just change existing signatures, how can I modify the
apache
> xmldsig validation so that it will not compute the hash over the empty
tags
> as <param></param> but as <param/> ?

If you're using c14n (either version) as defined today, the signature
digest
is over the <tag></tag> form, not the other form. That's part of c14n. I
doubt what you're using is really doing that wrong, unless it's one-off
signing code that isn't interoperable at all.

But you can't make Apache's code do this wrong, no.

-- Scott



Mime
View raw message