santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Cantor, Scott" <canto...@osu.edu>
Subject Re: XML canonicalization
Date Wed, 10 Jul 2013 15:19:54 GMT
On 7/10/13 11:14 AM, "Mingfa Ma" <mingfa.ma@deepnetsecurity.com> wrote:
>
>Actually I tried Java code (not Apache library, but
>javax.xml.crypto.dsig.*, very simple) and passed the core validation on
>my samples, so I never doubt the apache's correct handling on XML
>canonicalization.

Ok, then I'm fairly confident in the conclusions.

>There are two reasons why I dig into checksig utility,
>
>1,  I showed F5 my Java code, but they seemed blind on that. Probably
>their product is developed with C(C++), they are more like to see C
>implementation.

What's relevant is you have two independent sources pointing to they've
got the bug, which shifts the burden in such cases.

>After a deeper dive into checksig, I finally got the answer,
>
>The CanonicalizationMethod (in my case,
>"http://www.w3.org/2001/10/xml-exc-c14n#" ) defined in SignedInfo should
>be ONLY used on the second step of core validation - Signature
>Validation.
>However, F5 also employed the same method onto the first step (Reference
>Validation), which I think is wrong.

I think that's what I was trying to explain when you first posted the
issue. It appeared to me they were confused about how Reference validation
works. Sorry if I wasn't clear.

-- Scott



Mime
View raw message