DO NOT REPLY [Bug 47527] XML signature HMAC truncation authentication bypass

2009-07-21 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=47527 Scott Cantor canto...@osu.edu changed:
What | Removed | Added
Status | RESOLVED | CLOSED

Re: DO NOT REPLY [Bug 47526] New: XML signature HMAC truncation authentication bypass

2009-07-15 Thread Sean Mullan
making a final version available early next week. Thanks, Sean bugzi...@apache.org wrote: https://issues.apache.org/bugzilla/show_bug.cgi?id=47526 Summary: XML signature HMAC truncation authentication bypass Product: Security Version: Java 1.4.2 Platform

DO NOT REPLY [Bug 47526] New: XML signature HMAC truncation authentication bypass

2009-07-14 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=47526 Summary: XML signature HMAC truncation authentication bypass Product: Security Version: Java 1.4.2 Platform: All OS/Version: All Status: NEW Severity: critical

DO NOT REPLY [Bug 47526] XML signature HMAC truncation authentication bypass

2009-07-14 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=47526 sean.mul...@sun.com changed:
What | Removed | Added
Status | NEW | RESOLVED

DO NOT REPLY [Bug 47527] New: XML signature HMAC truncation authentication bypass

2009-07-14 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=47527 Summary: XML signature HMAC truncation authentication bypass Product: Security Version: C++ 1.5.0 Platform: All URL: http://www.kb.cert.org/vuls/id/466161 OS/Version: All

Re: DO NOT REPLY [Bug 47526] New: XML signature HMAC truncation authentication bypass

2009-07-14 Thread Sean Mullan
/show_bug.cgi?id=47526 Summary: XML signature HMAC truncation authentication bypass Product: Security Version: Java 1.4.2 Platform: All OS/Version: All Status: NEW Severity: critical Priority: P1 Component: Signature

DO NOT REPLY [Bug 47527] XML signature HMAC truncation authentication bypass

2009-07-14 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=47527 Scott Cantor canto...@osu.edu changed:
What | Removed | Added
Status | NEW | RESOLVED

RE: DO NOT REPLY [Bug 47526] New: XML signature HMAC truncation authentication bypass

2009-07-14 Thread Scott Cantor
Sean Mullan wrote on 2009-07-14: I have just putback a fix for this vulnerability to the source code repository. This patch will be included in the (Java) version 1.4.3 release. Because of the potential severity of this issue, we are planning an expedited release process for 1.4.3. I plan to

Re: DO NOT REPLY [Bug 47526] New: XML signature HMAC truncation authentication bypass

2009-07-14 Thread Sean Mullan
A jar is now available for testing: http://people.apache.org/~mullan/dist/xmlsec-1.4.3beta1.jar Here is a complete list of what bugs have been fixed: Fixed Bug 47526: XML signature HMAC truncation authentication bypass Fixed Bug 47525: Fix checkstyle problems with source and tests

Need help with the HMAC example

2007-11-21 Thread Sergiu Tcaciuc
need to do: 1. Create an XML file, prepare the signature element including digest value and save it to a file 2. a second application will read the file, find the hash and sign this hash with a HMAC key and place the result in the ds:SignatureValue 3. other application verify the signature Problems i

DO NOT REPLY [Bug 38604] New: - HMAC signature verification leaks with OpenSSL

2006-02-10 Thread bugzilla
/show_bug.cgi?id=38604 Summary: HMAC signature verification leaks with OpenSSL Product: Security Version: unspecified Platform: Other OS/Version: All Status: NEW Severity: normal Priority: P2 Component: C++ Signature

Newbie question on HMAC signature

2004-10-12 Thread Monica Lau
Hi, I'm signing an xml document using hmac-sha1. I was just wondering what do people normally fill in for the keyinfo element? I assume that you don't incorporate this keyinfo element into the document because you can't/shouldn't store the secret in it. Or is there some way to incorporate

Re: HMAC

2004-01-12 Thread Berin Lautenbach
that useHMAC == false, but here is how SignatureMethod was defined: <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" /> Anyone have any idea why? Thank you, Milan