Berin,

actually there were (are) some problems during the encryption processing in Content mode, in particular the serialization of Document fragments (Document fragments may have Text nodes as first-level child nodes - it's a fragment).

The first problem was that Content mode didn't serialize the whole Document fragment; it serialized Element nodes _only_. Because of this problem the encryption effectively changed the contents of the data to encrypt, e.g. by not serializing first-level Text nodes. These non-Element nodes were just ignored. If you signed the data before encryption then you couldn't verify the data after decryption.

To make it work for SOAP requests we fixed that problem (quick fix that serializes Element nodes and Text nodes, but not any other node types). That works ok for SOAP (they usually don't have any CDATA or Comment nodes :-) ).

For the encryption of a generic XML Document in Content mode the whole Document fragment shall be correctly serialized. (IMO, encryption shall _never_ modify its input data; it shall take it literally (as far as possible) and encrypt it.) To do this I tried the Xerces serialization. During the tests I discovered a problem in the Xerces serialization too (it didn't handle Document Fragments correctly, chokes on CDATA and Comments at least, didn't check PI nodes). The proposed bug fix was not yet included in the Xerces code (checked yesterday in the commit e-mail archive). Thus we can't enable the according fix in xml-sec (mailed some time ago).

Regards,
Werner

> -----Original Message-----
> From: Berin Lautenbach [mailto:[EMAIL PROTECTED]
> Sent: Monday, 2 February 2004 23:03
> To: [EMAIL PROTECTED]
> Subject: Re: AW: Verification after decrypt
>
>
> Werner,
>
> I thought the problems were around CDATA and handling thereof when
> decrypting and moving the decrypted bytes back to DOM.
> I *think* (although I may well have forgotten something vital :>) that the
> canonicalisation that happens during signature verification should bypass
> all of this. (CDATA gets "transformed" to straight text in any case at
> this point.)
> Cheers,
> Berin
>
> > Heyjung
> >
> > as I understand it you first sign, then encrypt your XML document
> > (decrypt/verify to check it).
> >
> > Depending on the xmlsec-jar you use there may be problems in the
> > encryption methods.
> >
> > The problem in some cases (note: XML encryption is in beta) is that the
> > encryption _may_ change contents of your XML data you just
> > signed. This breaks the signature. This happens e.g. if you use
> > Content mode as opposed to Element mode; also if your XML
> > contains CDATA or comments it may break.
> >
> > Please refer to some mails about this in the mail archive (December and
> > January). There was a fix for one particular problem but not as an
> > overall solution.
> >
> > Regards,
> > Werner
> >
> > -----Original Message-----
> > From: Hye-Jung Kim [mailto:[EMAIL PROTECTED]
> > Sent: Monday, 2 February 2004 00:51
> > To: [EMAIL PROTECTED]
> > Subject: Verification after decrypt
> >
> >
> > Hello,
> > I am trying to decrypt and verify data (signed & encrypted) using the
> > XML security suite, and signature.checkSignatureValue(cert) returns
> > false, which means the signature verification has failed. I am not sure
> > why it failed since verification for signed-only data and decryption for
> > encrypted-only data work fine. Can I simply decrypt the signed &
> > encrypted data first, then pass it to my verifier to create an XMLSignature
> > to call checkSignatureValue? Please advise! Thanks in advance.
> >
> > Hyejung
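The failure mode Werner describes, as an added illustration that is not part of the thread and not code from Apache xml-security or Xerces (it is in Python rather than the library's Java, because the point is DOM serialization, not the cipher). The three serializers model the three states discussed: the original Content-mode bug (Element children only), the SOAP quick fix (Element and Text children), and full serialization of every child node. The "signature" is a SHA-256 over a naive DOM serialization standing in for XML-DSig canonicalization, the "encryption" step is modelled as serialize-then-parse-back, and both XML samples are constructed for the example.

```python
# Added example (not code from Apache xml-security or Xerces): a minimal
# model of why Content-mode encryption must serialize *every* child node
# of the target element, or a sign-then-encrypt round trip breaks.
# Assumptions: SHA-256 over a naive serialization stands in for XML-DSig
# C14N; "encryption" is modelled as serialize -> parse back, since the
# cipher is irrelevant to the bug; the XML samples are constructed.
import hashlib
from xml.dom import Node, minidom

# Constructed sample: Body content mixes a Text node, a CDATA section, a
# Comment, a Processing Instruction and an Element, in that order.
SAMPLE = (
    "<Envelope><Body>leading text"
    "<![CDATA[<raw> & unescaped]]>"
    "<!-- audit: approved -->"
    '<?app version="1"?>'
    '<Item id="7">value</Item>'
    "trailing text</Body></Envelope>"
)

# Constructed SOAP-style sample: Body content is a single Element.
SOAP_SAMPLE = (
    "<Envelope><Body><GetQuote><Symbol>ACME</Symbol></GetQuote>"
    "</Body></Envelope>"
)


def body_of(xml_text):
    """Parse the document and return its <Body> element."""
    return minidom.parseString(xml_text).getElementsByTagName("Body")[0]


def serialize_elements_only(element):
    """Original Content-mode bug: only Element children are written."""
    return "".join(c.toxml() for c in element.childNodes
                   if c.nodeType == Node.ELEMENT_NODE)


def serialize_elements_and_text(element):
    """The SOAP 'quick fix': Element and Text children, nothing else.
    CDATA sections are a separate node type and are still dropped."""
    return "".join(c.toxml() for c in element.childNodes
                   if c.nodeType in (Node.ELEMENT_NODE, Node.TEXT_NODE))


def serialize_content(element):
    """Correct Content mode: every child node, in document order."""
    return "".join(c.toxml() for c in element.childNodes)


def digest(octets):
    """Stand-in for the signature digest (no real C14N here)."""
    return hashlib.sha256(octets.encode("utf-8")).hexdigest()


def sign_then_encrypt_roundtrip(xml_text, serializer):
    """Return (digest_before, digest_after) for the content of <Body>.

    before: what the signer committed to (the full content).
    after:  what a verifier sees once the encryptor has serialized the
            content with `serializer` and the decryptor parsed it back.
    """
    body = body_of(xml_text)
    before = digest(serialize_content(body))
    plaintext = serializer(body)          # octets handed to the cipher
    restored = minidom.parseString("<Body>" + plaintext + "</Body>")
    after = digest(serialize_content(restored.documentElement))
    return before, after


def signature_survives(xml_text, serializer):
    """True iff the signed content is byte-identical after the round trip."""
    before, after = sign_then_encrypt_roundtrip(xml_text, serializer)
    return before == after


if __name__ == "__main__":
    for name, ser in [("elements only", serialize_elements_only),
                      ("elements+text", serialize_elements_and_text),
                      ("all nodes", serialize_content)]:
        print(f"{name:14} generic XML: {signature_survives(SAMPLE, ser)}"
              f"  SOAP: {signature_survives(SOAP_SAMPLE, ser)}")
```

Running it shows the pattern from the thread: the SOAP-style body survives all three serializers because its content is a single Element, while the generic body survives only the serializer that writes every child node, since the quick fix still drops the CDATA section, the comment and the processing instruction. The same check is a useful regression test for any sign-then-encrypt pipeline: digest the target content before encryption, decrypt, digest again, and fail the build if the two differ.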
