Dims,

in my workspace for xmlsec I have a version that uses a c14n serializer to do the work. Because it's an xmlsec c14n serializer this eliminates the Xerces dependency.

The main difference between this solution and the Xerces based solution is the different handling of CDATA serialization (c14n: CDATA handled like a text node; Xerces: make a real CDATA string). Haven't tested PI yet. Please refer also to my e-mail dated January 5th to the group that included a first version of the patch. I create a new patch this evening (MET) that uses the c14n serializer per default and not as an option as it is in the original patch. Let's check it and decide how to proceed afterwards.

Another nice feature of the c14n solution: the caller may decide which c14n to use, i.e. with or without comment, etc. If nothing is specified, fall back to the configured standard c14n serializer (latter function with new patch).

Regards,
Werner

> -----Original Message-----
> From: Davanum Srinivas [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 3 February 2004 16:11
> To: [EMAIL PROTECTED]
> Subject: Re: AW: AW: AW: Verification after decrypt
>
>
> Werner,
>
> We can't depend on a specific version of Xerces EVEN if they
> fix problems in their code. So is
> there a possibility of patching xml-security itself? (Write
> custom serializers just like we do in
> Axis)
>
> thanks,
> dims
>
> --- Dittmann Werner <[EMAIL PROTECTED]> wrote:
> > Berin,
> >
> > AFAIK Dims wrote an e-mail to somebody of the
> > Xerces group and asked if they would fix the problem.
> > Don't know about the outcome.
> >
> > After all, the Xerces guys are heavily working
> > on the serialization matter. But I'm not
> > aware if they fix it soon.
> >
> > BTW, the Xerces Bugzilla # 25853 describes the
> > problem, also attached a fix.
> >
> > Would be nice if we had the problem solved, then
> > we could enable the bug fix of the encryption code.
> >
> > Regards,
> > Werner
> >
> > > -----Original Message-----
> > > From: Berin Lautenbach [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, 3 February 2004 12:30
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: AW: AW: Verification after decrypt
> > >
> > >
> > > Ahh. Yes. Apologies - had forgotten the part about the bug!
> > >
> > > What think you - should we see if we can escalate with the Xerces
> > > people? Am happy to do so!
> > >
> > > Cheers,
> > > Berin
> > >
> > >
> > > Dittmann Werner wrote:
> > >
> > > > Berin,
> > > >
> > > > actually there were (are) some problems during
> > > > the encryption processing in Content mode, in particular
> > > > the serialization of Document fragments (Document
> > > > fragments may have Text nodes as first level
> > > > child nodes - it's a fragment).
> > > >
> > > > The first problem was that Content mode didn't
> > > > serialize the whole Document fragment, it serialized
> > > > Element nodes _only_.
> > > >
> > > > Because of this problem the encryption effectively
> > > > changed the contents of the data to encrypt, e.g. by
> > > > not serializing first level Text nodes. These non-Element
> > > > nodes were just ignored. If you signed the data before
> > > > encryption then you couldn't verify the data after
> > > > decryption.
> > > >
> > > > To make it work for SOAP requests we fixed that problem
> > > > (quick fix that serializes Element nodes and Text nodes,
> > > > but not any other node types). That works ok for SOAP
> > > > (they usually don't have any CDATA or Comment nodes :-) ).
> > > >
> > > > For the encryption of generic XML Documents in content
> > > > mode the whole Document fragment shall be correctly
> > > > serialized.
> > > >
> > > > (IMO, encryption shall _never_ modify its input data, it
> > > > shall take it literally (as far as possible) and encrypt
> > > > it.)
> > > >
> > > > To do this I tried the Xerces serialization. During the
> > > > tests I discovered a problem in Xerces serialization too
> > > > (it didn't handle Document Fragment correctly, chokes on
> > > > CDATA and Comments at least, didn't check PI nodes).
> > > >
> > > > The proposed bug fix was not yet included in Xerces code
> > > > (checked yesterday in commit e-mail archive). Thus we
> > > > can't enable the according fix in xml-sec (mailed some
> > > > time ago).
> > > >
> > > > Regards,
> > > > Werner
> > > >
> > > >
> > > >>-----Original Message-----
> > > >>From: Berin Lautenbach [mailto:[EMAIL PROTECTED]
> > > >>Sent: Monday, 2 February 2004 23:03
> > > >>To: [EMAIL PROTECTED]
> > > >>Subject: Re: AW: Verification after decrypt
> > > >>
> > > >>
> > > >>Werner,
> > > >>
> > > >>I thought the problems were around CDATA and handling thereof when
> > > >>decrypting and moving the decrypted bytes back to DOM.
> > > >>I *think* (although I may well have forgotten something vital
> > > >>:>) that the
> > > >>canonicalisation that happens during signature verification
> > > >>should bypass
> > > >>all of this. (CDATA gets "transformed" to straight text in
> > > >>any case at
> > > >>this point.)
> > > >>Cheers,
> > > >> Berin
> > > >>
> > > >>
> > > >>>Heyjung
> > > >>>
> > > >>>as I understand it you first sign, then encrypt your XML document
> > > >>>(decrypt/verify to check it).
> > > >>>
> > > >>>Depending on the xmlsec-jar you use there may be problems in the
> > > >>>encryption methods.
> > > >>>
> > > >>>The problem in some cases (note: XML encryption is in beta)
> > > >>>is that the
> > > >>>encryption _may_ change contents of your XML data you just
> > > >>>signed. This breaks the signature. This happens e.g. if you use
> > > >>>Content mode as opposed to Element mode, also if your XML
> > > >>>contains CDATA or comments it may break.
> > > >>>
> > > >>>Please refer to some mails about this in the mail archive
> > > >>>(December and
> > > >>>January). There was a fix for one particular problem but not as an
> > > >>>overall solution.
> > > >>>
> > > >>>Regards,
> > > >>>Werner
> > > >>>
> > > >>>-----Original Message-----
> > > >>>From: Hye-Jung Kim [mailto:[EMAIL PROTECTED]
> > > >>>Sent: Monday, 2 February 2004 00:51
> > > >>>To: [EMAIL PROTECTED]
> > > >>>Subject: Verification after decrypt
> > > >>>
> > > >>>
> > > >>>Hello,
> > > >>>I am trying to decrypt and verify data (signed & encrypted)
> > > >>>using the
> > > >>>XML security suite and the
> > > >>>signature.checkSignatureValue(cert) returns
> > > >>>false which means the signature verification has failed. I
> > > >>>am not sure
> > > >>>why it failed since verification for signed only data and
> > > >>>decrypt for
> > > >>>encrypted only data work fine. Can I simply decrypt the signed &
> > > >>>encrypted data first then pass it to my verifier to create
> > > >>>XMLSignature
> > > >>>to call checkSignatureValue? Please advise! Thanks in advance.
> > > >>>
> > > >>>Hyejung
> > > >>>
> > > >>
> > > >>
> > > >
> > >
> >
>
>
> =====
> Davanum Srinivas - http://webservices.apache.org/~dims/
>
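The failure mode the thread describes (Content-mode encryption that serializes only the child Elements, so first-level Text nodes vanish and a signature made before encryption no longer verifies after decryption), together with the CDATA question raised in the later messages (a serializer that writes a real CDATA section versus one that writes escaped text, and whether that matters once verification canonicalizes), as an added example that is not part of this thread and not code from Apache XML Security or Xerces. It uses Python's xml.dom.minidom as a stand-in for the Java DOM the thread discusses; the sample document, the function names and the small canonical-form serializer are all constructed for this illustration (the serializer is deliberately minimal and is not a full XML C14N implementation).

```python
"""Model of sign -> encrypt (Content mode) -> decrypt -> verify, showing why
dropping non-Element child nodes during serialization breaks the signature
while the CDATA-vs-text representation does not. Constructed example."""
import hashlib
from xml.dom import minidom, Node
from xml.sax.saxutils import escape

# Constructed sample (not from the thread): an element whose content mixes a
# first-level Text node, a child Element, a CDATA section, a Comment, a PI and
# a trailing Text node, i.e. the node mix the thread says Content mode mishandled.
SAMPLE = ('<Order>free text <Item>widget</Item>'
          '<![CDATA[<raw & unescaped>]]><!-- note --><?track id=1?>tail</Order>')


def parse_element(xml_text):
    """Parse a document string and return its root element (minidom Element)."""
    return minidom.parseString(xml_text).documentElement


def serialize_elements_only(element):
    """The defect described in the thread: Content mode that serializes child
    Element nodes only. First-level Text, CDATA, Comment and PI children are
    silently dropped, so the bytes that get encrypted differ from the input."""
    return "".join(child.toxml() for child in element.childNodes
                   if child.nodeType == Node.ELEMENT_NODE)


def serialize_all_children(element):
    """Serialize the whole fragment, every child node. minidom writes CDATA as
    a real <![CDATA[...]]> section, the 'Xerces' behaviour in the thread."""
    return "".join(child.toxml() for child in element.childNodes)


def serialize_cdata_as_text(element):
    """Whole fragment again, but CDATA is written as escaped character data,
    the 'c14n serializer' behaviour in the thread. Comments and PIs are kept."""
    parts = []
    for child in element.childNodes:
        if child.nodeType == Node.CDATA_SECTION_NODE:
            parts.append(escape(child.data))
        else:
            parts.append(child.toxml())
    return "".join(parts)


def canonical_form(node):
    """Minimal canonical-form serializer (NOT full XML C14N: no namespace or
    attribute-value normalization). Attributes sorted, Text and CDATA both
    emitted as escaped text, comments omitted, PIs kept. This is what the
    signature's digest is computed over, before signing and at verification."""
    t = node.nodeType
    if t in (Node.TEXT_NODE, Node.CDATA_SECTION_NODE):
        return escape(node.data)
    if t == Node.COMMENT_NODE:
        return ""
    if t == Node.PROCESSING_INSTRUCTION_NODE:
        return "<?%s %s?>" % (node.target, node.data)
    if t == Node.ELEMENT_NODE:
        attrs = "".join(' %s="%s"' % (k, escape(v, {'"': "&quot;"}))
                        for k, v in sorted(node.attributes.items()))
        inner = "".join(canonical_form(c) for c in node.childNodes)
        return "<%s%s>%s</%s>" % (node.tagName, attrs, inner, node.tagName)
    return "".join(canonical_form(c) for c in node.childNodes)


def digest(element):
    """Stand-in for the reference digest a signature covers."""
    return hashlib.sha256(canonical_form(element).encode("utf-8")).hexdigest()


def round_trip(xml_text, serializer):
    """Sign, encrypt in Content mode, decrypt, verify. The bytes encryption
    captured are the serializer's output; after decryption they are placed back
    inside the (attribute-less, for this model) element and re-digested.
    Returns (signature_still_valid, serialized_content)."""
    original = parse_element(xml_text)
    expected = digest(original)
    content = serializer(original)
    restored = parse_element("<%s>%s</%s>" % (original.tagName, content, original.tagName))
    return digest(restored) == expected, content


if __name__ == "__main__":
    for name, fn in (("elements only", serialize_elements_only),
                     ("all children", serialize_all_children),
                     ("CDATA as text", serialize_cdata_as_text)):
        ok, content = round_trip(SAMPLE, fn)
        print("%-14s signature %-6s content=%r" % (name, "valid" if ok else "BROKEN", content))
```

Running it shows the elements-only variant failing verification because it changed the data it encrypted, while both whole-fragment variants verify, and verify against the same digest: the CDATA-section versus escaped-text difference between the two serializers is erased by canonicalization before the signature is checked, so what breaks the signature is the lost Text nodes, not the CDATA representation.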
