DO NOT REPLY [Bug 45586] New: Signature verification fails, C14N transform returns null

Thu, 07 Aug 2008 02:34:56 -0700 

https://issues.apache.org/bugzilla/show_bug.cgi?id=45586

           Summary: Signature verification fails, C14N transform returns
                    null
           Product: Security
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: Signature
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]


I am facing a issue with validating the xml signature. I have enveloped 
transform followed by ex-C14N. I did search xmlsec mail archive but to 
no success. Then I tried with debugging the xmlsec src code:

 The Reference object loops through all the configured transforms, in my case
it is http://www.w3.org/2000/09/xmldsig#enveloped-signature 
   transform which returns a (modified, i assume) XMLSignatureInput followed by
  C14N and it returns null! When I tried debugging, i find this:

CanonicalizerBase.engineCanonicalizeXPathNodeSetInternal() method:

           this.canonicalizeXPathNodeSet(doc,doc);
           System.out.println("canonicalizeXPathNodeSet is ok i  
 guess...");
           this._writer.close();
           if (this._writer instanceof ByteArrayOutputStream) {
              byte []  
 sol=((ByteArrayOutputStream)this._writer).toByteArray();
              if (reset) {
                ((ByteArrayOutputStream)this._writer).reset();
              }
                return sol;
           }  else if (this._writer instanceof  
 UnsyncByteArrayOutputStream) {
                 byte  
 []result=((UnsyncByteArrayOutputStream)this._writer).toByteArray();
               if (reset) {
                   ((UnsyncByteArrayOutputStream)this._writer).reset();
               }
                 return result;
           }
           return null;   <------ returns this null!

 The _writer instance in this case was created in Reference.java method  
 calculateDigest. Thus the ByteArrayOutputStreams of CanonicalizeBase do not
 match with the BufferedOutputStreams of Reference class, causing it to return
 null.

           MessageDigestAlgorithm mda = this.getMessageDigestAlgorithm();

           mda.reset();
           DigesterOutputStream diOs=new DigesterOutputStream(mda);
           OutputStream os=new UnsyncBufferedOutputStream(diOs);   <---  
 not check via instanceof in CanonicalizerBase
           XMLSignatureInput  
 output=this.dereferenceURIandPerformTransforms(os);
           output.updateOutputStream(os);
           os.flush();

Pls help me in resolving this. I am attachin a sample signed SAML token file
that was generated in my app. Note that while this problem comes, we have not
yet reached the actual digest value comparision.


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

Reply via email to