On 7/10/13 11:14 AM, "Mingfa Ma" <mingfa...@deepnetsecurity.com> wrote:
>
>Actually I tried Java code (not the Apache library, but
>javax.xml.crypto.dsig.*, very simple) and passed the core validation on
>my samples, so I never doubted Apache's correct handling of XML
>canonicalization.

Ok, then I'm fairly confident in the conclusions.

>There are two reasons why I dug into the checksig utility:
>
>1,  I showed F5 my Java code, but they seemed blind to that. Probably
>their product is developed in C (C++); they are more likely to see a C
>implementation.

What's relevant is you have two independent sources pointing to their
having the bug, which shifts the burden in such cases.

>After a deeper dive into checksig, I finally got the answer:
>
>The CanonicalizationMethod (in my case,
>"http://www.w3.org/2001/10/xml-exc-c14n#") defined in SignedInfo should
>be used ONLY in the second step of core validation, Signature
>Validation.
>However, F5 also employed the same method in the first step (Reference
>Validation), which I think is wrong.

I think that's what I was trying to explain when you first posted the
issue. It appeared to me they were confused about how Reference validation
works. Sorry if I wasn't clear.

-- Scott
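The split the thread is about, as an added example that is not code from the thread, from Apache Santuario or from F5: core validation written as two separate steps, where Reference validation uses only each Reference's own Transforms and DigestMethod, and Signature validation uses only SignedInfo's CanonicalizationMethod and SignatureMethod. A second validator models the behaviour Mingfa describes, applying SignedInfo's CanonicalizationMethod to the Reference input as well, and fails on a Reference that digests raw octets. Assumptions, all mine: C14N 2.0 via Python 3.8+ `xml.etree.ElementTree.canonicalize` stands in for exclusive C14N 1.0 (the stdlib has no exclusive C14N), HMAC-SHA256 stands in for an RSA SignatureMethod so no key material is needed, the key, the `data.xml` resource and its URI are constructed, and SignedInfo is re-serialized stand-alone before canonicalization rather than canonicalized as a node-set in document context.

```python
# Added example (not from the thread, Apache or F5): the two steps of XML
# Signature core validation, kept separate so each uses only its own
# algorithms. Python 3.8+: ET.canonicalize implements C14N 2.0, used here
# in place of exclusive C14N 1.0. Key, resource and URI are constructed.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DSIG}
ET.register_namespace("ds", DSIG)

# Algorithm identifiers from the XML Signature and C14N 2.0 specifications.
C14N2 = "http://www.w3.org/2010/10/xml-c14n2"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"

# Transform registry: algorithm URI -> callable(octets) -> octets.
TRANSFORMS = {C14N2: lambda octets: ET.canonicalize(octets).encode("utf-8")}

# Constructed inputs: a resource with non-canonical attribute order and an
# empty-element tag, so canonicalizing it changes its bytes.
KEY = b"constructed-demo-hmac-key"
RESOURCES = {"data.xml": b'<doc b="2" a="1"><item/></doc>'}


def tag(local):
    return "{%s}%s" % (DSIG, local)


def apply_transforms(octets, algorithms):
    for alg in algorithms:
        if alg not in TRANSFORMS:
            raise ValueError("unsupported transform: " + alg)
        octets = TRANSFORMS[alg](octets)
    return octets


def digest(algorithm, octets):
    if algorithm != SHA256:
        raise ValueError("unsupported digest method: " + algorithm)
    return hashlib.sha256(octets).digest()


def canonicalize_signed_info(signed_info):
    """Apply SignedInfo's *own* CanonicalizationMethod to SignedInfo.
    Shortcut: SignedInfo is re-serialized stand-alone; a real implementation
    canonicalizes the node-set in document context."""
    alg = signed_info.find("ds:CanonicalizationMethod", NS).get("Algorithm")
    raw = ET.tostring(signed_info, encoding="unicode").encode("utf-8")
    return apply_transforms(raw, [alg])


def sign(key, resources, c14n_method=C14N2):
    """Build <ds:Signature> with one Transform-less Reference per resource.
    Each Reference digests the resource's raw octets: no canonicalization."""
    sig = ET.Element(tag("Signature"))
    si = ET.SubElement(sig, tag("SignedInfo"))
    ET.SubElement(si, tag("CanonicalizationMethod"), Algorithm=c14n_method)
    ET.SubElement(si, tag("SignatureMethod"), Algorithm=HMAC_SHA256)
    for uri, octets in resources.items():
        ref = ET.SubElement(si, tag("Reference"), URI=uri)
        ET.SubElement(ref, tag("DigestMethod"), Algorithm=SHA256)
        dv = ET.SubElement(ref, tag("DigestValue"))
        dv.text = base64.b64encode(digest(SHA256, octets)).decode("ascii")
    mac = hmac.new(key, canonicalize_signed_info(si), "sha256").digest()
    ET.SubElement(sig, tag("SignatureValue")).text = base64.b64encode(mac).decode("ascii")
    return ET.tostring(sig, encoding="unicode")


def validate_reference(ref, resolver):
    """Step 1, Reference validation: dereference URI, apply the Reference's
    own Transforms, digest with its DigestMethod, compare with DigestValue."""
    transforms = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]
    octets = apply_transforms(resolver(ref.get("URI")), transforms)
    expected = base64.b64decode(ref.findtext("ds:DigestValue", namespaces=NS))
    actual = digest(ref.find("ds:DigestMethod", NS).get("Algorithm"), octets)
    return hmac.compare_digest(expected, actual)


def validate_signature(sig, key):
    """Step 2, Signature validation: canonicalize SignedInfo with its own
    CanonicalizationMethod, then check SignatureValue with SignatureMethod."""
    si = sig.find("ds:SignedInfo", NS)
    if si.find("ds:SignatureMethod", NS).get("Algorithm") != HMAC_SHA256:
        raise ValueError("unsupported signature method")
    expected = base64.b64decode(sig.findtext("ds:SignatureValue", namespaces=NS))
    actual = hmac.new(key, canonicalize_signed_info(si), "sha256").digest()
    return hmac.compare_digest(expected, actual)


def core_validate(signature_xml, key, resolver):
    """Correct core validation: each step uses only its own algorithms."""
    sig = ET.fromstring(signature_xml)
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    return all(validate_reference(r, resolver) for r in refs) and validate_signature(sig, key)


def core_validate_wrongly(signature_xml, key, resolver):
    """The behaviour the thread attributes to the F5 checker: SignedInfo's
    CanonicalizationMethod is also applied to every Reference's input."""
    sig = ET.fromstring(signature_xml)
    c14n = sig.find("ds:SignedInfo/ds:CanonicalizationMethod", NS).get("Algorithm")
    precanonicalized = lambda uri: apply_transforms(resolver(uri), [c14n])
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    return all(validate_reference(r, precanonicalized) for r in refs) and validate_signature(sig, key)


if __name__ == "__main__":
    xml = sign(KEY, RESOURCES)
    print("correct validator:", core_validate(xml, KEY, RESOURCES.get))                  # True
    print("c14n also applied to References:", core_validate_wrongly(xml, KEY, RESOURCES.get))  # False
```

The Reference in the constructed signature has no Transforms, so its digest covers the dereferenced octets exactly as fetched; only SignedInfo is canonicalized before the MAC is checked. A validator that canonicalizes the Reference input with SignedInfo's method re-orders the attributes and expands `<item/>`, computes a different digest, and rejects a signature that a conforming validator accepts. The same helper raises on an algorithm URI it does not know rather than silently skipping it, which is the safer default for any validator.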

