What think you - should we see if we can escalate with the Xerces people? Am happy to do so!
Cheers,
BerinDittmann Werner wrote:
Berin,
actually there were (are) some problems during
the encryption processing in Content mode, in particular
the serialization of Document fragments (Document
fragments may have Text nodes as first level
child nodes - its a fragment).
The first problems was that Content mode didn't
serialize the whole Document fragment, it serialized
Element nodes _only_.
Because of this problem the encryption effectivley
changed the contents of the data to encrypt, e.g. by
not serializing first level Text nodes. These non-Element
nodes were just ignored. If you signed the data before encryption then you couldn't verfiy the data after decryption
To make it work for SOAP requests we fixed that problem (quick fix that serializes Element nodes and Text nodes, but not any other node types). That works ok for SOAP (they usually don't have any CDATA or Comment nodes :-) ).
For the encryption of generic XML Document in content mode the whole Document fragment shall correctly serialized.
(IMO, encryption shall _never_ modify its input data, it shall take it literally (as far as possible) and encrypt it.)
To do this I tried the Xerces serialization. During the tests I discovered a problem in Xerces serialization too
(it didn't handle Document Fragment correctly, chokes on CDATA and Comments at least, didn't check PI nodes).
The proposed bug fix was not yet included in Xerces code (checked yesterday in commit e-mail archive). Thus we can't enable the according fix in xml-sec (mailed some time ago).
Regards, Werner
-----Ursprüngliche Nachricht-----
Von: Berin Lautenbach [mailto:[EMAIL PROTECTED] Gesendet: Montag, 2. Februar 2004 23:03
An: [EMAIL PROTECTED]
Betreff: Re: AW: Verification after decrypt
Werner,
I thought the problems were around CDATA and handling thereof when
decrypting and moving the decrypted byes back to DOM.
I *think* (although I may well have forgotten something vital :>) that the
canonicalisation that happens during signature verification should bypass
all of this. (CDATA gets "transformed" to straight text in any case at
this point.)
Cheers,
Berin
Heyjung
as I understand it you first sign, then encrypt your XML document (decrypt/verify to check it).
Depending on the xmlsec-jar you use there may be problems in the encryption mehtods.
The problem in some case (note: XML encryption is in beta)
is that the
encryption _may_ change contents of your XML data you just signed. This breaks the signature. This happens e.g. if you use Content mode as opposed to Element mode, also if your XML contains CDATA or comments it may break.
Please refer to some mails about this in the mail archive
(December and
January). There was a fix for one particular problem but not as a overall solution.
Regards, Werner
-----Ursprüngliche Nachricht----- Von: Hye-Jung Kim [mailto:[EMAIL PROTECTED] Gesendet: Montag, 2. Februar 2004 00:51 An: [EMAIL PROTECTED] Betreff: Verification after decrypt
Hello,
I am trying to decrypt and verify data( signed & encrypted
) using the
XML security suite and the
signature.checkSignatureValue(cert) returns
false which means the signature varification has failed. I
am not sure
why it failed since verification for signed only data and
decrypt for
encrypted only data work fine. Can I simply decrypt the signed &
encrypted data first then pass it to my verifier to create
XMLSignature
to call checkSignatureValue ? Please advise! Thanks in advance.
Hyejung
