Berin,

AFAIK Dims wrote an e-mail to somebody of the Xerces group and asked if they would fix the problem. Don't know about the outcome.
After all, the Xerces guys are heavily working on the serialization matter. But I'm not aware if they fix it soon. BTW, the Xerces Bugzilla #25853 describes the problem, also attached a fix. Would be nice if we had the problem solved, then we could enable the bug fix of the encryption code.

Regards,
Werner

> -----Original Message-----
> From: Berin Lautenbach [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 3 February 2004 12:30
> To: [EMAIL PROTECTED]
> Subject: Re: AW: AW: Verification after decrypt
>
>
> Ahh. Yes. Apologies - had forgotten the part about the bug!
>
> What think you - should we see if we can escalate with the Xerces
> people? Am happy to do so!
>
> Cheers,
> Berin
>
>
> Dittmann Werner wrote:
>
> > Berin,
> >
> > actually there were (are) some problems during
> > the encryption processing in Content mode, in particular
> > the serialization of Document fragments (Document
> > fragments may have Text nodes as first level
> > child nodes - it's a fragment).
> >
> > The first problem was that Content mode didn't
> > serialize the whole Document fragment, it serialized
> > Element nodes _only_.
> >
> > Because of this problem the encryption effectively
> > changed the contents of the data to encrypt, e.g. by
> > not serializing first level Text nodes. These non-Element
> > nodes were just ignored. If you signed the data before
> > encryption then you couldn't verify the data after
> > decryption.
> >
> > To make it work for SOAP requests we fixed that problem
> > (quick fix that serializes Element nodes and Text nodes,
> > but not any other node types). That works ok for SOAP
> > (they usually don't have any CDATA or Comment nodes :-) ).
> >
> > For the encryption of generic XML Documents in content
> > mode the whole Document fragment shall be correctly
> > serialized.
> >
> > (IMO, encryption shall _never_ modify its input data, it
> > shall take it literally (as far as possible) and encrypt
> > it.)
> >
> > To do this I tried the Xerces serialization. During the
> > tests I discovered a problem in Xerces serialization too
> > (it didn't handle Document Fragment correctly, chokes on
> > CDATA and Comments at least, didn't check PI nodes).
> >
> > The proposed bug fix was not yet included in Xerces code
> > (checked yesterday in commit e-mail archive). Thus we
> > can't enable the according fix in xml-sec (mailed some
> > time ago).
> >
> > Regards,
> > Werner
> >
> >
> >>-----Original Message-----
> >>From: Berin Lautenbach [mailto:[EMAIL PROTECTED]]
> >>Sent: Monday, 2 February 2004 23:03
> >>To: [EMAIL PROTECTED]
> >>Subject: Re: AW: Verification after decrypt
> >>
> >>
> >>Werner,
> >>
> >>I thought the problems were around CDATA and handling thereof when
> >>decrypting and moving the decrypted bytes back to DOM.
> >>I *think* (although I may well have forgotten something vital
> >>:>) that the canonicalisation that happens during signature verification
> >>should bypass all of this. (CDATA gets "transformed" to straight text in
> >>any case at this point.)
> >>
> >>Cheers,
> >> Berin
> >>
> >>
> >>>Hyejung,
> >>>
> >>>as I understand it you first sign, then encrypt your XML document
> >>>(decrypt/verify to check it).
> >>>
> >>>Depending on the xmlsec-jar you use there may be problems in the
> >>>encryption methods.
> >>>
> >>>The problem in some cases (note: XML encryption is in beta) is that the
> >>>encryption _may_ change contents of your XML data you just
> >>>signed. This breaks the signature. This happens e.g. if you use
> >>>Content mode as opposed to Element mode, also if your XML
> >>>contains CDATA or comments it may break.
> >>>
> >>>Please refer to some mails about this in the mail archive (December and
> >>>January). There was a fix for one particular problem but not as an
> >>>overall solution.
> >>>
> >>>Regards,
> >>>Werner
> >>>
> >>>-----Original Message-----
> >>>From: Hye-Jung Kim [mailto:[EMAIL PROTECTED]]
> >>>Sent: Monday, 2 February 2004 00:51
> >>>To: [EMAIL PROTECTED]
> >>>Subject: Verification after decrypt
> >>>
> >>>
> >>>Hello,
> >>>I am trying to decrypt and verify data (signed & encrypted) using the
> >>>XML security suite and the signature.checkSignatureValue(cert) returns
> >>>false which means the signature verification has failed. I am not sure
> >>>why it failed since verification for signed only data and decrypt for
> >>>encrypted only data work fine. Can I simply decrypt the signed &
> >>>encrypted data first then pass it to my verifier to create XMLSignature
> >>>to call checkSignatureValue? Please advise! Thanks in advance.
> >>>
> >>>Hyejung
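The failure mode Werner describes (Content-mode encryption serializing only the Element children of a DocumentFragment, so first-level Text, CDATA, Comment and PI nodes never reach the ciphertext and a signature made before encryption cannot verify after decryption) is modelled below in Python with the standard-library DOM. This is an added example, not code from the xml-security project or from Xerces; the sample fragment, the node names and the `wrapper` element used on the reparse side are constructed for the illustration. The check it performs is the one a practitioner wants before enabling sign-then-encrypt: serialize the fragment, parse it back as the decrypt side would, and compare the node sequence with the original.

```python
"""Serialising a DOM DocumentFragment for encryption: element-only vs. complete.

Added example, not code from the xml-security project or from Xerces.
It models the defect described in the thread: a serializer that walks only
the Element children of a DocumentFragment silently drops first-level Text,
CDATA, Comment and PI nodes, so the ciphertext no longer covers the data
that was signed and the signature fails after decryption.
"""
from io import StringIO
from xml.dom import minidom, Node


def sample_fragment():
    """Constructed sample fragment with several first-level node types,
    the shape Werner describes (Text nodes as first-level children)."""
    doc = minidom.Document()
    frag = doc.createDocumentFragment()
    frag.appendChild(doc.createTextNode("leading text "))
    frag.appendChild(doc.createComment(" a comment "))
    item = doc.createElement("item")
    item.appendChild(doc.createTextNode("payload"))
    frag.appendChild(item)
    frag.appendChild(doc.createCDATASection("<raw & unescaped>"))
    frag.appendChild(doc.createProcessingInstruction("pi", "data"))
    frag.appendChild(doc.createTextNode(" trailing text"))
    return frag


def serialize_elements_only(frag):
    """The defective behaviour: only Element children are written out."""
    out = StringIO()
    for child in frag.childNodes:
        if child.nodeType == Node.ELEMENT_NODE:
            child.writexml(out)
    return out.getvalue()


def serialize_fragment(frag):
    """Complete serialisation: every first-level child, whatever its type.
    Text is escaped; CDATA, Comment and PI nodes keep their own syntax."""
    out = StringIO()
    for child in frag.childNodes:
        child.writexml(out)
    return out.getvalue()


def reparse(serialized):
    """Model the decrypt side: parse the recovered plaintext back into DOM
    nodes. The constructed 'wrapper' element stands in for the parent the
    decrypted content is re-inserted under."""
    doc = minidom.parseString("<wrapper>" + serialized + "</wrapper>")
    return list(doc.documentElement.childNodes)


def shape(nodes):
    """Type, name and value of each node: what a digest over the content
    effectively compares."""
    return [(n.nodeType, n.nodeName, n.nodeValue) for n in nodes]


def content_preserved(frag, serializer):
    """True iff the decrypt-side DOM matches the fragment that went in,
    i.e. a signature computed before encryption can still verify."""
    return shape(frag.childNodes) == shape(reparse(serializer(frag)))


if __name__ == "__main__":
    frag = sample_fragment()
    for name, ser in (("elements only", serialize_elements_only),
                      ("complete", serialize_fragment)):
        print(f"{name:13}: {ser(frag)!r}")
        print(f"{'':13}  content preserved: {content_preserved(frag, ser)}")
```

Running the script shows the element-only serializer reducing the whole fragment to `<item>payload</item>`, which is why a signature over the original content fails after decryption, while the complete serializer round-trips all six first-level nodes. The same round-trip comparison can be applied to any serializer a toolkit uses for Content mode before trusting it with signed data.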