Surely it's better to say "if you have this bug then download a version of Xerces greater than x.x" rather than "fixing" a bug in someone else's code with a hack in yours? That's just asking for maintenance headaches isn't it?
-----Original Message----- From: Davanum Srinivas [mailto:[EMAIL PROTECTED] Sent: 03 February 2004 15:11 To: [EMAIL PROTECTED] Subject: Re: AW: AW: AW: Verification after decrypt Werner, We can't depend on a specific version of Xerces EVEN if they fix problems in their code. So is there a possibility of patching xml-security itself? (Write custom serializers just like we do in Axis) thanks, dims --- Dittmann Werner <[EMAIL PROTECTED]> wrote: > Berin, > > AFAIK Dims wrote an e-mail to somebody of the > Xerces group and asked if they would fix the problem. > Don't know about the outcome. > > After all, the Xerces guys are heavily working > on the serialization matter. But i'm not > aware if they fix it soon. > > BTW, the Xerces Bugzilla # 25853 describes the > problem, also attached a fix. > > Would be nice if we had the problem solved, then > we could enable the bug fix of the encryption code. > > Regards, > Werner > > > -----Ursprüngliche Nachricht----- > > Von: Berin Lautenbach [mailto:[EMAIL PROTECTED] > > Gesendet: Dienstag, 3. Februar 2004 12:30 > > An: [EMAIL PROTECTED] > > Betreff: Re: AW: AW: Verification after decrypt > > > > > > Ahh. Yes. Apologies - had forgotten the part about the bug! > > > > What think you - should we see if we can escalate with the Xerces > > people? Am happy to do so! > > > > Cheers, > > Berin > > > > > > Dittmann Werner wrote: > > > > > Berin, > > > > > > actually there were (are) some problems during > > > the encryption processing in Content mode, in particular > > > the serialization of Document fragments (Document > > > fragments may have Text nodes as first level > > > child nodes - its a fragment). > > > > > > The first problems was that Content mode didn't > > > serialize the whole Document fragment, it serialized > > > Element nodes _only_. > > > > > > Because of this problem the encryption effectivley > > > changed the contents of the data to encrypt, e.g. by > > > not serializing first level Text nodes. These non-Element > > > nodes were just ignored. If you signed the data before > > > encryption then you couldn't verfiy the data after > > > decryption > > > > > > To make it work for SOAP requests we fixed that problem > > > (quick fix that serializes Element nodes and Text nodes, > > > but not any other node types). That works ok for SOAP > > > (they usually don't have any CDATA or Comment nodes :-) ). > > > > > > For the encryption of generic XML Document in content > > > mode the whole Document fragment shall correctly > > > serialized. > > > > > > (IMO, encryption shall _never_ modify its input data, it > > > shall take it literally (as far as possible) and encrypt > > > it.) > > > > > > To do this I tried the Xerces serialization. During the > > > tests I discovered a problem in Xerces serialization too > > > (it didn't handle Document Fragment correctly, chokes on > > > CDATA and Comments at least, didn't check PI nodes). > > > > > > The proposed bug fix was not yet included in Xerces code > > > (checked yesterday in commit e-mail archive). Thus we > > > can't enable the according fix in xml-sec (mailed some > > > time ago). > > > > > > Regards, > > > Werner > > > > > > > > > > > >>-----Ursprüngliche Nachricht----- > > >>Von: Berin Lautenbach [mailto:[EMAIL PROTECTED] > > >>Gesendet: Montag, 2. Februar 2004 23:03 > > >>An: [EMAIL PROTECTED] > > >>Betreff: Re: AW: Verification after decrypt > > >> > > >> > > >>Werner, > > >> > > >>I thought the problems were around CDATA and handling thereof when > > >>decrypting and moving the decrypted byes back to DOM. > > >>I *think* (although I may well have forgotten something vital > > >>:>) that the > > >>canonicalisation that happens during signature verification > > >>should bypass > > >>all of this. (CDATA gets "transformed" to straight text in > > >>any case at > > >>this point.) > > >>Cheers, > > >> Berin > > >> > > >> > > >>>Heyjung > > >>> > > >>>as I understand it you first sign, then encrypt your XML document > > >>>(decrypt/verify to check it). > > >>> > > >>>Depending on the xmlsec-jar you use there may be problems in the > > >>>encryption mehtods. > > >>> > > >>>The problem in some case (note: XML encryption is in beta) > > >> > > >>is that the > > >> > > >>>encryption _may_ change contents of your XML data you just > > >>>signed. This breaks the signature. This happens e.g. if you use > > >>>Content mode as opposed to Element mode, also if your XML > > >>>contains CDATA or comments it may break. > > >>> > > >>>Please refer to some mails about this in the mail archive > > >> > > >>(December and > > >> > > >>>January). There was a fix for one particular problem but not as a > > >>>overall solution. > > >>> > > >>>Regards, > > >>>Werner > > >>> > > >>>-----Ursprüngliche Nachricht----- > > >>>Von: Hye-Jung Kim [mailto:[EMAIL PROTECTED] > > >>>Gesendet: Montag, 2. Februar 2004 00:51 > > >>>An: [EMAIL PROTECTED] > > >>>Betreff: Verification after decrypt > > >>> > > >>> > > >>>Hello, > > >>>I am trying to decrypt and verify data( signed & encrypted > > >> > > >>) using the > > >> > > >>>XML security suite and the > > >> > > >>signature.checkSignatureValue(cert) returns > > >> > > >>>false which means the signature varification has failed. I > > >> > > >>am not sure > > >> > > >>>why it failed since verification for signed only data and > > >> > > >>decrypt for > > >> > > >>>encrypted only data work fine. Can I simply decrypt the signed & > > >>>encrypted data first then pass it to my verifier to create > > >> > > >>XMLSignature > > >> > > >>>to call checkSignatureValue ? Please advise! Thanks in advance. > > >>> > > >>>Hyejung > > >>> > > >>> > > >>> > > >>> > > >>> > > >>> > > >>> > > >>> > > >> > > >> > > >> > > > > > > > > ===== Davanum Srinivas - http://webservices.apache.org/~dims/
