http://issues.apache.org/bugzilla/show_bug.cgi?id=40032

           Summary: subtree canonicalization produces incorrect result
           Product: Security
           Version: Java 1.3
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: major
          Priority: P1
         Component: Canonicalization
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: [EMAIL PROTECTED]


The following XML is taken from the CanonSubtree sample app, but illustrates an issue that I've encountered, which is causing a signature verification interop problem (Keytools and xml-sec). I've slightly altered the XML from the CanonSubtree sample by adding xmlns="" to the CanonicalizationMethod element. The second chunk of XML is the result of Apache xml-sec 1.3 subtree (SignedInfo) canonicalization.

<?xml version="1.0" encoding="UTF-8"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod xmlns="" Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
    <Reference URI="http://www.w3.org/TR/xml-stylesheet">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      <DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue>
    </Reference>
  </SignedInfo>
</Signature>

<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
  <Reference URI="http://www.w3.org/TR/xml-stylesheet">
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
    <DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue>
  </Reference>
</SignedInfo>

Note that xmlns="" has been omitted from the CanonicalizationMethod element. This is correct in the context of the subtree prior to adding doc level namespaces to the subtree root (i.e. <SignedInfo> vs <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">), but is incorrect following the addition of the doc level namespace.

The following code reproduces the bug:

package org.apache.xml.security.samples.canonicalization;

import java.io.ByteArrayInputStream;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.XMLUtils;
import org.apache.xpath.XPathAPI;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/**
 *
 * @author Christian Geuer-Pollmann
 */
public class CanonSubTree {

   //J-
   // The CanonSubtree sample input, with xmlns="" added to CanonicalizationMethod.
   static String input = ""
      + "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n"
      + "  <SignedInfo><!-- comment inside -->\n"
      + "    <CanonicalizationMethod xmlns=\"\" Algorithm=\"http://www.w3.org/TR/2001/REC-xml-c14n-20010315\" />\n"
      + "    <SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\" />\n"
      + "    <Reference URI=\"http://www.w3.org/TR/xml-stylesheet\">\n"
      + "      <DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\" />\n"
      + "      <DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue>\n"
      + "    </Reference>\n"
      + "  </SignedInfo>\n"
      + "  <SignatureValue>\n"
      + "    fKMmy9GYF2s8rLFrZdVugTOFuWx19ccX7jh5HqFd4vMOY7LWAj52ykjSdvtW3fNY\n"
      + "    PPYGC4MFL19oPSId5GEsMtFMpGXB3XaCtoKjMCHQsN3+kom8YnGf7Ge1JNRcGty5\n"
      + "    0UsoP6Asj47+QR7QECT64uoziha4WRDVyXjDrg24W+U=\n"
      + "  </SignatureValue>\n"
      + "  <KeyInfo>\n"
      + "    <KeyName>Lugh</KeyName>\n"
      + "  </KeyInfo>\n"
      + "</Signature>\n"
      ;
   //J+

   /**
    * Method main
    *
    * @param args
    * @throws Exception
    */
   public static void main(String args[]) throws Exception {

      org.apache.xml.security.Init.init();

      DocumentBuilderFactory dfactory = DocumentBuilderFactory.newInstance();

      dfactory.setNamespaceAware(true);
      dfactory.setValidating(true);

      DocumentBuilder documentBuilder = dfactory.newDocumentBuilder();

      // this is to throw away all validation warnings
      documentBuilder.setErrorHandler(
         new org.apache.xml.security.utils.IgnoreAllErrorHandler());

      byte inputBytes[] = input.getBytes();
      Document doc = documentBuilder.parse(new ByteArrayInputStream(inputBytes));
      Canonicalizer c14n = Canonicalizer
         .getInstance("http://www.w3.org/TR/2001/REC-xml-c14n-20010315");

      // Select only the SignedInfo subtree; the xmlns declared on the enclosing
      // Signature element is inherited context that c14n must account for.
      Element nscontext = XMLUtils.createDSctx(doc, "ds", Constants.SignatureSpecNS);
      Node signedInfo = XPathAPI.selectSingleNode(doc, "//ds:SignedInfo", nscontext);
      byte outputBytes[] = c14n.canonicalizeSubtree(signedInfo);

      if (outputBytes != null) {
         System.out.println(new String(outputBytes));
      }
   }
}
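An added example, not part of the bug report and not Apache xml-security code: a small Python model of the C14N 1.0 default-namespace rule that reproduces the two canonical forms shown in the report. It handles only unprefixed element names and plain attributes, recovers the xmlns declarations from ElementTree's start-ns events (ElementTree itself keeps only Clark names), and contrasts a one-pass canonicalization that can see the subtree's document ancestors with the two-stage behaviour the report describes (canonicalize the subtree as if it stood alone, then add the inherited xmlns to the root). The sample document is constructed from the report's XML with SignatureValue and KeyInfo left out; all function names are this example's own.

```python
import hashlib
import io
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed input: the CanonSubtree sample with xmlns="" added to
# CanonicalizationMethod, as in the report (SignatureValue/KeyInfo left out).
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
 <SignedInfo>
  <CanonicalizationMethod xmlns="" Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
 </SignedInfo>
</Signature>"""


def parse_with_decls(xml_text):
    """Return (root, decls, parents).  ElementTree keeps only Clark names, so the
    xmlns declarations written on each element are recovered from iterparse
    'start-ns' events, which precede the owning element's 'start' event."""
    pending, decls, root = [], {}, None
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "start")):
        if event == "start-ns":
            pending.append(payload)          # (prefix, uri); prefix "" = default
        else:
            decls[payload] = dict(pending)   # xmlns="" arrives as {"": ""}
            pending, root = [], (root if root is not None else payload)
    parents = {child: parent for parent in root.iter() for child in parent}
    return root, decls, parents


def default_ns_in_scope(elem, decls, parents, stop=None):
    """Default namespace in effect on elem, looking no higher than `stop`."""
    node = elem
    while node is not None:
        if "" in decls[node]:
            return decls[node][""]
        node = None if node is stop else parents.get(node)
    return ""


def _esc(s, attr=False):
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace("\r", "&#xD;")
    if attr:
        return s.replace('"', "&quot;").replace("\t", "&#x9;").replace("\n", "&#xA;")
    return s.replace(">", "&gt;")


def render(elem, rendered_default, decls, parents, stop, out):
    """C14N 1.0 form of elem (unprefixed names, plain attributes only).  Rule
    modelled: emit a default-namespace declaration only when the element's
    in-scope default differs from the one the nearest written ancestor put into
    effect, so xmlns="" appears exactly when that ancestor's default is non-empty."""
    cur = default_ns_in_scope(elem, decls, parents, stop)
    name = elem.tag.rsplit("}", 1)[-1]
    out.append("<" + name)
    if cur != rendered_default:
        out.append(' xmlns="%s"' % _esc(cur, True))
    for key in sorted(elem.attrib):
        out.append(' %s="%s"' % (key, _esc(elem.attrib[key], True)))
    out.append(">" + _esc(elem.text or ""))
    for child in elem:
        render(child, cur, decls, parents, stop, out)
        out.append(_esc(child.tail or ""))
    out.append("</" + name + ">")


def c14n_subtree(doc, apex):
    """One pass with the apex's document ancestors visible: the apex renders the
    default namespace it inherits and its children are compared against it."""
    _, decls, parents = doc
    out = []
    render(apex, "", decls, parents, None, out)
    return "".join(out)


def c14n_subtree_two_stage(doc, apex):
    """What the report describes: canonicalize the subtree as if it stood alone
    (lookup stops at the apex, so SignedInfo looks un-namespaced and the child's
    xmlns="" looks redundant), then add the inherited default to the apex tag."""
    _, decls, parents = doc
    out = []
    render(apex, "", decls, parents, apex, out)
    text, parent = "".join(out), parents.get(apex)
    inherited = default_ns_in_scope(parent, decls, parents) if parent is not None else ""
    if inherited and "" not in decls[apex]:
        name = apex.tag.rsplit("}", 1)[-1]
        text = text.replace("<" + name, '<%s xmlns="%s"' % (name, inherited), 1)
    return text


def sha1_hex(text):
    """The canonical SignedInfo is what SignatureValue is computed over, so two
    forms differing in one xmlns="" verify against different signatures."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def demo():
    doc = parse_with_decls(SAMPLE)
    signed_info = doc[0].find("{%s}SignedInfo" % DS)
    return c14n_subtree(doc, signed_info), c14n_subtree_two_stage(doc, signed_info)


if __name__ == "__main__":
    print(*demo(), sep="\n\n")
```

Both forms start with `<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">`; only the one-pass form keeps `xmlns=""` on CanonicalizationMethod, and the SHA-1 digests of the two forms differ, which is why a signer and a verifier that disagree on this rule cannot interoperate even though both "include" the inherited namespace.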