Hi Hess,
It seems to me that you also need to use the enveloped signature
transformation. The Reference="" is including the signature and this
is a problem when signing; depending on the order of doing the
reference you're going to obtain different digest values.
What do you think, can it be your case?

Regards,

Raul

On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
It will be difficult to send you a test case because all my test cases are
based on my library (that is also bound to other libraries). I can try to do
debugging to help you to isolate the problem or to solve it :-). First, a good
JUnit test case that you can introduce into the XML security JUnit tests is
something similar to my TEST 2 (signature with XML security and verification
with the IBM toolkit XSS4J). In this case you are sure that the signature has
been correctly generated and is valid.

Here is the signature of my XML document I am using in the context of my test
case. As you can see, I am signing one part of the XML document and two
external binary documents. The problem seems to come from the first Reference
(<ds:Reference URI="">). The digest value doesn't match after signature
verification. The digest values of the two external references match.

<edoc:SignatureBlock id="Revision-1-Signature-1">
   <edoc:SignatureDate>2006-08-07T12:24:18</edoc:SignatureDate>
   <edoc:Signer>Hess Yvan (first signature)</edoc:Signer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
         <ds:Reference URI="">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
                  <dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2" Filter="intersect">/edoc:EDOC/edoc:Object</dsig-xpath:XPath>
               </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue>
         </ds:Reference>
         <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033464">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>7typFfsZFzJVtEsGinu58N8RtqE=</ds:DigestValue>
         </ds:Reference>
         <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033465">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>oxwjv1Go+8Y0m97hiJLTKcYx4t8=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
RYaOiVt2gDIFmFDFotJrxGWHFYFe3dAoI1L2vubdlbBZt3pk4aaolBz6NA9IswW9ZOwPGYizLB4P
vMa8f4sHx8onoVt+5BGQwLuTYRDgGrJqmwpbwJxUAPvFh1xgEDGodfZ4P7kmjsgo4fjDULdk9Zhw
vIN/+eBfirtyCcbTb1w=
</ds:SignatureValue>
      <ds:KeyInfo>
         <ds:X509Data>
            <ds:X509Certificate>
MIIDADCCAmmgAwIBAgIGAQpEtx7tMA0GCSqGSIb3DQEBBQUAMIGXMRQwEgYDVQQG.....
</ds:X509Certificate>
            <ds:X509Certificate>
MIICpDCCAg0CBgEKRLVqKDANBgkqhkiG9w0BAQUFADCBlzEUMBIGA1UEBhMLU3dpdHplcmxhbmQx....
</ds:X509Certificate>
         </ds:X509Data>
      </ds:KeyInfo>
   </ds:Signature>
</edoc:SignatureBlock>





-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
Sent: lundi, 7. août 2006 16:21
To: security-dev@xml.apache.org
Subject: Re: Version 1.4 doesn't sign XML document correctly

Can you open a bug report and attach a test case?
This will help a lot.

Regards,

Raul

On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
>
>
> Hi,
>
> XML security version 1.4 Beta0 and Beta1 doesn't sign the XML document
> correctly. I developed a Java library that uses XML security to
> sign/verify and to encrypt/decrypt XML documents. When I executed my
> JUnit tests, they failed when XML documents are verified. I have two tests
> that failed:
>
> TEST 1:  The XML document is already signed (with XML security version
> 1.2) and it is verified with the version 1.4 (beta0 and beta1). This
> test failed using version 1.4 but was ok with precedent versions.
>
> TEST 2:  The XML document is signed with XML security V1.4Beta1 and is
> verified with IBM XSS4J toolkit. This test failed using version
> 1.4Beta1 but was ok with precedent versions.
>
> I think it is a critical bug...Please can you help me
>
> Regards. Yvan Hess
>
>


--
http://r-bg.com



--
http://r-bg.com