Then it is a bug that I introduced when rewriting the xpath2 filter. I will try
to reproduce it with an xfilter with only intersect nodes.

Thanks,
Regards,

Raul

On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
I don't think so, because I have a transform <ds:Transform 
Algorithm="http://www.w3.org/2002/06/xmldsig-filter2"> pointing to an element of 
my XML document that doesn't include the signature itself. As I said, it was working like that 
prior to version 1.4.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
Sent: lundi, 7. août 2006 17:21
To: security-dev@xml.apache.org
Subject: Re: Version 1.4 doesn't sign XML document correctly

Hi Hess,
It seems to me that you also need to use the enveloped signature transformation. The 
Reference="" is including the signature and this is a problem when signing; it 
depends on the order of doing the reference, you're going to obtain different digest values.
What do you think, can it be your case?

Regards,

Raul

On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
> It will be difficult to send you a test case because all my test cases are
> based on my library (that is also bound to other libraries). I can try to do
> debugging to help you to isolate the problem or to solve it :-). First, a good
> JUnit test case that you can introduce into the XML security JUnit tests is something
> similar to my TEST 2 (signature with XML security and verification with the IBM
> toolkit XSS4J). In this case you are sure that the signature has been correctly
> generated and is valid.
>
> Here is the signature of my XML document I am using in the context of my test case. As you
> can see, I am signing one part of the XML document and two external binary documents. The problem
> seems to come from the first Reference (<ds:Reference URI="">). The digest value
> doesn't match after signature verification. The digest values of the two external references
> match.
>
> <edoc:SignatureBlock id="Revision-1-Signature-1">
>    <edoc:SignatureDate>2006-08-07T12:24:18</edoc:SignatureDate>
>    <edoc:Signer>Hess Yvan (first signature)</edoc:Signer>
>    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>       <ds:SignedInfo>
>          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>          <ds:Reference URI="">
>             <ds:Transforms>
>                <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
>                   <dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2" Filter="intersect">/edoc:EDOC/edoc:Object</dsig-xpath:XPath>
>                </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue>
>          </ds:Reference>
>          <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033464">
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>7typFfsZFzJVtEsGinu58N8RtqE=</ds:DigestValue>
>          </ds:Reference>
>          <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033465">
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>oxwjv1Go+8Y0m97hiJLTKcYx4t8=</ds:DigestValue>
>          </ds:Reference>
>       </ds:SignedInfo>
>       <ds:SignatureValue>
> RYaOiVt2gDIFmFDFotJrxGWHFYFe3dAoI1L2vubdlbBZt3pk4aaolBz6NA9IswW9ZOwPGY
> izLB4P
> vMa8f4sHx8onoVt+5BGQwLuTYRDgGrJqmwpbwJxUAPvFh1xgEDGodfZ4P7kmjsgo4fjDUL
> vMa8f4sHx8onoVt+dk9Zhw
> vIN/+eBfirtyCcbTb1w=
> </ds:SignatureValue>
>       <ds:KeyInfo>
>          <ds:X509Data>
>             <ds:X509Certificate>
> MIIDADCCAmmgAwIBAgIGAQpEtx7tMA0GCSqGSIb3DQEBBQUAMIGXMRQwEgYDVQQG.....
> </ds:X509Certificate>
>             <ds:X509Certificate>
> MIICpDCCAg0CBgEKRLVqKDANBgkqhkiG9w0BAQUFADCBlzEUMBIGA1UEBhMLU3dpdHplcmxhbmQx....
> </ds:X509Certificate>
>          </ds:X509Data>
>       </ds:KeyInfo>
>    </ds:Signature>
> </edoc:SignatureBlock>
>
>
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
> Sent: lundi, 7. août 2006 16:21
> To: security-dev@xml.apache.org
> Subject: Re: Version 1.4 doesn't sign XML document correctly
>
> Can you open a bug report and attach a test case?
> This will help a lot.
>
> Regards,
>
> Raul
>
> On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
> >
> >
> > Hi,
> >
> > XML security version 1.4 Beta0 and Beta1 doesn't sign the XML
> > document correctly. I developed a Java library that uses XML
> > security to sign/verify and to encrypt/decrypt XML documents. When I
> > executed my JUnit tests, they failed when XML documents are verified. I have
> > two tests that failed:
> >
> > TEST 1:  The XML document is already signed (with XML security version
> > 1.2) and it is verified with the version 1.4 (beta0 and beta1). This
> > test failed using version 1.4 but was ok with precedent versions.
> >
> > TEST 2:  The XML document is signed with XML security V1.4Beta1 and
> > is verified with IBM XSS4J toolkit. This test failed using version
> > 1.4Beta1 but was ok with precedent versions.
> >
> > I think it is a critical bug...Please can you help me
> >
> > Regards. Yvan Hess
> >
> >
>
>
> --
> http://r-bg.com
>


--
http://r-bg.com





--
http://r-bg.com
