Hi Hess,
 Sadly it is going to take me more time to reproduce this. I have
finished my vacation (that is when I work with xml-sec).
 I can revert my changes and go with the old 1.3 implementation of
xpath2 filter, but it will be very sad, as it is very slow compared to
the new one ( O(n^2) vs. O(n) ).
 The problem is that the test cases only have one example of xpath2
transformation. If you can give us more I can debug the implementation
better. If not I have to create them and check what should be the
correct c14n, this takes me "long" time (1 hour, but currently I can
only reserve half an hour for xml-sec hacking).
 So if you can provide me a failing example I can speed up this process.
 Sorry.

Regards,

Raul

On 8/8/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
When you have a new version correcting the bug, please inform me and I will one
more time execute my JUnit tests and I will give you feedback.

Regards. Yvan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
Sent: Monday, 7 August 2006 18:41
To: security-dev@xml.apache.org
Subject: Re: Version 1.4 doesn't sign XML document correctly

Then it is a bug that I introduced rewriting xpath2 filter. I will try to
reproduce it with a xfilter with only intersect nodes.

Thanks,
Regards,

Raul

On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
> I don't think so because I have a transform <ds:Transform
> Algorithm="http://www.w3.org/2002/06/xmldsig-filter2"> pointing into an element of my
> XML document that doesn't include the signature itself. As I said, it was working like that prior
> to version 1.4.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
> Sent: Monday, 7 August 2006 17:21
> To: security-dev@xml.apache.org
> Subject: Re: Version 1.4 doesn't sign XML document correctly
>
> Hi Hess,
> It seems to me that you also need to use the enveloped signature transformation. The
> Reference="" is including the signature and this is a problem when signing, it
> depends on the order of doing the reference, you're going to obtain different digest values.
> What do you think, can it be your case?
>
> Regards,
>
> Raul
>
> On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
> > It will be difficult to send you a test case because all my test cases are
> > based on my library (that is also bound to other libraries). I can try to do debugging
> > to help you to isolate the problem or to solve it :-). First, a good JUnit test case
> > that you can introduce into XML security JUnit tests is something similar to my TEST
> > 2 (Signature with XML security and verification with IBM toolkit XSS4J). In this case
> > you are sure that the signature has been correctly generated and is valid.
> >
> > Here is the signature of my XML document I am using in the context of my test case. As
> > you can see I am signing one part of the XML document and two external binary documents. The problem
> > seems to come from the first Reference (<ds:Reference URI="">). The digest value
> > doesn't match after signature verification. The digest values of the two external references match.
> >
> > <edoc:SignatureBlock id="Revision-1-Signature-1">
> >    <edoc:SignatureDate>2006-08-07T12:24:18</edoc:SignatureDate>
> >    <edoc:Signer>Hess Yvan (first signature)</edoc:Signer>
> >    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >       <ds:SignedInfo>
> >          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> >          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> >          <ds:Reference URI="">
> >             <ds:Transforms>
> >                <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
> >                   <dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2" Filter="intersect">/edoc:EDOC/edoc:Object</dsig-xpath:XPath>
> >                </ds:Transform>
> >             </ds:Transforms>
> >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >             <ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue>
> >          </ds:Reference>
> >          <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033464">
> >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >             <ds:DigestValue>7typFfsZFzJVtEsGinu58N8RtqE=</ds:DigestValue>
> >          </ds:Reference>
> >          <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033465">
> >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >             <ds:DigestValue>oxwjv1Go+8Y0m97hiJLTKcYx4t8=</ds:DigestValue>
> >          </ds:Reference>
> >       </ds:SignedInfo>
> >       <ds:SignatureValue>
> > RYaOiVt2gDIFmFDFotJrxGWHFYFe3dAoI1L2vubdlbBZt3pk4aaolBz6NA9IswW9ZOwP
> > GY
> > izLB4P
> > vMa8f4sHx8onoVt+5BGQwLuTYRDgGrJqmwpbwJxUAPvFh1xgEDGodfZ4P7kmjsgo4fjD
> > vMa8f4sHx8onoVt+UL
> > vMa8f4sHx8onoVt+dk9Zhw
> > vIN/+eBfirtyCcbTb1w=
> > </ds:SignatureValue>
> >       <ds:KeyInfo>
> >          <ds:X509Data>
> >             <ds:X509Certificate>
> > MIIDADCCAmmgAwIBAgIGAQpEtx7tMA0GCSqGSIb3DQEBBQUAMIGXMRQwEgYDVQQG.....
> > </ds:X509Certificate>
> >             <ds:X509Certificate>
> > MIICpDCCAg0CBgEKRLVqKDANBgkqhkiG9w0BAQUFADCBlzEUMBIGA1UEBhMLU3dpdHplcmxhbmQx....
> > </ds:X509Certificate>
> >          </ds:X509Data>
> >       </ds:KeyInfo>
> >    </ds:Signature>
> > </edoc:SignatureBlock>
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
> > Sent: Monday, 7 August 2006 16:21
> > To: security-dev@xml.apache.org
> > Subject: Re: Version 1.4 doesn't sign XML document correctly
> >
> > Can you open a bug report and attach a test case?
> > This will help a lot.
> >
> > Regards,
> >
> > Raul
> >
> > On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
> > >
> > >
> > > Hi,
> > >
> > > XML security version 1.4 Beta0 and Beta1 doesn't sign the XML
> > > document correctly. I developed a Java library that uses XML
> > > security to sign/verify and to encrypt/decrypt XML documents. When
> > > I executed my JUnit tests, they failed when XML documents are verified. I
> > > have two tests that failed:
> > >
> > > TEST 1:  The XML document is already signed (with XML security
> > > version 1.2) and it is verified with the version 1.4 (beta0 and beta1).
> > > This test failed using version 1.4 but was ok with precedent versions.
> > >
> > > TEST 2:  The XML document is signed with XML security V1.4Beta1
> > > and is verified with IBM XSS4J toolkit. This test failed using
> > > version 1.4Beta1 but was ok with precedent versions.
> > >
> > > I think it is a critical bug... Please can you help me
> > >
> > > Regards. Yvan Hess
> > >
> > >
> >
> >
> > --
> > http://r-bg.com
> >
>
>
> --
> http://r-bg.com
>
>
>


--
http://r-bg.com





--
http://r-bg.com