Hi Hess, Sadly it is going to take me more time to reprduce this. I have finished my vacation(that is when I work with xml-sec). I can revert my changes and go with the old 1.3 implementation of xpath2 filter, but it will be very sad, as it is very slow compare to the new one ( o(n2) vs. o(n) ). The problme is that the test cases only has one example of xpath2 transformation. If you can give us more I can debug the implementation better. If not I have to create them and check what should be the correct c14n, this takes me "long" time(1 hour, but currently I can only reserve half an hour for xml-sec hacking). So if you can provide me a failling example I can speed up this process. Sorry.
Regards, Raul On 8/8/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
When you have a new version correcting the bug, please inform me and I will one more time execute my Junit tests and I will give you a feedback. Regards. Yvan -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito Sent: lundi, 7. août 2006 18:41 To: security-dev@xml.apache.org Subject: Re: Version 1.4 doesn't sign XML document correctly Then it is a bug that I introduce rewriting xpath2 filter. I will try to reproduce it with a xfilter with only intersect nodes. Thanks, Regards, Raul On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote: > I don't think so because I have a transform <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2";> pointing into a element of my XML document that doesn't include the signature itself. As I said, it was working like that prior to version 1.4. > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito > Sent: lundi, 7. août 2006 17:21 > To: security-dev@xml.apache.org > Subject: Re: Version 1.4 doesn't sign XML document correctly > > Hi Hess, > It seem to me that you need to use also enveloped signature transformation. The Reference="" is including the signature and this is a problem when signing, it depends in the order of doing the reference your going to obtain different digest values. > What do you think,can it be your case? > > Regards, > > Raul > > On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote: > > It will be difficult to send you a test case because all my test cases are based on my library (that is also bind to others library). I can try to do debugging to help you to isolate the problem or to solve it :-). First a good Junit test case that you can introduce into XML security JUnit tests is something similar to my TEST 2 (Signature with XML security and verification with IBM toolkit XSS4J). In this case you are sure that the signature has been corectly be generated and is valid. > > > > Here is the signature of my XML document I am using into the context of my test case. As you can see I am signing one part of the XML document and two external binary documents. The problem seems to come from the first Reference (<ds:Reference URI="">). The digest value doesn't match after signature verification. The digest values of the two external reference matches. > > > > <edoc:SignatureBlock id="Revision-1-Signature-1"> > > <edoc:SignatureDate>2006-08-07T12:24:18</edoc:SignatureDate> > > <edoc:Signer>Hess Yvan (first signature)</edoc:Signer> > > <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> > > <ds:SignedInfo> > > <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> > > <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> > > <ds:Reference URI=""> > > <ds:Transforms> > > <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2";> > > <dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2"; Filter="intersect">/edoc:EDOC/edoc:Object</dsig-xpath:XPath> > > </ds:Transform> > > </ds:Transforms> > > <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> > > <ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue> > > </ds:Reference> > > <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033464"> > > <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> > > <ds:DigestValue>7typFfsZFzJVtEsGinu58N8RtqE=</ds:DigestValue> > > </ds:Reference> > > <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033465"> > > <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> > > <ds:DigestValue>oxwjv1Go+8Y0m97hiJLTKcYx4t8=</ds:DigestValue> > > </ds:Reference> > > </ds:SignedInfo> > > <ds:SignatureValue> > > RYaOiVt2gDIFmFDFotJrxGWHFYFe3dAoI1L2vubdlbBZt3pk4aaolBz6NA9IswW9ZOwP > > GY > > izLB4P > > vMa8f4sHx8onoVt+5BGQwLuTYRDgGrJqmwpbwJxUAPvFh1xgEDGodfZ4P7kmjsgo4fjD > > vMa8f4sHx8onoVt+UL > > vMa8f4sHx8onoVt+dk9Zhw > > vIN/+eBfirtyCcbTb1w= > > </ds:SignatureValue> > > <ds:KeyInfo> > > <ds:X509Data> > > <ds:X509Certificate> > > MIIDADCCAmmgAwIBAgIGAQpEtx7tMA0GCSqGSIb3DQEBBQUAMIGXMRQwEgYDVQQG..... > > </ds:X509Certificate> > > <ds:X509Certificate> > > MIICpDCCAg0CBgEKRLVqKDANBgkqhkiG9w0BAQUFADCBlzEUMBIGA1UEBhMLU3dpdHplcmxhbmQx.... > > </ds:X509Certificate> > > </ds:X509Data> > > </ds:KeyInfo> > > </ds:Signature> > > </edoc:SignatureBlock> > > > > > > > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito > > Sent: lundi, 7. août 2006 16:21 > > To: security-dev@xml.apache.org > > Subject: Re: Version 1.4 doesn't sign XML document correctly > > > > Can you open a bug report and attach a test case? > > This will help a lot. > > > > Regards, > > > > Raul > > > > On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote: > > > > > > > > > Hi, > > > > > > XML security version 1.4 Beta0 and Beta1 doesn't sign the XML > > > document correctly. I developped a Java library that uses XML > > > security to sign/verify and to encrypt/decrypt XML documents. When > > > I executed my JUNIT tests, they failed when XML document are verified. I have two tests that failed: > > > > > > TEST 1: The XML document is already signed (with XML security > > > version > > > 1.2) and it is verified with the version 1.4 (beta0 and beta1). > > > This test failed using version 1.4 but was ok with precedent versions. > > > > > > TEST 2: The XML document is signed with XML security V1.4Beta1 > > > and is verified with IBM XSS4J toolkit. This test failed using > > > version > > > 1.4Beta1 but was ok with precedent versions. > > > > > > I think it is a critical bug...Please can you help me > > > > > > Regards. Yvan Hess > > > > > > > > > > > > -- > > http://r-bg.com > > > > > -- > http://r-bg.com > > > -- http://r-bg.com
-- http://r-bg.com
