Raul,

Here is the example of a signed XML document. Let me know if you need more 
resources. What I have that can help you is a class that validates an XML 
document using the IBM XSS4J toolkit (XML document having external references or 
not). This can help you check whether the signed XML documents are valid or not 
according to another toolkit.

Regards. Yvan Hess


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
Sent: Wednesday, 9 August 2006 20:44
To: security-dev@xml.apache.org
Subject: Re: Version 1.4 doesn't sign XML document correctly

That will be great.

There is already a regression test, but it still does not contain a lot of 
xpath2 transformation examples (indeed only one).
Feel free to send your patches for more tests ;)

Regards,

Raul

On 8/9/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
> Raul,
>
> I can send you a signed XML document without external references (it's easier 
> to manage) that has been signed using XML Security V1.3.
>
> - The document is valid with Apache XML Version 1.3
> - The document is valid with IBM XSS4J toolkit
> - the document is NOT valid with Apache XML version 1.4
>
> Is it what you need? Moreover, I think it will be great to add a regression 
> test like the one I have. A document signed with version 1.3 must be valid with 
> higher versions.
>
> Regards. Yvan Hess
>
> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
> Sent: Wednesday, 9 August 2006 12:02
> To: security-dev@xml.apache.org
> Subject: Re: Version 1.4 doesn't sign XML document correctly
>
> Hi Hess,
>   Sadly it is going to take me more time to reproduce this. I have finished my 
> vacation (that is when I work with xml-sec).
>   I can revert my changes and go with the old 1.3 implementation of
> xpath2 filter, but it will be very sad, as it is very slow compared to the new 
> one ( o(n2) vs. o(n) ).
>   The problem is that the test cases only have one example of xpath2 
> transformation. If you can give us more I can debug the implementation 
> better. If not I have to create them and check what should be the correct 
> c14n, this takes me a "long" time (1 hour, but currently I can only reserve half 
> an hour for xml-sec hacking).
>   So if you can provide me a failing example I can speed up this process.
>   Sorry.
>
> Regards,
>
> Raul
>
> On 8/8/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
> > When you have a new version correcting the bug, please inform me and I will 
> > execute my JUnit tests one more time and give you feedback.
> >
> > Regards. Yvan
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
> > Sent: Monday, 7 August 2006 18:41
> > To: security-dev@xml.apache.org
> > Subject: Re: Version 1.4 doesn't sign XML document correctly
> >
> > Then it is a bug that I introduced rewriting the xpath2 filter. I will try to 
> > reproduce it with an xfilter with only intersect nodes.
> >
> > Thanks,
> > Regards,
> >
> > Raul
> >
> > On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
> > > I don't think so because I have a transform <ds:Transform 
> > > Algorithm="http://www.w3.org/2002/06/xmldsig-filter2"> pointing to an 
> > > element of my XML document that doesn't include the signature itself. As 
> > > I said, it was working like that prior to version 1.4.
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] 
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
> > > Sent: Monday, 7 August 2006 17:21
> > > To: security-dev@xml.apache.org
> > > Subject: Re: Version 1.4 doesn't sign XML document correctly
> > >
> > > Hi Hess,
> > > It seems to me that you also need to use the enveloped signature 
> > > transformation. The Reference="" is including the signature and this is a 
> > > problem when signing; depending on the order of doing the references you're 
> > > going to obtain different digest values.
> > > What do you think, can it be your case?
> > >
> > > Regards,
> > >
> > > Raul
> > >
> > > On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
> > > > It will be difficult to send you a test case because all my test cases 
> > > > are based on my library (that is also bound to other libraries). I can 
> > > > try to do debugging to help you to isolate the problem or to solve it 
> > > > :-). First, a good JUnit test case that you can introduce into the XML 
> > > > security JUnit tests is something similar to my TEST 2 (Signature with 
> > > > XML security and verification with IBM toolkit XSS4J). In this case you 
> > > > are sure that the signature has been correctly generated and is valid.
> > > >
> > > > Here is the signature of my XML document I am using in the context of 
> > > > my test case. As you can see I am signing one part of the XML document 
> > > > and two external binary documents. The problem seems to come from the 
> > > > first Reference (<ds:Reference URI="">). The digest value doesn't match 
> > > > after signature verification. The digest values of the two external 
> > > > references match.
> > > >
> > > > <edoc:SignatureBlock id="Revision-1-Signature-1">
> > > >    <edoc:SignatureDate>2006-08-07T12:24:18</edoc:SignatureDate>
> > > >    <edoc:Signer>Hess Yvan (first signature)</edoc:Signer>
> > > >    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> > > >       <ds:SignedInfo>
> > > >          <ds:CanonicalizationMethod 
> > > > Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> > > >          <ds:SignatureMethod 
> > > > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> > > >          <ds:Reference URI="">
> > > >             <ds:Transforms>
> > > >                <ds:Transform 
> > > > Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
> > > >                   <dsig-xpath:XPath 
> > > > xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2" 
> > > > Filter="intersect">/edoc:EDOC/edoc:Object</dsig-xpath:XPath>
> > > >                </ds:Transform>
> > > >             </ds:Transforms>
> > > >             <ds:DigestMethod 
> > > > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> > > >             
> > > > <ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue>
> > > >          </ds:Reference>
> > > >          <ds:Reference 
> > > > URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033464">
> > > >             <ds:DigestMethod 
> > > > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> > > >             
> > > > <ds:DigestValue>7typFfsZFzJVtEsGinu58N8RtqE=</ds:DigestValue>
> > > >          </ds:Reference>
> > > >          <ds:Reference 
> > > > URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033465">
> > > >             <ds:DigestMethod 
> > > > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> > > >             
> > > > <ds:DigestValue>oxwjv1Go+8Y0m97hiJLTKcYx4t8=</ds:DigestValue>
> > > >          </ds:Reference>
> > > >       </ds:SignedInfo>
> > > >       <ds:SignatureValue>
> > > > RYaOiVt2gDIFmFDFotJrxGWHFYFe3dAoI1L2vubdlbBZt3pk4aaolBz6NA9IswW9
> > > > ZO
> > > > wP
> > > > GY
> > > > izLB4P
> > > > vMa8f4sHx8onoVt+5BGQwLuTYRDgGrJqmwpbwJxUAPvFh1xgEDGodfZ4P7kmjsgo
> > > > vMa8f4sHx8onoVt+4f
> > > > vMa8f4sHx8onoVt+jD
> > > > vMa8f4sHx8onoVt+UL
> > > > vMa8f4sHx8onoVt+dk9Zhw
> > > > vIN/+eBfirtyCcbTb1w=
> > > > </ds:SignatureValue>
> > > >       <ds:KeyInfo>
> > > >          <ds:X509Data>
> > > >             <ds:X509Certificate> 
> > > > MIIDADCCAmmgAwIBAgIGAQpEtx7tMA0GCSqGSIb3DQEBBQUAMIGXMRQwEgYDVQQG.....
> > > > </ds:X509Certificate>
> > > >             <ds:X509Certificate> 
> > > > MIICpDCCAg0CBgEKRLVqKDANBgkqhkiG9w0BAQUFADCBlzEUMBIGA1UEBhMLU3dpdHplcmxhbmQx....
> > > > </ds:X509Certificate>
> > > >          </ds:X509Data>
> > > >       </ds:KeyInfo>
> > > >    </ds:Signature>
> > > > </edoc:SignatureBlock>
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] 
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
> > > > Sent: Monday, 7 August 2006 16:21
> > > > To: security-dev@xml.apache.org
> > > > Subject: Re: Version 1.4 doesn't sign XML document correctly
> > > >
> > > > Can you open a bug report and attach a test case?
> > > > This will help a lot.
> > > >
> > > > Regards,
> > > >
> > > > Raul
> > > >
> > > > On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > >
> > > > > Hi,
> > > > >
> > > > > XML security version 1.4 Beta0 and Beta1 doesn't sign the XML 
> > > > > document correctly. I developed a Java library that uses XML 
> > > > > security to sign/verify and to encrypt/decrypt XML documents.
> > > > > When I executed my JUnit tests, they failed when XML documents are 
> > > > > verified. I have two tests that failed:
> > > > >
> > > > > TEST 1:  The XML document is already signed (with XML security 
> > > > > version
> > > > > 1.2) and it is verified with the version 1.4 (beta0 and beta1).
> > > > > This test failed using version 1.4 but was ok with precedent versions.
> > > > >
> > > > > TEST 2:  The XML document is signed with XML security 
> > > > > V1.4Beta1 and is verified with IBM XSS4J toolkit. This test 
> > > > > failed using version
> > > > > 1.4Beta1 but was ok with precedent versions.
> > > > >
> > > > > I think it is a critical bug...Please can you help me
> > > > >
> > > > > Regards. Yvan Hess
> > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > > http://r-bg.com
> > > >
> > >
> > >
> > > --
> > > http://r-bg.com
> > >
> > >
> > >
> >
> >
> > --
> > http://r-bg.com
> >
> >
> >
>
>
> --
> http://r-bg.com
>
>
>


--
http://r-bg.com


<?xml version="1.0" encoding="UTF-8"?>
<edoc:EDOC xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:edoc="http://www.imtf.com/hypersuite/edoc/2.0/" sysid="CC9CC230-C0A8024E01A3CA10-AC154F78">
   <edoc:Version>2.0</edoc:Version>
   <edoc:Object edocVersion="2.0">
      <edoc:ObjectMetadata>
         <edoc:ObjectType>Record</edoc:ObjectType>
         <edoc:ObjectCreationDate>2004-12-13T14:27:35</edoc:ObjectCreationDate>
      </edoc:ObjectMetadata>
      <edoc:ObjectContent>
         <edoc:Record>
            <edoc:RecordMetadata></edoc:RecordMetadata>
            <edoc:Document id="Revision-1-Document-1">
               <edoc:DocumentMetadata>
                  <dc:date>2003-07-20</dc:date>
                  <dc:type>20</dc:type>
                  <dc:format>PDF</dc:format>
                  <edoc:customer-number>222222</edoc:customer-number>
               </edoc:DocumentMetadata>
               <edoc:Encoding id="Revision-1-Document-1-Encoding-1">
                  <edoc:EncodingMetadata>
                  </edoc:EncodingMetadata>
                  <edoc:ContentData encapsulation="Base64" id="Revision-1-Document-1-Encoding-1-ContentData-1" sourceFileSize="102550">AAA</edoc:ContentData>
               </edoc:Encoding>
            </edoc:Document>
         </edoc:Record>
      </edoc:ObjectContent>
   </edoc:Object>
<edoc:SignatureBlock id="Revision-1-Signature-1"><edoc:SignatureDate>2006-08-09T17:21:35</edoc:SignatureDate><edoc:Signer>Hess Yvan (first signature)</edoc:Signer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
<dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2" Filter="intersect">/edoc:EDOC/edoc:Object</dsig-xpath:XPath>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>YMXHTYArDBcWDG99epurfdSEAWM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
Un2HBIOcwGe36k8eDEJISKP8/EmCp813JlmV0qqxIPVgdMsIJXR5Wky6uqwP+E3wAXj4NykW76GV
1eSD9dTKw/M/bFMbId0nBp0ZFaFE5DKU/My4956qr2oyJqiFRKOokCxds0jMQvGcKeWVC9oAROxR
byZQbrtjGw9YS+D5afY=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
<ds:X509Certificate>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=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature></edoc:SignatureBlock></edoc:EDOC>
