To help you in the construction of the robustness of the Apache library, 
especially for the signature of XML documents, I propose that you integrate a test 
case that verifies the signature of an XML document generated with XML Security 
with another toolkit. I am doing this operation in my test cases using the IBM XSS4J 
toolkit. To help you build this test case, I am sending you a Java helper class 
that allows you to verify a signed XML document having external references or 
not.

If you have any questions don't hesitate to contact me.

Regards. Yvan

PS: What is the status of the problem described below? Did you find something?

-----Original Message-----
From: Hess Yvan [mailto:[EMAIL PROTECTED] 
Sent: jeudi, 10. août 2006 09:18
To: security-dev@xml.apache.org
Subject: RE: Version 1.4 doesn't sign XML document correctly

Raul,

Here is the example of a signed XML document. Let me know if you need more 
resources. What I have that can help you is a class that validates an XML 
document using the IBM XSS4J toolkit (XML document having external references or 
not). This can help you to check if the signed XML documents are valid or not 
according to another toolkit.

Regards. Yvan Hess


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
Sent: mercredi, 9. août 2006 20:44
To: security-dev@xml.apache.org
Subject: Re: Version 1.4 doesn't sign XML document correctly

That will be great.

There is already a regression test but still it does not contain a lot of 
xpath2 transformation examples (indeed only one).
Feel free to send your patches for more tests ;)

Regards,

Raul

On 8/9/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
> Raul,
>
> I can send you a signed XML document without external references (it's easier 
> to manage) that has been signed using XML Security V1.3.
>
> - The document is valid with Apache XML Version 1.3
> - The document is valid with IBM XSS4J toolkit
> - The document is NOT valid with Apache XML version 1.4
>
> Is it what you need? Moreover, I think it will be great to add a regression 
> test as I have. A document signed with version 1.3 must be valid with higher 
> versions.
>
> Regards. Yvan Hess
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
> Sent: mercredi, 9. août 2006 12:02
> To: security-dev@xml.apache.org
> Subject: Re: Version 1.4 doesn't sign XML document correctly
>
> Hi Hess,
>   Sadly it is going to take me more time to reproduce this. I have finished my 
> vacation (that is when I work with xml-sec).
>   I can revert my changes and go with the old 1.3 implementation of
> xpath2 filter, but it will be very sad, as it is very slow compared to the new 
> one ( o(n2) vs. o(n) ).
>   The problem is that the test cases only have one example of xpath2 
> transformation. If you can give us more I can debug the implementation 
> better. If not I have to create them and check what should be the correct 
> c14n, this takes me "long" time (1 hour, but currently I can only reserve half 
> an hour for xml-sec hacking).
>   So if you can provide me a failing example I can speed up this process.
>   Sorry.
>
> Regards,
>
> Raul
>
> On 8/8/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
> > When you have a new version correcting the bug, please inform me and I will 
> > one more time execute my Junit tests and I will give you a feedback.
> >
> > Regards. Yvan
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
> > Sent: lundi, 7. août 2006 18:41
> > To: security-dev@xml.apache.org
> > Subject: Re: Version 1.4 doesn't sign XML document correctly
> >
> > Then it is a bug that I introduced rewriting xpath2 filter. I will try to 
> > reproduce it with a xfilter with only intersect nodes.
> >
> > Thanks,
> > Regards,
> >
> > Raul
> >
> > On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
> > > I don't think so because I have a transform <ds:Transform 
> > > Algorithm="http://www.w3.org/2002/06/xmldsig-filter2"> pointing to an 
> > > element of my XML document that doesn't include the signature itself. As 
> > > I said, it was working like that prior to version 1.4.
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] 
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
> > > Sent: lundi, 7. août 2006 17:21
> > > To: security-dev@xml.apache.org
> > > Subject: Re: Version 1.4 doesn't sign XML document correctly
> > >
> > > Hi Hess,
> > > It seems to me that you need to use also enveloped signature 
> > > transformation. The Reference="" is including the signature and this is a 
> > > problem when signing, it depends on the order of doing the reference, you're 
> > > going to obtain different digest values.
> > > What do you think, can it be your case?
> > >
> > > Regards,
> > >
> > > Raul
> > >
> > > On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
> > > > It will be difficult to send you a test case because all my test cases 
> > > > are based on my library (that is also bound to other libraries). I can 
> > > > try to do debugging to help you to isolate the problem or to solve it 
> > > > :-). First a good JUnit test case that you can introduce into XML 
> > > > security JUnit tests is something similar to my TEST 2 (Signature with 
> > > > XML security and verification with IBM toolkit XSS4J). In this case you 
> > > > are sure that the signature has been correctly generated and is valid.
> > > >
> > > > Here is the signature of my XML document I am using in the context of 
> > > > my test case. As you can see I am signing one part of the XML document 
> > > > and two external binary documents. The problem seems to come from the 
> > > > first Reference (<ds:Reference URI="">). The digest value doesn't match 
> > > > after signature verification. The digest values of the two external 
> > > > references match.
> > > >
> > > > <edoc:SignatureBlock id="Revision-1-Signature-1">
> > > >    <edoc:SignatureDate>2006-08-07T12:24:18</edoc:SignatureDate>
> > > >    <edoc:Signer>Hess Yvan (first signature)</edoc:Signer>
> > > >    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> > > >       <ds:SignedInfo>
> > > >          <ds:CanonicalizationMethod 
> > > > Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> > > >          <ds:SignatureMethod 
> > > > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> > > >          <ds:Reference URI="">
> > > >             <ds:Transforms>
> > > >                <ds:Transform 
> > > > Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
> > > >                   <dsig-xpath:XPath 
> > > > xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2" 
> > > > Filter="intersect">/edoc:EDOC/edoc:Object</dsig-xpath:XPath>
> > > >                </ds:Transform>
> > > >             </ds:Transforms>
> > > >             <ds:DigestMethod 
> > > > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> > > >             
> > > > <ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue>
> > > >          </ds:Reference>
> > > >          <ds:Reference 
> > > > URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033464">
> > > >             <ds:DigestMethod 
> > > > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> > > >             
> > > > <ds:DigestValue>7typFfsZFzJVtEsGinu58N8RtqE=</ds:DigestValue>
> > > >          </ds:Reference>
> > > >          <ds:Reference 
> > > > URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033465">
> > > >             <ds:DigestMethod 
> > > > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> > > >             
> > > > <ds:DigestValue>oxwjv1Go+8Y0m97hiJLTKcYx4t8=</ds:DigestValue>
> > > >          </ds:Reference>
> > > >       </ds:SignedInfo>
> > > >       <ds:SignatureValue>
> > > > RYaOiVt2gDIFmFDFotJrxGWHFYFe3dAoI1L2vubdlbBZt3pk4aaolBz6NA9IswW9
> > > > ZO
> > > > wP
> > > > GY
> > > > izLB4P
> > > > vMa8f4sHx8onoVt+5BGQwLuTYRDgGrJqmwpbwJxUAPvFh1xgEDGodfZ4P7kmjsgo
> > > > vMa8f4sHx8onoVt+4f
> > > > vMa8f4sHx8onoVt+jD
> > > > vMa8f4sHx8onoVt+UL
> > > > vMa8f4sHx8onoVt+dk9Zhw
> > > > vIN/+eBfirtyCcbTb1w=
> > > > </ds:SignatureValue>
> > > >       <ds:KeyInfo>
> > > >          <ds:X509Data>
> > > >             <ds:X509Certificate> 
> > > > MIIDADCCAmmgAwIBAgIGAQpEtx7tMA0GCSqGSIb3DQEBBQUAMIGXMRQwEgYDVQQG.....
> > > > </ds:X509Certificate>
> > > >             <ds:X509Certificate> 
> > > > MIICpDCCAg0CBgEKRLVqKDANBgkqhkiG9w0BAQUFADCBlzEUMBIGA1UEBhMLU3dpdHplcmxhbmQx....
> > > > </ds:X509Certificate>
> > > >          </ds:X509Data>
> > > >       </ds:KeyInfo>
> > > >    </ds:Signature>
> > > > </edoc:SignatureBlock>
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] 
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
> > > > Sent: lundi, 7. août 2006 16:21
> > > > To: security-dev@xml.apache.org
> > > > Subject: Re: Version 1.4 doesn't sign XML document correctly
> > > >
> > > > Can you open a bug report and attach a test case?
> > > > This will help a lot.
> > > >
> > > > Regards,
> > > >
> > > > Raul
> > > >
> > > > On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > >
> > > > > Hi,
> > > > >
> > > > > XML security version 1.4 Beta0 and Beta1 don't sign the XML 
> > > > > document correctly. I developed a Java library that uses XML 
> > > > > security to sign/verify and to encrypt/decrypt XML documents.
> > > > > When I executed my JUnit tests, they failed when XML documents are 
> > > > > verified. I have two tests that failed:
> > > > >
> > > > > TEST 1:  The XML document is already signed (with XML security 
> > > > > version 1.2) and it is verified with the version 1.4 (beta0 and beta1).
> > > > > This test failed using version 1.4 but was ok with precedent versions.
> > > > >
> > > > > TEST 2:  The XML document is signed with XML security
> > > > > V1.4Beta1 and is verified with IBM XSS4J toolkit. This test 
> > > > > failed using version 1.4Beta1 but was ok with precedent versions.
> > > > >
> > > > > I think it is a critical bug... Please can you help me
> > > > >
> > > > > Regards. Yvan Hess
> > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > > http://r-bg.com
> > > >
> > >
> > >
> > > --
> > > http://r-bg.com
> > >
> > >
> > >
> >
> >
> > --
> > http://r-bg.com
> >
> >
> >
>
>
> --
> http://r-bg.com
>
>
>


--
http://r-bg.com


Attachment: IBMSignatureVerifier.java
Description: IBMSignatureVerifier.java
