Fixed, a single condition in an if statement I was over-pruning. Now your test case pass. I can send you a jar, if you want. but please write a bug entry with the document, so we can keep track of the problems.
Regarding your sugestion of using other xml digital signature implementation look interesting. But I think we can have the same having more correct and incorrect signatures like you send. Anyway feel free to prove me wrong. And really thank for the bug report. One question do you have any performance testing? If you do, I hope you see the outcome of your problems. Regards, Raul On 8/10/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
Raul, Here is the example of signed XML document. Let me know if you need more resources. What I have that can help you is a class that validates an XML document using IBM XSS4J toolkit (XML document having external reference or not). This can help you to check if the signed XML documents are valid or not according an other toolkit. Regards. Yvan Hess -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito Sent: mercredi, 9. août 2006 20:44 To: security-dev@xml.apache.org Subject: Re: Version 1.4 doesn't sign XML document correctly That will be great. There is already a regression test but still it does not contain a lot of xpath2 transformations examples(indeed only one). Feel free to send you patches for more tests ;) Regards, Raul On 8/9/06, Hess Yvan <[EMAIL PROTECTED]> wrote: > Raul, > > I can send you a signed XML document without external references (it's easier to manage) that have been signed using XML Security V1.3. > > - The document is valid with Apache XML Version 1.3 > - The document is valid with IBM XSS4J toolkit > - the document is NOT valid with Apache XML version 1.4 > > Is It what you need ? Moreover, I think it will be great to add a regression test as I have. Document signed with version 1.3 must be valid with higher version. > > Regards. Yvan Hess > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito > Sent: mercredi, 9. août 2006 12:02 > To: security-dev@xml.apache.org > Subject: Re: Version 1.4 doesn't sign XML document correctly > > Hi Hess, > Sadly it is going to take me more time to reprduce this. I have finished my vacation(that is when I work with xml-sec). > I can revert my changes and go with the old 1.3 implementation of > xpath2 filter, but it will be very sad, as it is very slow compare to the new one ( o(n2) vs. o(n) ). > The problme is that the test cases only has one example of xpath2 transformation. If you can give us more I can debug the implementation better. If not I have to create them and check what should be the correct c14n, this takes me "long" time(1 hour, but currently I can only reserve half an hour for xml-sec hacking). > So if you can provide me a failling example I can speed up this process. > Sorry. > > Regards, > > Raul > > On 8/8/06, Hess Yvan <[EMAIL PROTECTED]> wrote: > > When you have a new version correcting the bug, please inform me and I will one more time execute my Junit tests and I will give you a feedback. > > > > Regards. Yvan > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito > > Sent: lundi, 7. août 2006 18:41 > > To: security-dev@xml.apache.org > > Subject: Re: Version 1.4 doesn't sign XML document correctly > > > > Then it is a bug that I introduce rewriting xpath2 filter. I will try to reproduce it with a xfilter with only intersect nodes. > > > > Thanks, > > Regards, > > > > Raul > > > > On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote: > > > I don't think so because I have a transform <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2";> pointing into a element of my XML document that doesn't include the signature itself. As I said, it was working like that prior to version 1.4. > > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] > > > [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito > > > Sent: lundi, 7. août 2006 17:21 > > > To: security-dev@xml.apache.org > > > Subject: Re: Version 1.4 doesn't sign XML document correctly > > > > > > Hi Hess, > > > It seem to me that you need to use also enveloped signature transformation. The Reference="" is including the signature and this is a problem when signing, it depends in the order of doing the reference your going to obtain different digest values. > > > What do you think,can it be your case? > > > > > > Regards, > > > > > > Raul > > > > > > On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote: > > > > It will be difficult to send you a test case because all my test cases are based on my library (that is also bind to others library). I can try to do debugging to help you to isolate the problem or to solve it :-). First a good Junit test case that you can introduce into XML security JUnit tests is something similar to my TEST 2 (Signature with XML security and verification with IBM toolkit XSS4J). In this case you are sure that the signature has been corectly be generated and is valid. > > > > > > > > Here is the signature of my XML document I am using into the context of my test case. As you can see I am signing one part of the XML document and two external binary documents. The problem seems to come from the first Reference (<ds:Reference URI="">). The digest value doesn't match after signature verification. The digest values of the two external reference matches. > > > > > > > > <edoc:SignatureBlock id="Revision-1-Signature-1"> > > > > <edoc:SignatureDate>2006-08-07T12:24:18</edoc:SignatureDate> > > > > <edoc:Signer>Hess Yvan (first signature)</edoc:Signer> > > > > <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> > > > > <ds:SignedInfo> > > > > <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> > > > > <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> > > > > <ds:Reference URI=""> > > > > <ds:Transforms> > > > > <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2";> > > > > <dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2"; Filter="intersect">/edoc:EDOC/edoc:Object</dsig-xpath:XPath> > > > > </ds:Transform> > > > > </ds:Transforms> > > > > <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> > > > > <ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue> > > > > </ds:Reference> > > > > <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033464"> > > > > <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> > > > > <ds:DigestValue>7typFfsZFzJVtEsGinu58N8RtqE=</ds:DigestValue> > > > > </ds:Reference> > > > > <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033465"> > > > > <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> > > > > <ds:DigestValue>oxwjv1Go+8Y0m97hiJLTKcYx4t8=</ds:DigestValue> > > > > </ds:Reference> > > > > </ds:SignedInfo> > > > > <ds:SignatureValue> > > > > RYaOiVt2gDIFmFDFotJrxGWHFYFe3dAoI1L2vubdlbBZt3pk4aaolBz6NA9IswW9 > > > > ZO > > > > wP > > > > GY > > > > izLB4P > > > > vMa8f4sHx8onoVt+5BGQwLuTYRDgGrJqmwpbwJxUAPvFh1xgEDGodfZ4P7kmjsgo > > > > vMa8f4sHx8onoVt+4f > > > > vMa8f4sHx8onoVt+jD > > > > vMa8f4sHx8onoVt+UL > > > > vMa8f4sHx8onoVt+dk9Zhw > > > > vIN/+eBfirtyCcbTb1w= > > > > </ds:SignatureValue> > > > > <ds:KeyInfo> > > > > <ds:X509Data> > > > > <ds:X509Certificate> > > > > MIIDADCCAmmgAwIBAgIGAQpEtx7tMA0GCSqGSIb3DQEBBQUAMIGXMRQwEgYDVQQG..... > > > > </ds:X509Certificate> > > > > <ds:X509Certificate> > > > > MIICpDCCAg0CBgEKRLVqKDANBgkqhkiG9w0BAQUFADCBlzEUMBIGA1UEBhMLU3dpdHplcmxhbmQx.... > > > > </ds:X509Certificate> > > > > </ds:X509Data> > > > > </ds:KeyInfo> > > > > </ds:Signature> > > > > </edoc:SignatureBlock> > > > > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > From: [EMAIL PROTECTED] > > > > [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito > > > > Sent: lundi, 7. août 2006 16:21 > > > > To: security-dev@xml.apache.org > > > > Subject: Re: Version 1.4 doesn't sign XML document correctly > > > > > > > > Can you open a bug report and attach a test case? > > > > This will help a lot. > > > > > > > > Regards, > > > > > > > > Raul > > > > > > > > On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote: > > > > > > > > > > > > > > > Hi, > > > > > > > > > > XML security version 1.4 Beta0 and Beta1 doesn't sign the XML > > > > > document correctly. I developped a Java library that uses XML > > > > > security to sign/verify and to encrypt/decrypt XML documents. > > > > > When I executed my JUNIT tests, they failed when XML document are verified. I have two tests that failed: > > > > > > > > > > TEST 1: The XML document is already signed (with XML security > > > > > version > > > > > 1.2) and it is verified with the version 1.4 (beta0 and beta1). > > > > > This test failed using version 1.4 but was ok with precedent versions. > > > > > > > > > > TEST 2: The XML document is signed with XML security > > > > > V1.4Beta1 and is verified with IBM XSS4J toolkit. This test > > > > > failed using version > > > > > 1.4Beta1 but was ok with precedent versions. > > > > > > > > > > I think it is a critical bug...Please can you help me > > > > > > > > > > Regards. Yvan Hess > > > > > > > > > > > > > > > > > > > > > > -- > > > > http://r-bg.com > > > > > > > > > > > > > -- > > > http://r-bg.com > > > > > > > > > > > > > > > -- > > http://r-bg.com > > > > > > > > > -- > http://r-bg.com > > > -- http://r-bg.com
-- http://r-bg.com
