Fixed, a single condition in an if statement.
I was over-pruning. Now your test case passes.
I can send you a jar if you want, but please write a bug entry with
the document, so we can keep track of the problems.

Your suggestion of using another XML digital signature
implementation looks interesting. But I think we can have the same
by having more correct and incorrect signatures like the one you sent.

Anyway feel free to prove me wrong.

And really, thanks for the bug report. One question: do you have any
performance testing?
If you do, I hope you see the outcome of your problems.

Regards,

Raul

On 8/10/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
Raul,

Here is the example of a signed XML document. Let me know if you need more
resources. What I have that can help you is a class that validates an XML
document using the IBM XSS4J toolkit (XML document having external references or
not). This can help you to check whether the signed XML documents are valid or not
according to another toolkit.

Regards. Yvan Hess


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
Sent: Wednesday, 9 August 2006 20:44
To: security-dev@xml.apache.org
Subject: Re: Version 1.4 doesn't sign XML document correctly

That will be great.

There is already a regression test, but it still does not contain a lot of
xpath2 transformation examples (indeed only one).
Feel free to send your patches for more tests ;)

Regards,

Raul

On 8/9/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
> Raul,
>
> I can send you a signed XML document without external references (it's easier
> to manage) that has been signed using XML Security V1.3.
>
> - The document is valid with Apache XML Version 1.3
> - The document is valid with IBM XSS4J toolkit
> - The document is NOT valid with Apache XML version 1.4
>
> Is it what you need? Moreover, I think it will be great to add a regression
> test as I have. A document signed with version 1.3 must be valid with higher versions.
>
> Regards. Yvan Hess
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
> Sent: Wednesday, 9 August 2006 12:02
> To: security-dev@xml.apache.org
> Subject: Re: Version 1.4 doesn't sign XML document correctly
>
> Hi Hess,
>   Sadly it is going to take me more time to reproduce this. I have finished my
> vacation (that is when I work with xml-sec).
>   I can revert my changes and go with the old 1.3 implementation of the
> xpath2 filter, but it will be very sad, as it is very slow compared to the new
> one ( O(n^2) vs. O(n) ).
>   The problem is that the test cases only have one example of an xpath2 transformation. If
> you can give us more I can debug the implementation better. If not I have to create them and
> check what should be the correct c14n; this takes me a "long" time (1 hour, but
> currently I can only reserve half an hour for xml-sec hacking).
>   So if you can provide me a failing example I can speed up this process.
>   Sorry.
>
> Regards,
>
> Raul
>
> On 8/8/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
> > When you have a new version correcting the bug, please inform me and I will
> > execute my JUnit tests one more time and give you feedback.
> >
> > Regards. Yvan
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
> > Sent: Monday, 7 August 2006 18:41
> > To: security-dev@xml.apache.org
> > Subject: Re: Version 1.4 doesn't sign XML document correctly
> >
> > Then it is a bug that I introduced when rewriting the xpath2 filter. I will try to
> > reproduce it with an xfilter with only intersect nodes.
> >
> > Thanks,
> > Regards,
> >
> > Raul
> >
> > On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
> > > I don't think so, because I have a transform <ds:Transform
> > > Algorithm="http://www.w3.org/2002/06/xmldsig-filter2"> pointing into an element of my XML
> > > document that doesn't include the signature itself. As I said, it was working like that prior to version
> > > 1.4.
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
> > > Sent: Monday, 7 August 2006 17:21
> > > To: security-dev@xml.apache.org
> > > Subject: Re: Version 1.4 doesn't sign XML document correctly
> > >
> > > Hi Hess,
> > > It seems to me that you also need to use the enveloped signature transformation. The
> > > Reference="" is including the signature and this is a problem when signing: depending
> > > on the order of doing the references, you are going to obtain different digest values.
> > > What do you think, can it be your case?
> > >
> > > Regards,
> > >
> > > Raul
> > >
> > > On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
> > > > It will be difficult to send you a test case because all my test cases
> > > > are based on my library (that is also bound to other libraries). I can try to do debugging to
> > > > help you to isolate the problem or to solve it :-). First, a good JUnit test case that you
> > > > can introduce into the XML security JUnit tests is something similar to my TEST 2 (signature
> > > > with XML security and verification with the IBM toolkit XSS4J). In this case you are sure that
> > > > the signature has been correctly generated and is valid.
> > > >
> > > > Here is the signature of my XML document that I am using in the context of my test case.
> > > > As you can see, I am signing one part of the XML document and two external binary documents. The problem
> > > > seems to come from the first Reference (<ds:Reference URI="">). The digest value doesn't
> > > > match after signature verification. The digest values of the two external references match.
> > > >
> > > > <edoc:SignatureBlock id="Revision-1-Signature-1">
> > > >    <edoc:SignatureDate>2006-08-07T12:24:18</edoc:SignatureDate>
> > > >    <edoc:Signer>Hess Yvan (first signature)</edoc:Signer>
> > > >    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> > > >       <ds:SignedInfo>
> > > >          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> > > >          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> > > >          <ds:Reference URI="">
> > > >             <ds:Transforms>
> > > >                <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
> > > >                   <dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2" Filter="intersect">/edoc:EDOC/edoc:Object</dsig-xpath:XPath>
> > > >                </ds:Transform>
> > > >             </ds:Transforms>
> > > >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> > > >             <ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue>
> > > >          </ds:Reference>
> > > >          <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033464">
> > > >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> > > >             <ds:DigestValue>7typFfsZFzJVtEsGinu58N8RtqE=</ds:DigestValue>
> > > >          </ds:Reference>
> > > >          <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033465">
> > > >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> > > >             <ds:DigestValue>oxwjv1Go+8Y0m97hiJLTKcYx4t8=</ds:DigestValue>
> > > >          </ds:Reference>
> > > >       </ds:SignedInfo>
> > > >       <ds:SignatureValue>
> > > > RYaOiVt2gDIFmFDFotJrxGWHFYFe3dAoI1L2vubdlbBZt3pk4aaolBz6NA9IswW9
> > > > ZO
> > > > wP
> > > > GY
> > > > izLB4P
> > > > vMa8f4sHx8onoVt+5BGQwLuTYRDgGrJqmwpbwJxUAPvFh1xgEDGodfZ4P7kmjsgo
> > > > vMa8f4sHx8onoVt+4f
> > > > vMa8f4sHx8onoVt+jD
> > > > vMa8f4sHx8onoVt+UL
> > > > vMa8f4sHx8onoVt+dk9Zhw
> > > > vIN/+eBfirtyCcbTb1w=
> > > > </ds:SignatureValue>
> > > >       <ds:KeyInfo>
> > > >          <ds:X509Data>
> > > >             <ds:X509Certificate>
> > > > MIIDADCCAmmgAwIBAgIGAQpEtx7tMA0GCSqGSIb3DQEBBQUAMIGXMRQwEgYDVQQG.....
> > > > </ds:X509Certificate>
> > > >             <ds:X509Certificate>
> > > > MIICpDCCAg0CBgEKRLVqKDANBgkqhkiG9w0BAQUFADCBlzEUMBIGA1UEBhMLU3dpdHplcmxhbmQx....
> > > > </ds:X509Certificate>
> > > >          </ds:X509Data>
> > > >       </ds:KeyInfo>
> > > >    </ds:Signature>
> > > > </edoc:SignatureBlock>
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
> > > > Sent: Monday, 7 August 2006 16:21
> > > > To: security-dev@xml.apache.org
> > > > Subject: Re: Version 1.4 doesn't sign XML document correctly
> > > >
> > > > Can you open a bug report and attach a test case?
> > > > This will help a lot.
> > > >
> > > > Regards,
> > > >
> > > > Raul
> > > >
> > > > On 8/7/06, Hess Yvan <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > >
> > > > > Hi,
> > > > >
> > > > > XML security version 1.4 Beta0 and Beta1 doesn't sign the XML
> > > > > document correctly. I developed a Java library that uses XML
> > > > > security to sign/verify and to encrypt/decrypt XML documents.
> > > > > When I executed my JUnit tests, they failed when XML documents are
> > > > > verified. I have two tests that failed:
> > > > >
> > > > > TEST 1:  The XML document is already signed (with XML security
> > > > > version 1.2) and it is verified with version 1.4 (beta0 and beta1).
> > > > > This test failed using version 1.4 but was OK with previous versions.
> > > > >
> > > > > TEST 2:  The XML document is signed with XML security
> > > > > V1.4Beta1 and is verified with the IBM XSS4J toolkit. This test
> > > > > failed using version 1.4Beta1 but was OK with previous versions.
> > > > >
> > > > > I think it is a critical bug... Please can you help me?
> > > > >
> > > > > Regards. Yvan Hess
> > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > > http://r-bg.com
> > > >
> > >
> > >
> > > --
> > > http://r-bg.com
> > >
> > >
> > >
> >
> >
> > --
> > http://r-bg.com
> >
> >
> >
>
>
> --
> http://r-bg.com
>
>
>


--
http://r-bg.com







--
http://r-bg.com
