
http://issues.apache.org/bugzilla/show_bug.cgi?id=40245

           Summary: Version 1.4 doesn't sign XML document correctly (bad
                    digest)
           Product: Security
           Version: unspecified
          Platform: Other
        OS/Version: Windows XP
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Signature
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: [EMAIL PROTECTED]


XML security version 1.4 Beta0 and Beta1 don't sign the XML document correctly.

Two tests failed:

TEST 1: The XML document is already signed (with XML Security version 1.2) and
it is verified with version 1.4 (beta0 and beta1). This test failed using
version 1.4 but was OK with previous versions.

TEST 2: The XML document is signed with XML Security V1.4Beta1 and is verified
with the IBM XSS4J toolkit. This test failed using version 1.4Beta1 but was OK
with previous versions.

Doing some investigation, it seems that the problem is due to a bug in the
xpath2 filter that has been rewritten in version 1.4.

As you can see, I am signing (see below) one part of the XML document and two
external binary documents. The problem seems to come from the first Reference
(<ds:Reference URI="">). The digest value doesn't match after signature
verification. The digest values of the two external references match.

<edoc:SignatureBlock id="Revision-1-Signature-1">
   <edoc:SignatureDate>2006-08-07T12:24:18</edoc:SignatureDate>
   <edoc:Signer>Hess Yvan (first signature)</edoc:Signer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
         <ds:Reference URI="">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
                  <dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2"
                                    Filter="intersect">/edoc:EDOC/edoc:Object</dsig-xpath:XPath>
               </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue>
         </ds:Reference>
         <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033464">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>7typFfsZFzJVtEsGinu58N8RtqE=</ds:DigestValue>
         </ds:Reference>
         <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033465">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>oxwjv1Go+8Y0m97hiJLTKcYx4t8=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
RYaOiVt2gDIFmFDFotJrxGWHFYFe3dAoI1L2vubdlbBZt3pk4aaolBz6NA9IswW9ZOwPGYizLB4PvMa
8f4sHx8onoVt+5BGQwLuTYRDgGrJqmwpbwJxUAPvFh1xgED
GodfZ4P7kmjsvMa8f4sHx8onoVt+govMa8f4sHx8onoVt+4fvMa8f4sHx8onoVt+jDvMa8f4sHx8ono
Vt+ULvMa8f4sHx8onoVt+dk9ZhwvIN/+eBfirtyCcbTb1w=
      </ds:SignatureValue>
      <ds:KeyInfo>
         <ds:X509Data>
            <ds:X509Certificate>MIIDADCCAmmgAwIBAgIGAQpEtx7tMA0GCSqGSIb3DQEBBQUAMIGXMRQwEgYDVQQG.....</ds:X509Certificate>
            <ds:X509Certificate>MIICpDCCAg0CBgEKRLVqKDANBgkqhkiG9w0BAQUFADCBlzEUMBIGA1UEBhMLU3dpdHplcmxhbmQx....</ds:X509Certificate>
         </ds:X509Data>
      </ds:KeyInfo>
   </ds:Signature>
</edoc:SignatureBlock>
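Added check, not part of the report or of the Apache XML Security code: the first Reference's DigestValue above, 2jmj7l5rSw0yVb/vlWAYkK/YBwk=, is the base64 SHA-1 of zero bytes, which is exactly what a signer produces when the XPath Filter 2 transform yields an empty node-set, so the reference protects nothing. This standard-library Python scans a SignedInfo (an excerpt of the report's own, Transforms omitted) for References whose digest equals the empty-input digest of their DigestMethod, a cheap verifier-side sanity check.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# DigestMethod URIs mapped to hashlib names (the report's signature uses SHA-1).
DIGEST_ALGS = {
    DS + "sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    "http://www.w3.org/2001/04/xmlenc#sha512": "sha512",
}

# SignedInfo excerpt taken from the report above (Transforms omitted for brevity).
SIGNED_INFO = """<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Reference URI="">
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue>
  </ds:Reference>
  <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033464">
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>7typFfsZFzJVtEsGinu58N8RtqE=</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>"""

def empty_digest(algorithm_uri):
    """Base64 digest of the empty octet stream for a DigestMethod URI, or None if unknown."""
    name = DIGEST_ALGS.get(algorithm_uri)
    if name is None:
        return None
    return base64.b64encode(hashlib.new(name, b"").digest()).decode("ascii")

def find_empty_references(signed_info_xml):
    """Return URIs of References whose DigestValue is the digest of zero bytes,
    i.e. whose transform chain produced an empty node-set and signs nothing."""
    root = ET.fromstring(signed_info_xml)
    suspicious = []
    for ref in root.iter("{%s}Reference" % DS):
        method = ref.find("{%s}DigestMethod" % DS)
        value = ref.find("{%s}DigestValue" % DS)
        if method is None or value is None:
            continue
        expected_empty = empty_digest(method.get("Algorithm"))
        actual = "".join((value.text or "").split())  # base64 may be line-wrapped
        if expected_empty is not None and actual == expected_empty:
            suspicious.append(ref.get("URI"))
    return suspicious

if __name__ == "__main__":
    print(find_empty_references(SIGNED_INFO))  # ['']
```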
