http://issues.apache.org/bugzilla/show_bug.cgi?id=40921

           Summary: XML <X509Certificate> contents modified and signature
                    normally validated.
           Product: Security
           Version: unspecified
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Signature
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: [EMAIL PROTECTED]

Hello,

I am using the XML Signature API (javax.xml.crypto) in order to generate and verify signatures in XML documents (Enveloped type).

When verifying the signature, if I have changed some data, the signature is invalidated (that's OK and correct). But if I have changed the content of the <X509Certificate> tag by putting in a different certificate, the signature is normally validated.

I defined the <Reference URI=""> indicating that the whole document must be signed (according to W3 specifications).

Is there something wrong?

Here is my XML before signing:
=======================================
<?xml version="1.0" encoding="UTF-8" ?>
<NotasFaltas>
  <ano>2006</ano>
  <semestre>2</semestre>
  <turma>52A</turma>
  <idtProf>15</idtProf>
  <idtDisc>2</idtDisc>
  <unidade>3</unidade>
  <alunos class="linked-list">
    <Aluno>
      <idtAlu>1</idtAlu>
      <nota>1.0</nota>
      <faltas>2</faltas>
    </Aluno>
    <Aluno>
      <idtAlu>2</idtAlu>
      <nota>3.0</nota>
      <faltas>4</faltas>
    </Aluno>
    <Aluno>
      <idtAlu>3</idtAlu>
      <nota>5.0</nota>
      <faltas>6</faltas>
    </Aluno>
    <Aluno>
      <idtAlu>4</idtAlu>
      <nota>7.0</nota>
      <faltas>8</faltas>
    </Aluno>
  </alunos>
</NotasFaltas>

Here is my XML after signing:
=======================================
<?xml version="1.0" encoding="UTF-8" ?>
<NotasFaltas>
  <ano>2006</ano>
  <semestre>2</semestre>
  <turma>52A</turma>
  <idtProf>15</idtProf>
  <idtDisc>2</idtDisc>
  <unidade>3</unidade>
  <alunos class="linked-list">
    <Aluno>
      <idtAlu>1</idtAlu>
      <nota>1.0</nota>
      <faltas>2</faltas>
    </Aluno>
    <Aluno>
      <idtAlu>2</idtAlu>
      <nota>3.0</nota>
      <faltas>4</faltas>
    </Aluno>
    <Aluno>
      <idtAlu>3</idtAlu>
      <nota>5.0</nota>
      <faltas>6</faltas>
    </Aluno>
    <Aluno>
      <idtAlu>4</idtAlu>
      <nota>7.0</nota>
      <faltas>8</faltas>
    </Aluno>
  </alunos>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>ltbvesKBO+VTvcovJyJ0VVkSaJM=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>I0lQECSCl5ITnF8uK/uMDZO2dgo0eLWFz4GMrV6I+FZmN2TbCr6Nj4LF62I7s2DVVrXybEsJmn/i
00EPNyYflhQjbp2/EXFZ+pu8wu5mRtm2LmcRGXbJz6CBEkfOXzFdE8lmw3MPmDT/NsnM3KXavDJZ
Ah2xubknF/+Mjq7WDQE=</SignatureValue>
    <KeyInfo>
      <KeyValue>
        <RSAKeyValue>
          <Modulus>unmSpz4AW43DBUeUtbGDxyEBOmKUiAM136ZrGOlJRzximnaFjABuQ7Ucix5Ru60DLlUH5Q3KHfDW
aimUe3ufnWUWSGkbNUGYtwdqv/54LvTvW3SMA0IuvfqUmdF+AJgHCWv0rEYizswKaeNgMak+/oWL
MBrOwE2+fhB6l87tBo8=</Modulus>
          <Exponent>AQAB</Exponent>
        </RSAKeyValue>
      </KeyValue>
      <X509Data>
        <X509Certificate>MIIE5TCCA82gAwIBAgIQMjAwNjA3MjgxNjQzMjMwMjANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UE
BhMCQlIxEzARBgNVBAoTCklDUC1CcmFzaWwxLDAqBgNVBAsTI1NlY3JldGFyaWEgZGEgUmVjZWl0
YSBGZWRlcmFsIC0gU1JGMTIwMAYDVQQDEylBdXRvcmlkYWRlIENlcnRpZmljYWRvcmEgZG8gU0VS
UFJPIFNSRiB2MTAeFw0wNjA4MDExOTE4MDZaFw0wOTA3MzExOTE4MDZaMIGoMQswCQYDVQQGEwJC
UjETMBEGA1UEChMKSUNQLUJyYXNpbDEqMCgGA1UECxMhU2VjcmV0YXJpYSBkYSBSZWNlaXRhIEZl
ZGVyYWwtU1JGMRUwEwYDVQQLEwxDT05UUklCVUlOVEUxFTATBgNVBAsTDFNSRiBlLUNQRiBBMzEq
MCgGA1UEAxMhRklMTElQRSBPTElWRUlSQSBMSU1BOjAwNjg0MDE5NTc0MIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQC6eZKnPgBbjcMFR5S1sYPHIQE6YpSIAzXfpmsY6UlHPGKadoWMAG5DtRyL
HlG7rQMuVQflDcod8NZqKZR7e5+dZRZIaRs1QZi3B2q//ngu9O9bdIwDQi69+pSZ0X4AmAcJa/Ss
RiLOzApp42AxqT7+hYswGs7ATb5+EHqXzu0GjwIDAQABo4IBrzCCAaswDwYDVR0TAQH/BAUwAwEB
ADAfBgNVHSMEGDAWgBRGeQZEgwLZ6nmND8SA/kG69vMScjAOBgNVHQ8BAf8EBAMCBeAwYAYDVR0g
BFkwVzBVBgZgTAECAwQwSzBJBggrBgEFBQcCARY9aHR0cHM6Ly9jY2Quc2VycHJvLmdvdi5ici9h
Y3NlcnByb3NyZi9kb2NzL2RwY2Fjc2VycHJvc3JmLnBkZjCBowYDVR0RBIGbMIGYoD0GBWBMAQMB
oDQEMjI3MDgxOTg0MDA2ODQwMTk1NzQwMDAwMDAwMDAwMDAwMDAwMDAzMDA5MTEwMVNTUFNFoCcG
BWBMAQMFoB4EHDAyMDk0ODcxMjE5NDAyNzAyNjhBUkFDQUpVU0WgFwYFYEwBAwagDgQMMDAwMDAw
MDAwMDAwgRVmaWxsaXBlbGltYUBnbWFpbC5jb20wIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwIGCCsG
AQUFBwMEMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly9jY2Quc2VycHJvLmdvdi5ici9sY3IvYWNz
ZXJwcm9zcmYuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQBliOTlViZNLJLUf2KlRobCtMmv7c7bkHqe
M4HAW/19AyuuljFtQGpUAB9jjAXzgXpd9Hyrz/1+5NHPJ9fPoB+fHIpDYJfyUEnGkDPve7JUHrTq
10MlPATIuiJhws+40O7sIaYftCK0Yn2V1LTFuEHLSD4T5kvXbpDbeMs6Hx9oiR3HFZxi/Cfhv/1X
KeEjLtsrV9xEeJwY7soKQ0Ds2UMu2LLw02T9o9wMcX9M3MU/QN7AirmWQsMxDfmNDRzXV/Axbh0o
s72mrHXvYpranXJhibh6aKW67LuhZM7Z5EDXWgioMXruk6ys8bm3EIBJ/+YtrUUrmTKA9BsIx3WD
4UOy</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</NotasFaltas>
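
Added example, not part of the original report and not Apache XML Security code: the enveloped-signature transform removes the whole <Signature> element, <KeyInfo> included, from what <Reference URI=""> digests, so the validator has to decide for itself which key it trusts. The sketch below is a javax.xml.crypto KeySelector that takes the verification key only from an <X509Certificate> found in a caller-supplied trusted set and rejects a <KeyValue> that disagrees with it. The class name TrustedCertKeySelector and the exact-match trust policy are assumptions.

```java
import java.security.KeyException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Set;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.*;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

// Hypothetical selector: the key comes from a trusted certificate, never from KeyValue alone.
public class TrustedCertKeySelector extends KeySelector {
    private final Set<X509Certificate> trusted; // certificates the application accepts (assumed policy)

    public TrustedCertKeySelector(Set<X509Certificate> trusted) { this.trusted = trusted; }

    @Override
    public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, AlgorithmMethod method,
                                    XMLCryptoContext context) throws KeySelectorException {
        if (keyInfo == null) throw new KeySelectorException("Signature has no KeyInfo");
        X509Certificate cert = null;
        PublicKey keyValue = null;
        for (Object item : keyInfo.getContent()) {
            if (item instanceof X509Data) {
                for (Object o : ((X509Data) item).getContent())
                    if (o instanceof X509Certificate && cert == null) cert = (X509Certificate) o;
            } else if (item instanceof KeyValue) {
                try { keyValue = ((KeyValue) item).getPublicKey(); }
                catch (KeyException e) { throw new KeySelectorException(e); }
            }
        }
        // A swapped-in certificate is not in the trusted set, so validation stops here.
        if (cert == null || !trusted.contains(cert))
            throw new KeySelectorException("X509Certificate missing or not trusted");
        final PublicKey key = cert.getPublicKey();
        // KeyValue is unsigned too: it must carry the same key as the certificate.
        if (keyValue != null && !Arrays.equals(keyValue.getEncoded(), key.getEncoded()))
            throw new KeySelectorException("KeyValue does not match X509Certificate");
        return () -> key;
    }

    // Validates the single enveloped signature in doc using only trusted certificates.
    public static boolean validate(Document doc, Set<X509Certificate> trusted) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() != 1) return false;
        DOMValidateContext ctx = new DOMValidateContext(new TrustedCertKeySelector(trusted), nl.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        return sig.validate(ctx);
    }
}
```

The Document passed to validate must come from a namespace-aware parser, otherwise getElementsByTagNameNS finds no Signature element.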