Bradley Beddoes wrote:
After more investigation I found a few problems with my usage of Xerces
and also some issues with the JAXP validator which I have now stopped
using which were causing problems with root node signatures.
Verification of a signature at the root node is now successful in both
C++ and Java,
Just in case this wasn't 100% clear, a signature on the root node is
successful with or without additional enveloped signatures on child
nodes in both languages.
however embedded enveloped signatures continue to fail
with incorrect references. (The documents however still fully validate
in the language they were created in)
Additionally, an embedded sig reference will fail even when it is not
wrapped inside a root node signature and there is definitely no base64
content present in my current test documents' regular child nodes.
I intend to do some more work tomorrow; I am currently suspicious of c14n
inconsistencies, but I thought I might ask if anyone may have any
suggestions for other areas I should perhaps be looking at so I don't
waste a lot of time I don't really have.
regards,
Bradley
Scott Cantor wrote:
The problem of invalid references arises in the xmlsec-c code base when
either a document has a single signature whose reference URI is some
child node of the document or when the root node has a signature AND
some child node of the document has a signature. (Validation with xerces
2.7 always comes out correct)
If you're validating, that might be your problem, but most of the issues
around that were fixed in Xerces-C 2.7. Earlier versions would require
that you disable data type normalization, and that would break any nested
signature cases where you were signing base-64. But I would try disabling
validation and make sure that's not involved.
Otherwise, what you want to do is actually get a trace of the octet
string being digested in C++ and compare that XML to what you think the
c14n should produce.
-- Scott
--
Bradley Beddoes
Lead Software Architect
Intient - "Open Source, Open Standards"
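
Added example, not part of the original thread and not code from either library: one way to do the comparison Scott describes once the octets fed to the digest have been dumped from the C++ verifier. The function names and the sample byte strings are constructed for illustration, and SHA-1 is assumed as the Reference's digest algorithm.

```python
import base64
import hashlib


def digest_b64(octets: bytes, algo: str = "sha1") -> str:
    """Digest in the base64 form carried by ds:DigestValue (SHA-1 assumed)."""
    return base64.b64encode(hashlib.new(algo, octets).digest()).decode("ascii")


def first_difference(a: bytes, b: bytes):
    """Offset of the first differing octet, or None when the streams match."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def compare_traces(traced: bytes, expected: bytes, digest_value: str,
                   context: int = 24, algo: str = "sha1") -> dict:
    """Compare the octets one implementation digested with the c14n you expect."""
    offset = first_difference(traced, expected)
    report = {
        "traced_matches_reference": digest_b64(traced, algo) == digest_value,
        "expected_matches_reference": digest_b64(expected, algo) == digest_value,
        "first_diff_offset": offset,
    }
    if offset is not None:
        lo = max(0, offset - context)
        # Raw bytes are kept so whitespace, CR/LF and entity differences show up.
        report["traced_context"] = traced[lo:offset + context]
        report["expected_context"] = expected[lo:offset + context]
    return report


# Constructed sample: canonical form of a signed child element as the signer
# produced it, and a verifier trace that carries an extra namespace declaration.
SAMPLE_EXPECTED = (b'<a:Child xmlns:a="urn:example:a" Id="c1">'
                   b'<a:Value>42</a:Value></a:Child>')
SAMPLE_TRACED = (b'<a:Child xmlns:a="urn:example:a" xmlns:b="urn:example:b" Id="c1">'
                 b'<a:Value>42</a:Value></a:Child>')
SAMPLE_DIGEST_VALUE = digest_b64(SAMPLE_EXPECTED)  # stands in for ds:DigestValue

if __name__ == "__main__":
    for key, value in compare_traces(SAMPLE_TRACED, SAMPLE_EXPECTED,
                                     SAMPLE_DIGEST_VALUE).items():
        print(f"{key}: {value!r}")
```

The first differing offset points at the construct the two canonicalizers disagree on, which is quicker to read than two digests that simply do not match.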