Hi,
Seems my suspicions were correct, it was a c14n issue.
I just found this post from Scott,
http://mail-archives.apache.org/mod_mbox/xml-security-dev/200610.mbox/[EMAIL PROTECTED]
With my few small tests tonight (I intend to thrash it out more in the
morning) it seems to have also corrected my issues.
regards,
Bradley
Bradley Beddoes wrote:
Bradley Beddoes wrote:
After more investigation I found a few problems with my usage of
Xerces and also some issues with the JAXP validator which I have now
stopped using which were causing problems with root node signatures.
Verification of a signature at the root node is now successful in both
C++ and Java,
Just in case this wasn't 100% clear, a signature on the root node is
successful with or without additional enveloped signatures on child
nodes in both languages.
however, embedded enveloped signatures continue to fail
with incorrect references. (The documents, however, still fully validate
in the language they were created in.)
Additionally, an embedded sig reference will fail even when it is not
wrapped inside a root node signature, and there is definitely no base64
content present in my current test documents' regular child nodes.
I intend to do some more work tomorrow. I am currently suspicious of
c14n inconsistencies, but I thought I might ask if anyone has any
suggestions for other areas I should perhaps be looking at, so I don't
waste a lot of time I don't really have.
regards,
Bradley
Scott Cantor wrote:
The problem of invalid references arises in the xmlsec-c code base when
either a document has a single signature whose reference URI is some
child node of the document, or when the root node has a signature AND
some child node of the document has a signature. (Validation with
Xerces 2.7 always comes out correct.)
If you're validating, that might be your problem, but most of the issues
around that were fixed in Xerces-C 2.7. Earlier versions would require
that you disable data type normalization, and that would break any nested
signature cases where you were signing base-64. But I would try disabling
validation and make sure that's not involved.
Otherwise, what you want to do is actually get a trace of the octet
string being digested in C++ and compare that XML to what you think the
c14n should produce.
-- Scott
--
Bradley Beddoes
Lead Software Architect
Intient - "Open Source, Open Standards"
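Scott's advice to trace the octets being digested and compare them with the expected c14n output, as an added Python example that is not from this thread, xmlsec-c or Apache Santuario: it rebuilds the octet string for an enveloped-signature Reference (removing only the Signature that owns the Reference, so a child signature stays inside a root reference), recomputes the digest and returns the stored value, the recomputed value and the octets to diff. Assumptions: Python's stdlib C14N 2.0 stands in for whatever canonicalization the Signature really declares, digests are SHA-256, the sample document with one root and one child enveloped signature is constructed, and the function names are mine.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)
SIG, DIGEST = f"{{{DS}}}Signature", f"{{{DS}}}DigestValue"
REF = f"{{{DS}}}SignedInfo/{{{DS}}}Reference"

def find_signature(root, uri):  # the Signature whose first Reference has this URI
    return next(s for s in root.iter(SIG) if s.find(REF).get("URI", "") == uri)

def reference_octets(xml_text, uri):
    """Bytes the Reference digests: referenced element minus the Signature that
    holds it (enveloped transform), canonicalized; nested Signatures stay in."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    sig = find_signature(root, uri)
    parent[sig].remove(sig)
    target = root if uri == "" else next(
        e for e in root.iter() if e.get("Id") == uri.lstrip("#"))
    # Assumption: stdlib C14N 2.0 stands in for the C14N 1.0 / exclusive c14n a
    # real Signature declares; diff these bytes against the C++ digest trace.
    return ET.canonicalize(ET.tostring(target, encoding="unicode"),
                           with_comments=False).encode()

def check_reference(xml_text, uri):
    """Return (matches, stored_b64, recomputed_b64, octets); SHA-256 assumed."""
    octets = reference_octets(xml_text, uri)
    ref = find_signature(ET.fromstring(xml_text), uri).find(REF)
    stored = ref.findtext(DIGEST, "").strip()
    actual = base64.b64encode(hashlib.sha256(octets).digest()).decode()
    return actual == stored, stored, actual, octets

def fill_digests(xml_text, placeholders):
    """Fill (token, uri) placeholders innermost first (outer octets cover inner)."""
    for token, uri in placeholders:
        xml_text = xml_text.replace(token, check_reference(xml_text, uri)[2])
    return xml_text

# Constructed sample, as in the thread: a child enveloped signature nested under
# a root enveloped signature; only DigestValues are modelled, no SignatureValue.
SAMPLE = """<Doc>
  <Child Id="c1"><Value>42</Value>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
      <ds:Reference URI="#c1"><ds:DigestValue>DIGEST_C1</ds:DigestValue></ds:Reference>
    </ds:SignedInfo></ds:Signature></Child>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
    <ds:Reference URI=""><ds:DigestValue>DIGEST_ROOT</ds:DigestValue></ds:Reference>
  </ds:SignedInfo></ds:Signature></Doc>"""
SIGNED = fill_digests(SAMPLE, [("DIGEST_C1", "#c1"), ("DIGEST_ROOT", "")])
```

When the recomputed value differs from the stored one, diff the returned octets against what the other implementation actually hashed; the first differing byte localizes the c14n disagreement.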