I think Sean was asking you to do so. This will ensure that you'll be properly recorded as the reporter of the bugs, which can facilitate their management. I'd recommend two bug reports, one for each issue.
________________________________
From: Lijun Liao [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 24, 2007 10:14 AM
To: security-dev@xml.apache.org
Subject: Re: Found several bugs in XML-Security 1.4.0 (Java)

You can open a bug under bugzilla.

Lijun

On 1/24/07, Sean Mullan <[EMAIL PROTECTED]> wrote:

Thanks for reporting these. Do you mind opening a bug so we can track this at:

http://issues.apache.org/bugzilla/

--Sean

Lijun Liao wrote:
> Hello,
>
> I am using xml-security 1.4.0 (java) for my project. And I have found
> several bugs in this library (perhaps bugs in the
> third-party libraries it uses):
>
> 1. In org.apache.xml.security.c14n.implementations.CanonicalizerBase and
> org.apache.xml.security.c14n.implementations.UtfHelpper (how about if
> the class name is changed to UtfHelper with ONE p?):
> The line if ((c & 0x80) ==0) should be changed to if(c < 0x80), since
> the most UTF-chars have 0 at bit 8.
>
> 2. There are always two text nodes with the value '\n' in succession
> within <ds:SignedInfo> and <ds:X509IssuerSerial>. If we have signed some
> elements and wish to add another signature with xpath as the transform,
> then we get the error that says no node can be found to a handle (raised
> by xalan-J). After debugging I found the corresponding code, as follows:
>
>
> 01 public SignedInfo(
> 02       Document doc, Element SignatureMethodElem, Element CanonicalizationMethodElem)
> 03       throws XMLSecurityException {
> 04
> 05    super(doc);
> 06    this._constructionElement.appendChild(CanonicalizationMethodElem);
> 07    XMLUtils.addReturnToElement(this._constructionElement);
> 08    //Check this?
> 09    this.c14nMethod=CanonicalizationMethodElem;
> 10    this._constructionElement.appendChild(c14nMethod);
> 11    XMLUtils.addReturnToElement(this._constructionElement);
>
>       this._signatureAlgorithm = new SignatureAlgorithm(SignatureMethodElem, null);
>
>       signatureMethod=this._signatureAlgorithm.getElement();
>       this._constructionElement.appendChild(signatureMethod);
>
>       XMLUtils.addReturnToElement(this._constructionElement);
>    }
>
> Lines 06 and 10 add the same element twice, hence line 06 has no
> effect. But the text node with the value "\n" added at line 07
> remains there.
>
>
> 01 public XMLX509IssuerSerial(Document doc, String X509IssuerName,
> 02       BigInteger X509SerialNumber) {
> 03    super(doc);
> 04
> 05    XMLUtils.addReturnToElement(this._constructionElement);
> 06    this.addTextElement(X509IssuerName, Constants._TAG_X509ISSUERNAME);
> 07    XMLUtils.addReturnToElement(this._constructionElement);
> 08    this.addTextElement(X509SerialNumber.toString(), Constants._TAG_X509SERIALNUMBER);
> 09 }
>
> Line 07 should be removed, since '\n' is added in line 06.
>
> Best regards,
>
> Lijun Liao

--
Lijun Liao
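
The first item of the report above, as an added example that is not part of the thread and not XML-Security's code: a minimal BMP-only UTF-8 encoder (class and method names are hypothetical) run with each form of the single-byte test over a constructed sample string. A Java `char` is 16 bits, so the mask form also accepts characters at or above U+0100 whose bit 7 happens to be clear, and only their low byte is written.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.function.IntPredicate;

public class SingleByteTestDemo {

    // Minimal UTF-8 encoder for BMP characters (surrogate pairs not handled).
    // The "fits in one byte" test is a parameter so both forms can be compared.
    static byte[] encode(String s, IntPredicate isSingleByte) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (isSingleByte.test(c)) {
                out.write(c);                        // write(int) keeps only the low 8 bits
            } else if (c < 0x800) {                  // two-byte sequence
                out.write(0xC0 | (c >> 6));
                out.write(0x80 | (c & 0x3F));
            } else {                                 // three-byte sequence
                out.write(0xE0 | (c >> 12));
                out.write(0x80 | ((c >> 6) & 0x3F));
                out.write(0x80 | (c & 0x3F));
            }
        }
        return out.toByteArray();
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02X ", x));
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        // Constructed sample: 'A', U+00E9, U+0141, U+4E2D
        String sample = "A\u00E9\u0141\u4E2D";
        IntPredicate mask = c -> (c & 0x80) == 0;    // form quoted in the report
        IntPredicate range = c -> c < 0x80;          // form proposed in the report
        byte[] reference = sample.getBytes(StandardCharsets.UTF_8);
        byte[] masked = encode(sample, mask);
        byte[] ranged = encode(sample, range);
        System.out.println("JDK UTF-8 : " + hex(reference));
        System.out.println("c & 0x80  : " + hex(masked) + "  match=" + Arrays.equals(reference, masked));
        System.out.println("c < 0x80  : " + hex(ranged) + "  match=" + Arrays.equals(reference, ranged));
        // Under the mask test two different strings yield the same bytes,
        // so they would also yield the same digest input.
        System.out.println("U+0141 encodes like 'A' under mask: "
                + Arrays.equals(encode("\u0141", mask), encode("A", mask)));
    }
}
```

Comparing a hand-written encoder against `String.getBytes(StandardCharsets.UTF_8)` in this way works as a regression check for any canonicalizer whose output feeds a digest.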