Thanks Brent for all your help and quick response.
We finaly talk to the client/3rd-party and convinced them that they were
doing something wrong. They finaly admitted that they were removing
carriage returns and blanks spaces in the signed info.
Jean-Charles Laurent
Analyste / Analyst
Le Groupe Jean Coutu (PJC) Inc.
tél: 450-463-1890 (3363)
fax: 450-646-0567
[EMAIL PROTECTED]
Brent Putman <[EMAIL PROTECTED]>
27/05/2008 06:10 PM
A
Jean-Charles Laurent <[EMAIL PROTECTED]>,
security-dev@xml.apache.org
cc
Objet
Re: question
(Please hit reply-to-all when you reply so that your email goes to the
list and not just to me).
Jean-Charles Laurent wrote:
Hi Brent,
Yes I did write to a file and I validate it with a Java tool (found on the
web) or with a Java program that I got in the sample directory of xml
security package. I am quite sure what we are sending is a valid xml
signature file. I think this is an issue with dot-net.
Well, then ultimately it's not your problem, and if I were you, I
personally would not waste my time trying to work around someone else's
broken code. Ask them to fix it.
Here someone did a signature with a dot-net program and for it to validate
on the peer side, they needed to use some dot-net parameter to prevent
blanks or newline characters in the signature. We know that it is not
being corrupted on the way (since we can send the dot-net result and it is
valide). Their resulting sign XML file has the SignedInfo tag on a single
line with no carriage return characters. This is what I am trying to
reproduce with my Java application.
I understand. Good luck. Even if you get the line breaks feature
working, realize this very may not actually fix your problem, given
everything that you've said. I'd be very wary.
Out of curiosity: do you know whether the .NET code that is being used to
validate is some standard .NET XML Signature library, or something that
someone just wrote up for this particular application? If the former, I'd
be interested to know what it is, just for future reference...
I tried to set the parameter "org.apache.xml.security.ignoreLineBreaks"
and I semm to have no effect on my signature. I must be doing something
wrong. I tried as you suggested via the -D option ("java
-Dorg.apache.xml.security.ignoreLineBreaks=true ..."). To make sure the
parameter is set correctly, I do a
System.out.println("ignoreLineBreaks="+System.getProperty("org.apache.xml.security.ignoreLineBreaks"));
which displays true.
I haven't personally used this feature, perhaps someone on the Apache xml
security dev team can comment. But one thing is (and sorry I didn't
realize this before): according to SVN the last Java xmlsec release
(1.4.1) was tagged in May 2007, and this ignore line breaks feature wasn't
added until October 2007, so you would have to be running with a xmlsec
jar built from recent source, or perhaps try with the 1.4.2 beta (or
release candidate?) that I believe Sean currently has out there somewhere.
--Brent
AVERTISSEMENT CONCERNANT LA CONFIDENTIALITE
Ce message, incluant ses pieces jointes, est strictement reserve a l'usage de
l'individu ou de l'entite a qui il est
adresse et contient de l'information privilegiee et confidentielle. La
dissemination, distribution ou copie de cette
communication est strictement prohibee. Si vous n'etes pas le destinataire
projete veuillez retourner
immediatement un courrier electronique a l'expediteur et effacez toutes les
copies.
CONFIDENTIALITY WARNING
This message, including its attachments, is strictly intended for the use of
the individual or the entity to which it is addressed
and contains privileged and confidential information. Disclosure, distribution
or copy of this communication is strictly
prohibited. If you are not the intended recipient please notify us immediately
by returning the e-mail to the originator and
deleting all copies.
