https://issues.apache.org/bugzilla/show_bug.cgi?id=45586
[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO

--- Comment #6 from [EMAIL PROTECTED]  2008-09-17 12:47:10 PST ---
(In reply to comment #5)
> I am a little confused when you say pre-digested input.

By pre-digested input, I mean the bytes that are input to the MessageDigest
algorithm. These are the bytes that are digested and become the DigestValue of
each Reference element. Being able to dump these bytes is usually critical to
debugging XML Signature validation failures.

You need to obtain the pre-digested bytes when you are both signing and
validating the XML Signature. Then you can compare them and look for the
differences (i.e. which is causing the signature not to validate and the
digests not to match). Often, it is caused by the following problems:

 - namespaces are leaking into the signed content
 - serializing the signature from DOM to xml and back to DOM has introduced
   something that breaks the signature, maybe additional whitespace or default
   namespaces due to legacy xml, etc

In the Apache XMLSec implementation, there is logging code that dumps the
pre-digested bytes in the org.apache.xml.security.utils.DigesterOutputStream
class:

    // arg0, arg1 and arg2 are the buffer, offset and length passed to write()
    if (log.isDebugEnabled()) {
        log.debug("Pre-digested input:");
        StringBuffer sb = new StringBuffer(arg2);
        for (int i = arg1; i < (arg1 + arg2); i++) {
            sb.append((char) arg0[i]);
        }
        log.debug(sb.toString());
    }

Please enable this logging and attach this output when you are generating the
signature.

> But looking at the code
> in TransformEnvelopedSignature.java of xmlsec which is:
>
>         if (input.isElement()) {
>             XMLSignatureInput result = new XMLSignatureInput(input.getSubNode());
>             result.setExcludeNode(signatureElement);
>             result.setExcludeComments(input.isExcludeComments());
>             return result;
>         }
>
> So excluding the sign elt and the comments, I get this:

It is not enough to do that. There is another transform following the
enveloped transform that canonicalizes the nodeset result of the enveloped
transform. The bytes resulting from that are the pre-digested input. But you
can just use the logging code above to dump the bytes.

Also, I am assuming that you used the Apache XMLSec implementation to generate
the signature. If you used some other XML Signature implementation to generate
the signature, then you must use that implementation to dump the pre-digested
bytes. You may need to ask the developers if there is a hook or debug mechanism
to do that (hopefully there is).

If there isn't a way to do that, then there isn't much else I can do with this
report and will have to close it. I would like to help find out the problem,
but without this minimal information, it is impossible since I have nothing to
start with.
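The procedure the comment describes (capture the pre-digested bytes on the signing side, capture them again on the validating side after the document has been serialized and re-parsed, then diff them) can also be done without enabling debug logging in the library. The following is an added example, not code from the bug report or from Apache XMLSec: it uses the standard Java XML Signature API (javax.xml.crypto.dsig, JSR 105) and its `javax.xml.crypto.dsig.cacheReference` context property, which makes each `Reference` keep its digest input so that `getDigestInputStream()` returns exactly the bytes that went into the MessageDigest. It assumes the JDK's built-in "DOM" provider and a constructed sample document; a freshly generated RSA key stands in for a real one. The reference uses the same two transforms discussed above, the enveloped-signature transform followed by a canonicalization, so the dumped bytes are the output of the canonicalization step, not just the node set with the Signature element excluded.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;
import java.util.Collections;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Node;

public class PreDigestDump {

    // Constructed sample payload; not taken from the bug report.
    static final String PAYLOAD =
        "<order xmlns=\"urn:example:orders\"><item id=\"1\">widget</item></order>";

    // JSR 105 property: keep the digest input on each Reference after sign/validate.
    static final String CACHE_REF = "javax.xml.crypto.dsig.cacheReference";

    static Document parse(byte[] xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // the DOM signature provider requires namespace-aware DOM
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    // DOM -> text, the round trip that often introduces whitespace or namespace changes.
    static byte[] serialize(Document doc) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        TransformerFactory.newInstance().newTransformer()
            .transform(new DOMSource(doc), new StreamResult(bos));
        return bos.toByteArray();
    }

    // The pre-digested bytes: output of the last transform, i.e. the canonicalized
    // node set with the Signature element already removed by the enveloped transform.
    static byte[] preDigestOf(Reference ref) throws Exception {
        try (InputStream in = ref.getDigestInputStream()) {
            if (in == null) throw new IllegalStateException("reference caching not enabled");
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            byte[] buf = new byte[4096];
            for (int n; (n = in.read(buf)) != -1; ) bos.write(buf, 0, n);
            return bos.toByteArray();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");

        // Reference to the whole document (URI ""), enveloped transform, then exclusive C14N.
        Reference ref = fac.newReference("",
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Arrays.asList(
                fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE,
                                          (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));

        // Signing side: sign with caching on, then dump the digest input.
        Document doc = parse(PAYLOAD.getBytes(StandardCharsets.UTF_8));
        DOMSignContext sc = new DOMSignContext(kp.getPrivate(), doc.getDocumentElement());
        sc.setProperty(CACHE_REF, Boolean.TRUE);
        fac.newXMLSignature(si, null).sign(sc);
        byte[] signSide = preDigestOf(ref);

        // Validating side: serialize, re-parse, validate with caching on, dump again.
        Document reparsed = parse(serialize(doc));
        Node sigNode = reparsed.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext vc = new DOMValidateContext(kp.getPublic(), sigNode);
        vc.setProperty(CACHE_REF, Boolean.TRUE);
        XMLSignature parsedSig = fac.unmarshalXMLSignature(vc);
        boolean valid = parsedSig.validate(vc);
        Reference parsedRef = (Reference) parsedSig.getSignedInfo().getReferences().get(0);
        byte[] validateSide = preDigestOf(parsedRef);

        System.out.println("core validity: " + valid);
        System.out.println("pre-digested bytes identical: " + Arrays.equals(signSide, validateSide));
        System.out.println("--- sign side ---\n" + new String(signSide, StandardCharsets.UTF_8));
        System.out.println("--- validate side ---\n" + new String(validateSide, StandardCharsets.UTF_8));
    }
}
```

When a signature produced by one implementation fails in another, only the validating half of this program applies; the signing-side dump then has to come from the other implementation's own hook (for Apache XMLSec, the DigesterOutputStream debug logging quoted above). Diffing the two byte dumps is what exposes the leaked namespace declarations or whitespace that a DOM-to-text-to-DOM round trip can introduce.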