Harakiri wrote on 2009-01-27:
> however it seems that Java signed empty tags as:
>
> <param name="myparam"/>
>
> but Apache security correctly validates as
>
> <param name="myparam"></param>
>
> Since I can't just change existing signatures, how can I modify the Apache
> xmldsig validation so that it will not compute the hash over the empty tags
> as <param></param> but as <param/> ?

If you're using c14n (either version) as defined today, the signature digest is over the <tag></tag> form, not the other form. That's part of c14n. I doubt what you're using is really doing that wrong, unless it's one-off signing code that isn't interoperable at all. But you can't make Apache's code do this wrong, no.

-- Scott
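
An added example, not part of the original thread and not Apache XML Security code, showing the empty-element rule from the reply above: both serializations canonicalize to the same octets, so a digest taken over raw `<param/>` bytes can never verify. It assumes Python's standard-library `canonicalize` (which implements C14N 2.0 and applies the same start-end tag rule), SHA-256 as an illustrative digest, constructed sample documents, and hypothetical helper names.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed sample documents: one element, two serializations.
SELF_CLOSED = '<doc><param name="myparam"/></doc>'
START_END = '<doc><param name="myparam"></param></doc>'


def c14n(xml_text: str) -> bytes:
    """Return the canonical octets a digest would be computed over."""
    return canonicalize(xml_data=xml_text).encode("utf-8")


def reference_digest(xml_text: str) -> str:
    """Digest of the canonical form (SHA-256 chosen for illustration)."""
    return hashlib.sha256(c14n(xml_text)).hexdigest()


def raw_digest(xml_text: str) -> str:
    """Digest of the bytes as written, skipping canonicalization.
    This models non-interoperable one-off signing code."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def verify(xml_text: str, signed_digest: str) -> bool:
    """A conforming verifier canonicalizes before hashing."""
    return reference_digest(xml_text) == signed_digest


if __name__ == "__main__":
    for name, doc in (("self-closed", SELF_CLOSED), ("start-end", START_END)):
        print(name, c14n(doc).decode(), reference_digest(doc)[:16])
    # A digest taken over the raw <param/> bytes does not verify.
    print("raw <param/> digest verifies:",
          verify(SELF_CLOSED, raw_digest(SELF_CLOSED)))
```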