Harakiri wrote:
> We created signatures using the Sun XML Signature APIs in JRE 5 versions.
Hmm, which APIs are those? What software are you using? Have you tried JRE 6 to see if the problem still exists?
> Due to a bug in Sun's API we would like to use the XML Security API from Apache. However, all our signatures are invalid, possibly through a bug in Java. The signatures have been created with the following: http://www.w3.org/TR/2001/REC-xml-c14n-20010315 however it seems that Java signed empty tags as: <param name="myparam"/> but Apache security correctly validates as <param name="myparam"></param> Since I can't just change existing signatures, how can I modify the Apache xmldsig validation so that it will not compute the hash over the empty tags as <param></param> but as <param/> ?
You can't, as Scott notes. Well, you could hack up the code yourself and build your own library but then you would just be bug-compatible. The existing signatures would still not interoperate with other vendors.
Sorry, but I think your only solution may be to regenerate the signatures. --Sean
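
To find which stored signatures are affected before regenerating them, the check below compares a stored digest against both serializations discussed in the thread. It is an added example, not part of the original messages or of either library. It assumes the referenced content is available as a namespace-free XML string and that the digest is base64-encoded SHA-1 (both assumptions), and it uses Python's standard-library canonicalizer (C14N 2.0), which applies the same start-end tag rule for empty elements as the Canonical XML 1.0 algorithm named above.

```python
import base64
import hashlib
import re
from xml.etree.ElementTree import canonicalize

# Constructed sample standing in for the signed content of a stored document.
SAMPLE = '<params><param name="myparam"/><param name="other">x</param></params>'

# Matches an empty element in canonical output: attributes are always
# double-quoted there, so a quoted value containing '>' cannot end the tag early.
_EMPTY = re.compile(r'<([^\s<>/"]+)((?: [^\s="]+="[^"]*")*)></\1>')


def conformant_form(xml_text):
    """Canonical serialization: empty elements become start-end tag pairs."""
    return canonicalize(xml_data=xml_text)


def collapsed_form(xml_text):
    """The non-conformant variant: empty elements left as self-closing tags."""
    return _EMPTY.sub(r"<\1\2/>", conformant_form(xml_text))


def b64_digest(text, algorithm):
    raw = hashlib.new(algorithm, text.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def classify(xml_text, stored_digest, algorithm="sha1"):
    """Say which serialization a stored digest value was computed over."""
    if stored_digest == b64_digest(conformant_form(xml_text), algorithm):
        return "conformant"
    if stored_digest == b64_digest(collapsed_form(xml_text), algorithm):
        return "self-closing-empty-tags"
    return "mismatch"


if __name__ == "__main__":
    # Simulate a digest produced over the self-closing form.
    legacy = b64_digest(collapsed_form(SAMPLE), "sha1")
    print(conformant_form(SAMPLE))
    print(classify(SAMPLE, legacy))
```

Documents reported as "self-closing-empty-tags" are the ones that need new signatures; "mismatch" means the content differs for some other reason.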