Hello, thanks, I knew this; I used this debugging tip here:
http://weblogs.java.net/blog/mullan/archive/2007/08/index.html and saw the SignedInfo.getCanonicalizedData information. It is possible that this is not the issue I have, because I haven't figured out how to debug the actual signed data with the SUN APIs. I thought I could apply the Reference.getDigestInputStream hint to the SUN APIs to see what bytes have been signed, but that didn't work.

--- On Tue, 1/27/09, Jesse Pelton <j...@pkc.com> wrote:

> From: Jesse Pelton <j...@pkc.com>
> Subject: RE: Invalid Signature problem through Empty elements are converted to start-end tag pairs
> To: security-dev@xml.apache.org
> Date: Tuesday, January 27, 2009, 2:54 PM
>
> In case it isn't obvious (it wasn't to me at first), the fact that an element appears as "<param/>" in the signed document does not mean those are the bytes that were used in generating the signature. The point of canonicalization is that a canonical form of the document is used to calculate the hash, but the document that contains the resulting signature may not be (and generally is not) rewritten in canonical form.
>
> Put differently, the canonicalized document is a temporary copy.
>
> Sorry if you already knew this. Since you said "it seems that java signed empty tags" a certain way, not that you were certain this is the case, I thought it worth pointing out that this might not in fact be the problem.
>
> -----Original Message-----
> From: Scott Cantor [mailto:canto...@osu.edu]
> Sent: Tuesday, January 27, 2009 2:31 PM
> To: security-dev@xml.apache.org
> Subject: RE: Invalid Signature problem through Empty elements are converted to start-end tag pairs
>
> Harakiri wrote on 2009-01-27:
> > however it seems that Java signed empty tags as:
> >
> > <param name="myparam"/>
> >
> > but apache security correctly validates as
> >
> > <param name="myparam"></param>
> >
> > Since I can't just change existing signatures, how can I modify the apache
> > xmldsig validation so that it will not compute the hash over the empty tags
> > as <param></param> but as <param/> ?
>
> If you're using c14n (either version) as defined today, the signature digest is over the <tag></tag> form, not the other form. That's part of c14n. I doubt what you're using is really doing that wrong, unless it's one-off signing code that isn't interoperable at all.
>
> But you can't make Apache's code do this wrong, no.
>
> -- Scott
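The point both replies make, as an added example that is not part of the thread and not code from Apache XML Security or the Sun APIs: the Reference digest is computed over the canonical form, in which `<param name="myparam"/>` and `<param name="myparam"></param>` are the same bytes, so the serialization seen in the signed file tells you nothing about what was hashed. It uses only the Python standard library (`xml.etree.ElementTree.canonicalize`, Python 3.8+); the sample documents are constructed, and inclusive c14n with no other transforms is assumed.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample documents: one XML infoset, two serializations of the
# empty <param> element (as the signer might write it, and as a DOM re-serializer might).
SIGNED_AS_WRITTEN = '<req><param name="myparam"/><body>data</body></req>'
SIGNED_AS_EXPANDED = '<req><param name="myparam"></param><body>data</body></req>'


def c14n(xml_text: str) -> str:
    """Canonicalize with the standard library. Every version of Canonical XML
    serializes an empty element as a start/end tag pair, never as <tag/>."""
    return ET.canonicalize(xml_text)


def raw_digest(xml_text: str) -> str:
    """What the original poster assumed was hashed: the bytes as they sit in the file."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def reference_digest(xml_text: str) -> str:
    """What an XML DSig Reference actually hashes: the canonicalized octets.
    (Assumes inclusive c14n is the only transform; an enveloped-signature
    transform, if present, would be applied before canonicalization.)"""
    return hashlib.sha256(c14n(xml_text).encode("utf-8")).hexdigest()


def explain(xml_text: str) -> dict:
    """Collect the canonical form and both digests for one serialization."""
    return {
        "canonical": c14n(xml_text),
        "raw_sha256": raw_digest(xml_text),
        "c14n_sha256": reference_digest(xml_text),
    }


if __name__ == "__main__":
    # The raw digests differ, the c14n digests are identical: the temporary
    # canonical copy, not the on-disk bytes, is what the signature covers.
    for label, doc in (("<param/>", SIGNED_AS_WRITTEN), ("<param></param>", SIGNED_AS_EXPANDED)):
        info = explain(doc)
        print(label)
        print("  canonical form :", info["canonical"])
        print("  sha256(raw)    :", info["raw_sha256"])
        print("  sha256(c14n)   :", info["c14n_sha256"])
```

To see the actual signed octets in the Java API rather than guessing from the file, the `Reference.getDigestInputStream` hint from the linked blog applies after validation of that Reference has been attempted.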