You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@santuario.apache.org by Ulrich Ackermann <ul...@web.de> on 2007/06/21 22:12:37 UTC

Interop question

Hi all,

I have got a question concerning the interoperability between the Apache XML Security framework (we are currently using the version 1.3.0) and the Sun implementation of XML DSIG (Java XML Digital Signature API, 1.0 EA2).
Currently we are running into problems because the opposite application isn't able to verify our signature whereas it is no problem for us to verify a signature built by the Sun implementation based application with our app, which is built upon the Apache XML Security framework.

We are using enveloping signature and the problem can be narrowed down to the digest (SHA1) we are calculating differently. The canonicalization we are using is org.apache.xml.security.c14nCanonicalizer.ALGO_ID_C14N_WITH_COMMENTS.

Are there any problems known with version 1.3.x of Apache XML Security that are fixed with 1.4.x? Are there any known issues at all concerning one or the other framework?

Thank you in advance,
Ulrich
_____________________________________________________________________
Der WEB.DE SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen!
http://smartsurfer.web.de/?mc=100071&distributionid=000000000066

Re: Interop question

Posted by Sean Mullan <Se...@Sun.COM>.

Hi Ulrich,

It's probably a c14n issue. What you should do is enable logging on each
side, and then compare the canonicalized bytes, before it is digested.
My guess is that it is something subtle (it always is) probably with
namespaces. You may also try using the Java XML DSig implementation in
JDK 6 or XMLSec 1.4.1, which is more up to date.

--Sean

Ulrich Ackermann wrote:
> Hi all,
> 
> I have got a question concerning the interoperability between the
> Apache XML Security framework (we are currently using the version
> 1.3.0) and the Sun implementation of XML DSIG (Java XML Digital
> Signature API, 1.0 EA2). Currently we are running into problems
> because the opposite application isn't able to verify our signature
> whereas it is no problem for us to verify a signature built by the
> Sun implementation based application with our app, which is built
> upon the Apache XML Security framework.
> 
> We are using enveloping signature and the problem can be narrowed
> down to the digest (SHA1) we are calculating differently. The
> canonicalization we are using is
> org.apache.xml.security.c14nCanonicalizer.ALGO_ID_C14N_WITH_COMMENTS.
> 
> 
> Are there any problems known with version 1.3.x of Apache XML
> Security that are fixed with 1.4.x? Are there any known issues at all
> concerning one or the other framework?
> 
> Thank you in advance, Ulrich 
> _____________________________________________________________________
>  Der WEB.DE SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu
> sparen! 
> http://smartsurfer.web.de/?mc=100071&distributionid=000000000066
>