Posted to dev@santuario.apache.org by "Oleg V. Portnov/Quorus-ACS/ru" <po...@quorus.ru> on 2003/06/25 16:08:41 UTC

Bug in SignedInfo.java ?

I use xml-security 1.0.5 D2

Possibly found a bug
in org.apache.xml.security.signature.SignedInfo.java:
  if SignedInfo.getCanonicalizedOctetStream() is called,
  then subsequent calls to this method do not rebuild
  the returned canonicalized octets of the 'SignedInfo' element,
  irrespective of the changes made to it.

For example, this affects the XMLSignature.sign(...) method implementation:
1) If the first call to SignedInfo.getCanonicalizedOctetStream()
   is made before (!) the first call to SignedInfo.generateDigestValues(),
   the digest values are not included in the result octets of 'SignedInfo'.
   Regardless of following calls to SignedInfo.generateDigestValues(),
   the result octets of 'SignedInfo' are not changed.
   As a result, when generateDigestValues() is called in XMLSignature.sign(...),
   the digest values are not included in the calculation of the signature value
   (element 'Signature').
2) But! The digest values are successfully written during serialization
   of the resulting xml-signature document...
3) After all that, signature validation of the resulting xml-signature document
   will fail, because the digest values specified in the body of the document
   are now used during calculation of the signature value.


I temporarily patched SignedInfo.java by commenting out these two lines
in method getCanonicalizedOctetStream():
  // if ((this._c14nizedBytes == null)
  //         && (this._state == ElementProxy.MODE_SIGN))
  {
      Canonicalizer c14nizer =
        Canonicalizer.getInstance(this.getCanonicalizationMethodURI());
  ...
  ...

Oleg V. Portnov
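The order-dependent stale-cache behaviour described in the post, reproduced as an added stand-alone example (not code from xml-security or from the poster): SignedInfoModel is a hypothetical stand-in for SignedInfo with a cached canonical form, and the "fixed" variant drops the cache whenever generateDigestValues mutates the element. The string "canonicalization" and the digest value are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;

// Hypothetical stand-in for SignedInfo: a mutable element plus a cached canonical form,
// mirroring the _c14nizedBytes cache named in the post.
class SignedInfoModel {
    private final StringBuilder element =
        new StringBuilder("<SignedInfo><Reference><DigestValue/></Reference></SignedInfo>");
    private byte[] c14nizedBytes;              // cache of the canonicalized octets
    private final boolean invalidateOnChange;  // true = fixed behaviour, false = reported bug

    SignedInfoModel(boolean invalidateOnChange) {
        this.invalidateOnChange = invalidateOnChange;
    }

    // Returns cached octets if present; only canonicalizes on the first call (toy canonicalization).
    byte[] getCanonicalizedOctetStream() {
        if (c14nizedBytes == null) {
            c14nizedBytes = element.toString().getBytes(StandardCharsets.UTF_8);
        }
        return c14nizedBytes;
    }

    // Mutates the element by filling in the DigestValue; the fix is to drop the stale cache here.
    void generateDigestValues(String digest) {
        String marker = "<DigestValue/>";
        int i = element.indexOf(marker);
        element.replace(i, i + marker.length(), "<DigestValue>" + digest + "</DigestValue>");
        if (invalidateOnChange) {
            c14nizedBytes = null;
        }
    }
}

public class StaleC14nCheck {
    // Regression check: call the octet stream early (as the post describes), then generate
    // digests, and report whether the bytes that would be signed contain the digest value.
    static boolean signatureInputIncludesDigests(boolean fixed) {
        SignedInfoModel si = new SignedInfoModel(fixed);
        si.getCanonicalizedOctetStream();          // early call, before any digest exists
        si.generateDigestValues("c0nstructedDigest=");  // constructed digest value
        String signed = new String(si.getCanonicalizedOctetStream(), StandardCharsets.UTF_8);
        return signed.contains("c0nstructedDigest=");
    }

    public static void main(String[] args) {
        System.out.println("buggy cache, digests in signed bytes: " + signatureInputIncludesDigests(false));
        System.out.println("fixed cache, digests in signed bytes: " + signatureInputIncludesDigests(true));
    }
}
```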