Posted to commits@santuario.apache.org by "Giacomo Boccardo (JIRA)" <ji...@apache.org> on 2011/03/18 15:06:29 UTC
[jira] Created: (SANTUARIO-266) c14n11 produces different signatures using version 1.4.3 and 1.4.4
c14n11 produces different signatures using version 1.4.3 and 1.4.4
------------------------------------------------------------------
Key: SANTUARIO-266
URL: https://issues.apache.org/jira/browse/SANTUARIO-266
Project: Santuario
Issue Type: Bug
Components: Java
Affects Versions: Java 1.4.4
Reporter: Giacomo Boccardo
Assignee: Colm O hEigeartaigh
Priority: Critical
When I changed the canonicalization algorithm used to generate signatures from "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" to "http://www.w3.org/2006/12/xml-c14n11" and the version of Santuario from 1.4.3 to 1.4.4, all the signatures produced were no longer valid when verified with version 1.4.3, and vice versa.
I mean that "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" produces the same signature in both versions, while "http://www.w3.org/2006/12/xml-c14n11" has the following behaviour:
1) SignatureValue differs
2) the SignedInfo used to produce the signature is:
1.4.3
<ds:SignedInfo xmlns:apache="http://www.apache.org/ns/#app1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:foo="http://example.org/#foo">
1.4.4
<ds:SignedInfo attr1="test1" foo:attr1="foo's test" id="testId" xmlns:apache="http://www.apache.org/ns/#app1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:foo="http://example.org/#foo">
The document before the signature is:
<apache:RootElement xmlns:apache="http://www.apache.org/ns/#app1" xmlns:foo="http://example.org/#foo" attr1="test1" id="testId" foo:attr1="foo's test">Some simple text
</apache:RootElement>
To create a sample to reproduce the issue I modified https://svn.apache.org/repos/asf/santuario/xml-security-java/trunk/samples/org/apache/xml/security/samples/signature/CreateSignature.java using an RSA key (to generate the same SignatureValue each time).
Obviously, I can't write a JUnit because you need two different versions of Santuario's library.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
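The two SignedInfo lines in the report show the symptom: with c14n11 in 1.4.4, attributes of the ancestor apache:RootElement (attr1, foo:attr1, id) turn up on ds:SignedInfo, so the bytes that get signed are not what a conforming verifier canonicalizes, and the SignatureValue cannot match. Canonical XML 1.1 lets the apex element of a subtree inherit only xml:lang and xml:space from its ancestors (xml:id is not inherited, xml:base is handled separately); ordinary attributes of ancestors are never inherited. The Python script below is an added illustration of that rule and of a regression check that works inside one library version, which the reporter notes a two-version JUnit cannot. It is not Santuario code and does not reproduce the library's internals. It assumes an enveloped ds:Signature placed inside RootElement and adds an xml:lang attribute the report does not have; the constructed document, the function names and the buggy switch (which simply inverts the xml-namespace test to show how ancestor attributes leak) are all assumptions of the example.

```python
"""Added illustration of C14N 1.1 attribute inheritance on the apex of a
signed subtree.  Not Santuario code; the document, names and the `buggy`
switch are assumptions of this example."""
import xml.dom.minidom as minidom

XML_URI = "http://www.w3.org/XML/1998/namespace"
XMLNS_URI = "http://www.w3.org/2000/xmlns/"
DS_URI = "http://www.w3.org/2000/09/xmldsig#"
INHERITABLE = {"lang", "space"}  # C14N 1.1 inherits these two; never xml:id

# Constructed input (assumption): the reporter's RootElement with an enveloped
# ds:Signature inside it, plus an xml:lang attribute the report does not have,
# so the one kind of inheritance that IS correct is visible as well.
DOC = (
    '<apache:RootElement xmlns:apache="http://www.apache.org/ns/#app1" '
    'xmlns:foo="http://example.org/#foo" xml:lang="en" attr1="test1" '
    'id="testId" foo:attr1="foo\'s test">Some simple text'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignedInfo/></ds:Signature></apache:RootElement>'
)


def _real_attrs(elem):
    """Attributes of elem, excluding namespace declarations."""
    return [a for a in elem.attributes.values() if a.namespaceURI != XMLNS_URI]


def apex_attributes(elem, buggy=False):
    """Attributes C14N 1.1 renders on the apex element of a document subset:
    the element's own, plus xml:lang / xml:space inherited from the nearest
    ancestor that sets them.  Ordinary ancestor attributes are never inherited.
    buggy=True inverts the 'is this in the xml namespace' test, which is the
    kind of mistake that makes ancestor attributes leak onto SignedInfo as in
    the 1.4.4 output (a model of the symptom, not the library's code)."""
    chosen = {(a.namespaceURI, a.localName): a for a in _real_attrs(elem)}
    node = elem.parentNode
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        for a in _real_attrs(node):
            key = (a.namespaceURI, a.localName)
            if key in chosen:
                continue  # a nearer declaration already won
            in_xml_ns = a.namespaceURI == XML_URI
            if buggy:
                in_xml_ns = not in_xml_ns
            if in_xml_ns and (buggy or a.localName in INHERITABLE):
                chosen[key] = a
        node = node.parentNode
    # C14N attribute order: namespace URI first (no namespace sorts first),
    # then local name.
    return sorted(chosen.values(),
                  key=lambda a: (a.namespaceURI or "", a.localName))


def render(attrs):
    """Start-tag form of the attribute list (C14N's own escaping of &, < and
    " is omitted here because the sample values need none)."""
    return " ".join('%s="%s"' % (a.name, a.value) for a in attrs)


def _signed_info(xml_text):
    doc = minidom.parseString(xml_text)
    return doc.getElementsByTagNameNS(DS_URI, "SignedInfo")[0]


def signed_info_attrs(xml_text, buggy=False):
    return apex_attributes(_signed_info(xml_text), buggy=buggy)


def leaks_ancestor_attrs(xml_text, buggy=False):
    """Regression check that needs only one library version: does anything
    outside the xml namespace reach SignedInfo from an ancestor element?"""
    si = _signed_info(xml_text)
    return any(a.ownerElement is not si and a.namespaceURI != XML_URI
               for a in apex_attributes(si, buggy=buggy))


if __name__ == "__main__":
    print("correct c14n11 apex:", render(signed_info_attrs(DOC)))
    print("buggy apex:         ", render(signed_info_attrs(DOC, buggy=True)))
    print("leak detected:", leaks_ancestor_attrs(DOC, buggy=True))
```

Run as is, the correct branch puts only xml:lang="en" on SignedInfo, while the buggy branch puts attr1, id and foo:attr1 there (in C14N order, namespace URI first, then local name) and drops the xml:lang that should have been inherited: the same set of leaked attributes as the 1.4.4 SignedInfo in the report. leaks_ancestor_attrs is the assertion a unit test can make against a single build, because it checks the canonical form against the specification rather than against the output of another version.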
[jira] [Resolved] (SANTUARIO-266) c14n11 produces different signatures using version 1.4.3 and 1.4.4
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SANTUARIO-266?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh resolved SANTUARIO-266.
-------------------------------------------
Resolution: Fixed
> c14n11 produces different signatures using version 1.4.3 and 1.4.4
> ------------------------------------------------------------------
>
> Key: SANTUARIO-266
> URL: https://issues.apache.org/jira/browse/SANTUARIO-266
> Project: Santuario
> Issue Type: Bug
> Components: Java
> Affects Versions: Java 1.4.4
> Reporter: Giacomo Boccardo
> Assignee: Colm O hEigeartaigh
> Priority: Critical
> Labels: SignedInfo, attributes, c14n11, canonicalization, id
> Fix For: Java 1.4.5, Java 1.5
>
> Attachments: TestGenEnvelopedTutorial.java, test143.xml, test144.xml, xmlsec-1.4.5-SNAPSHOT.jar
[jira] [Commented] (SANTUARIO-266) c14n11 produces different signatures using version 1.4.3 and 1.4.4
Posted by "Giacomo Boccardo (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SANTUARIO-266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13023144#comment-13023144 ]
Giacomo Boccardo commented on SANTUARIO-266:
--------------------------------------------
Now the signatures are the same. I hope this version will be released as soon as possible :)
Thanks,
J.
> c14n11 produces different signatures using version 1.4.3 and 1.4.4
> ------------------------------------------------------------------
>
> Key: SANTUARIO-266
> URL: https://issues.apache.org/jira/browse/SANTUARIO-266
> Project: Santuario
> Issue Type: Bug
> Components: Java
> Affects Versions: Java 1.4.4
> Reporter: Giacomo Boccardo
> Assignee: Colm O hEigeartaigh
> Priority: Critical
> Labels: SignedInfo, attributes, c14n11, canonicalization, id
> Attachments: TestGenEnvelopedTutorial.java, test143.xml, test144.xml, xmlsec-1.4.5-SNAPSHOT.jar
[jira] [Issue Comment Edited] (SANTUARIO-266) c14n11 produces different signatures using version 1.4.3 and 1.4.4
Posted by "Giacomo Boccardo (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SANTUARIO-266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13022065#comment-13022065 ]
Giacomo Boccardo edited comment on SANTUARIO-266 at 4/20/11 10:29 AM:
----------------------------------------------------------------------
I attached two files (test14{3|4}.xml) generated by signing the same document using the two different versions of the library.
Verifying them with the following products/services, I suspect that a bug has been introduced in the latest version of the library.
* XMLSec Online XML Digital Signature Verifier (http://www.aleksey.com/xmlsec/xmldsig-verifier.html)
* 1.4.3: [...] RESULT: Signature is OK
* 1.4.4: [...] func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=346:obj=rsa-sha256:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match
RESULT: Signature is INVALID
* DiKe (https://www.firma.infocert.it/installazione/installazione_DiKe.php)
* 1.4.3: "Firma XML OK" (= XML Signature OK)
* 1.4.4: "Firma non verificata" (= Signature not verified)
* FileProtector (http://www.actalis.it/, non-free):
* 1.4.3: verified
* 1.4.4: not verified
* GlobalTrustFinder Online Verifier (http://www.globaltrustfinder.com/XMLSignatureVerificationStep1.aspx) should be used with a certificate which they trust...!
was (Author: jhack):
I attached two files generated by signing the same document using the two different versions of the library.
Verifying them with the following products/services, I suspect that a bug has been introduced in the latest version of the library.
* XMLSec Online XML Digital Signature Verifier (http://www.aleksey.com/xmlsec/xmldsig-verifier.html)
* 1.4.3: [...] RESULT: Signature is OK
* 1.4.4: [...] func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=346:obj=rsa-sha256:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match
RESULT: Signature is INVALID
* DiKe (https://www.firma.infocert.it/installazione/installazione_DiKe.php)
* 1.4.3: "Firma XML OK" (= XML Signature OK)
* 1.4.4: "Firma non verificata" (= Signature not verified)
* FileProtector (http://www.actalis.it/, non-free):
* 1.4.3: verified
* 1.4.4: not verified
* GlobalTrustFinder Online Verifier (http://www.globaltrustfinder.com/XMLSignatureVerificationStep1.aspx) should be used with a certificate which they trust...!
> c14n11 produces different signatures using version 1.4.3 and 1.4.4
> ------------------------------------------------------------------
>
> Key: SANTUARIO-266
> URL: https://issues.apache.org/jira/browse/SANTUARIO-266
> Project: Santuario
> Issue Type: Bug
> Components: Java
> Affects Versions: Java 1.4.4
> Reporter: Giacomo Boccardo
> Assignee: Colm O hEigeartaigh
> Priority: Critical
> Labels: SignedInfo, attributes, c14n11, canonicalization, id
> Attachments: TestGenEnvelopedTutorial.java, test143.xml, test144.xml
[jira] [Commented] (SANTUARIO-266) c14n11 produces different signatures using version 1.4.3 and 1.4.4
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SANTUARIO-266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13022789#comment-13022789 ]
Colm O hEigeartaigh commented on SANTUARIO-266:
-----------------------------------------------
Hi,
I think I've found the problem. A regression was introduced in Canonicalizer11.java:
425c425
< if (XML_LANG_URI == N.getNamespaceURI()) {
---
> if (!XML_LANG_URI.equals(N.getNamespaceURI())) {
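Review bot: the `<` line at 425 compares `XML_LANG_URI` with `N.getNamespaceURI()` using `==`, which is object identity on a String, so the branch is taken only when the DOM implementation happens to hand back the same interned instance as the constant; whether it does depends on the parser, and a canonicalizer cannot let its output depend on that. The `>` line switches to `equals()` but also negates the test, so the one-line change bundles two things: the identity-comparison fix and an inversion of which attributes go down the xml-namespace path. That deserves a sentence in the commit message, and a regression test that canonicalizes the reporter's apache:RootElement document with c14n11 and asserts that attr1, foo:attr1 and id are absent from the canonical ds:SignedInfo, which can be checked within a single library version even though the reporter could not compare two versions in one JUnit.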
I've fixed this and attached a 1.4.5-SNAPSHOT version of the jar to this JIRA. Could you test the jar to see if it produces the same signature as per the 1.4.3 version?
Thanks,
Colm.
> c14n11 produces different signatures using version 1.4.3 and 1.4.4
> ------------------------------------------------------------------
>
> Key: SANTUARIO-266
> URL: https://issues.apache.org/jira/browse/SANTUARIO-266
> Project: Santuario
> Issue Type: Bug
> Components: Java
> Affects Versions: Java 1.4.4
> Reporter: Giacomo Boccardo
> Assignee: Colm O hEigeartaigh
> Priority: Critical
> Labels: SignedInfo, attributes, c14n11, canonicalization, id
> Attachments: TestGenEnvelopedTutorial.java, test143.xml, test144.xml
[jira] [Commented] (SANTUARIO-266) c14n11 produces different signatures using version 1.4.3 and 1.4.4
Posted by "Giacomo Boccardo (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SANTUARIO-266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13022065#comment-13022065 ]
Giacomo Boccardo commented on SANTUARIO-266:
--------------------------------------------
I attached two files generated by signing the same document using the two different versions of the library.
Verifying them with the following products/services, I suspect that a bug has been introduced in the latest version of the library.
* http://www.aleksey.com/xmlsec/xmldsig-verifier.html
* 1.4.3: [...] RESULT: Signature is OK
* 1.4.4: [...] func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=346:obj=rsa-sha256:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match
RESULT: Signature is INVALID
* DiKe (https://www.firma.infocert.it/installazione/installazione_DiKe.php)
* 1.4.3: "Firma XML OK" (= XML Signature OK)
* 1.4.4: "Firma non verificata" (= Signature not verified)
* FileProtector (http://www.actalis.it/, non-free):
* 1.4.3: verified
* 1.4.4: not verified
* GlobalTrustFinder Online Verifier (http://www.globaltrustfinder.com/XMLSignatureVerificationStep1.aspx) should be used with a certificate which they trust...!
> c14n11 produces different signatures using version 1.4.3 and 1.4.4
> ------------------------------------------------------------------
>
> Key: SANTUARIO-266
> URL: https://issues.apache.org/jira/browse/SANTUARIO-266
> Project: Santuario
> Issue Type: Bug
> Components: Java
> Affects Versions: Java 1.4.4
> Reporter: Giacomo Boccardo
> Assignee: Colm O hEigeartaigh
> Priority: Critical
> Labels: SignedInfo, attributes, c14n11, canonicalization, id
> Attachments: TestGenEnvelopedTutorial.java, test143.xml
[jira] [Updated] (SANTUARIO-266) c14n11 produces different signatures using version 1.4.3 and 1.4.4
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SANTUARIO-266?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh updated SANTUARIO-266:
------------------------------------------
Fix Version/s: Java 1.5, Java 1.4.5
> c14n11 produces different signatures using version 1.4.3 and 1.4.4
> ------------------------------------------------------------------
>
> Key: SANTUARIO-266
> URL: https://issues.apache.org/jira/browse/SANTUARIO-266
> Project: Santuario
> Issue Type: Bug
> Components: Java
> Affects Versions: Java 1.4.4
> Reporter: Giacomo Boccardo
> Assignee: Colm O hEigeartaigh
> Priority: Critical
> Labels: SignedInfo, attributes, c14n11, canonicalization, id
> Fix For: Java 1.4.5, Java 1.5
>
> Attachments: TestGenEnvelopedTutorial.java, test143.xml, test144.xml, xmlsec-1.4.5-SNAPSHOT.jar
[jira] Commented: (SANTUARIO-266) c14n11 produces different signatures using version 1.4.3 and 1.4.4
Posted by "Gabriele Contini (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SANTUARIO-266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13008782#comment-13008782 ]
Gabriele Contini commented on SANTUARIO-266:
--------------------------------------------
This could be a duplicate of https://issues.apache.org/jira/browse/SANTUARIO-191 because the "apache:RootElement" node has an attribute Id that in version 1.4.4 is attached to the SignedInfo structure.
> c14n11 produces different signatures using version 1.4.3 and 1.4.4
> ------------------------------------------------------------------
>
> Key: SANTUARIO-266
> URL: https://issues.apache.org/jira/browse/SANTUARIO-266
> Project: Santuario
> Issue Type: Bug
> Components: Java
> Affects Versions: Java 1.4.4
> Reporter: Giacomo Boccardo
> Assignee: Colm O hEigeartaigh
> Priority: Critical
> Labels: SignedInfo, attributes, c14n11, canonicalization, id
> Attachments: TestGenEnvelopedTutorial.java
[jira] [Updated] (SANTUARIO-266) c14n11 produces different signatures using version 1.4.3 and 1.4.4
Posted by "Giacomo Boccardo (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SANTUARIO-266?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Giacomo Boccardo updated SANTUARIO-266:
---------------------------------------
Attachment: test143.xml
It works!
> c14n11 produces different signatures using version 1.4.3 and 1.4.4
> ------------------------------------------------------------------
>
> Key: SANTUARIO-266
> URL: https://issues.apache.org/jira/browse/SANTUARIO-266
> Project: Santuario
> Issue Type: Bug
> Components: Java
> Affects Versions: Java 1.4.4
> Reporter: Giacomo Boccardo
> Assignee: Colm O hEigeartaigh
> Priority: Critical
> Labels: SignedInfo, attributes, c14n11, canonicalization, id
> Attachments: TestGenEnvelopedTutorial.java, test143.xml
[jira] [Updated] (SANTUARIO-266) c14n11 produces different signatures using version 1.4.3 and 1.4.4
Posted by "Giacomo Boccardo (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SANTUARIO-266?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Giacomo Boccardo updated SANTUARIO-266:
---------------------------------------
Attachment: test144.xml
It doesn't work :(
> c14n11 produces different signatures using version 1.4.3 and 1.4.4
> ------------------------------------------------------------------
>
> Key: SANTUARIO-266
> URL: https://issues.apache.org/jira/browse/SANTUARIO-266
> Project: Santuario
> Issue Type: Bug
> Components: Java
> Affects Versions: Java 1.4.4
> Reporter: Giacomo Boccardo
> Assignee: Colm O hEigeartaigh
> Priority: Critical
> Labels: SignedInfo, attributes, c14n11, canonicalization, id
> Attachments: TestGenEnvelopedTutorial.java, test143.xml, test144.xml
[jira] [Closed] (SANTUARIO-266) c14n11 produces different signatures using version 1.4.3 and 1.4.4
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SANTUARIO-266?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh closed SANTUARIO-266.
-----------------------------------------
> c14n11 produces different signatures using version 1.4.3 and 1.4.4
> ------------------------------------------------------------------
>
> Key: SANTUARIO-266
> URL: https://issues.apache.org/jira/browse/SANTUARIO-266
> Project: Santuario
> Issue Type: Bug
> Components: Java
> Affects Versions: Java 1.4.4
> Reporter: Giacomo Boccardo
> Assignee: Colm O hEigeartaigh
> Priority: Critical
> Labels: SignedInfo, attributes, c14n11, canonicalization, id
> Fix For: Java 1.4.5, Java 1.5
>
> Attachments: TestGenEnvelopedTutorial.java, test143.xml, test144.xml, xmlsec-1.4.5-SNAPSHOT.jar
>
>
> When I changed the canonicalization algorithm used to generate signatures from "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" to "http://www.w3.org/2006/12/xml-c14n11" and the version of Santuario from 1.4.3 to 1.4.4 all the signatures produced were no more valid if verified by the version 1.4.3 and viceversa.
> I mean that "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" produces the same signature in both versions, while "http://www.w3.org/2006/12/xml-c14n11" has the following beaviour:
> 1) SignatureValue differs
> 2) the SignedInfo used to produce the signature is:
> 1.4.3
> <ds:SignedInfo xmlns:apache="http://www.apache.org/ns/#app1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:foo="http://example.org/#foo">
> 1.4.4
> <ds:SignedInfo attr1="test1" foo:attr1="foo's test" id="testId" xmlns:apache="http://www.apache.org/ns/#app1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:foo="http://example.org/#foo">
>
> The document before the signature is:
> <apache:RootElement xmlns:apache="http://www.apache.org/ns/#app1" xmlns:foo="http://example.org/#foo" attr1="test1" id="testId" foo:attr1="foo's test">Some simple text
> </apache:RootElement>
> To create a sample to reproduce the issue I modified https://svn.apache.org/repos/asf/santuario/xml-security-java/trunk/samples/org/apache/xml/security/samples/signature/CreateSignature.java using an RSA key (to generate the same SignatureValue each time).
> Obviously, I can't write a JUnit because you need two different versions of Santuario's library.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
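The point of contention in this issue is what the canonical form of ds:SignedInfo looks like when the element sits below an ancestor that carries ordinary (non-xml:) attributes. Under Inclusive C14N, both 1.0 and 1.1, the in-scope namespace declarations of the ancestors are rendered on the apex element, but ordinary attributes of ancestors are not; C14N 1.1 only propagates the xml:lang, xml:space and xml:base attributes. The following stand-alone Java program is an added example, not the reporter's attachment and not Santuario project code: it uses the JDK's built-in javax.xml.crypto (XMLDSig) provider, so it does not depend on either Santuario version, signs the report's document with c14n11 as the SignedInfo canonicalization method, dumps the canonical SignedInfo bytes that were actually signed, checks that the start tag carries the three namespace declarations and none of attr1, id or foo:attr1, and then validates the enveloped signature with the public key. The class name, the 2048-bit RSA key and the "ds" prefix are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Collections;

import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

// Hypothetical class name; this is example code, not part of Santuario or the report's attachment.
public class C14n11SignedInfoCheck {

    // The unsigned document exactly as given in the report, constructed inline.
    static final String DOC =
        "<apache:RootElement xmlns:apache=\"http://www.apache.org/ns/#app1\" "
      + "xmlns:foo=\"http://example.org/#foo\" attr1=\"test1\" id=\"testId\" "
      + "foo:attr1=\"foo's test\">Some simple text\n</apache:RootElement>";

    static final String C14N11 = "http://www.w3.org/2006/12/xml-c14n11";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // XMLDSig requires a namespace-aware DOM
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(DOC.getBytes(StandardCharsets.UTF_8)));

        // Fresh RSA key pair (assumption: 2048 bits; the report also used an RSA key).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // Enveloped signature over the whole document (URI="").
        Reference ref = fac.newReference("",
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(
                fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        // SignedInfo is canonicalized with C14N 1.1, as in the report.
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(C14N11, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));
        XMLSignature sig = fac.newXMLSignature(si, null);

        DOMSignContext signCtx = new DOMSignContext(kp.getPrivate(), doc.getDocumentElement());
        signCtx.setDefaultNamespacePrefix("ds"); // assumption: use the ds: prefix shown in the report
        sig.sign(signCtx);

        // getCanonicalizedData() returns the bytes that were actually digested and signed.
        String canon = new String(readAll(sig.getSignedInfo().getCanonicalizedData()),
                                  StandardCharsets.UTF_8);
        String startTag = canon.substring(0, canon.indexOf('>') + 1);
        System.out.println("canonical SignedInfo start tag:\n" + startTag);

        // C14N 1.1: ancestor namespace declarations are rendered on the apex element,
        // ordinary ancestor attributes are not (only xml:lang, xml:space, xml:base inherit).
        boolean leaks = startTag.contains(" attr1=")
                     || startTag.contains(" id=")
                     || startTag.contains(" foo:attr1=");
        boolean hasNs = startTag.contains("xmlns:apache=") && startTag.contains("xmlns:foo=");
        System.out.println(!leaks && hasNs
            ? "c14n11 of SignedInfo matches the spec (no ancestor attributes rendered)"
            : "ancestor attributes leaked into canonical SignedInfo");

        // Round trip: validate the enveloped signature with the matching public key.
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        DOMValidateContext valCtx = new DOMValidateContext(
            KeySelector.singletonKeySelector(kp.getPublic()), nl.item(0));
        XMLSignature parsed = fac.unmarshalXMLSignature(valCtx);
        System.out.println("core validation: " + parsed.validate(valCtx));
    }

    private static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        for (int n; (n = in.read(buf)) != -1; ) {
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }
}
```

Because the JDK provider ships its own copy of the canonicalizer, the printed start tag is an independent reference point: compare it against the two SignedInfo lines quoted in the report to see which library version agrees with the specification, and note that the same bytes are what any third-party verifier (xmlsec, DiKe, FileProtector) reconstructs before checking the RSA signature.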
[jira] [Updated] (SANTUARIO-266) c14n11 produces different
signatures using version 1.4.3 and 1.4.4
Posted by "Giacomo Boccardo (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SANTUARIO-266?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Giacomo Boccardo updated SANTUARIO-266:
---------------------------------------
Comment: was deleted
(was: It doesn't work :()
[jira] [Issue Comment Edited] (SANTUARIO-266) c14n11 produces
different signatures using version 1.4.3 and 1.4.4
Posted by "Giacomo Boccardo (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SANTUARIO-266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13022065#comment-13022065 ]
Giacomo Boccardo edited comment on SANTUARIO-266 at 4/20/11 10:27 AM:
----------------------------------------------------------------------
I attached two files generated signing the same document using the two different versions of the library.
Verifying them with the following products/services, I suspect that a bug has been introduced in the latest version of the library.
* XMLSec Online XML Digital Signature Verifier (http://www.aleksey.com/xmlsec/xmldsig-verifier.html)
  * 1.4.3: [...] RESULT: Signature is OK
  * 1.4.4: [...] func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=346:obj=rsa-sha256:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match
    RESULT: Signature is INVALID
* DiKe (https://www.firma.infocert.it/installazione/installazione_DiKe.php)
  * 1.4.3: "Firma XML OK" (= XML Signature OK)
  * 1.4.4: "Firma non verificata" (= Signature not verified)
* FileProtector (http://www.actalis.it/, non-free):
  * 1.4.3: verified
  * 1.4.4: not verified
* GlobalTrustFinder Online Verifier (http://www.globaltrustfinder.com/XMLSignatureVerificationStep1.aspx) would have to be used with a certificate which they trust...!
[jira] Updated: (SANTUARIO-266) c14n11 produces different
signatures using version 1.4.3 and 1.4.4
Posted by "Giacomo Boccardo (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SANTUARIO-266?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Giacomo Boccardo updated SANTUARIO-266:
---------------------------------------
Attachment: TestGenEnvelopedTutorial.java
Not a "real" JUnit: to be executed with Santuario's versions 1.4.3 and 1.4.4.
[jira] [Commented] (SANTUARIO-266) c14n11 produces different
signatures using version 1.4.3 and 1.4.4
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SANTUARIO-266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13020332#comment-13020332 ]
Colm O hEigeartaigh commented on SANTUARIO-266:
-----------------------------------------------
Are you sure this is a bug? As I said in the previous comment, there was a bug in 1.4.3 (see SANTUARIO-191) that has been fixed in 1.4.4. It's entirely possible the signature that was generated in 1.4.3 was incorrect.
Colm.
[jira] [Updated] (SANTUARIO-266) c14n11 produces different
signatures using version 1.4.3 and 1.4.4
Posted by "Giacomo Boccardo (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SANTUARIO-266?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Giacomo Boccardo updated SANTUARIO-266:
---------------------------------------
Comment: was deleted
(was: It works!)
[jira] [Updated] (SANTUARIO-266) c14n11 produces different
signatures using version 1.4.3 and 1.4.4
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SANTUARIO-266?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh updated SANTUARIO-266:
------------------------------------------
Attachment: xmlsec-1.4.5-SNAPSHOT.jar
[jira] [Commented] (SANTUARIO-266) c14n11 produces different
signatures using version 1.4.3 and 1.4.4
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SANTUARIO-266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13020329#comment-13020329 ]
Colm O hEigeartaigh commented on SANTUARIO-266:
-----------------------------------------------
I'll take a look. It's definitely not a duplicate of SANTUARIO-191, as that issue has been fixed. Perhaps the fix has introduced this regression.
Colm.