You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@santuario.apache.org by "Giacomo Boccardo (JIRA)" <ji...@apache.org> on 2011/04/20 12:28:06 UTC

[jira] [Issue Comment Edited] (SANTUARIO-266) c14n11 produces different signatures using version 1.4.3 and 1.4.4

    [ https://issues.apache.org/jira/browse/SANTUARIO-266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13022065#comment-13022065 ] 

Giacomo Boccardo edited comment on SANTUARIO-266 at 4/20/11 10:27 AM:
----------------------------------------------------------------------

I attached two files generated signing the same document using the two different versions of the library.

Verifying them with the following products/services, I suspect that a bug has been introduced in the latest version of the library.

 * XMLSec Online XML Digital Signature Verifer (http://www.aleksey.com/xmlsec/xmldsig-verifier.html)
   * 1.4.3: [...] RESULT: Signature is OK
   * 1.4.4: [...] func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=346:obj=rsa-sha256:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match
                  RESULT: Signature is INVALID

 * DiKe (https://www.firma.infocert.it/installazione/installazione_DiKe.php)
   * 1.4.3: "Firma XML OK" (= XML Signature OK)
   * 1.4.4: "Firma non verificata" (= Signature not verified)

 * FileProtector (http://www.actalis.it/, non-free):
   * 1.4.3: verified
   * 1.4.4: not verified

 * GlobalTrustFinder Online Verifier (http://www.globaltrustfinder.com/XMLSignatureVerificationStep1.aspx) should be used using a certificate which they trust...!

      was (Author: jhack):
    I attached two files generated signing the same document using the two different versions of the library.

Verifying them with the following products/services, I suspect that a bug has been introduced in the latest version of the library.

 * http://www.aleksey.com/xmlsec/xmldsig-verifier.html
   * 1.4.3: [...] RESULT: Signature is OK
   * 1.4.4: [...] func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=346:obj=rsa-sha256:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match
                  RESULT: Signature is INVALID

 * DiKe (https://www.firma.infocert.it/installazione/installazione_DiKe.php)
   * 1.4.3: "Firma XML OK" (= XML Signature OK)
   * 1.4.4: "Firma non verificata" (= Signature not verified)

 * FileProtector (http://www.actalis.it/, non-free):
   * 1.4.3: verified
   * 1.4.4: not verified

 * GlobalTrustFinder Online Verifier (http://www.globaltrustfinder.com/XMLSignatureVerificationStep1.aspx) should be used using a certificate which they trust...!
  
> c14n11 produces different signatures using version 1.4.3 and 1.4.4
> ------------------------------------------------------------------
>
>                 Key: SANTUARIO-266
>                 URL: https://issues.apache.org/jira/browse/SANTUARIO-266
>             Project: Santuario
>          Issue Type: Bug
>          Components: Java
>    Affects Versions: Java 1.4.4
>            Reporter: Giacomo Boccardo
>            Assignee: Colm O hEigeartaigh
>            Priority: Critical
>              Labels: SignedInfo, attributes, c14n11, canonicalization, id
>         Attachments: TestGenEnvelopedTutorial.java, test143.xml
>
>
> When I changed the canonicalization algorithm used to generate signatures from "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" to "http://www.w3.org/2006/12/xml-c14n11" and the version of Santuario from 1.4.3 to 1.4.4 all the signatures produced were no more valid if verified by the version 1.4.3 and viceversa.
> I mean that "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" produces the same signature in both versions, while "http://www.w3.org/2006/12/xml-c14n11" has the following beaviour:
> 1) SignatureValue differs
> 2) the SignedInfo used to produce the signature is:
>     1.4.3
>        <ds:SignedInfo xmlns:apache="http://www.apache.org/ns/#app1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:foo="http://example.org/#foo">
>     1.4.4
>        <ds:SignedInfo attr1="test1" foo:attr1="foo's test" id="testId" xmlns:apache="http://www.apache.org/ns/#app1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:foo="http://example.org/#foo">        
>  
> The document before the signature is:
> <apache:RootElement xmlns:apache="http://www.apache.org/ns/#app1" xmlns:foo="http://example.org/#foo" attr1="test1" id="testId" foo:attr1="foo's test">Some simple text
> </apache:RootElement> 
> To create a sample to reproduce the issue I modified https://svn.apache.org/repos/asf/santuario/xml-security-java/trunk/samples/org/apache/xml/security/samples/signature/CreateSignature.java using an RSA key (to generate the same SignatureValue each time).
> Obviously, I can't write a JUnit because you need two different versions of Santuario's library.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira