Posted to commits@santuario.apache.org by "Giacomo Boccardo (JIRA)" <ji...@apache.org> on 2011/04/20 12:28:06 UTC
[jira] [Issue Comment Edited] (SANTUARIO-266) c14n11 produces different signatures using version 1.4.3 and 1.4.4
[ https://issues.apache.org/jira/browse/SANTUARIO-266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13022065#comment-13022065 ]
Giacomo Boccardo edited comment on SANTUARIO-266 at 4/20/11 10:27 AM:
----------------------------------------------------------------------
I attached two files generated by signing the same document using the two different versions of the library.
Verifying them with the following products/services, I suspect that a bug has been introduced in the latest version of the library.
* XMLSec Online XML Digital Signature Verifier (http://www.aleksey.com/xmlsec/xmldsig-verifier.html)
  * 1.4.3: [...] RESULT: Signature is OK
  * 1.4.4: [...] func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=346:obj=rsa-sha256:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match
    RESULT: Signature is INVALID
* DiKe (https://www.firma.infocert.it/installazione/installazione_DiKe.php)
  * 1.4.3: "Firma XML OK" (= XML Signature OK)
  * 1.4.4: "Firma non verificata" (= Signature not verified)
* FileProtector (http://www.actalis.it/, non-free):
  * 1.4.3: verified
  * 1.4.4: not verified
* GlobalTrustFinder Online Verifier (http://www.globaltrustfinder.com/XMLSignatureVerificationStep1.aspx) should be used with a certificate which they trust...!
was (Author: jhack):
I attached two files generated by signing the same document using the two different versions of the library.
Verifying them with the following products/services, I suspect that a bug has been introduced in the latest version of the library.
* http://www.aleksey.com/xmlsec/xmldsig-verifier.html
  * 1.4.3: [...] RESULT: Signature is OK
  * 1.4.4: [...] func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=346:obj=rsa-sha256:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match
    RESULT: Signature is INVALID
* DiKe (https://www.firma.infocert.it/installazione/installazione_DiKe.php)
  * 1.4.3: "Firma XML OK" (= XML Signature OK)
  * 1.4.4: "Firma non verificata" (= Signature not verified)
* FileProtector (http://www.actalis.it/, non-free):
  * 1.4.3: verified
  * 1.4.4: not verified
* GlobalTrustFinder Online Verifier (http://www.globaltrustfinder.com/XMLSignatureVerificationStep1.aspx) should be used with a certificate which they trust...!
> c14n11 produces different signatures using version 1.4.3 and 1.4.4
> ------------------------------------------------------------------
>
> Key: SANTUARIO-266
> URL: https://issues.apache.org/jira/browse/SANTUARIO-266
> Project: Santuario
> Issue Type: Bug
> Components: Java
> Affects Versions: Java 1.4.4
> Reporter: Giacomo Boccardo
> Assignee: Colm O hEigeartaigh
> Priority: Critical
> Labels: SignedInfo, attributes, c14n11, canonicalization, id
> Attachments: TestGenEnvelopedTutorial.java, test143.xml
>
>
> When I changed the canonicalization algorithm used to generate signatures from "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" to "http://www.w3.org/2006/12/xml-c14n11" and the version of Santuario from 1.4.3 to 1.4.4, all the signatures produced were no longer valid when verified with version 1.4.3, and vice versa.
> I mean that "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" produces the same signature in both versions, while "http://www.w3.org/2006/12/xml-c14n11" has the following behaviour:
> 1) SignatureValue differs
> 2) the SignedInfo used to produce the signature is:
> 1.4.3
> <ds:SignedInfo xmlns:apache="http://www.apache.org/ns/#app1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:foo="http://example.org/#foo">
> 1.4.4
> <ds:SignedInfo attr1="test1" foo:attr1="foo's test" id="testId" xmlns:apache="http://www.apache.org/ns/#app1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:foo="http://example.org/#foo">
>
> The document before the signature is:
> <apache:RootElement xmlns:apache="http://www.apache.org/ns/#app1" xmlns:foo="http://example.org/#foo" attr1="test1" id="testId" foo:attr1="foo's test">Some simple text
> </apache:RootElement>
> To create a sample to reproduce the issue I modified https://svn.apache.org/repos/asf/santuario/xml-security-java/trunk/samples/org/apache/xml/security/samples/signature/CreateSignature.java using an RSA key (to generate the same SignatureValue each time).
> Obviously, I can't write a JUnit because you need two different versions of Santuario's library.
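Added example, not code from the issue or from Santuario: a small standard-library Python model of which attributes Canonical XML 1.0 and 1.1 copy from ancestors onto an element when only a subtree (here ds:SignedInfo) is canonicalized, plus a check that flags ordinary ancestor attributes turning up in a canonicalizer's output, as attr1, foo:attr1 and id do in the 1.4.4 SignedInfo quoted above. The sample document is the one from the report extended with constructed xml:lang and xml:id attributes on the root and a Signature/SignedInfo child, so that the 1.0/1.1 difference is visible; the two quoted SignedInfo start tags are reused as the canonicalizer outputs to check. C14N 1.1's joining of ancestor xml:base values is not modelled (the function raises if it meets one).

```python
"""Model of C14N attribute inheritance for a document subset, plus a leak check.

Added example (not Santuario code); uses only the Python standard library.
"""
from xml.dom import XML_NAMESPACE, XMLNS_NAMESPACE
from xml.dom import minidom

C14N10 = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
C14N11 = "http://www.w3.org/2006/12/xml-c14n11"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the report's document, extended with xml:lang and xml:id on the
# root and with a Signature/SignedInfo child so there is a subtree to canonicalize.
SAMPLE_DOC = (
    '<apache:RootElement xmlns:apache="http://www.apache.org/ns/#app1" '
    'xmlns:foo="http://example.org/#foo" attr1="test1" id="testId" '
    'foo:attr1="foo\'s test" xml:lang="en" xml:id="root">Some simple text'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>'
    '</ds:SignedInfo></ds:Signature></apache:RootElement>'
)

# The two SignedInfo start tags quoted in the report, closed so they parse on their own.
CANONICAL_143 = (
    '<ds:SignedInfo xmlns:apache="http://www.apache.org/ns/#app1" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
    'xmlns:foo="http://example.org/#foo"></ds:SignedInfo>'
)
CANONICAL_144 = (
    '<ds:SignedInfo attr1="test1" foo:attr1="foo\'s test" id="testId" '
    'xmlns:apache="http://www.apache.org/ns/#app1" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
    'xmlns:foo="http://example.org/#foo"></ds:SignedInfo>'
)


def own_attributes(elem):
    """Attributes written on elem itself, keyed (namespace URI, local name).
    Namespace declarations are left out: C14N handles them under a separate rule."""
    return {
        (a.namespaceURI, a.localName): a.value
        for a in elem.attributes.values()
        if a.namespaceURI != XMLNS_NAMESPACE
    }


def inherited_attributes(elem, algorithm):
    """Attributes C14N adds to elem from ancestors outside the canonicalized subset
    (here: every ancestor, because only elem's own subtree is canonicalized).

    C14N 1.0: every xml:* attribute of any ancestor, nearest ancestor winning.
    C14N 1.1: only xml:lang and xml:space (nearest wins) and xml:base (ancestor
              values are joined; that join is not modelled here). xml:id never.
    Ordinary attributes (attr1, id, foo:attr1, ...) are inherited by neither.
    """
    if algorithm not in (C14N10, C14N11):
        raise ValueError("unknown canonicalization algorithm: " + algorithm)
    own = own_attributes(elem)
    inherited = {}
    anc = elem.parentNode
    while anc is not None and anc.nodeType == anc.ELEMENT_NODE:
        for (ns, local), value in own_attributes(anc).items():
            if ns != XML_NAMESPACE or (ns, local) in own or (ns, local) in inherited:
                continue  # not an xml:* attribute, or a nearer value already wins
            if algorithm == C14N11:
                if local == "base":
                    raise NotImplementedError("C14N 1.1 xml:base joining not modelled")
                if local not in ("lang", "space"):
                    continue  # xml:id and other xml:* attributes are not inherited
            inherited[(ns, local)] = value
        anc = anc.parentNode
    return inherited


def leaked_attributes(elem, canonical_xml, algorithm):
    """Attributes in a canonicalizer's output for elem that are neither elem's own nor
    legitimately inherited. A non-empty result means the canonicalizer copied ordinary
    ancestor attributes; since SignedInfo is the bytes that get signed, every conforming
    verifier then computes a different value and rejects the signature."""
    allowed = inherited_attributes(elem, algorithm)
    allowed.update(own_attributes(elem))
    actual = own_attributes(minidom.parseString(canonical_xml).documentElement)
    return {key: value for key, value in actual.items() if key not in allowed}


def signed_info(xml_text):
    """Parse a signed document and return its first ds:SignedInfo element."""
    doc = minidom.parseString(xml_text)
    return doc.getElementsByTagNameNS(DSIG_NS, "SignedInfo")[0]


if __name__ == "__main__":
    si = signed_info(SAMPLE_DOC)
    for algo in (C14N10, C14N11):
        print(algo.rsplit("/", 1)[-1], "inherits:", inherited_attributes(si, algo))
    for label, canon in (("1.4.3", CANONICAL_143), ("1.4.4", CANONICAL_144)):
        print(label, "leaked:", leaked_attributes(si, canon, C14N11))
```

Run as a script it reports that C14N 1.0 would inherit both xml:lang and xml:id onto SignedInfo, C14N 1.1 only xml:lang, that the 1.4.3 output leaks nothing, and that the 1.4.4 output carries attr1, foo:attr1 and id, none of which belong to SignedInfo or to the inheritable xml:* set. The same check can be run against any canonicalizer by feeding it the element it was given and the bytes it produced.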
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira