xmlsec 1.0.4 and 1.0.5D2

["Ng Chi Yuen [Cyng]" <cy...@csis.hku.hk>]

Hi,

        I have been using xmlsec 1.0.4 and 1.0.5D2 for sometimes. I follow
the steps exactly as stated in signing (CreateSignature) and verification
(VerifySignature) example.

        At the time I was using 1.0.4, I can verify a message signed by
1.0.4 successfully. But once it was changed 1.0.5D2, codes have to be
modified in order to verify a message signed by 1.0.5D2. As reported by our
users, it seems that 1.0.4 cannot "interoperate" with 1.0.5D2, i.e.,
a 1.0.4 signed message cannot be verified using 1.0.5D2 and vice versa.
At least, the intermediate canonicalization output (I capture it by debug
codes) of 1.0.5D2 is different from that of 1.0.4.

        Now, I am doing some experiments. I keep my codes fixed (I assume
the signing steps as demonstrated in the example are followed). Then,
I capture and print the signature element (DOM element) using 1.0.4 and
1.0.5D2 respectively. I find that the digest values for
<Reference URI="MyPayload"> (my added payload) are the same for both
versions (at least, this means I implement the ResourceResolver correctly).
However, for <Reference URI="">, the digest values are different. Then,
which version of xmlsec is doing the right thing?

        The xalan.jar bundled with xmlsec is 2.4.D1 and I am now using
xalan 2.5 (my assumption is that the newer version should still do
the correct XPath transform as the old version). Is it related to the
digest value difference?

        Also, is it true that the canonicalization implementation in
1.0.5D2 is different from 1.0.4?

        Thanks a lot for your help!

Regards,
CY

----------------------------------------------------------------------------
Ng Chi Yuen, CY.       cyng@cecid.hku.hk       http://www.cecid.hku.hk/
Technology Officer,
Centre for E-Commerce Infrastructure Development,
The University of Hong Kong
----------------------------------------------------------------------------