Posted to commits@santuario.apache.org by "Aleksandr Beliakov (Jira)" <ji...@apache.org> on 2020/04/02 09:52:00 UTC

[jira] [Created] (SANTUARIO-530) Reference validation always omits comments for canonicalization

Aleksandr Beliakov created SANTUARIO-530:
--------------------------------------------

             Summary: Reference validation always omits comments for canonicalization
                 Key: SANTUARIO-530
                 URL: https://issues.apache.org/jira/browse/SANTUARIO-530
             Project: Santuario
          Issue Type: Bug
    Affects Versions: Java 2.1.4
            Reporter: Aleksandr Beliakov
            Assignee: Colm O hEigeartaigh
         Attachments: exclusive_with_comments.xml, exclusive_without_comments.xml

Hello, I have a problem when validating signature references with canonicalization transforms with comments, like "http://www.w3.org/2001/10/xml-exc-c14n#WithComments" and "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments".

I use the following code to validate a reference:
{code:java}
org.apache.xml.security.signature.Reference.verify();
{code}
The problem seems to be in the method Reference.getContentsAfterTransformation(input, os). The thing is that the _input_ variable of XMLSignatureInput.class here always has an attribute "excludeComments=true", and the boolean value never changes depending on the requested transformer.

I attach two signatures, one without comments and one with comments, in order to show that the result produced by the method Reference.getContentsAfterTransformation().getBytes() is the same for these two different transforms.

Could you please clarify whether this is expected behavior or a bug?

Best regards,

Aleksandr.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
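
The following is an added example, not code from the report or from the Santuario project: it runs the comment-preserving and comment-omitting canonicalizers named above directly, outside `Reference`, so their byte output can be compared with what `Reference.getContentsAfterTransformation()` returns. It assumes the Santuario 2.1.x `Canonicalizer` API (the release line the report names) on the classpath; the class name `C14nCommentCheck` and the sample document are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.c14n.Canonicalizer;
import org.w3c.dom.Document;

public class C14nCommentCheck {
    // Constructed sample input: one comment inside the element a reference would cover.
    static final String SAMPLE =
        "<doc xmlns=\"urn:example\"><!-- constructed comment --><item>value</item></doc>";

    static byte[] canonicalize(Document doc, String algorithmUri) throws Exception {
        // Calls the canonicalizer directly, bypassing Reference and XMLSignatureInput.
        return Canonicalizer.getInstance(algorithmUri)
                            .canonicalizeSubtree(doc.getDocumentElement());
    }

    public static void main(String[] args) throws Exception {
        org.apache.xml.security.Init.init(); // registers the canonicalization algorithms

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Refuse DOCTYPE declarations while parsing the sample.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)));

        // Each pair is {omit-comments URI, with-comments URI} for one algorithm family.
        String[][] pairs = {
            {Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS,
             Canonicalizer.ALGO_ID_C14N_EXCL_WITH_COMMENTS},
            {Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS,
             Canonicalizer.ALGO_ID_C14N_WITH_COMMENTS},
        };
        for (String[] pair : pairs) {
            byte[] omitted = canonicalize(doc, pair[0]);
            byte[] kept = canonicalize(doc, pair[1]);
            System.out.println(pair[1]);
            System.out.println("  omit comments: " + new String(omitted, StandardCharsets.UTF_8));
            System.out.println("  with comments: " + new String(kept, StandardCharsets.UTF_8));
            System.out.println("  outputs differ: " + !Arrays.equals(omitted, kept));
        }
    }
}
```

If the direct outputs differ while the `Reference` outputs match, the comments were removed before the transform ran. XML Signature specifies that removal for same-document references written as `URI=""` or `URI="#id"`, while the `#xpointer(/)` and `#xpointer(id('ID'))` forms keep comments.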