Posted to dev@santuario.apache.org by be...@ozemail.com.au on 2003/07/01 00:47:28 UTC

Re: Re: .NET Interop

Morti,

I think we may be getting somewhere :>.

Normally the presence of the namespace would be
correct (c14n should bring in any namespaces
defined in ancestor nodes).

However in this case, the parent of the SignedProperties
node, <QualifyingProperties> has a xmlns="",
clearing the default namespace.  So, looking at
the original XML you are quite correct - the
<SignedProperties> node has no extant namespace
definitions.

Looks like there may be an error in the .NET
library.

Cheers,
    Berin

> 
> From: Morti Mer <fu...@yahoo.fr>
> Subject: Re: .NET Interop
> Date: 01/07/2003 1:30:43
> To: Apache XML DSIG <se...@xml.apache.org>
> 
> Berin,
> 
> The file http://xandrex.free.fr/c14n/dotnet_signed.xml
> contains the XML Signature and 
> http://xandrex.free.fr/c14n/C14NTransform.xml contains
> the result of the two transforms : XPath + C14N
> 
> The transforms added a namespace to signedProperties
> node. Is it the normal behaviour ?
> 
> Thanks
> 
> MM
> 
>  --- Berin Lautenbach <be...@ozemail.com.au> wrote:
> > Morti,
> > 
> > I have just had a _very_ quick look at the API for .NET signatures.
> > There is a method GetOutput() for Transform objects that should give
> > you the output of the transform.  Would be interesting to see the
> > output of the C14N transform object.
> > 
> > BTW - Have never really played with .NET, so tell me if the above is
> > simply incorrect :>.
> > 
> > Cheers,
> > 	Berin
> > 
> > 
> > Morti Mer wrote:
> > > Berin,
> > > 
> > > .Net library doesn't give information about the
> > > canonicalisation it uses.
> > > 
> > > I have added a C14NTransform to the References of the
> > > Signature: the output is located in
> > > http://xandrex.free.fr/ref1/dotnet_signed_c14n.xml
> > > 
> > > I still cannot validate the signature. Seems not to be
> > > related to canonicalisation.
> > > 
> > > MM.
> > >  --- Berin Lautenbach <be...@ozemail.com.au> wrote:
> > > 
> > >>(RE-sending - seems to have gone missing in
> > >>transit).
> > >>
> > >>Morti,
> > >>
> > >>The second reference is exactly what I get, and
> > >>after canonicalisation I
> > >>get the same hash.
> > >>
> > >>The first reference, I think I get the same thing - basically the
> > >>SignedProperties sub-tree of the document.  So if I'm getting the same
> > >>nodeset (and that's what the XPath expression that you have is supposed
> > >>to return), then our canonicalisations must differ, because I get a
> > >>different hash.
> > >>
> > >>Are you able to give me the canonicalised version of
> > >>the first reference?
> > >>
> > >>Cheers,
> > >>	Berin
> > >>
> > >>
> > >>Morti Mer wrote:
> > >>
> > >>>Berin,
> > >>>
> > >>>the first Reference returns an XmlNodeList of 37 items:
> > >>>  * the first one is <SignedProperties> Node and its children
> > >>>  * the second item is the first child of
> > >>>    <SignedProperties>: <SignedSignatureProperties>
> > >>>  * the third item is the first child of the previous
> > >>>    item: <SigningTime>
> > >>>  * etc
> > >>>
> > >>>These nodes are available at
> > >>>http://xandrex.free.fr/ref1/SignedProperties.xml
> > >>>http://xandrex.free.fr/ref1/SignedSignatureProperties.xml
> > >>>http://xandrex.free.fr/ref1/SigningTime.xml
> > >>>
> > >>>The second reference points to the enveloping document:
> > >>>
> > >>><Person><Name>Morti</Name><Surname>Mer</Surname></Person>
> > >>>
> > >>>It seems that the first reference uses a wrong XPath
> > >>>transform because it returns a recursive filter of the
> > >>>SignedProperties element while my need is the first
> > >>>node it returns ...
> > >>>
> > >>>Do you obtain the same outputs with the C++ Library ?
> > >>>
> > >>>Thank you very much
> > >>>
> > >>>
> > >>> --- Berin Lautenbach <be...@ozemail.com.au> wrote:
> > >>>
> > >>>>Erwin van der Koogh wrote:
> > >>>>
> > >>>>>>What it might be worth your while doing is downloading another XMLSig
> > >>>>>>library (eg IBM's or Phaos) and seeing if you can verify the signature
> > >>>>>>with them. That should give you some direction as to whether it is
> > >>>>>>Apache or Microsoft that aren't doing it properly. (I know who my
> > >>>>>>money's on).
> > >>>>>
> > >>>>>I concur.. While it's not impossible that Apache might be doing something
> > >>>>>wrong, it's been passing interop tests for months with other major toolkit
> > >>>>>vendors with tens of different signature scenarios. AFAIK Microsoft hasn't
> > >>>>>published any test vectors or any interop test results.
> > >>>>
> > >>>>I'd also re-iterate that I'm getting some interesting errors with the
> > >>>>C++ library.  So if you have a way with the .NET library of outputting
> > >>>>the data streams from each reference (i.e. the data that the library is
> > >>>>sending to the SHA-1 digest algorithm), I'm happy to
> === message truncated === 

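The namespace point in the message above (inclusive c14n brings ancestor namespace declarations into the signed subtree, but xmlns="" on <QualifyingProperties> clears the default one), as an added example that is not code from this thread, from the Apache library or from .NET. The document, the Id value and the function names are constructed for illustration, and the serializer is a simplified stand-in for C14N that handles only elements, text, unprefixed attributes and namespace declarations.

```python
import base64
import hashlib
from xml.dom import minidom

# Constructed sample, not the thread's dotnet_signed.xml: the signature uses the
# XML-DSig default namespace and <QualifyingProperties> resets it with xmlns="".
DOC = ('<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><Object>'
       '<QualifyingProperties xmlns=""><SignedProperties Id="sp">'
       '<SignedSignatureProperties><SigningTime>2003-06-30T12:00:00Z'
       '</SigningTime></SignedSignatureProperties></SignedProperties>'
       '</QualifyingProperties></Object></Signature>')

def in_scope_namespaces(elem):
    """Prefix ('' = default) -> URI in scope at elem; nearest declaration wins."""
    scope, node = {}, elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        for attr in node.attributes.values():
            if attr.name.startswith("xmlns"):  # xmlns or xmlns:prefix
                scope.setdefault(attr.name[6:], attr.value)
        node = node.parentNode
    # xmlns="" leaves an empty entry: the default namespace is undeclared here.
    return {prefix: uri for prefix, uri in scope.items() if uri}

def _esc(text, quote=False):
    text = text.replace("&", "&amp;").replace("<", "&lt;")
    return text.replace('"', "&quot;") if quote else text.replace(">", "&gt;")

def c14n_subtree(elem, rendered=None):
    """Simplified inclusive C14N of elem and all of its descendants."""
    scope, rendered = in_scope_namespaces(elem), rendered or {}
    decls = [(p, u) for p, u in sorted(scope.items()) if rendered.get(p) != u]
    if rendered.get("") and "" not in scope:
        decls.insert(0, ("", ""))  # output parent had a default, this node has none
    attrs = sorted((a.name, a.value) for a in elem.attributes.values()
                   if not a.name.startswith("xmlns"))
    out = "<" + elem.tagName + "".join(
        ' xmlns%s="%s"' % (":" + p if p else "", _esc(u, True)) for p, u in decls)
    out += "".join(' %s="%s"' % (n, _esc(v, True)) for n, v in attrs) + ">"
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out += c14n_subtree(child, scope)
        elif child.nodeType == child.TEXT_NODE:
            out += _esc(child.data)
    return out + "</" + elem.tagName + ">"

def reference_digest(xml, tag="SignedProperties"):
    """Canonical form and base64 SHA-1 digest of the first <tag> subtree."""
    canon = c14n_subtree(minidom.parseString(xml).getElementsByTagName(tag)[0])
    return canon, base64.b64encode(hashlib.sha1(canon.encode()).digest()).decode()
```

Calling reference_digest(DOC) and reference_digest(DOC.replace(' xmlns=""', '')) gives two different canonical forms and two different digests, which is the kind of mismatch a verifier reports as a failed reference.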



Re: Re: .NET Interop

Posted by Morti Mer <fu...@yahoo.fr>.
Berin,

that means that if I want to validate the .NET
generated signature with xml-sec, I have to modify
xml-sec source code in order to add/modify the xmlns
attribute just after canonicalization (in Attribute
vectors) and before verifying the signature, right?

I'll try that and come back for report.

Thanks a lot

Morti

 --- berin@ozemail.com.au wrote:
> Morti,
> 
> I think we may be getting somewhere :>.
> 
> Normally the presence of the namespace would be
> correct (c14n should bring in any namespaces
> defined in ancestor nodes).
> 
> However in this case, the parent of the SignedProperties
> node, <QualifyingProperties> has a xmlns="",
> clearing the default namespace.  So, looking at
> the original XML you are quite correct - the
> <SignedProperties> node has no extant namespace
> definitions.
> 
> Looks like there may be an error in the .NET
> library.
> 
> Cheers,
>     Berin