Posted to dev@santuario.apache.org by Hess Yvan <yv...@imtf.ch> on 2004/12/17 08:12:49 UTC

RE: Bug or Corrupted version 1.2: version 1.2 doesn't sign document as the version 1.1 !!!

I don't know where the problem is, I just know that a document that has been
signed and verified with version 1.1 is considered not valid in version
1.2!
The digest values of the external reference are the same, but the digest
value of the XML (filter is "intersect" and value = "edoc:EDOC/edoc:Object")
doesn't return the same value. Which one do I have to consider wrong? Where is the
problem?

Regards. Yvan

-----Original Message-----
From: Raul Benito [mailto:raul-info@r-bg.com]
Sent: Thursday, 16 December 2004 16:39
To: security-dev@xml.apache.org
Subject: Re: Bug or Corrupted version 1.2: version 1.2 doesn't sign
document as the version 1.1 !!!


> Hi,
>
> I used version 1.1 and I signed documents that have external URI references
> using JUnit tests. Applying the same test with version 1.2, my JUnit tests
> failed. I compared the signature and digest value and they are DIFFERENT
> !!!!!
>
First of all I need more information, can you send the document which is
failing? If not we cannot do anything. Second, I'm not an XPath expert
but I'll take a look at the Object, and see if the signature node is
included in the <edoc:EDOC><edoc:Object>, i.e.
you have something like:
<edoc:EDOC>
...
<edoc:Object>
...
..
<ds:Signature>
..
..
</edoc:Object>
</edoc:EDOC>
If this is your case you know where your problem resides. If not please file a
bug report.

Thanks,

Raul



>
> ******************************************************************************
> Here is the signature result of my XML document with version 1.1:
> ******************************************************************************
>
> <edoc:SignatureBlock id="Revision-1-Signature-1"><edoc:SignatureDate>2004-12-16T15:19:57</edoc:SignatureDate><edoc:Signer>Hess Yvan (first signature)</edoc:Signer>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
> <ds:Reference URI="">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
> <dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2" Filter="intersect">/edoc:EDOC/edoc:Object</dsig-xpath:XPath>
> </ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> <ds:DigestValue>iR+QqWJUmEp9SqD/y7EWwF2Svqg=</ds:DigestValue>
> </ds:Reference>
> <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033464">
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> <ds:DigestValue>7typFfsZFzJVtEsGinu58N8RtqE=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>
> RwNgZQIe2haQQufbN8N/MeSsLKZOLkDczPai9H2j4GUvc4MYyh5DHzumAUN6TY9xQGp+oisOlPJJ
> bLbe33kK0i637v1r737RYg+axX3zuc6N89hjgqpSlGWET23JfzYpCw+ZnhLtDjbD/8pqVB7+NC0P
> G7C8E43ZklpxeAZsHI0cuYXwWCOo0GFKyAxhpuvhyjSc2NX9UBy9N5IL/l6rHTH7T3PXv1+nuKXV
> gkXEG587IWCcxjRLM/rBzdCr3WE1gslpWOr/9LOOhXzm6JkswS+QaBaawThuZi8KryTfeM4YTHvO
> urniH1fN3pH5aNpgGLu/PB6zusv7jjXEJBzHmQ==
> </ds:SignatureValue>
> ......
>
>
> ******************************************************************************
> Here is the signature result of my XML document with version 1.2:
> ******************************************************************************
>
> <edoc:SignatureBlock id="Revision-1-Signature-1"><edoc:SignatureDate>2004-12-10T15:04:55</edoc:SignatureDate><edoc:Signer>Hess Yvan (first signature)</edoc:Signer>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
> <ds:Reference URI="">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
> <dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2" Filter="intersect">/edoc:EDOC/edoc:Object</dsig-xpath:XPath>
> </ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> <ds:DigestValue>VUXqX81Q/RLCegjQdaBOISDDayE=</ds:DigestValue>
> </ds:Reference>
> <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033464">
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> <ds:DigestValue>7typFfsZFzJVtEsGinu58N8RtqE=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>
> rnvby10ZnBnqZcR6qQk48SmagIRdF9dBZ0RAvR/eSq44G12nZbxWJHDGPfZE3d7msCZKKsbXqqGl
> 6QnoqOJUf+mMjoBcytsfXUBfznGu20T63JbXEGhaGW/XqBvbyATiSnR3NFf/KzrxV73KKQAWHOv/
> SZDMln17J//mRvjEa+78JEdaKRRS4C1JCtktm88FJrpeeIsNJoZ1Swm0Lcn/9/aX1L85Xrs7NDKz
> 0eCt/bfaFStY9ILYLzzKVrrQmyeU8nJA8a3ky1ZFBMYXB8n4DsYb6f+JJTvJjtBtgZw7doV/hzc+
> PTK6pVUCD90t7Gv7vSq+eI7NQte3WC3RK/yfBA==
> </ds:SignatureValue>
> .......
>
> As you can see DigestValue and SignatureValue are different with version
> 1.1 and 1.2 !!!!!!!!!!!!!!!! What is the problem? On which version can I
> rely?
>
> Can anybody help me? It is a critical point for us because we archive
> signed XML documents on optical disk and if they are wrongly signed....
>
>
> Regards. Yvan Hess
>
>


RE: Bug or Corrupted version 1.2: version 1.2 doesn't sign document as the version 1.1 !!!

Posted by Raul Benito <ra...@r-bg.com>.
> I don't know where the problem is, I just know that a document that has been
> signed and verified with version 1.1 is considered not valid in
> version 1.2!
> The digest values of the external reference are the same, but the
> digest value of the XML (filter is "intersect" and value = "edoc:EDOC/edoc:Object")
> doesn't return the same value. Which one do I have to consider wrong? Where is the
> problem?
First of all, without the whole document I cannot give you the exact
reason, sorry.
I suppose that you are including the ds:Signature element in the reference,
and that's something you are not supposed to do. If this is your case, the
way the digests are calculated is implementation dependent, and we have
changed a lot the way the c14n and digesting methods work from 1.1 to 1.2,
and that's why it fails where it previously worked; but anyway in this case
your signatures will fail in other implementations.
But it can also be that you have found a real bug. But until we have all the
information, I think the first cause (you are including the
signature) is more likely.

Regards,

Raul
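The check Raul asks for, and the reason behind his explanation, as an added example that is not part of the thread and not code from the Apache XML Security project. It builds a constructed document in the shape Raul sketched (the ds:Signature nested inside edoc:Object, i.e. inside the node set the intersect filter /edoc:EDOC/edoc:Object selects), tests whether the referenced subtree contains a signature, and shows that the SHA-1 digest of that subtree then depends on the signature's own bytes, so any difference in how an implementation builds or serializes the in-progress Signature element (or the value it holds at verification time) changes the digest; excluding the signature subtree, as the enveloped-signature transform does, gives a stable digest. Assumptions not in the thread: the edoc namespace URI is a placeholder, the sample document is constructed, and canonicalization uses Python's standard-library C14N 2.0 as a stand-in for the C14N 1.0 algorithm the posted signatures use.

```python
"""
Added example (not code from the Apache XML Security project or from the
thread's authors). Shows why a Reference whose XPath Filter 2 "intersect"
node set still contains ds:Signature cannot yield a stable digest, and how
excluding the signature subtree fixes it.

Assumptions (not in the thread): placeholder edoc namespace URI, constructed
sample document, stdlib C14N 2.0 (ET.canonicalize) instead of C14N 1.0.
SHA-1 matches the DigestMethod in the posted signatures.
"""
import copy
import hashlib
import xml.etree.ElementTree as ET

EDOC_NS = "urn:example:edoc"  # placeholder namespace, assumed
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"edoc": EDOC_NS, "ds": DS_NS}
ET.register_namespace("edoc", EDOC_NS)
ET.register_namespace("ds", DS_NS)


def build_document(signature_value: str) -> ET.Element:
    """Constructed sample in the shape Raul sketched: the ds:Signature sits
    inside edoc:Object, i.e. inside the intersect filter's node set."""
    doc = f"""<edoc:EDOC xmlns:edoc="{EDOC_NS}" xmlns:ds="{DS_NS}">
  <edoc:Object>
    <edoc:Payload>archived record</edoc:Payload>
    <edoc:SignatureBlock id="Revision-1-Signature-1">
      <ds:Signature>
        <ds:SignedInfo/>
        <ds:SignatureValue>{signature_value}</ds:SignatureValue>
      </ds:Signature>
    </edoc:SignatureBlock>
  </edoc:Object>
</edoc:EDOC>"""
    return ET.fromstring(doc)


def select_object(root: ET.Element) -> ET.Element:
    """Node set selected by the filter /edoc:EDOC/edoc:Object (root is EDOC)."""
    return root.find("edoc:Object", NS)


def signature_inside_reference(root: ET.Element) -> bool:
    """Raul's question: does the referenced subtree contain a ds:Signature?"""
    return select_object(root).find(".//ds:Signature", NS) is not None


def digest(node: ET.Element, exclude_signature: bool) -> str:
    """SHA-1 over the canonicalized subtree; optionally drop ds:Signature
    first, which is what the enveloped-signature transform achieves."""
    node = copy.deepcopy(node)  # never mutate the caller's tree
    if exclude_signature:
        for parent in list(node.iter()):
            for sig in parent.findall("ds:Signature", NS):
                parent.remove(sig)
    c14n = ET.canonicalize(ET.tostring(node, encoding="unicode"))
    return hashlib.sha1(c14n.encode("utf-8")).hexdigest()


def demo() -> dict:
    """Two signing runs that differ only in the SignatureValue bytes."""
    first = build_document("AAAA")
    second = build_document("BBBB")
    return {
        "signature_in_reference": signature_inside_reference(first),
        # signature included: the digest tracks the signature's own bytes
        "digest_with_signature_changes":
            digest(select_object(first), False) != digest(select_object(second), False),
        # signature excluded: the digest covers only the payload and is stable
        "digest_without_signature_stable":
            digest(select_object(first), True) == digest(select_object(second), True),
    }


if __name__ == "__main__":
    print(demo())
```

The practical takeaway for anyone verifying archived signatures: before trusting a digest mismatch between library versions, run the containment check above on the signed document; if the reference's node set includes the signature, the reference was malformed at signing time and the document needs an enveloped-signature transform (or an XPath that excludes ds:Signature) rather than a library fix.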