Posted to tsik-dev@ws.apache.org by "Granqvist, Hans" <hg...@verisign.com> on 2006/01/18 14:36:17 UTC

RE: canonicalization problem with tsik ?

Hi Henri,
 
The presence of the prefix, or any prefix, is not relevant in canonicalization,
since the c14n process only deals with the namespace URI, not the chosen prefix.
This means that, for example,
<a:element xmlns:a="http://a"/>
and
<element xmlns="http://a"/>
are equivalent.
 
There are too many unknowns here for me to help efficiently. I'd need to see the
actual Java code and XML that is being verified with TSIK to help. Can you post
it/them?
 
Thanks,
Hans


________________________________

	From: henri.delbrouck@skynet.be [mailto:henri.delbrouck@skynet.be]
	Sent: Monday, January 16, 2006 12:11 PM
	To: Granqvist, Hans
	Subject: RE: canonicalization problem with tsik ?
	
	
	Hi Hans,
	 
	I received your mail and apologize for my late answer. Last week, I did
	some debugging to check what was wrong. I did not send the code snippet
	because I thought that the problem was located in the .net code (client)
	and not the java code (server). It is right. I found that .net makes some
	modifications to the xml (formatting with addition of space and LF) after
	signing, which cause the digest verification to fail.
	Now, the .net client sends a correct message and the digest verification
	is successful (digest value found in the signed info element). But
	unfortunately, the signature verification (SignedInfo element) fails.
	Perhaps you could help me in this area?
	I see that in the SOAP message sent by the .net client, there is no "ds"
	prefix for the Signature element and its children (SignedInfo,
	SignatureValue and KeyInfo). It seems that the SignatureValue element is
	not correctly found in the XML. Could it be a problem if there is no "ds"
	prefix? Having a look in the tsik source code, I see that the signature
	value is found by using the "ds" prefix (is it correct?). Is it possible
	to modify the code in order to support signed messages with or without
	the "ds" prefix?
	I think that the ds prefix is not mandatory according to the OASIS
	specification.
	Thank you very much for any advice.
	 
	Henri
	 
	
	
________________________________

	Hi Henri, I sent you a follow-up email but saw no response. Let me know
	if you still have problems.
	
	Thanks,
	
	Hans
	
	

________________________________

		From: henri.delbrouck@skynet.be [mailto:henri.delbrouck@skynet.be]
		Sent: Tuesday, January 10, 2006 7:21 AM
		To: Granqvist, Hans
		Subject: canonicalization problem with tsik ?
		
		
		
		Hello Hans,
		 
		I come again with the problem I submitted to you at the end of
		last year.
		I use tsik.jar with wssecurity.jar and got a signature
		verification problem when the signing client is a .net 2005
		client. I only use the body signature. To be able to diagnose
		what is wrong, I downloaded the tsik sources from apache (even if
		I use the tsik downloaded from the verisign web site). Up to now,
		I saw that the digest computed by .net and the one computed by
		the verifying server don't match. Do you have any idea?
		It seems that the canonicalization keeps some tab and blank
		characters. This could lead to a wrong digest computation.
		Normally, the canonicalization should eliminate all tab and
		unnecessary blank chars.
		Thanks for your help.
		 
		Henri Delbrouck
		
		
		
		

	--
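
Added example, not part of the thread and not TSIK or .NET code: it reproduces the two checks discussed above, a digest over the canonical form when the body is re-indented after signing, and locating SignatureValue with or without the "ds" prefix. The sample XML is constructed, the function names are hypothetical, and the Python standard library's C14N 2.0 and SHA-256 are assumptions standing in for whichever canonicalization and digest algorithms the messages in the thread used.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample bodies (not taken from the thread).
BODY_AS_SIGNED = '<Body xmlns="urn:example:constructed"><Order><Id>42</Id></Order></Body>'
# Same content; only the quoting and the spacing inside the tags differ.
BODY_TAG_SPACING = "<Body xmlns='urn:example:constructed' ><Order><Id >42</Id ></Order></Body>"
# Re-indented after signing: spaces and LF added between the elements.
BODY_REINDENTED = ('<Body xmlns="urn:example:constructed">\n  <Order>\n'
                   '    <Id>42</Id>\n  </Order>\n</Body>')

# Constructed Signature elements, with and without the "ds" prefix.
SIG_PREFIXED = ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo/>'
                '<ds:SignatureValue>Q09OU1RSVUNURUQ=</ds:SignatureValue></ds:Signature>' % DSIG_NS)
SIG_DEFAULT_NS = ('<Signature xmlns="%s"><SignedInfo/>'
                  '<SignatureValue>Q09OU1RSVUNURUQ=</SignatureValue></Signature>' % DSIG_NS)


def c14n_digest(xml_text):
    """Base64 SHA-256 over the canonical form (assumption: stdlib C14N 2.0)."""
    canonical = ET.canonicalize(xml_text)  # whitespace in text nodes is kept as-is
    return base64.b64encode(hashlib.sha256(canonical.encode("utf-8")).digest()).decode("ascii")


def digest_matches(as_signed, as_received):
    """True when the receiver recomputes the same digest the signer stored."""
    return c14n_digest(as_signed) == c14n_digest(as_received)


def signature_value_by_namespace(xml_text):
    """Locate SignatureValue by namespace URI and local name; the prefix is ignored."""
    node = next(ET.fromstring(xml_text).iter("{%s}SignatureValue" % DSIG_NS), None)
    return None if node is None else (node.text or "").strip()


def signature_value_by_prefix(xml_text):
    """Hypothetical lookup keyed on the literal "ds:" qualified name, for contrast."""
    match = re.search(r"<ds:SignatureValue>([^<]*)</ds:SignatureValue>", xml_text)
    return match.group(1) if match else None


if __name__ == "__main__":
    print("tag spacing only:", digest_matches(BODY_AS_SIGNED, BODY_TAG_SPACING))
    print("re-indented body:", digest_matches(BODY_AS_SIGNED, BODY_REINDENTED))
    print("by namespace, no prefix:", signature_value_by_namespace(SIG_DEFAULT_NS))
    print("by literal prefix, no prefix:", signature_value_by_prefix(SIG_DEFAULT_NS))
```

Canonicalization normalizes quoting and spacing inside tags, so the second body still matches, while whitespace added between elements is character content and changes the digest.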