Posted to dev@santuario.apache.org by Milan Tomic <mi...@setcce.org> on 2004/06/23 17:39:13 UTC

With comments

	Do the C++ XSEC libraries support canonicalization WithComments?
I have one document signed and verified using Java XSEC libraries, but I
can't verify it using C++ XSEC libraries. Reference digest is not valid.
Here is SignedInfo:

<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>QLLUpIfi2+x6kp7Smu8riBFShAs=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>

Best regards,
Milan

RE: With comments

Posted by Milan Tomic <mi...@setcce.org>.
	Thank you, guys. We took new version from CVS and it works OK.

	Version 1.1 of Java libraries was not signing PIs. When I
removed PIs from Java XSEC 1.1 signed file and verified signature using
C++ libraries, signature was valid.

Best regards,
Milan



Re: With comments

Posted by ra...@r-bg.com.
> I've just run these two sample files against the CVS Java library.  The
> "with" file fails to verify, but the "without" is fine.
>
> Dumping the post transformation bytes, I get the same output as the C++
> library - in particular the PI stuff is output.  With the Java 1.1
> library, I don't get the PI output, only the nodes after it.
>
> According to :
>
> http://www.w3.org/TR/xml-c14n#Example-OutsideDoc
>
> My read is that the PI *should* be there, so the C++ library and current
> Java CVS behaviour is correct.  Java library 1.1 and previous is
> incorrect (again my read).  This agrees with Raul's position, but I'm
> happy to be contradicted if someone thinks I have it up wrong!
>
> Cheers,
> 	Berin
>
You are *completely* right. I was getting mad because I was only testing in
CVS branch and it was correct.
Perhaps the issue is fixed in the patch where I rewrite the c14nsubtree
making it common between excl & incl.

Regards,



Re: With comments

Posted by Berin Lautenbach <be...@wingsofhermes.org>.
I've just run these two sample files against the CVS Java library.  The 
"with" file fails to verify, but the "without" is fine.

Dumping the post transformation bytes, I get the same output as the C++ 
library - in particular the PI stuff is output.  With the Java 1.1 
library, I don't get the PI output, only the nodes after it.

According to :

http://www.w3.org/TR/xml-c14n#Example-OutsideDoc

My read is that the PI *should* be there, so the C++ library and current 
Java CVS behaviour is correct.  Java library 1.1 and previous is 
incorrect (again my read).  This agrees with Raul's position, but I'm 
happy to be contradicted if someone thinks I have it up wrong!

Cheers,
	Berin

Milan Tomic wrote:

> Hi Raul,
> 
> 
>>The code in CVS of c14n in java and c++ looks good enough. So 
>>I need to know what version of the Java library are you 
>>using
> 
> I've checked with both 1.0 and 1.1 version of XSEC (checksig.exe app)
> and verification of signature fails. :<
> 
> Thank you,
> Milan
> 
> 
> 
> 

RE: With comments

Posted by Milan Tomic <mi...@setcce.org>.
Hi Raul,

> The code in CVS of c14n in java and c++ looks good enough. So 
> I need to know what version of the Java library are you 
> using
I've checked with both 1.0 and 1.1 version of XSEC (checksig.exe app)
and verification of signature fails. :<

Thank you,
Milan



RE: With comments

Posted by ra...@r-bg.com.
> Hello Raul,
>
>>   I suppose that the original document has the PI, right?
> No, I don't have any additional PIs except this one:
>
> <?xml-stylesheet type="text/xsl" href="http://www.setcce.org"?>
>
> I've attached XML file with my previous post.
>
> Best regards,
> Milan
>
>
>

Ok,
The error seems to be that as the PI is the first element before the
document a leading #0A must be emitted (in the example you send it isn't)
<cite>
# Processing Instruction (PI) Nodes- The opening PI symbol (<?), the PI
target name of the node, a leading space and the string value if it is not
empty, and the closing PI symbol (?>). If the string value is empty, then
the leading space is not added. Also, a trailing #xA is rendered after the
closing PI symbol for PI children of the root node with a lesser document
order than the document element, and a leading #xA is rendered before the
opening PI symbol of PI children of the root node with a greater document
order than the document element.
</cite>

The code in CVS of c14n in java and c++ looks good enough. So I need to
know what version of the Java library are you using, and it will be good
to have the code that generated the signature (better just the DOM
instructions).

Thanks,

Raul
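
Added example, not part of the thread and not code from either XSEC library: the PI rule quoted above, checked by dumping the canonical octets and hashing them with and without the PI that precedes the document element. It uses Python's standard-library canonicalize, which implements C14N 2.0 rather than the 2001 C14N named in the SignedInfo (both render this input identically); the sample document and all function names are constructed for illustration.

```python
import base64
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed sample: the stylesheet PI from the thread in front of a made-up
# document element (the real signed file is not on the page).
SAMPLE = (
    '<?xml version="1.0"?>\n'
    '<?xml-stylesheet type="text/xsl" href="http://www.setcce.org"?>\n'
    '\n'
    '<doc b="2" a="1">Hello<!-- note --></doc>\n'
    '<?trailer?>\n'
)


def c14n_bytes(xml_text, with_comments=True):
    """Canonical octets as they would be fed to the digest."""
    return canonicalize(xml_text, with_comments=with_comments).encode("utf-8")


def drop_leading_pis(canonical):
    """Model the faulty output described in the thread: PIs that precede the
    document element are missing and only the nodes after them remain.
    Line-based, so it only suits single-line PIs like the one in SAMPLE."""
    lines = canonical.split(b"\n")
    while lines and lines[0].startswith(b"<?"):
        lines.pop(0)
    return b"\n".join(lines)


def digest_value(octets):
    """Base64 SHA-1, the form stored in ds:DigestValue for xmldsig#sha1."""
    return base64.b64encode(hashlib.sha1(octets).digest()).decode("ascii")


def compare(xml_text):
    """Return (correct octets, faulty octets, and the digest of each)."""
    good = c14n_bytes(xml_text)
    bad = drop_leading_pis(good)
    return good, bad, digest_value(good), digest_value(bad)


if __name__ == "__main__":
    good, bad, d_good, d_bad = compare(SAMPLE)
    print(good.decode())
    print("digest with PI   :", d_good)
    print("digest without PI:", d_bad)
```

Comparing the two octet dumps side by side, as done later in the thread, shows which side dropped a node before any digest or key material needs to be examined.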


RE: With comments

Posted by Milan Tomic <mi...@setcce.org>.
Hello Raul,

>   I suppose that the original document has the PI, right?
No, I don't have any additional PIs except this one:

<?xml-stylesheet type="text/xsl" href="http://www.setcce.org"?>

I've attached XML file with my previous post.

Best regards,
Milan



RE: With comments

Posted by ra...@r-bg.com.
> Berin,
>
>> Hmm, don't like that!  Can you send me the full document as an
>> attachment?  The library definitely supports WithComments, so it
>> shouldn't be an issue there.
> I believe I've found what the problem is. Interoperability between Java &
> C++ libraries fails when there is XML pre processing instruction for
> stylesheet in XML file. I'm attaching both XML files, with and without
> stylesheet instruction. XML file with stylesheet instruction have
> invalid signature in C++ and valid in Java XSEC library.
>
> Best regards,
> Milan
>

Hi,
  I suppose that the original document has the PI, right? Reading the c14n
spec seems that the Java is the correct one. As you are not using any
xpath transformation the PI must be emitted. As reads in the spec:
<cite>

The examples in this section assume a non-validating processor, primarily
so that a document type declaration can be used to declare entities as
well as default attributes and attributes of various types (such as ID and
enumerated) without having to declare all attributes for all elements in
the document. As well, one example contains an element that deliberately
violates a validity constraint (because it is still well-formed).
3.1 PIs, Comments, and Outside of Document Element
==================================================
Input Document:
---------------
<?xml version="1.0"?>

<?xml-stylesheet   href="doc.xsl"
   type="text/xsl"   ?>

<!DOCTYPE doc SYSTEM "doc.dtd">

<doc>Hello, world!<!-- Comment 1 --></doc>

<?pi-without-data     ?>

<!-- Comment 2 -->

<!-- Comment 3 -->

Canonical Form (uncommented):
------------------------------
<?xml-stylesheet href="doc.xsl"
   type="text/xsl"   ?>
<doc>Hello, world!</doc>
<?pi-without-data?>

Canonical Form (commented):
---------------------------
<?xml-stylesheet href="doc.xsl"
   type="text/xsl"   ?>
<doc>Hello, world!<!-- Comment 1 --></doc>
<?pi-without-data?>
<!-- Comment 2 -->
<!-- Comment 3 -->



</cite>


RE: With comments

Posted by Milan Tomic <mi...@setcce.org>.
Berin,

> Hmm, don't like that!  Can you send me the full document as an 
> attachment?  The library definitely supports WithComments, so it 
> shouldn't be an issue there.
I believe I've found what the problem is. Interoperability between Java &
C++ libraries fails when there is XML pre processing instruction for
stylesheet in XML file. I'm attaching both XML files, with and without
stylesheet instruction. XML file with stylesheet instruction have
invalid signature in C++ and valid in Java XSEC library.

Best regards,
Milan

Re: With comments

Posted by Berin Lautenbach <be...@wingsofhermes.org>.
Hmm, don't like that!  Can you send me the full document as an 
attachment?  The library definitely supports WithComments, so it 
shouldn't be an issue there.

Cheers,
	Berin

Milan Tomic wrote:
> 
>         Do the C++ XSEC libraries support canonicalization WithComments? 
> I have one document signed and verified using Java XSEC libraries, but I 
> can't verify it using C++ XSEC libraries. Reference digest is not valid. 
> Here is SignedInfo:
> 
> <ds:SignedInfo>
> <ds:CanonicalizationMethod 
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod> 
> 
> <ds:SignatureMethod 
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod> 
> 
> <ds:Reference URI="">
> <ds:Transforms>
> <ds:Transform 
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform> 
> 
> <ds:Transform 
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"></ds:Transform> 
> 
> </ds:Transforms>
> <ds:DigestMethod 
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> <ds:DigestValue>QLLUpIfi2+x6kp7Smu8riBFShAs=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> 
> Best regards,
> Milan
>