Posted to dev@santuario.apache.org by bu...@apache.org on 2008/09/04 16:20:34 UTC

DO NOT REPLY [Bug 45744] New: XPath transform and xml-stylesheet

https://issues.apache.org/bugzilla/show_bug.cgi?id=45744

           Summary: XPath transform and xml-stylesheet
           Product: Security
           Version: Java 1.4.1
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Signature
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: mlistwan@gmail.com


Created an attachment (id=22525)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=22525)
upp_sign.xml is the signature and out.xml signed xml

There is a problem with verification of signatures having a ds:Reference to an
XML file with <?xml-stylesheet?> with XPath transform. As you create the
same signature referencing a modified document by omitting <?xml-stylesheet?>,
the signature verification succeeds.

I had to solve the problem and came to the conclusion that there is a bug in
org.apache.xml.security.signature.XMLSignatureInput. The source of the problem
is the line this._subNode=doc.getDocumentElement(); in void convertToNodes().
Assigning only the root element removes xml-stylesheet. Changing the line to:
this._subNode=doc; seems to fix it.

Attached out.zip has two files that show the situation.


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
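
The DOM behaviour behind the report above, as an added example that is not part of the original thread or of the Santuario code base: a document-level <?xml-stylesheet?> is a child of the Document node and a sibling of the root element, so a node-set built from doc.getDocumentElement() cannot contain it, while one built from doc does. The class name, helper methods and sample XML are constructed for illustration (this is not the attached out.xml); only JDK DOM classes are used.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;

public class StylesheetPiDemo {
    // Constructed sample input, not the attachment from the bug report.
    static final String XML =
        "<?xml version=\"1.0\"?>\n"
      + "<?xml-stylesheet type=\"text/xsl\" href=\"style.xsl\"?>\n"
      + "<doc><item>value</item></doc>";

    // Flatten the subtree under 'root' in document order, as a node-set
    // for a transform is built from a chosen starting node.
    static void collect(Node root, List<Node> out) {
        out.add(root);
        for (Node c = root.getFirstChild(); c != null; c = c.getNextSibling()) {
            collect(c, out);
        }
    }

    // Number of processing-instruction nodes reachable from 'root'.
    static long countPis(Node root) {
        List<Node> nodes = new ArrayList<>();
        collect(root, nodes);
        return nodes.stream()
            .filter(n -> n.getNodeType() == Node.PROCESSING_INSTRUCTION_NODE)
            .count();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Parser hardening for untrusted input: refuse any DOCTYPE.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(
            new ByteArrayInputStream(XML.getBytes(StandardCharsets.UTF_8)));

        // Starting point used by the line quoted in the report.
        System.out.println("from getDocumentElement(): "
            + countPis(doc.getDocumentElement()));
        // Starting point proposed in the report.
        System.out.println("from doc: " + countPis(doc));
    }
}
```

A signer that digests the node-set of the whole document and a verifier that starts from the root element feed different octets to the digest, which is the mismatch the reporter saw with a signature produced by another library.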

DO NOT REPLY [Bug 45744] XPath transform and xml-stylesheet

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45744





--- Comment #4 from Michal Listwan <ml...@gmail.com>  2009-06-18 13:12:12 PST ---
I have no objections.


DO NOT REPLY [Bug 45744] XPath transform and xml-stylesheet

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45744


coheigea <co...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #22525|0                           |1
        is obsolete|                            |
  Attachment #23828|0                           |1
        is obsolete|                            |




--- Comment #5 from coheigea <co...@apache.org>  2009-06-19 04:12:41 PST ---
Created an attachment (id=23832)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=23832)
A patch for this issue


See attached for a patch for this issue. It includes the suggested fix to
XMLSignatureInput, as well as a unit test that's derived from the submitted
test-case.

Colm.


DO NOT REPLY [Bug 45744] XPath transform and xml-stylesheet

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45744





--- Comment #1 from coheigea <co...@apache.org>  2009-06-18 04:52:20 PST ---

Do you have a test-case for this issue?

Colm.


DO NOT REPLY [Bug 45744] XPath transform and xml-stylesheet

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45744


coheigea <co...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




--- Comment #6 from coheigea <co...@apache.org>  2009-07-10 06:32:03 PST ---

Patch applied.

Colm.


DO NOT REPLY [Bug 45744] XPath transform and xml-stylesheet

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45744





--- Comment #3 from coheigea <co...@apache.org>  2009-06-18 08:48:59 PST ---

Thanks Michael. I'll create a patch including a test-case for this issue. Do
you have any objections to me adding the test code and signature files to the
project?

Colm.


DO NOT REPLY [Bug 45744] XPath transform and xml-stylesheet

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45744





--- Comment #2 from Michal Listwan <ml...@gmail.com>  2009-06-18 06:42:38 PST ---
Created an attachment (id=23828)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=23828)
verification

The attachment verifies the pair (upp_sign.xml and out.xml). As the line is
"this._subNode=doc.getDocumentElement();" verification of reference out.xml
fails. With "this._subNode=doc" verification succeeds.

The signature was created with a third-party library. It caused an inconsistency
that made me look for this bug.
