Posted to dev@santuario.apache.org by chirsmail sapl <ch...@yahoo.com> on 2006/04/07 06:03:29 UTC

JDOM - Sign validation

I am running into an issue with the XML signature validation of JDOM. The issue is that the XML signature validation of DOM converted from JDOM fails.

Here are the steps for signing:
1) Converted JDOM to DOM using SAXBuilder
2) Signed a URI of the converted DOM
3) Converted the DOM into JDOM again
It works fine.

Here are the steps for validation:
1) Converted JDOM into DOM
2) Validated the DOM

The validation of DOM converted from JDOM fails. The reason is the converted DOM from JDOM is different than the original DOM.
I am not getting the exact DOM out of JDOM, due to which the validation fails.

Can any expert suggest a way to get the original DOM out of JDOM in order to make the validation work?

Thanks in advance for the help

cheers,
chris.
 
		

Re: JDOM - Sign validation

Posted by Martin Labarthe Dubois <du...@consist.com.ar>.
> But is your code available for others to use?

Not yet, I mailed Jason the idea of launching the whole project as a JDOM sister.

> Or when you did this, did you find issues that might help the original poster?

Every modification that is not "caught" by c14n could affect the signature, so we need 
to see the samples to see what is missing.

Re: JDOM - Sign validation

Posted by "David Wall - Yozons Inc." <da...@yozons.com>.
> Yes, I did quite a lot of R&D on that and made a pure JDOM XML signing 
> algorithm.
> I prefer JDOM to DOM a lot!

But is your code available for others to use?  Or when you did this, did 
you find issues that might help the original poster?

David

Re: JDOM - Sign validation

Posted by Martin Labarthe Dubois <du...@consist.com.ar>.
Yes, I did quite a lot of R&D on that and made a pure JDOM XML signing algorithm.
I prefer JDOM to DOM a lot!

I also made a JAXB based on JDOM instead too. I found it much simpler and faster to 
manage business objects that way, and sign them directly from there.

The other difference of my JAXB is that I generate POJO objects per each XML node, 

> Has anyone done some R&D on handling JDOM for signing and validating?


Re: JDOM - Sign validation

Posted by chirsmail sapl <ch...@yahoo.com>.
Thanks again for your comments. The app handles JDOM across the life cycle, due to which the signed DOM should be updated back into JDOM and the JDOM converted to DOM instead of saving the XML into a file.

Has anyone done some R&D on handling JDOM for signing and validating?
  

Martin Labarthe Dubois <du...@consist.com.ar> wrote:
  You can try saving the XML to a file, and reading from it,
  when traspasing from one format to another and vice versa. JDOM <-> DOM

  Moreover, I usually use IBMXMLSecurity suite to test the file just 
  typing 
  java dsig.VerifyGUI "filename.xml"

  ----- Original Message ----- 
  From: chirsmail sapl 
  To: security-dev@xml.apache.org 
  Sent: Friday, April 07, 2006 2:31 PM
  Subject: Re: JDOM - Sign validation

  Thanks for the reply. When I print the DOM and the DOM converted from JDOM, they seem to be the same. I see a lot of difference on the object level between the signed DOM and the DOM converted from JDOM. Because the signing of the DOM converted from JDOM works well. After updating the DOM into JDOM and then converting the JDOM back to DOM, the validation fails.

  I think if I get the exact signed DOM out of JDOM, I should be able to validate the signature. But I don't know how to get the exact DOM out of JDOM for validation.

  Martin Labarthe Dubois <du...@consist.com.ar> wrote:
    Yes. In this case I also saw both of them identical from the c14n perspective.

    You must have some other difference.

      ----- Original Message ----- 
      From: David Wall - Yozons Inc. 
      To: security-dev@xml.apache.org 
      Sent: Friday, April 07, 2006 2:09 PM
      Subject: Re: JDOM - Sign validation

        Thanks for the reply.
        1) The difference is on the byte level. When we print the bytes of the original DOM and the DOM converted from JDOM, the size is different.
        2) The DOM converted from JDOM has white space if the element doesn't have values.
        For example:
        Original XML content:
        <?xml version="1.0" encoding="UTF-8"?>
        <div id="main"></div>

        DOM o/p using XMLUtils.outputDOMc14nWithComments(
        <div id="main"></div>

        JDOM O/P converted from DOM using XMLOutputter:
        <?xml version="1.0" encoding="UTF-8"?>
        <div id="main" />

        I think that's why it doesn't validate the DOM converted from JDOM.
        Can any expert suggest a way to resolve the issue?

      Isn't the point of canonicalization to remove such problems from syntactically equivalent XML? It seems that the element is the same, has the same value and same attributes with the same values, so they should be treated as the same data from a digital signing perspective.

      David

    

Re: JDOM - Sign validation

Posted by chirsmail sapl <ch...@yahoo.com>.
One more point to add is that the signed DOM validates. But the signed DOM converted to JDOM and then the DOM out of JDOM doesn't validate.

Martin Labarthe Dubois <du...@consist.com.ar> wrote:
  You can try saving the XML to a file, and reading from it,
  when traspasing from one format to another and vice versa. JDOM <-> DOM

  Moreover, I usually use IBMXMLSecurity suite to test the file just 
  typing 
  java dsig.VerifyGUI "filename.xml"
   
   

Re: JDOM - Sign validation

Posted by Martin Labarthe Dubois <du...@consist.com.ar>.
You can try saving the XML to a file, and reading from it,
when traspasing from one format to another and vice versa. JDOM <-> DOM

Moreover, I usually use IBMXMLSecurity suite to test the file just 
typing 
java dsig.VerifyGUI "filename.xml"



Re: JDOM - Sign validation

Posted by chirsmail sapl <ch...@yahoo.com>.
Thanks for the reply. When I print the DOM and the DOM converted from JDOM, they seem to be the same. I see a lot of difference on the object level between the signed DOM and the DOM converted from JDOM. Because the signing of the DOM converted from JDOM works well. After updating the DOM into JDOM and then converting the JDOM back to DOM, the validation fails.

I think if I get the exact signed DOM out of JDOM, I should be able to validate the signature. But I don't know how to get the exact DOM out of JDOM for validation.

Martin Labarthe Dubois <du...@consist.com.ar> wrote:
  Yes. In this case I also saw both of them identical from the c14n perspective.

  You must have some other difference.
   

Re: JDOM - Sign validation

Posted by Martin Labarthe Dubois <du...@consist.com.ar>.
Yes. In this case I also saw both of them identical from the c14n perspective.

You must have some other difference.


Re: JDOM - Sign validation

Posted by "David Wall - Yozons Inc." <da...@yozons.com>.
> Thanks for the reply.
> 1) The difference is on the byte level. When we print the bytes of the 
> original DOM and the DOM converted from JDOM, the size is different.
> 2) The DOM converted from JDOM has white space if the element 
> doesn't have values.
> For example:
> Original XML content:
> <?xml version="1.0" encoding="UTF-8"?>
> <div id="main"></div>
>  
> DOM o/p using XMLUtils.outputDOMc14nWithComments(
> <div id="main"></div>
>  
> JDOM O/P converted from DOM using XMLOutputter:
> <?xml version="1.0" encoding="UTF-8"?>
> <div id="main" />
>  
> I think that's why it doesn't validate the DOM converted from JDOM.
> Can any expert suggest a way to resolve the issue?

Isn't the point of canonicalization to remove such problems from 
syntactically equivalent XML?   It seems that the element is the same, 
has the same value and same attributes with the same values, so they 
should be treated as the same data from a digital signing perspective.

David
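
Added example, not part of any message in this thread and not Santuario or JDOM code: a Python diagnostic that canonicalizes the two serializations quoted above and reports where, if anywhere, the canonical forms diverge. It assumes Python 3.8+ and uses the standard library's C14N 2.0 as a stand-in for the canonicalizer used when signing; the `PADDED` document is a constructed sample of a round trip that leaves a whitespace-only text node behind.

```python
import hashlib
import xml.etree.ElementTree as ET

# The two serializations quoted in the thread.
ORIGINAL = '<?xml version="1.0" encoding="UTF-8"?>\n<div id="main"></div>'
JDOM_OUTPUT = '<?xml version="1.0" encoding="UTF-8"?>\n<div id="main" />'
# Constructed sample: a round trip that leaves a whitespace-only text node
# inside the element (for example, a pretty-printing serializer).
PADDED = '<?xml version="1.0" encoding="UTF-8"?>\n<div id="main"> </div>'


def canonical(xml_text):
    """Canonical form; whitespace text nodes are kept, not stripped."""
    return ET.canonicalize(xml_text, with_comments=True, strip_text=False)


def digest(xml_text):
    """SHA-256 over the canonical bytes, the input a reference digest covers."""
    return hashlib.sha256(canonical(xml_text).encode("utf-8")).hexdigest()


def first_difference(xml_a, xml_b, context=12):
    """Return (offset, a_snippet, b_snippet) at the first canonical mismatch,
    or None when both documents canonicalize to the same characters."""
    a, b = canonical(xml_a), canonical(xml_b)
    if a == b:
        return None
    offset = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y),
                  min(len(a), len(b)))
    lo = max(0, offset - context)
    return offset, a[lo:offset + context], b[lo:offset + context]


if __name__ == "__main__":
    for name, doc in [("JDOM_OUTPUT", JDOM_OUTPUT), ("PADDED", PADDED)]:
        same = digest(ORIGINAL) == digest(doc)
        diff = first_difference(ORIGINAL, doc)
        print(f"{name}: digest match={same}, first difference={diff!r}")
```

The empty-element form alone leaves the digest unchanged, while a single space of element content changes it, so comparing canonical output of the signed DOM and the round-tripped DOM locates the node that was altered.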

Re: JDOM - Sign validation

Posted by chirsmail sapl <ch...@yahoo.com>.
Thanks for the reply.
1) The difference is on the byte level. When we print the bytes of the original DOM and the DOM converted from JDOM, the size is different.
2) The DOM converted from JDOM has white space if the element doesn't have values.
For example:
Original XML content:
<?xml version="1.0" encoding="UTF-8"?>
<div id="main"></div>

DOM o/p using XMLUtils.outputDOMc14nWithComments(
<div id="main"></div>

JDOM O/P converted from DOM using XMLOutputter:
<?xml version="1.0" encoding="UTF-8"?>
<div id="main" />

I think that's why it doesn't validate the DOM converted from JDOM.
Can any expert suggest a way to resolve the issue?

Cheers,
Chris.

Martin Labarthe Dubois <du...@consist.com.ar> wrote:
  > The validation of DOM converted from JDOM fails. The reason is the converted DOM from JDOM is different than the original DOM.

  Can you specify where the difference is?
  Send some examples.
   


		

Re: JDOM - Sign validation

Posted by Martin Labarthe Dubois <du...@consist.com.ar>.
> The validation of DOM converted from JDOM fails. The reason is the converted DOM from JDOM is different than the original DOM.

Can you specify where the difference is?
Send some examples.