Posted to dev@santuario.apache.org by "Centeno Martinez, Fernando" <FC...@IGAE.minhac.es> on 2004/11/11 10:19:00 UTC

RE: Java XML security 1.2RC1 ready to download

Hello

I was testing the new xml security version 1.2, and I've found a strange thing. 

I was verifying a file. This file had got an incorrect signature with previous versions, and now with the new version the verify says the signature is correct. I don't know why???

I'm attaching the file, and I'd be very grateful if somebody could explain to me what's happening.

Thanks for all

Fernando Centeno

-----Original Message-----
From: Raul Benito [mailto:raul-info@r-bg.com]
Sent: Saturday, 30 October 2004 21:21
To: security-dev@xml.apache.org
Subject: Java XML security 1.2RC1 ready to download

Hello all,
    I have just uploaded a freshly compiled jar of the first release 
candidate of version 1.2 of the Java XML-Security to the Apache site. You 
can find it at 
http://xml.apache.org/security/dist/java-library/xmlsec-1.2RC1.jar.
A lot of changes have happened since the 1.1 release, mainly:

    - A rewritten canonicalization.
    - A lot of memory consumption reduction work.
    - A lot of optimization work.
    - A new JCE discovery mechanism.

So please download and test with your programs, so we can be sure we 
haven't broken anything.

Regards,


Raul


http://r-bg.com



Re: Java XML security 1.2RC1 ready to download

Posted by ra...@r-bg.com.
On 11/11/2004, at 10:19, Centeno Martinez, Fernando wrote:

> Hello
>
> I was testing the new xml security version 1.2, and I've found a 
> strange thing.
>
> I was verifying a file. This file had got an incorrect signature with 
> previous versions, and now with the new version the verify says the 
> signature is correct. I don't know why???
>
> I'm attaching the file, and I'd be very grateful if somebody could 
> explain to me what's happening.
>
> Thanks for all
>
> Fernando Centeno
>
> Regards,
>
>
> <prueba.xml>

Hi Fernando,

   First of all, how was this signature created? Was it tampered with, or 
is it just a good one? Regarding the changes from 1.1, there is at least one 
obscure bug in the c14n code that was fixed from 1.1, but as the c14n 
was rewritten, other things can be fixed. If it was a wrong signature, 
then we'll need to look more carefully, but I think that is unlikely.
Waiting for your answers,

Raul

http://r-bg.com