Posted to commits@santuario.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2020/04/02 09:56:00 UTC

[jira] [Commented] (SANTUARIO-530) Reference validation always omits comments for canonicalization

    [ https://issues.apache.org/jira/browse/SANTUARIO-530?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17073568#comment-17073568 ] 

Colm O hEigeartaigh commented on SANTUARIO-530:
-----------------------------------------------

Can you submit a test-case that shows the problem?

> Reference validation always omits comments for canonicalization
> ---------------------------------------------------------------
>
>                 Key: SANTUARIO-530
>                 URL: https://issues.apache.org/jira/browse/SANTUARIO-530
>             Project: Santuario
>          Issue Type: Bug
>    Affects Versions: Java 2.1.4
>            Reporter: Aleksandr Beliakov
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>         Attachments: exclusive_with_comments.xml, exclusive_without_comments.xml
>
>
> Hello, I have a problem when validating signature references with canonicalization transforms with comments, like "http://www.w3.org/2001/10/xml-exc-c14n#WithComments" and "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments".
> I use the following code to validate a reference:
> {code:java}
> org.apache.xml.security.signature.Reference.verify();
> {code}
> The problem seems to be in the method Reference.getContentsAfterTransformation(input, os). The thing is that the _input_ variable of XMLSignatureInput.class here always has an attribute "excludeComments=true", and the boolean value never changes depending on the requested transformer.
>  
> I attach two signatures, one without comments and one with comments, in order to show that the result produced by the method Reference.getContentsAfterTransformation().getBytes() is the same for these two different transforms.
>  
> Could you please clarify: is that expected behavior or a bug?
>  
> Best regards,
> Aleksandr.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
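
The comparison described in the report, as an added example that is not part of the original thread and is not Santuario code: it canonicalizes one document with and without comments and compares the resulting reference digests. Assumptions: Python's standard-library C14N 2.0 writer stands in for the 1.0 and exclusive algorithms, the sample document is constructed, and the function names are hypothetical.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Algorithm URIs (the two #WithComments ones are quoted in the report) mapped
# to whether comments must survive canonicalization.
KEEPS_COMMENTS = {
    "http://www.w3.org/2001/10/xml-exc-c14n#": False,
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments": True,
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315": False,
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments": True,
}

# Constructed sample input, not one of the attachments on the issue.
SAMPLE = ('<Order id="o1"><!-- approved by finance -->'
          '<Amount currency="EUR">100</Amount></Order>')


def canonical_bytes(xml_text, algorithm_uri):
    """Canonicalize xml_text, keeping comments only if the algorithm says so.

    Assumption: ElementTree's C14N 2.0 writer stands in for the 1.0 and
    exclusive algorithms; the sample avoids namespaces, where they differ.
    """
    keep = KEEPS_COMMENTS[algorithm_uri]  # KeyError on an unknown algorithm
    return canonicalize(xml_text, with_comments=keep).encode("utf-8")


def reference_digest(xml_text, algorithm_uri):
    """SHA-256 over the canonical form, as a Reference digest would be."""
    return hashlib.sha256(canonical_bytes(xml_text, algorithm_uri)).hexdigest()


def transforms_distinguishable(xml_text):
    """True when the with/without-comments transforms give different digests.

    A verifier that drops comments for every algorithm returns identical
    bytes for both, which is the symptom reported above.
    """
    base = "http://www.w3.org/2001/10/xml-exc-c14n#"
    return reference_digest(xml_text, base) != reference_digest(
        xml_text, base + "WithComments")


if __name__ == "__main__":
    for uri in KEEPS_COMMENTS:
        print(reference_digest(SAMPLE, uri)[:16], uri)
    print("distinguishable:", transforms_distinguishable(SAMPLE))
```

A test input for this kind of check has to contain at least one comment inside the signed content; without one, both transforms legitimately produce the same bytes.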