Posted to dev@santuario.apache.org by Hess Yvan <yv...@imtf.ch> on 2004/12/16 15:42:26 UTC

Bug or Corrupted version 1.2: version 1.2 doesn't sign document as the version 1.1 !!!

Hi,

I used version 1.1 and I signed documents that have external URI references
using JUNIT tests. Applying the same test with version 1.2, my JUNIT tests
failed. I compared the signature and digest values and they are DIFFERENT
!!!!!

****************************************************************************
Here is the signature result of my XML document with version 1.1:
****************************************************************************

<edoc:SignatureBlock id="Revision-1-Signature-1"><edoc:SignatureDate>2004-12-16T15:19:57</edoc:SignatureDate><edoc:Signer>Hess Yvan (first signature)</edoc:Signer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
<dsig-xpath:XPath
xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2"
Filter="intersect">/edoc:EDOC/edoc:Object</dsig-xpath:XPath>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>iR+QqWJUmEp9SqD/y7EWwF2Svqg=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033464">
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>7typFfsZFzJVtEsGinu58N8RtqE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
RwNgZQIe2haQQufbN8N/MeSsLKZOLkDczPai9H2j4GUvc4MYyh5DHzumAUN6TY9xQGp+oisOlPJJ
bLbe33kK0i637v1r737RYg+axX3zuc6N89hjgqpSlGWET23JfzYpCw+ZnhLtDjbD/8pqVB7+NC0P
G7C8E43ZklpxeAZsHI0cuYXwWCOo0GFKyAxhpuvhyjSc2NX9UBy9N5IL/l6rHTH7T3PXv1+nuKXV
gkXEG587IWCcxjRLM/rBzdCr3WE1gslpWOr/9LOOhXzm6JkswS+QaBaawThuZi8KryTfeM4YTHvO
urniH1fN3pH5aNpgGLu/PB6zusv7jjXEJBzHmQ==
</ds:SignatureValue>
......

****************************************************************************
Here is the signature result of my XML document with version 1.2
****************************************************************************

<edoc:SignatureBlock id="Revision-1-Signature-1"><edoc:SignatureDate>2004-12-10T15:04:55</edoc:SignatureDate><edoc:Signer>Hess Yvan (first signature)</edoc:Signer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
<dsig-xpath:XPath
xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2"
Filter="intersect">/edoc:EDOC/edoc:Object</dsig-xpath:XPath>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>VUXqX81Q/RLCegjQdaBOISDDayE=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033464">
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>7typFfsZFzJVtEsGinu58N8RtqE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
rnvby10ZnBnqZcR6qQk48SmagIRdF9dBZ0RAvR/eSq44G12nZbxWJHDGPfZE3d7msCZKKsbXqqGl
6QnoqOJUf+mMjoBcytsfXUBfznGu20T63JbXEGhaGW/XqBvbyATiSnR3NFf/KzrxV73KKQAWHOv/
SZDMln17J//mRvjEa+78JEdaKRRS4C1JCtktm88FJrpeeIsNJoZ1Swm0Lcn/9/aX1L85Xrs7NDKz
0eCt/bfaFStY9ILYLzzKVrrQmyeU8nJA8a3ky1ZFBMYXB8n4DsYb6f+JJTvJjtBtgZw7doV/hzc+
PTK6pVUCD90t7Gv7vSq+eI7NQte3WC3RK/yfBA==
</ds:SignatureValue>
.......

As you can see, DigestValue and SignatureValue are different with version
1.1 and 1.2 !!!!!!!!!!!!!!!! What is the problem? Which version can I
rely on?

Can anybody help me? It is a critical point for us because we archive signed
XML documents on optical disk and if they are wrongly signed....


Regards. Yvan Hess


Re: Bug or Corrupted version 1.2: version 1.2 doesn't sign document as the version 1.1 !!!

Posted by Raul Benito <ra...@r-bg.com>.
> Hi,
>
> I used version 1.1 and I signed documents that have external URI references
> using JUNIT tests. Applying the same test with version 1.2, my JUNIT tests
> failed. I compared the signature and digest values and they are DIFFERENT
> !!!!!
>
First of all, I need more information: can you send the document which is
failing? If not, we cannot do anything. Second, I'm not an XPath expert,
but I'll take a look at the Object and see if the signature nodes are
included in the <edoc:EDOC><edoc:Object>, i.e.
you have something like:
<edoc:EDOC>
...
<edoc:Object>
...
..
<ds:Signature>
..
..
</edoc:Object>
</edoc:EDOC>
If this is your case, you know where your problem resides. If not, please file a
bug report.

Thanks,

Raul



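One way to test the hypothesis raised in the reply before filing a bug, as an added example that is not part of the original thread or of the Santuario code base: the two posted outputs carry different SignatureDate values, so if the SignatureBlock lies under /edoc:EDOC/edoc:Object, the digest of the first Reference changes from run to run on that date alone. The edoc namespace URI and the edoc:Content element are assumptions, and ElementTree's C14N 2.0 serializer stands in for C14N 1.0 plus the XPath Filter 2.0 transform, so the digests printed here will not equal the ones in the post.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Assumption: the real edoc namespace URI does not appear in the thread.
EDOC_NS = "urn:example:edoc"
ET.register_namespace("edoc", EDOC_NS)


def build_doc(signature_date, block_inside_object):
    """Constructed sample EDOC; edoc:Content is a hypothetical payload element."""
    block = (
        '<edoc:SignatureBlock id="Revision-1-Signature-1">'
        f"<edoc:SignatureDate>{signature_date}</edoc:SignatureDate>"
        "<edoc:Signer>Hess Yvan (first signature)</edoc:Signer>"
        "</edoc:SignatureBlock>"
    )
    inside = block if block_inside_object else ""
    outside = "" if block_inside_object else block
    return (
        f'<edoc:EDOC xmlns:edoc="{EDOC_NS}">'
        f"<edoc:Object><edoc:Content>archived payload</edoc:Content>{inside}</edoc:Object>"
        f"{outside}</edoc:EDOC>"
    )


def object_digest(xml_text):
    """Base64 SHA-1 over the canonical form of the /edoc:EDOC/edoc:Object subtree."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{EDOC_NS}}}EDOC":
        raise ValueError("root element is not edoc:EDOC")
    obj = root.find(f"{{{EDOC_NS}}}Object")
    if obj is None:
        raise ValueError("no edoc:Object child; the filter would select nothing")
    canonical = ET.canonicalize(xml_data=ET.tostring(obj, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(canonical.encode("utf-8")).digest()).decode("ascii")


def digest_depends_on_date(block_inside_object):
    """True when changing only SignatureDate changes the digest of the selected subtree."""
    first = object_digest(build_doc("2004-12-16T15:19:57", block_inside_object))
    second = object_digest(build_doc("2004-12-10T15:04:55", block_inside_object))
    return first != second


if __name__ == "__main__":
    for inside in (True, False):
        place = "inside" if inside else "outside"
        print(f"SignatureBlock {place} edoc:Object -> digest varies with date: "
              f"{digest_depends_on_date(inside)}")
```

When comparing two library versions, sign the same input with a fixed SignatureDate first; only a digest difference that survives that control points at the library.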