Posted to dev@santuario.apache.org by bu...@apache.org on 2007/03/12 12:30:02 UTC

DO NOT REPLY [Bug 41821] New: - Invalid Reference Signature when are used 2 or more Namespaces

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41821>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41821

           Summary: Invalid Reference Signature when are used 2 or more
                    Namespaces
           Product: Security
           Version: unspecified
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: blocker
          Priority: P2
         Component: Signature
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: miro@space-comm.com
                CC: sean.mullan@sun.com


For XAdES signatures we have to use 2 namespaces: one for Digital Signature and
another for XAdES. When we do that, it is not possible to make a correct
signature because the digest value is calculated using just one of the 2
namespaces. When the XML Signature is stored to the file using
XMLUtils.outputDOMc14nWithComments, the file format is correct. After that, when
the file is loaded into memory again, the validation fails because now the
validation algorithm uses both namespaces, which is the correct situation.

I tried the suggested ideas using CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS
Transforms in the Reference, without successful results.
I am not so familiar with the standards, but in my opinion this is a very strong
bug in the Java XML Signature implementation. Using one or more namespaces with
prefixes is a very typical issue.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

DO NOT REPLY [Bug 41821] - Invalid Reference Signature when are used 2 or more Namespaces

Posted by bu...@apache.org.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41821


sean.mullan@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED




------- Additional Comments From sean.mullan@sun.com  2007-09-19 12:31 -------
Closing old bugs.


DO NOT REPLY [Bug 41821] - Invalid Reference Signature when are used 2 or more Namespaces

Posted by bu...@apache.org.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41821


sean.mullan@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




------- Additional Comments From sean.mullan@sun.com  2007-03-13 15:09 -------
This is not a bug. You need to always use the namespace-aware DOM L2
Element.setAttributeNS() method (instead of setAttribute) when creating
attributes, even namespace attributes. Otherwise, the C14n algorithm doesn't
"see" these namespace attributes when canonicalizing and that is why the
results did not match. I changed the following lines in your code and it now
works fine:

//element.setAttribute("xmlns:" + XML_SIGNATURE_PREFIX,
//                     XMLSignature.XMLNS);
//element.setAttributeNS("xmlns:" + XAdES_XMLNS_PREFIX,
//                       XAdES_XMLNS);
element.setAttributeNS("http://www.w3.org/2000/xmlns/", 
                       "xmlns:" + XAdES_XMLNS_PREFIX,
                       XAdES_XMLNS);
element.setAttributeNS("http://www.w3.org/2000/xmlns/", 
                       "xmlns:" + XML_SIGNATURE_PREFIX,
                       XMLSignature.XMLNS);







-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
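
Why the setAttribute() version fails in the way the comment above describes, as an added example (not code from the bug report, its attachment, or Santuario). The class and helper names are hypothetical, the "xsd"/"dsig" prefixes and SignedProperties element are taken from the report, and visibleDeclarations() is a simplified stand-in for namespace-aware processing, not the library's canonicalizer. It compares an element built with setAttribute(), one built with setAttributeNS(), and one re-parsed from text, and adds a guard that can be run before signing.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.*;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class XmlnsAttributeCheck {
    static final String DSIG = "http://www.w3.org/2000/09/xmldsig#";
    static final String XADES = "http://uri.etsi.org/01903/v1.3.2#";
    static final String XMLNS = XMLConstants.XMLNS_ATTRIBUTE_NS_URI; // http://www.w3.org/2000/xmlns/

    // Prefix -> URI declarations as namespace-aware code sees them: only attributes
    // that live in the xmlns namespace count (simplified stand-in, see lead-in).
    static Map<String, String> visibleDeclarations(Element e) {
        Map<String, String> out = new TreeMap<>();
        NamedNodeMap attrs = e.getAttributes();
        for (int i = 0; i < attrs.getLength(); i++) {
            Attr a = (Attr) attrs.item(i);
            if (XMLNS.equals(a.getNamespaceURI())) out.put(a.getLocalName(), a.getValue());
        }
        return out;
    }

    // Pre-signing guard: xmlns attributes that were created with DOM Level 1
    // setAttribute() and therefore carry no namespace URI.
    static List<String> level1Declarations(Element e) {
        List<String> bad = new ArrayList<>();
        NamedNodeMap attrs = e.getAttributes();
        for (int i = 0; i < attrs.getLength(); i++) {
            Attr a = (Attr) attrs.item(i);
            boolean decl = a.getName().equals("xmlns") || a.getName().startsWith("xmlns:");
            if (decl && a.getNamespaceURI() == null) bad.add(a.getName());
        }
        return bad;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.newDocument();
        Element l1 = doc.createElementNS(XADES, "xsd:SignedProperties"); // constructed sample
        l1.setAttribute("xmlns:xsd", XADES);   // DOM Level 1: namespace URI stays null
        l1.setAttribute("xmlns:dsig", DSIG);
        Element l2 = doc.createElementNS(XADES, "xsd:SignedProperties");
        l2.setAttributeNS(XMLNS, "xmlns:xsd", XADES);   // DOM Level 2: real declaration
        l2.setAttributeNS(XMLNS, "xmlns:dsig", DSIG);
        String xml = "<xsd:SignedProperties xmlns:xsd=\"" + XADES + "\" xmlns:dsig=\"" + DSIG + "\"/>";
        Element parsed = b.parse(new InputSource(new StringReader(xml))).getDocumentElement();
        for (Element e : List.of(l1, l2, parsed))
            System.out.println(visibleDeclarations(e) + " flagged=" + level1Declarations(e));
    }
}
```

The re-parsed element matches the setAttributeNS() one because a namespace-aware parser always places xmlns attributes in the xmlns namespace, which is why the saved file looked correct while the in-memory tree used for signing did not.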

DO NOT REPLY [Bug 41821] - Invalid Reference Signature when are used 2 or more Namespaces

Posted by bu...@apache.org.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41821





------- Additional Comments From miro@space-comm.com  2007-03-12 04:35 -------
Created an attachment (id=19698)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=19698&action=view)
Sign and Validate something using 2 namespaces

The problem occurs when 2 XML namespaces are used:
- "dsig" for "http://www.w3.org/2000/09/xmldsig#"
- "xsd" for "http://uri.etsi.org/01903/v1.3.2#"

The actual problem happens because during the signing process the digest
calculations are done using just one (the first and main) namespace. When the
XML signature is saved to the file using the c14nWithComments transformation,
the file is saved in the correct format. Then, when the file is loaded, the
signature is loaded using both namespaces, which is also correct. Then the
problem shows up during validation, when the digest calculation is done using
just one namespace, which is not correct, and validation uses both namespaces,
which is correct.
I have attached a file with a test case.
Any idea how to solve the problem?
I am trying to solve the problem using a Transform in the Reference
"#L1.S1-SignedProperties", where this happens, but without result until now.


DO NOT REPLY [Bug 41821] - Invalid Reference Signature when are used 2 or more Namespaces

Posted by bu...@apache.org.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41821


sean.mullan@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|sean.mullan@sun.com         |



