Posted to dev@santuario.apache.org by Marius Constantin <mc...@digev.com> on 2003/12/14 23:34:58 UTC

signature verification modifies the original document

Hi all,

I have a problem with verifying a signed document (I am using Apache
XML Security -- which uses Bouncy Castle.) Although verification
succeeds, when I print the signed document I passed to the
verification function, I can see that every node in the tree contains
all the namespace definitions that are in its context. Below is a
sample:

Original document:
 <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:tns="http://wsdl/AccountManagerBinding/"
xmlns:types="http://wsdl/AccountManagerBinding/encodedTypes"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <soap:Body
soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <q1:deposit xmlns:q1="http://tempuri.org/AccountManager">
 <acctId xsi:type="xsd:string">AC1</acctId>
 <amount xsi:type="xsd:int">10</amount>
</q1:deposit>
<new_ns:node1 xmlns:new_ns="http://some_url_new_ns">
<new_ns:node2>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" />
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />
<ds:Transform
Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<ds:XPath>node()=/soap:Envelope/soap:Body</ds:XPath>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>UFrKoAsAGL65aVU3fj6uvbM2Jwo=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>UHVs8LFlTCsZcoHVLPOs0/jmqRqR+fnZfzR6HMJ8dVq0sT5LB6xbSA==</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyName>administrator</ds:KeyName>
</ds:KeyInfo>
</ds:Signature>
</new_ns:node2>
</new_ns:node1>
</soap:Body>
</soap:Envelope>


Top part of the original document, after signature verification:
<?xml version="1.0" encoding="UTF-8" ?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:tns="http://wsdl/AccountManagerBinding/"
xmlns:types="http://wsdl/AccountManagerBinding/encodedTypes"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soap:Body
soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:tns="http://wsdl/AccountManagerBinding/"
xmlns:types="http://wsdl/AccountManagerBinding/encodedTypes"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<q1:deposit xmlns:q1="http://tempuri.org/AccountManager"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:tns="http://wsdl/AccountManagerBinding/"
xmlns:types="http://wsdl/AccountManagerBinding/encodedTypes"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<acctId xmlns:q1="http://tempuri.org/AccountManager"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:tns="http://wsdl/AccountManagerBinding/"
xmlns:types="http://wsdl/AccountManagerBinding/encodedTypes"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">AC1</acctId>
<amount xmlns:q1="http://tempuri.org/AccountManager"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:tns="http://wsdl/AccountManagerBinding/"
xmlns:types="http://wsdl/AccountManagerBinding/encodedTypes"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:int">10</amount>
</q1:deposit>

I thought the verification is a non-intrusive process, and it's not
supposed to modify the original bytes. Does anyone have an idea why
this happens?

Thank you,
 Marius
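Added example, not code from the post above and not Apache XML Security code: the signature in the post uses inclusive XML Canonicalization 1.0 (the CanonicalizationMethod, and again as the #WithComments Transform), and for a document subset inclusive C14N renders every in-scope namespace declaration on each apex element, sorted by prefix. The dump in the post, where each node carries all of its ancestors' xmlns declarations, is therefore the shape of the canonical form; exclusive C14N (which this signature does not use) would keep only visibly utilized prefixes, and this example shows both rules side by side on the acctId element. Whether a given library writes that canonical form back into the DOM it was handed is not something the post settles; the defensive check shown here is to hand verification a clone and compare the serialization of the document you keep before and after. The SOAP envelope below is a constructed cut-down version of the one in the post; verify_on_copy and materialize_namespaces are hypothetical helper names, attribute ordering is simplified to sort by qualified name, and the code only renders start tags rather than full canonical output.

```python
from xml.dom import minidom

# Constructed sample (cut-down from the post's envelope, not its bytes).
SAMPLE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:xsd="http://www.w3.org/2001/XMLSchema" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    '<soap:Body><q1:deposit xmlns:q1="http://tempuri.org/AccountManager">'
    '<acctId xsi:type="xsd:string">AC1</acctId>'
    '<amount xsi:type="xsd:int">10</amount>'
    '</q1:deposit></soap:Body></soap:Envelope>'
)


def in_scope_namespaces(elem):
    """Every xmlns declaration visible at elem, walking root-first so inner ones win."""
    chain = []
    node = elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        chain.append(node)
        node = node.parentNode
    ns = {}
    for node in reversed(chain):
        for name, value in node.attributes.items():
            if name == "xmlns":
                ns[""] = value
            elif name.startswith("xmlns:"):
                ns[name[len("xmlns:"):]] = value
    return ns


def visibly_utilized_prefixes(elem):
    """Exclusive C14N rule: the element's own prefix plus prefixes of its attributes.
    Prefixes that only appear inside attribute values (xsd in xsd:string) do not count,
    which is why exclusive C14N has an InclusiveNamespaces PrefixList."""
    used = {elem.prefix or ""}
    for name in elem.attributes.keys():
        if ":" in name and not name.startswith("xmlns:"):
            used.add(name.split(":", 1)[0])
    return used


def _escape_attr(value):
    return (value.replace("&", "&amp;").replace("<", "&lt;").replace('"', "&quot;")
            .replace("\t", "&#x9;").replace("\n", "&#xA;").replace("\r", "&#xD;"))


def c14n_start_tag(elem, exclusive=False):
    """Start tag of elem as an apex element of a document subset: inclusive C14N emits
    all in-scope namespaces, exclusive C14N only the visibly utilized ones."""
    ns = in_scope_namespaces(elem)
    if exclusive:
        used = visibly_utilized_prefixes(elem)
        ns = {p: u for p, u in ns.items() if p in used}
    parts = [elem.tagName]
    for prefix in sorted(ns):  # C14N orders namespace nodes by prefix, default first
        parts.append('%s="%s"' % ("xmlns" if prefix == "" else "xmlns:" + prefix,
                                  _escape_attr(ns[prefix])))
    attrs = [(n, v) for n, v in elem.attributes.items()
             if n != "xmlns" and not n.startswith("xmlns:")]
    for name, value in sorted(attrs):  # simplification: real C14N sorts by URI, local name
        parts.append('%s="%s"' % (name, _escape_attr(value)))
    return "<" + " ".join(parts) + ">"


def materialize_namespaces(elem):
    """Write every in-scope declaration onto elem and all descendants. This mutates the
    DOM and produces exactly the shape of the post-verification dump in the post."""
    for node in [elem] + elem.getElementsByTagName("*"):
        for prefix, uri in in_scope_namespaces(node).items():
            node.setAttribute("xmlns" if prefix == "" else "xmlns:" + prefix, uri)


def verify_on_copy(doc, verify):
    """Hypothetical pattern: run any DOM-touching verify routine on a clone and prove
    the document you keep did not drift. Raises if the serialization changed."""
    before = doc.documentElement.toxml()
    result = verify(doc.cloneNode(True))
    if doc.documentElement.toxml() != before:
        raise RuntimeError("verification altered the caller's document")
    return result


def demo():
    doc = minidom.parseString(SAMPLE)
    acct = doc.getElementsByTagName("acctId")[0]
    inclusive = c14n_start_tag(acct)
    exclusive = c14n_start_tag(acct, exclusive=True)
    untouched = doc.documentElement.toxml()
    verify_on_copy(doc, lambda d: materialize_namespaces(d.documentElement))
    still_same = doc.documentElement.toxml() == untouched
    materialize_namespaces(doc.documentElement)  # mutate the live DOM instead
    drifted = doc.documentElement.toxml() != untouched
    return inclusive, exclusive, still_same, drifted


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note that the exclusive rendering drops xmlns:xsd even though the xsi:type value depends on it; that is the standard exclusive C14N behaviour and the reason signers list such prefixes in an InclusiveNamespaces PrefixList. The byte comparison in verify_on_copy is the check to keep around any verifier: if the bytes you later forward or archive differ from what was signed, a downstream verifier of the same signature is at the mercy of canonicalization to paper over the difference.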