Summary: | verify with own canonicalization method | | |
---|---|---|---|
Product: | Security - Now in JIRA | Reporter: | Anton Kosyakov <anton.k.ekb> |
Component: | Signature | Assignee: | XML Security Developers Mailing List <security-dev> |
Status: | RESOLVED FIXED | | |
Severity: | normal | | |
Priority: | P2 | | |
Version: | unspecified | | |
Target Milestone: | --- | | |
Hardware: | PC | | |
OS: | Windows XP | | |
Attachments: | Bug 45961 test case. (Eclipse project); Bug 45961 test case 2. (Eclipse project); Bug 45961 test case 3. | | |

Description
Anton Kosyakov
2008-10-07 05:17:09 UTC
(In reply to comment #0)
> I developed own canonicalization method and register it. Sign with my method
> perform successful, but verify finished with error: Cannot find SignatureValue
> in Signature. Constructor SignedInfo(Element, String) canonicalize
> ds:SignedInfo by my method, reparse it into a new document and replace the
> original not-canonicalized ds:SignedInfo. After replace, XMLSignature try get
> ds:SignatureValue by method getNextSibling of element ds:SignedInfo. But it is
> null!

You say you parsed it into a new document, so did you use Document.importNode when replacing the SignedInfo in the original document?

In any case, we will need a reproducible test case to analyze this. Please attach it to the bug report, thanks.

Created attachment 22689
Bug 45961 test case. (Eclipse project)

> You say you parsed it into a new document, so did you use Document.importNode
> when replacing the SignedInfo in the original document?

See org.apache.xml.security.signature.SignedInfo(element : Element, BaseURI : String) constructor.

> In any case, we will need a reproducible test case to analyze this. Please
> attach it to the bug report, thanks.

Ok. See attachment.

This is not a bug. You are invoking the XMLSignature(Element, String) constructor with a Signature element that is not complete. This constructor should be invoked when you are validating an XML Signature that has been parsed from a Document. You need to first generate an XML Signature using your CanonicalizationMethod, but before you do that you must register your CanonicalizationMethod impl. with the register method so that the XMLSec library is aware of it. You may want to look at some of the XML Signature samples to see how to generate XML Signatures.

Created attachment 22717
Bug 45961 test case 2. (Eclipse project)

(In reply to comment #4)
> This is not a bug. You are invoking the XMLSignature(Element, String)
> constructor with a Signature element that is not complete. This constructor
> should be invoked when you are validating an XML Signature that has been parsed
> from a Document. You need to first generate an XML Signature using your
> CanonicalizationMethod, but before you do that you must register your
> CanonicalizationMethod impl. with the register method so that the XMLSec
> library is aware of it. You may want to look at some of the XML Signature
> samples to see how to generate XML Signatures.

Ok. Now I’m invoking the XMLSignature(Element, String) constructor with a Signature element that is complete. And again I'm getting an exception with an error message “Cannot find SignatureValue in Signature”. See attachment.

Fixed in the latest source tree. The problem was that if you define a custom canonicalization method, the SignedInfo element is canonicalized and replaced before validating the signature and references (as a security precaution). However, the code was still holding a stale reference to the old SignedInfo element, thus the exception. The fix was to simply get a reference to the new SignedInfo element.

Created attachment 22732
Bug 45961 test case 3.

I sign document with enveloped transform and own canonicalization method. Document verification is finishing with error in a work of transformer TransformEnvelopedSignature. Because an instance of SignedInfo saves references to old element Reference into array _referenceEl. See attachment.

Thanks for the updated test case. Should be fixed now.

Fixes have been checked into latest source tree.
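
The stale-reference behaviour discussed in this thread can be reproduced with the JDK's DOM classes alone. The following is an added example, not code from the bug's attachments or from the XML Security library; the class name `StaleSignedInfoDemo`, the sample XML and the hard-coded "canonical" SignedInfo string (a stand-in for a registered canonicalizer's output) are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;

public class StaleSignedInfoDemo {
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    // Constructed sample: a skeletal ds:Signature with no whitespace between children.
    static final String SIGNATURE = "<ds:Signature xmlns:ds=\"" + DS + "\">"
        + "<ds:SignedInfo><ds:Reference URI=\"\"/></ds:SignedInfo>"
        + "<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>";
    // Constructed stand-in for the canonicalized bytes of ds:SignedInfo.
    static final String CANONICAL_SIGNED_INFO = "<ds:SignedInfo xmlns:ds=\"" + DS + "\">"
        + "<ds:Reference URI=\"\"></ds:Reference></ds:SignedInfo>";

    static Document parse(DocumentBuilder db, String xml) throws Exception {
        return db.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        DocumentBuilder db = dbf.newDocumentBuilder();

        Document doc = parse(db, SIGNATURE);
        Element signature = doc.getDocumentElement();
        Element oldSignedInfo = (Element) signature.getFirstChild();
        Node oldReference = oldSignedInfo.getFirstChild();

        // Reparse the canonical form into a new document, import it, replace the original.
        Node reparsed = parse(db, CANONICAL_SIGNED_INFO).getDocumentElement();
        Node newSignedInfo = doc.importNode(reparsed, true);
        signature.replaceChild(newSignedInfo, oldSignedInfo);

        // References taken before the replace now point into a detached subtree:
        // there is no sibling to find and no ancestor chain up to ds:Signature.
        System.out.println("stale sibling:  " + oldSignedInfo.getNextSibling());
        System.out.println("stale ancestor: " + oldReference.getParentNode().getParentNode());

        // Re-acquiring the elements from the live tree restores both lookups.
        Element live = (Element) signature.getElementsByTagNameNS(DS, "SignedInfo").item(0);
        Node liveReference = live.getFirstChild();
        System.out.println("live sibling:   " + live.getNextSibling().getLocalName());
        System.out.println("live ancestor:  "
            + liveReference.getParentNode().getParentNode().getLocalName());
    }
}
```

The first pair of lookups corresponds to the "Cannot find SignatureValue in Signature" report, the second to the enveloped-signature transform working from Reference elements cached before the replacement.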