DO NOT REPLY New: - subtree canonicalization produces incorrect result
user name
2006-07-12 19:26:24
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40031>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=40031

           Summary: subtree canonicalization produces incorrect result
           Product: Security
           Version: Java 1.3
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: major
          Priority: P1
         Component: Canonicalization
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: bob@directdocs.com


The following XML is taken from the CanonSubtree sample app, but illustrates an issue that I've encountered, which is causing a signature verification interop problem (Keytools and xml-sec).

I've slightly altered the XML from the CanonSubtree sample by adding xmlns="" to the CanonicalizationMethod element. The second chunk of XML is the result of Apache xml-sec 1.3 subtree (SignedInfo) canonicalization.

<?xml version="1.0" encoding="UTF-8"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod xmlns="" Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
    <Reference URI="http://www.w3.org/TR/xml-stylesheet">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      <DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue>
    </Reference>
  </SignedInfo>
</Signature>


<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
    <Reference URI="http://www.w3.org/TR/xml-stylesheet">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      <DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue>
    </Reference>
  </SignedInfo>

Note that xmlns="" has been omitted from the CanonicalizationMethod element. This is correct in the context of the subtree prior to adding doc level namespaces to the subtree root (i.e. <SignedInfo> vs <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">), but is incorrect following the addition of the doc level namespace.

The following code reproduces the bug:

package org.apache.xml.security.samples.canonicalization;

import java.io.ByteArrayInputStream;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.XMLUtils;
import org.apache.xpath.XPathAPI;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/**
 *
 * @author Christian Geuer-Pollmann
 */
public class CanonSubTree {
   //J-
   // Sample document: Signature in the xmldsig default namespace, with
   // CanonicalizationMethod explicitly moved to no namespace via xmlns="".
   static String input = ""
      + "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n"
      + "  <SignedInfo><!-- comment inside -->\n"
      + "    <CanonicalizationMethod xmlns=\"\" Algorithm=\"http://www.w3.org/TR/2001/REC-xml-c14n-20010315\" />\n"
      + "    <SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\" />\n"
      + "    <Reference URI=\"http://www.w3.org/TR/xml-stylesheet\">\n"
      + "      <DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\" />\n"
      + "      <DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue>\n"
      + "    </Reference>\n"
      + "  </SignedInfo>\n"
      + "  <SignatureValue>\n"
      + "    fKMmy9GYF2s8rLFrZdVugTOFuWx19ccX7jh5HqFd4vMOY7LWAj52ykjSdvtW3fNY\n"
      + "    PPYGC4MFL19oPSId5GEsMtFMpGXB3XaCtoKjMCHQsN3+kom8YnGf7Ge1JNRcGty5\n"
      + "    0UsoP6Asj47+QR7QECT64uoziha4WRDVyXjDrg24W+U=\n"
      + "  </SignatureValue>\n"
      + "  <KeyInfo>\n"
      + "    <KeyName>Lugh</KeyName>\n"
      + "  </KeyInfo>\n"
      + "</Signature>\n"
      ;
   //J+

   /**
    * Method main
    *
    * @param args
    * @throws Exception
    */
   public static void main(String args[]) throws Exception {
      org.apache.xml.security.Init.init();

      DocumentBuilderFactory dfactory = DocumentBuilderFactory.newInstance();

      // namespace awareness is required: the bug is about which xmlns
      // declarations the canonicalizer renders on the subtree
      dfactory.setNamespaceAware(true);
      dfactory.setValidating(true);

      DocumentBuilder documentBuilder = dfactory.newDocumentBuilder();

      // this is to throw away all validation warnings
      documentBuilder.setErrorHandler(new org.apache.xml.security.utils.IgnoreAllErrorHandler());

      byte inputBytes[] = input.getBytes();
      Document doc = documentBuilder.parse(new ByteArrayInputStream(inputBytes));
      Canonicalizer c14n = Canonicalizer.getInstance("http://www.w3.org/TR/2001/REC-xml-c14n-20010315");

      // bind the "ds" prefix so the XPath below can select the SignedInfo element
      Element nscontext = XMLUtils.createDSctx(doc, "ds", Constants.SignatureSpecNS);

      Node signedInfo = XPathAPI.selectSingleNode(doc, "//ds:SignedInfo", nscontext);

      // inclusive C14N of the SignedInfo subtree; the output should keep
      // xmlns="" on CanonicalizationMethod once the apex carries the
      // document-level xmldsig default namespace
      byte outputBytes[] = c14n.canonicalizeSubtree(signedInfo);

      if (outputBytes != null) {
         System.out.println(new String(outputBytes));
      }
   }
}

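The namespace-context error the report describes, as an added Python example. This is not code from the page, from the reporter, or from Apache xml-security: it is a simplified inclusive-C14N subtree serializer written for this page using only the standard library. It assumes a document that uses only the default namespace and unprefixed attributes (no xmlns:prefix declarations, no attribute escaping of control characters), and it models the reported behaviour as a namespace symbol table that is seeded with the apex's inherited document-level declarations either before the children are rendered (correct) or not at all (the reported output). The input document is the reporter's SignedInfo example, constructed inline.

```python
import hashlib
import io
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed input: Signature in the xmldsig default namespace, with
# xmlns="" on CanonicalizationMethod, as in the bug report.
DOC = """<?xml version="1.0" encoding="UTF-8"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod xmlns="" Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
    <Reference URI="http://www.w3.org/TR/xml-stylesheet">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      <DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue>
    </Reference>
  </SignedInfo>
</Signature>
"""


def parse_with_decls(xml_text):
    """Parse and record, per element, the xmlns declarations written on it
    and the set in scope. ElementTree drops declarations, so they are taken
    from the parser's start-ns events (xmlns="" arrives as ('', ''))."""
    root, decls, in_scope, pending, scopes = None, {}, {}, [], [{}]
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "start", "end")):
        if event == "start-ns":
            pending.append(payload)
        elif event == "start":
            decls[payload] = dict(pending)
            pending = []
            scope = dict(scopes[-1])
            scope.update(decls[payload])
            in_scope[payload] = scope
            scopes.append(scope)
            if root is None:
                root = payload
        else:
            scopes.pop()
    return root, decls, in_scope


def _local(name):
    return name.split("}", 1)[1] if name.startswith("{") else name


def _attr(value):  # simplified C14N attribute escaping (assumption: no control chars)
    return value.replace("&", "&amp;").replace("<", "&lt;").replace('"', "&quot;")


def _text(value):
    return value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def _render(elem, decls, table, forced, out):
    """`table` is the namespace symbol table inherited from the output
    ancestor; a declaration written on the element is rendered only if it
    changes the table. `forced` holds declarations the apex must carry."""
    emit = dict(forced)
    child_table = dict(table)
    for prefix, uri in decls[elem].items():
        if table.get(prefix, "") != uri:
            emit[prefix] = uri
        child_table[prefix] = uri
    out.append("<" + _local(elem.tag))
    for prefix in sorted(emit):  # C14N orders namespace nodes by prefix, default first
        name = "xmlns" if prefix == "" else "xmlns:" + prefix
        out.append(' %s="%s"' % (name, _attr(emit[prefix])))
    for name in sorted(elem.attrib):  # then attributes (unprefixed only, by assumption)
        out.append(' %s="%s"' % (_local(name), _attr(elem.attrib[name])))
    out.append(">")
    if elem.text:
        out.append(_text(elem.text))
    for child in elem:
        _render(child, decls, child_table, {}, out)
        if child.tail:
            out.append(_text(child.tail))
    out.append("</" + _local(elem.tag) + ">")  # C14N never uses the <a/> form


def c14n_subtree(apex, decls, in_scope, seed_table):
    """The apex carries every non-empty declaration in scope in the document.
    seed_table=True pushes them into the symbol table before descending
    (correct). False pastes them on the apex only: the child's xmlns="" then
    no longer differs from an empty table and is dropped, which is the
    reported output."""
    apex_decls = {p: u for p, u in in_scope[apex].items() if u}
    out = []
    _render(apex, decls, dict(apex_decls) if seed_table else {}, apex_decls, out)
    return "".join(out)


def signed_info_c14n(seed_table=True):
    root, decls, in_scope = parse_with_decls(DOC)
    signed_info = next(root.iter("{%s}SignedInfo" % DSIG))
    return c14n_subtree(signed_info, decls, in_scope, seed_table)


def digests():
    """SHA-1 over both forms: a signer that canonicalizes correctly produces
    bytes the buggy verifier never reconstructs, hence the interop failure."""
    good = signed_info_c14n(True).encode("utf-8")
    bad = signed_info_c14n(False).encode("utf-8")
    return hashlib.sha1(good).hexdigest(), hashlib.sha1(bad).hexdigest()


if __name__ == "__main__":
    print(signed_info_c14n(True))
    print(signed_info_c14n(False))
    print(digests())
```

Run as a script, the first printed block keeps xmlns="" on CanonicalizationMethod and the second matches the reporter's xml-sec 1.3 output; the two SHA-1 values differ, which is why a SignedInfo signed by a conforming implementation fails to verify against the buggy canonical form. The point for a verifier implementation is that the apex's inherited declarations must be in the namespace context before any descendant is rendered, not appended afterwards.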