Bug 45961 - verify with own canonicalization method
verify with own canonicalization method
Status: RESOLVED FIXED
Product: Security - Now in JIRA
Classification: Unclassified
Component: Signature
unspecified
PC Windows XP
: P2 normal
: ---
Assigned To: XML Security Developers Mailing List
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2008-10-07 05:17 UTC by Anton Kosyakov
Modified: 2008-10-16 08:44 UTC (History)
0 users



Attachments
Bug 45961 test case. (Eclipse project) (7.28 KB, application/zip)
2008-10-07 21:48 UTC, Anton Kosyakov
Details
Bug 45961 test case 2. (Eclipse project) (3.33 KB, application/zip)
2008-10-12 22:05 UTC, Anton Kosyakov
Details
Bug 45961 test case 3. (7.76 KB, application/zip)
2008-10-15 03:01 UTC, Anton Kosyakov
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Anton Kosyakov 2008-10-07 05:17:09 UTC
I developed own canonicalization method and register it. Sign with my method perform successful, but verify finished with error: Cannot find SignatureValue in Signature. Constructor SignedInfo(Element, Strign) canonicalize ds:SignedInfo by my method, reparse it into a new document and replace the original not-canonicalized ds:SignedInfo. After replace, XMLSignature try get ds:SignatureValue by method getNextSibling of element ds:SignedInfo. But it is null!
Comment 1 sean.mullan 2008-10-07 06:55:04 UTC
(In reply to comment #0)
> I developed own canonicalization method and register it. Sign with my method
> perform successful, but verify finished with error: Cannot find SignatureValue
> in Signature. Constructor SignedInfo(Element, Strign) canonicalize
> ds:SignedInfo by my method, reparse it into a new document and replace the
> original not-canonicalized ds:SignedInfo. After replace, XMLSignature try get
> ds:SignatureValue by method getNextSibling of element ds:SignedInfo. But it is
> null!
> 

You say you parsed it into a new document, so did you use Document.importNode when replacing the SignedInfo in the original document?

In any case, we will need a reproducible test case to analyze this. Please 
attach it to the bug report, thanks.
Comment 2 Anton Kosyakov 2008-10-07 21:48:06 UTC
Created attachment 22689 [details]
Bug 45961 test case. (Eclipse project)
Comment 3 Anton Kosyakov 2008-10-07 21:51:17 UTC
> You say you parsed it into a new document, so did you use Document.importNode
> when replacing the SignedInfo in the original document?

See org.apache.xml.security.signature.SignedInfo(element : Element, BaseURI : String) constructor.
 
> In any case, we will need a reproducible test case to analyze this. Please 
> attach it to the bug report, thanks.
 
Ok. See attachement.
Comment 4 sean.mullan 2008-10-10 06:07:22 UTC
This is not a bug. You are invoking the XMLSignature(Element, String) constructor with a Signature element that is not complete. This constructor should be invoked when you are validating an XML Signature that has been parsed from a Document. You need to first generate an XML Signature using your CanonicalizationMethod, but before you do that you must register your CanonicalizationMethod impl. with the register method so that the XMLSec library is aware of it. You may want to look at some of the XML Signature samples to see how to generate XML Signatures.
Comment 5 Anton Kosyakov 2008-10-12 22:05:44 UTC
Created attachment 22717 [details]
Bug 45961 test case 2. (Eclipse project)
Comment 6 Anton Kosyakov 2008-10-12 22:42:02 UTC
(In reply to comment #4)
> This is not a bug. You are invoking the XMLSignature(Element, String)
> constructor with a Signature element that is not complete. This constructor
> should be invoked when you are validating an XML Signature that has been parsed
> from a Document. You need to first generate an XML Signature using your
> CanonicalizationMethod, but before you do that you must register your
> CanonicalizationMethod impl. with the register method so that the XMLSec
> library is aware of it. You may want to look at some of the XML Signature
> samples to see how to generate XML Signatures.
> 

Ok. Now I’m invoking the XMLSignature(Element, String) constructor with a Signature element that is complete. And again I'm getting a exception with a error message “Cannot find SignatureValue in Signature”. See attachment.
Comment 7 sean.mullan 2008-10-14 08:18:12 UTC
Fixed in the latest source tree.

The problem was that if you define a custom canonicalization method, the SignedInfo element is canonicalized and replaced before validating the signature and references (as a security precaution). However, the code was still holding a stale reference to the old SignedInfo element, thus the exception. The fix was to simply get a reference to the new SignedInfo element.
Comment 8 Anton Kosyakov 2008-10-15 03:01:24 UTC
Created attachment 22732 [details]
Bug 45961 test case 3.
Comment 9 Anton Kosyakov 2008-10-15 03:24:53 UTC
I sign document with enveloped transform and own canonicaliztion method. Document verification is finishing with error in a work of transformer TransformEnvelopedSignature. Because a instance of SignedInfo saves references to old element Reference into array _referenceEl. See attachment.
Comment 10 sean.mullan 2008-10-16 08:44:51 UTC
Thanks for the updated test case. Should be fixed now. Fixes have been checked
into latest source tree.