Details
- Type: Bug
- Status: Closed
- Priority: Critical
- Resolution: Fixed
- Version: Java 1.4.4
- Security Level: Public (Public issues, viewable by everyone)
Description
When I changed the canonicalization algorithm used to generate signatures from "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" to "http://www.w3.org/2006/12/xml-c14n11" and the version of Santuario from 1.4.3 to 1.4.4, all the signatures produced were no longer valid when verified with version 1.4.3, and vice versa.
I mean that "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" produces the same signature in both versions, while "http://www.w3.org/2006/12/xml-c14n11" has the following behaviour:
1) SignatureValue differs
2) the SignedInfo used to produce the signature is:
1.4.3:
<ds:SignedInfo xmlns:apache="http://www.apache.org/ns/#app1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:foo="http://example.org/#foo">
1.4.4:
<ds:SignedInfo attr1="test1" foo:attr1="foo's test" id="testId" xmlns:apache="http://www.apache.org/ns/#app1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:foo="http://example.org/#foo">
The document before the signature is:
<apache:RootElement xmlns:apache="http://www.apache.org/ns/#app1" xmlns:foo="http://example.org/#foo" attr1="test1" id="testId" foo:attr1="foo's test">Some simple text
</apache:RootElement>
To create a sample to reproduce the issue I modified https://svn.apache.org/repos/asf/santuario/xml-security-java/trunk/samples/org/apache/xml/security/samples/signature/CreateSignature.java using an RSA key (to generate the same SignatureValue each time).
Obviously, I can't write a JUnit because you need two different versions of Santuario's library.
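A regression check for the attribute leak shown above that needs only one Santuario version, added here as an example (it is not from the report or from Santuario's own test suite): instead of comparing two versions, it asserts the expected property, namely that canonicalizing the SignedInfo subtree must not copy the root element's ordinary attributes (attr1, foo:attr1, id) onto SignedInfo, while an inheritable xml: attribute such as xml:lang does belong on the apex element. It assumes the Santuario 1.4 Canonicalizer API (getInstance, canonicalizeSubtree) and uses a constructed document: the reporter's RootElement with an added xml:lang attribute and an empty ds:SignedInfo child standing in for the real SignedInfo.

```java
import java.io.ByteArrayInputStream;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.c14n.Canonicalizer;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Added regression check (not Santuario's own code): canonicalize a child
// subtree under C14N 1.0 and 1.1 with a single Santuario version and assert
// that the apex element does not pick up its ancestors' ordinary attributes.
public class C14n11InheritanceCheck {
    // Constructed input: the reporter's root element plus xml:lang, with an
    // empty ds:SignedInfo child standing in for the real SignedInfo.
    static final String DOC =
        "<apache:RootElement xmlns:apache=\"http://www.apache.org/ns/#app1\""
      + " xmlns:foo=\"http://example.org/#foo\" attr1=\"test1\" id=\"testId\""
      + " foo:attr1=\"foo's test\" xml:lang=\"en\">Some simple text"
      + "<ds:SignedInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"/>"
      + "</apache:RootElement>";

    static String canonicalizeChild(String algorithm) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(DOC.getBytes("UTF-8")));
        Element signedInfo = (Element) doc.getElementsByTagNameNS(
            "http://www.w3.org/2000/09/xmldsig#", "SignedInfo").item(0);
        return new String(Canonicalizer.getInstance(algorithm)
            .canonicalizeSubtree(signedInfo), "UTF-8");
    }

    static void check(String algorithm) throws Exception {
        String out = canonicalizeChild(algorithm);
        System.out.println(algorithm + " -> " + out);
        // RootElement's ordinary attributes must never appear on SignedInfo.
        for (String leaked : new String[] {"attr1=", "foo:attr1=", "id="}) {
            if (out.contains(leaked)) {
                throw new AssertionError(algorithm + " leaked " + leaked);
            }
        }
        // xml:lang is an inheritable xml: attribute, so it belongs on the apex.
        if (!out.contains("xml:lang=\"en\"")) {
            throw new AssertionError(algorithm + " dropped inherited xml:lang");
        }
    }
    public static void main(String[] args) throws Exception {
        Init.init();
        check(Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS);   // REC-xml-c14n-20010315
        check(Canonicalizer.ALGO_ID_C14N11_OMIT_COMMENTS); // 2006/12/xml-c14n11
    }
}
```

Run against each Santuario version on the classpath in turn; a version that copies the root element's attributes onto the SignedInfo subtree fails on the C14N 1.1 check.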