Signature from User-specified URIDereferencers NodeSetData objects is wrong

Shubham Rajput shubhamnba2009 at gmail.com
Wed May 23 07:29:34 UTC 2018


Hi Sean,
Thanks for your reply.
I tried with the input that was given by you, to use XPathFilter2Transform
with an XPathFilter2ParameterSpec.
But the thing is, in the output XML, under the Signature tag I am getting the
following output:

---------------------------------------------------Source-start------------------------------------
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#xpointer(//*%5B@authenticate='true'])">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
<XPath xmlns="http://www.w3.org/2002/06/xmldsig-filter2"
Filter="subtract">/descendant::*[name()='ds:Signature']</XPath>
</ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>mCvp/VNBFGQZFGJKBjT6dOifpoeS6G2j+t88RQEwnFQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>IEzsw0I0qQ00s0r1iigXBg+KwiDilclQfvnqC2QpdS1F6CaKHMOWsWm76oFaCXClAK18A0pMwxTw
E7DKmkGQfYHyFyt/XojuFsF9CwObS5TItsG4hdcD9MFaTUOe0D44nI3GU6g5dUB4eI1/F51GvWYd
dN1CXLFhsgrj1GfvDCSa6bM5U700aFX5WqiM73COf40h0/uHYRgW69zn+gqAidZqqDWJ9t55rUYk
9kOCLZr5JsLkE0fiwy/Ep37JgDxVDn5Lyi1x24T7inBo8jivtSkex9hjTtSBmzR0wxZTvaJAW/bx
JBxbRsIEMw5Hz6rDgFcCNA5WRB6l5Yf4pVuB+w==</ds:SignatureValue>
</ds:Signature>
----------------------------------------------------Source-end-------------------------------------


So the issue is that the below tag info also gets added in the <Signature> tag:

---------------------------------------------------Source-start------------------------------------
<ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
<XPath xmlns="http://www.w3.org/2002/06/xmldsig-filter2"
Filter="subtract">/descendant::*[name()='ds:Signature']</XPath>
</ds:Transform>
----------------------------------------------------Source-end-------------------------------------

Which is not required, and if I remove this tag from the output I will face
a signature verification failure issue!!

Any leads on how to pivot or remedy this issue?

Thanks in advance,

Regards,
Shubham




On Fri, May 18, 2018 at 7:58 PM Sean Mullan <sean.mullan at oracle.com> wrote:

> On 5/17/18 1:54 AM, Shubham Rajput wrote:
> >
> > Any lead why the signature is forming for the node element name only and
> > not for the whole node?
>
> I can't remember for sure now, but it probably has something to do with
> the way you are returning the nodes from your URIDereferencer.
>
> You are probably better off defining an XPathFilter2Transform with an
> XPathFilter2ParameterSpec [1] for your signature and letting that do the
> filtering for you automatically.
>
> HTH,
> Sean
>
> [1]
>
> https://docs.oracle.com/javase/10/docs/api/javax/xml/crypto/dsig/spec/XPathFilter2ParameterSpec.html
>
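
The behaviour reported in this message, as an added example that is not code from the thread or from the JDK project: it signs a document with an XPath Filter 2 subtract transform, validates it, then removes the `Transform` element from `SignedInfo` and validates again. The class name `Filter2Demo`, the sample document, the generated throwaway RSA key and the use of `URI=""` with a `local-name()` test (instead of the poster's xpointer URI and `ds:` prefix) are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import java.util.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class Filter2Demo {  // hypothetical class name
    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Constructed sample document, not the poster's data.
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(
            "<order><item authenticate=\"true\">42</item></order>".getBytes("UTF-8")));
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();  // throwaway key for the demo
        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        // Subtract the Signature subtree from the referenced node set.
        XPathFilter2ParameterSpec spec = new XPathFilter2ParameterSpec(
            Collections.singletonList(new XPathType(
                "/descendant::*[local-name()='Signature']", XPathType.Filter.SUBTRACT)));
        Reference ref = f.newReference("", f.newDigestMethod(DigestMethod.SHA256, null),
            Arrays.asList(f.newTransform(Transform.XPATH2, spec),
                f.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = f.newSignedInfo(
            f.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE,
                (C14NMethodParameterSpec) null),
            f.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        f.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        System.out.println("as signed:         " + validate(f, kp.getPublic(), doc));
        // The Transform is a child of SignedInfo, so it is covered by SignatureValue and
        // is also the verifier's recipe for recomputing DigestValue. Strip it and re-check.
        Node t = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Transform").item(0);
        t.getParentNode().removeChild(t);
        System.out.println("Transform removed: " + validate(f, kp.getPublic(), doc));
    }

    static boolean validate(XMLSignatureFactory f, PublicKey key, Document doc) throws Exception {
        Node sig = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(key, sig);
        return f.unmarshalXMLSignature(ctx).validate(ctx);
    }
}
```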