XML Digital Signature throws NAMESPACE_ERR exception under OpenJDK 11 that works under Java SE 8, 9 and 10

Open eSignForms yozons at gmail.com
Wed Feb 13 21:23:54 UTC 2019


I checked the ETSI XAdES spec 
(http://uri.etsi.org/01903/v1.1.1/ts_101903v010101p.pdf) and it doesn't 
show any namespace on their entries for their QualifyingProperties 
element and all sub-elements under the ETSI example's element <ds:Object>.

But, their specification does show element <QualifyingProperties> should 
be under the namespace "http://uri.etsi.org/01903/v1.1.1#" as you added 
in your fixed code.

That is, when my snapshot element is digitally signed using the 
below, it fails with the NAMESPACE_ERR exception:

<snapshot xmlns="http://open.esignforms.com/XMLSchema/2011" 
timestamp="2019-02-13T11:02:30-08:00" type="document">

But if my snapshot is set up with the ETSI namespace URI, it works:

<snapshot xmlns="http://uri.etsi.org/01903/v1.1.1#" 
timestamp="2019-02-13T11:02:30-08:00" type="document">

So, it seems that the XMLSignature is noting that the 
<QualifyingProperties> belongs to the default namespace in both cases, 
but of course expects that particular element to belong to the ETSI 
namespace, not ours.

I presume that's correct behavior; I just didn't think that the 
XMLSignature.sign() knew about and was limited to that specific namespace.

If you agree that this is the correct behavior, I think it's not really 
a bug in Java 11, though it fails backwards compatibility.

The only oddity that remains is what I mentioned below with all the 
"&#13;" characters in the digests/signatures that appear in Java 11.  
They sure look odd compared to simple line breaks that presumably were 
emitted before.

David



On 2/13/19 11:20 AM, Open eSignForms wrote:
> Thanks, Sean.  I was able to find the updated test case source code.
>
> A preliminary review seems to show worthwhile changes to our code.  
> That is, the namespaces and such seem to make sense as you have them.
>
> In particular, the use of:
>
> domSignContext.putNamespacePrefix(XMLSignature.XMLNS, "dsig");
>
> and adding this namespace to additional elements we added:
>
>             String xmlns = "http://uri.etsi.org/01903/v1.1.1#";
>
> seem reasonable and an acceptable workaround for us.  I'm not sure if 
> those were oversights from before, but likely were the result of it 
> being based on Oracle/Java example code from Java 6 days...
>
> We'll incorporate your namespace changes in our code and test, but 
> this seems like it will work as I was able to confirm that your fixed 
> version seems to run on Java 10 and Java 11.
>
> It is interesting that the fixed code, though, generates different 
> output on Java 10 and Java 11.  I'm not positive, but it seems that 
> Java 11 adds '&#13;' to the end of many lines that aren't present in 
> Java 10's output.
>
> Under Java 10, a test run produces this result:
>
> <snapshot xmlns="http://open.esignforms.com/XMLSchema/2011" 
> timestamp="2019-02-13T11:02:30-08:00" type="document"><![CDATA[<html 
> xmlns="http://www.w3.org/1999/xhtml"><head></head><body><p>Dummy HTML 
> document</p></body></html>]]><dsig:Signature 
> xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" 
> Id="OpenESignForms_Seal"><dsig:SignedInfo><dsig:CanonicalizationMethod 
> Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/><dsig:SignatureMethod 
> Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/><dsig:Reference 
> Id="Payload_Reference_ID" URI=""><dsig:Transforms><dsig:Transform 
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></dsig:Transforms><dsig:DigestMethod 
> Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/><dsig:DigestValue>Zqmii2rv6C+bFM+CSO3s8sAGOrl67HEnv4t8XUgQd5iguf9m7vcVJn3pJz5inCZfx5V9lTtDaj0u 
>
> xbZSyWE5kQ==</dsig:DigestValue></dsig:Reference><dsig:Reference 
> URI="#KeyInfo_ID"><dsig:DigestMethod 
> Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/><dsig:DigestValue>kZM1pJpRXoeDuolU+kyK41BotQoW7ir5lfg/nNSMoC69bUC2OHzWbQ5Kug0gtrLVIuq5HRdzk6zc
> 2N2jA0WKMQ==</dsig:DigestValue></dsig:Reference><dsig:Reference 
> URI="#QualifyingProperties_ID"><dsig:DigestMethod 
> Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/><dsig:DigestValue>AFx1CJi739IWZwJL1Y5KU2B+ZioT3ONMBLwLTdT/NTysV/+KYF7lZMgEHaGtLxvc6haIKKKzZisr
> r2YDQVgs5w==</dsig:DigestValue></dsig:Reference><dsig:Reference 
> URI="#OpenESignForms_Seal_ID"><dsig:DigestMethod 
> Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/><dsig:DigestValue>jhVDd7nvr4s2bu7LRNHb7yj2gQRzAE7fXcsgonq2Qsn4EWNfpqNEVUViIy9jh86tTs5ZiakaGAEs
> l9YV1hNnEg==</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>...</dsig:SignatureValue><dsig:KeyInfo 
> Id="KeyInfo_ID"><dsig:KeyName>c42c747f-0f03-46a3-8ae8-81fc95464c8f</dsig:KeyName><dsig:KeyValue><dsig:RSAKeyValue><dsig:Modulus>...</dsig:Modulus><dsig:Exponent>AQAB</dsig:Exponent></dsig:RSAKeyValue></dsig:KeyValue><dsig:X509Data><dsig:X509Certificate>...</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo><dsig:Object><QualifyingProperties 
> xmlns:ns0="http://uri.etsi.org/01903/v1.1.1#" 
> ns0:Id="QualifyingProperties_ID" 
> xmlns="http://uri.etsi.org/01903/v1.1.1#"><SignedProperties><SignedSignatureProperties><SigningTime>2019-02-13T11:02:30-08:00</SigningTime></SignedSignatureProperties><SignedDataObjectProperties><DataObjectFormat 
> ns0:ObjectReference="#Payload_Reference_ID"><Description>description</Description><MimeType>text/html</MimeType></DataObjectFormat></SignedDataObjectProperties></SignedProperties></QualifyingProperties></dsig:Object><dsig:Object><dsig:SignatureProperties><dsig:SignatureProperty 
> Id="OpenESignForms_Seal_ID" 
> Target="#OpenESignForms_Seal"><OpenESignForms_XmlDigitalSignatureSeal 
> xmlns:ns0="http://open.esignforms.com/XMLSchema/2011" 
> ns0:DeploymentHostAddress="192.1.1.1" 
> xmlns:ns1="http://open.esignforms.com/XMLSchema/2011" 
> ns1:DeploymentHostName="open.esignforms.com" 
> xmlns:ns2="http://open.esignforms.com/XMLSchema/2011" 
> ns2:DeploymentId="1.1.1.1" 
> xmlns:ns3="http://open.esignforms.com/XMLSchema/2011" 
> ns3:SignerAddress="192.1.1.1" 
> xmlns:ns4="http://open.esignforms.com/XMLSchema/2011" 
> ns4:SignerAgent="No-Browser-Test" 
> xmlns:ns5="http://open.esignforms.com/XMLSchema/2011" 
> ns5:Timestamp="2019-02-13T11:02:30-08:00" 
> xmlns:ns6="http://open.esignforms.com/XMLSchema/2011" 
> ns6:Version="19.1.19"/></dsig:SignatureProperty></dsig:SignatureProperties></dsig:Object></dsig:Signature></snapshot>
>
> while when run under Java 11 it shows what seems to be the same 
> (clearly, the digest/hashes aren't the same as the 'timestamp' differs 
> because they are actual times) except for lots of '&#13;' added to the 
> digests and signatures:
>
> <snapshot xmlns="http://open.esignforms.com/XMLSchema/2011" 
> timestamp="2019-02-13T11:01:22-08:00" type="document"><![CDATA[<html 
> xmlns="http://www.w3.org/1999/xhtml"><head></head><body><p>Dummy HTML 
> document</p></body></html>]]><dsig:Signature 
> xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" 
> Id="OpenESignForms_Seal"><dsig:SignedInfo><dsig:CanonicalizationMethod 
> Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/><dsig:SignatureMethod 
> Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/><dsig:Reference 
> Id="Payload_Reference_ID" URI=""><dsig:Transforms><dsig:Transform 
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></dsig:Transforms><dsig:DigestMethod 
> Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/><dsig:DigestValue>LdB/ydGxr3VUoTshQtOvQNmMZmt2OHgLax4tSk9Lqb1c+X1h4Uc/RBVXwfI9QrVnITBz85Fi8Bwr&#13;
>
> 7wyMjw84cA==</dsig:DigestValue></dsig:Reference><dsig:Reference 
> URI="#KeyInfo_ID"><dsig:DigestMethod 
> Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/><dsig:DigestValue>FkpexxTwhpCPHHsMrKGnBXE5hkZ/x10ArpzjX6ltYfOilvVAubzc9sNPwo6phw//ot1rSKPU5jTB
> LRD7p7t50g==</dsig:DigestValue></dsig:Reference><dsig:Reference 
> URI="#QualifyingProperties_ID"><dsig:DigestMethod 
> Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/><dsig:DigestValue>LxB0xAsDxKqeyCflaSUgMQOMhoxP4Gl9GfvlpCiL/gd9rz36qG4roaFRl+4PBC+IxzGiRDOqzQYX
> x6gSn5d1IQ==</dsig:DigestValue></dsig:Reference><dsig:Reference 
> URI="#OpenESignForms_Seal_ID"><dsig:DigestMethod 
> Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/><dsig:DigestValue>Pqd+9yaeBMytcG1sTTpuq+Wrd3lZSC18j7lv6VQ6LjUSz9VN7uwVNNn1E79mY8H6XUI2jbd/IozM
> oba2KF46ig==</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>...</dsig:SignatureValue><dsig:KeyInfo 
> Id="KeyInfo_ID"><dsig:KeyName>184a40b0-78b6-4070-a7d7-1497078a06e4</dsig:KeyName><dsig:KeyValue><dsig:RSAKeyValue><dsig:Modulus>...</dsig:Modulus><dsig:Exponent>AQAB</dsig:Exponent></dsig:RSAKeyValue></dsig:KeyValue><dsig:X509Data><dsig:X509Certificate>...</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo><dsig:Object><QualifyingProperties 
> xmlns:ns0="http://uri.etsi.org/01903/v1.1.1#" 
> ns0:Id="QualifyingProperties_ID" 
> xmlns="http://uri.etsi.org/01903/v1.1.1#"><SignedProperties><SignedSignatureProperties><SigningTime>2019-02-13T11:01:22-08:00</SigningTime></SignedSignatureProperties><SignedDataObjectProperties><DataObjectFormat 
> ns0:ObjectReference="#Payload_Reference_ID"><Description>description</Description><MimeType>text/html</MimeType></DataObjectFormat></SignedDataObjectProperties></SignedProperties></QualifyingProperties></dsig:Object><dsig:Object><dsig:SignatureProperties><dsig:SignatureProperty 
> Id="OpenESignForms_Seal_ID" 
> Target="#OpenESignForms_Seal"><OpenESignForms_XmlDigitalSignatureSeal 
> xmlns:ns0="http://open.esignforms.com/XMLSchema/2011" 
> ns0:DeploymentHostAddress="192.1.1.1" 
> xmlns:ns1="http://open.esignforms.com/XMLSchema/2011" 
> ns1:DeploymentHostName="open.esignforms.com" 
> xmlns:ns2="http://open.esignforms.com/XMLSchema/2011" 
> ns2:DeploymentId="1.1.1.1" 
> xmlns:ns3="http://open.esignforms.com/XMLSchema/2011" 
> ns3:SignerAddress="192.1.1.1" 
> xmlns:ns4="http://open.esignforms.com/XMLSchema/2011" 
> ns4:SignerAgent="No-Browser-Test" 
> xmlns:ns5="http://open.esignforms.com/XMLSchema/2011" 
> ns5:Timestamp="2019-02-13T11:01:22-08:00" 
> xmlns:ns6="http://open.esignforms.com/XMLSchema/2011" 
> ns6:Version="19.1.19"/></dsig:SignatureProperty></dsig:SignatureProperties></dsig:Object></dsig:Signature></snapshot>
>
>
> It's particularly odd because hex 13 isn't a typical character (^S).
>
> Any idea what that difference is about for the base64 digests and 
> signatures?
>
> David
>
>
> On 2/13/19 6:03 AM, Sean Mullan wrote:
>> On 2/12/19 6:28 PM, Open eSignForms wrote:
>>> Thanks for the update, Sean.  I'm a bit perplexed because I found 
>>> the original code works under Java 9 and Java 10, so it seems like 
>>> the change occurred in Java 11.
>>
>> Sorry, that was a typo, I meant to say JDK 11.
>>
>>> I don't see the modified version of the test case.  If you attached 
>>> it, it somehow didn't make it through to me.
>>>
>>> If it's just a matter of making the code more correct, we'd love to 
>>> make the changes.  My concern, of course, is that we've already done 
>>> millions of XML digital signatures, so we need that to continue to 
>>> verify correctly (and even under Java 11, it seems that the verify 
>>> code works against previously digitally signed content) even if we 
>>> now start digitally signing using more up-to-date code.
>>
>> The verification of pre-existing signatures should continue to work 
>> regardless of how this bug is addressed.
>>
>>> Please send over the modified test case and I'll take a look.
>>
>> It is attached to the bug report in the Attachments section: 
>> https://bugs.openjdk.java.net/browse/JDK-8218629 (make sure you 
>> download the one I added yesterday).
>>
>> --Sean
>>
>>>
>>> Thanks!
>>> David
>>>
>>> On 2/12/19 2:14 PM, Sean Mullan wrote:
>>>> The bug is now at https://bugs.openjdk.java.net/browse/JDK-8218629
>>>>
>>>> I have started looking at this issue and have some progress I can 
>>>> report.
>>>>
>>>> In JDK 9, we updated the version of the Apache XML Signature 
>>>> implementation in the JDK. Some of the marshalling code was 
>>>> rewritten such that it will throw Exceptions if legacy DOM level 1 
>>>> methods were used to create XML content which is then passed into 
>>>> XMLObject and similar XMLSignature types that take DOMStructure 
>>>> objects. This is because the DOM level 1 methods do not support 
>>>> namespaces.
>>>>
>>>> I am still evaluating what the best fix is. However, you can 
>>>> work around the issue by always using DOM level 3 methods which are 
>>>> namespace aware. For example, use Document.createElementNS instead 
>>>> of Document.createElement and Element.createAttributeNS instead of 
>>>> Element.createAttribute.
>>>>
>>>> Using legacy or non-namespace aware XML parsers or implementations 
>>>> is not recommended and the XML Signature Best Practices document 
>>>> gives some rationale: 
>>>> https://www.w3.org/TR/xmldsig-bestpractices/#signing-xml-without-namespaces 
>>>>
>>>> That said, this is a regression in behavior so it would be best if 
>>>> we could restore the previous behavior.
>>>>
>>>> I have attached a modified version of the test case to the bug 
>>>> report which no longer throws an Exception. Let me know if this is 
>>>> an acceptable workaround. Double-check the namespaces that I used 
>>>> to make sure they are correct.
>>>>
>>>> --Sean
>>>>
>>>>
>>>> On 2/7/19 11:23 AM, Open eSignForms wrote:
>>>>
>>>>> On 2/7/19 7:49 AM, Sean Mullan wrote:
>>>>>> On 2/6/19 4:51 PM, Open eSignForms wrote:
>>>>>>> I have a test version of the code that can run standalone and 
>>>>>>> shows the bug.  I'm not sure how best to transfer this 
>>>>>>> information to the forum for those to play with, but it is 
>>>>>>> included below.
>>>>>>
>>>>>> Thanks, I can reproduce the issue now. I will need to debug 
>>>>>> further to see what might be causing this.
>>>>>>
>>>>>> --Sean
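
The workaround discussed in the quoted replies (namespace-aware DOM calls plus putNamespacePrefix), as an added example that is not code from the thread or from the test case attached to the bug report. The class name, the sample payload and the throwaway RSA key are constructed for illustration; it signs the same content once with DOM level 1 nodes and once with createElementNS and reports each outcome on the running JDK.

```java
import java.io.StringReader;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.List;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class QualifyingPropertiesNamespaces {
    static final String XADES_NS = "http://uri.etsi.org/01903/v1.1.1#";
    // Constructed sample payload, modelled on the <snapshot> element in the thread.
    static final String SNAPSHOT = "<snapshot type=\"document\" "
        + "xmlns=\"http://open.esignforms.com/XMLSchema/2011\">Dummy document</snapshot>";

    // Builds QualifyingProperties/SigningTime with DOM level 1 calls (no namespace
    // information on the nodes) or with the namespace-aware equivalents.
    static Element qualifyingProperties(Document doc, boolean namespaceAware) {
        Element qp = namespaceAware
            ? doc.createElementNS(XADES_NS, "QualifyingProperties")
            : doc.createElement("QualifyingProperties"); // getLocalName() returns null
        Element time = namespaceAware
            ? doc.createElementNS(XADES_NS, "SigningTime")
            : doc.createElement("SigningTime");
        time.setTextContent("2019-02-13T11:02:30-08:00");
        qp.appendChild(time);
        return qp;
    }

    // Signs the sample with an enveloped signature that carries the properties in a
    // dsig:Object, then validates it on the same DOM. Returns a one-line outcome.
    static String signSnapshot(KeyPair kp, boolean namespaceAware) {
        try {
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            dbf.setNamespaceAware(true);
            Document doc = dbf.newDocumentBuilder()
                .parse(new InputSource(new StringReader(SNAPSHOT)));
            Element snapshot = doc.getDocumentElement();
            XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
            Reference payload = f.newReference("",
                f.newDigestMethod(DigestMethod.SHA512, null),
                List.of(f.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
            SignedInfo si = f.newSignedInfo(
                f.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE,
                    (C14NMethodParameterSpec) null),
                f.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512", null),
                List.of(payload));
            XMLObject props = f.newXMLObject(
                List.of(new DOMStructure(qualifyingProperties(doc, namespaceAware))),
                null, null, null);
            DOMSignContext sc = new DOMSignContext(kp.getPrivate(), snapshot);
            sc.putNamespacePrefix(XMLSignature.XMLNS, "dsig");
            f.newXMLSignature(si, null, List.of(props), "Seal", null).sign(sc);
            DOMValidateContext vc = new DOMValidateContext(kp.getPublic(), snapshot.getLastChild());
            return "signed, validates=" + f.unmarshalXMLSignature(vc).validate(vc);
        } catch (Exception e) { // covers the unchecked DOMException as well
            return "failed: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // throwaway key generated for this run
        // The thread reports NAMESPACE_ERR for the first call on OpenJDK 11.
        System.out.println("createElement:   " + signSnapshot(kp, false));
        System.out.println("createElementNS: " + signSnapshot(kp, true));
    }
}
```

The properties object here is carried in the signature but not referenced from SignedInfo; the thread's real documents add a Reference to `#QualifyingProperties_ID`, which also requires the Id attribute to be registered with the signing and validating contexts.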

More information about the security-dev mailing list