Vytek / xades4j

Automatically exported from code.google.com/p/xades4j
GNU Lesser General Public License v3.0

XAdES-BES signature invalid when using namespace #30

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
When signing an XML file using a transform, the presence of a namespace 
attribute in the root node causes the signature to be invalid.

To reproduce this issue, do the following:
1. Compile and run the Java file. You will need to add your own certificate and maybe modify the paths if you like.
2. Validate the certificate. It will fail.
3. Replace petition_ns.xml with petition.xml. The only difference is the namespace references.
4. Re-run. This will now validate.

What is the expected output? What do you see instead?
I would expect to see consistent validation regardless of namespace attributes.

What version of the product are you using? On what operating system?
1.2.0

Original issue reported on code.google.com by r...@nmi.uk.com on 7 Dec 2011 at 2:49


GoogleCodeExporter commented 9 years ago
What's the exception you're getting? Can you write its stack trace?

Original comment by luis.fgoncalv on 29 Jan 2012 at 3:10

GoogleCodeExporter commented 9 years ago
Running your code got me one exception related to SigningCertificate property 
validation. I was using the "my" directory (of XAdES4j tests) as the cert store 
directory, supplied to your XAdESSignatureEvaluator constructor. I looked into 
your code and the certificates in that directory are being added to a trust 
anchors key store. This means that the signing certificate itself was also 
added. On verification, the certificate chain will contain only the signing 
cert because it is a trust anchor. Then the property verification fails because 
the property contains more certificate references than those in the 
certification chain.

I haven't tested the version without namespaces, but fixing the problem above 
made the verification succeed.

I think there's nothing wrong with the lib here. Can you double check?

Original comment by luis.fgoncalv on 29 Jan 2012 at 3:20

GoogleCodeExporter commented 9 years ago
OK, the behavior I described in the previous comment does happen, but I actually 
made another change first. Your code didn't have 
dbFactory.setNamespaceAware(true) in the getDocument method prior to the sign 
operation.

Original comment by luis.fgoncalv on 29 Jan 2012 at 6:13
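
The parser setting identified in the comment above, as an added example that is not part of the original thread or the xades4j code: the same XML is parsed with and without setNamespaceAware(true) to show how the DOM handed to a signer differs, followed by a guard to run before signing. The sample document, its namespace URI, the class name and the requireNamespaceAware helper are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class NamespaceAwareCheck {
    // Constructed sample input; not the petition_ns.xml attached to the report.
    static final String XML =
        "<petition xmlns=\"urn:example:petition\"><name>test</name></petition>";

    static Document parse(boolean namespaceAware) throws Exception {
        DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
        dbFactory.setNamespaceAware(namespaceAware); // the JAXP default is false
        dbFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return dbFactory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(XML.getBytes(StandardCharsets.UTF_8)));
    }

    // Hypothetical guard: nodes built by a namespace-unaware parser are DOM Level 1
    // nodes, and getLocalName() returns null for them.
    static void requireNamespaceAware(Document doc) {
        if (doc.getDocumentElement().getLocalName() == null) {
            throw new IllegalStateException(
                "Document parsed without setNamespaceAware(true); refusing to sign");
        }
    }

    static void describe(String label, Document doc) {
        Element root = doc.getDocumentElement();
        Attr xmlns = root.getAttributeNode("xmlns");
        // In the unaware DOM the xmlns declaration is an ordinary attribute and the
        // element has no namespace URI, so signer and verifier see different trees.
        System.out.printf("%s: localName=%s namespaceURI=%s xmlnsAttrNamespace=%s%n",
                label, root.getLocalName(), root.getNamespaceURI(), xmlns.getNamespaceURI());
    }

    public static void main(String[] args) throws Exception {
        describe("namespaceAware=false", parse(false));
        describe("namespaceAware=true ", parse(true));
        requireNamespaceAware(parse(true));      // passes
        try {
            requireNamespaceAware(parse(false)); // rejected before any signing happens
        } catch (IllegalStateException e) {
            System.out.println("guard: " + e.getMessage());
        }
    }
}
```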

GoogleCodeExporter commented 9 years ago

Original comment by luis.fgoncalv on 29 Jan 2012 at 6:19

GoogleCodeExporter commented 9 years ago
Thanks Luis, that was the problem. Adding the setNamespaceAware(true) line 
solved the problem.

Many thanks again, this issue can now be closed.

Original comment by r...@nmi.uk.com on 1 Feb 2012 at 11:29

GoogleCodeExporter commented 9 years ago

Original comment by luis.fgoncalv on 1 Feb 2012 at 11:32