Hi Micha,

Can you modify the test case a bit so that verification fails with XMLSec
4.0.0 and submit it in the format of a unit test case to the project?
That'll allow us to diagnose it better.

I did a git bisect and it appears this massive commit is the problem:

ccac0cb862a9e8b0632f017e9970906f2e1c6543 is the first bad commit
commit ccac0cb862a9e8b0632f017e9970906f2e1c6543
Author: David Matějček <[email protected]>
Date:   Tue Aug 8 15:08:17 2023 +0200

    New version, Java 11, System.Logger, AutoCloseable, XmlSignatureInput types (#192)

Colm.


On Wed, Sep 4, 2024 at 12:27 PM Micha Wensveen <[email protected]>
wrote:

> Hi,
>
> I created a small test project that generates a signature with an XPath
> transformation
> I did some tests and found
> 1) the result of the transformation is the same when using Santuario 3.0.4
> and when using Santuario 4.0.2
>    (based on the result of
> org.apache.xml.security.signature.Reference.getContentsAfterTransformation)
> 2) The digest in the signature created by Santuario 3.0.4 is different
> than the digest created by Santuario 4.0.2
> 3) When using a different XPath expression, Santuario 3.0.4 generates a
> different digest (as expected because the result of the transformation is
> different).
>    But Santuario 4.0.2 generates the same digest as the first XPath
> expression.
>
>  <ds:DigestValue>47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=</ds:DigestValue>
>
> Enclosed also the results of the signature generation and the
> contentsAfterGeneration and a hash of the contentAfterGeneration.
>
> Any help will be appreciated.
>
> kind regards,
>
> Micha Wensveen
>
> Solution Architect
>
> Visma Connect B.V.
>
> Lange Kleiweg 6
>
> 2288 GK Rijswijk, The Netherlands
>
> Mobile +31658872337
>
> www.suresync.nl
>
>
> This communication is intended for the person(s) named above only. It
> contains information that is confidential and legally privileged. If
> received in error, please delete this e-mail and notify the sender.
>
>
>
> On Mon, 2 Sept 2024 at 12:52, Colm O hEigeartaigh <[email protected]>
> wrote:
>
>> Hi,
>>
>> I don't see anything obvious as to why it doesn't work, maybe a bug.
>> Can you create a testcase please that reproduces the problem?
>>
>> Colm.
>>
>> On Mon, Sep 2, 2024 at 7:49 AM Micha Wensveen <[email protected]>
>> wrote:
>> >
>> > Good Morning,
>> >
>> > I hope somebody can help me.
>> >
>> > I upgraded my application from using xmlsec 3.0.4 to 4.0.2.
>> > However, when I validate a digital signature that has been created with version 3.0.4, it fails validation with these log messages:
>> >
>> > 2024-09-02 06:32:17,581 [main] WARN o.a.xml.security.signature.Reference - Verification failed for URI "myfile.xml"
>> > 2024-09-02 06:32:17,582 [main] WARN o.a.xml.security.signature.Reference - Expected Digest: dsslKYCcuSb+MHq9e36/JbugIuP7LdkLlUqiScdqgXs=
>> > 2024-09-02 06:32:17,582 [main] WARN o.a.xml.security.signature.Reference - Actual Digest: 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
>> >
>> > This only happens when using xpath transformation
>> >
>> > <ds:Reference Id="xmldsig-ref1" URI="myfile.xml">
>> > <ds:Transforms>
>> > <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
>> > <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
>> > <dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2" xmlns:xbrli="http://www.xbrl.org/2003/instance" Filter="intersect">xbrli:xbrl//*[@id!='' and not(starts-with(@id, 'kvk-i_DocumentAdoption'))]</dsig-xpath:XPath>
>> > </ds:Transform>
>> > </ds:Transforms>
>> > <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>> > <ds:DigestValue>dsslKYCcuSb+MHq9e36/JbugIuP7LdkLlUqiScdqgXs=</ds:DigestValue>
>> > </ds:Reference>
>> >
>> > Is there a migration document to migrate to version 4?
>> > Is there something that I need to change in my code?
>> >
>> > Any help will be appreciated.
>> >
>> >
>> > kind regards,
>> >
>> >
>> > Micha Wensveen
>> >
>> >
>> >
>> >
>> >
>>
>
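
An added example, not part of the thread and not Santuario code: the digest reported for 4.0.2 in the messages above, `47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=`, is the base64 SHA-256 of zero bytes, which fits the report that it does not change with the XPath expression. The script below flags any `ds:Reference` whose `DigestValue` is the hash of empty input; the function names, the `SignedInfo` wrapper and the second URI are assumptions made for the demonstration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# DigestMethod URIs mapped to hashlib names (a subset of the XML Signature algorithms).
DIGESTS = {
    DS + "sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384": "sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512": "sha512",
}

def empty_input_digest(algorithm_uri):
    """Base64 digest of zero bytes, i.e. what a Reference holds if nothing was hashed."""
    h = hashlib.new(DIGESTS[algorithm_uri], b"")
    return base64.b64encode(h.digest()).decode("ascii")

def find_empty_digests(signed_info_xml):
    """Return (URI, DigestValue) for each ds:Reference digested over empty input."""
    hits = []
    for ref in ET.fromstring(signed_info_xml).iter("{%s}Reference" % DS):
        method = ref.find("{%s}DigestMethod" % DS)
        value = ref.find("{%s}DigestValue" % DS)
        if method is None or value is None:
            continue
        uri = method.get("Algorithm")
        digest = "".join((value.text or "").split())  # drop line-wrap whitespace
        if uri in DIGESTS and digest == empty_input_digest(uri):
            hits.append((ref.get("URI"), digest))
    return hits

# Constructed SignedInfo: the two digest values are the ones quoted in the thread;
# the wrapper element and the second URI are made up for the demonstration.
SAMPLE = """<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Reference URI="myfile.xml">
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue>dsslKYCcuSb+MHq9e36/JbugIuP7LdkLlUqiScdqgXs=</ds:DigestValue>
  </ds:Reference>
  <ds:Reference URI="myfile-4.0.2.xml">
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue>47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>"""

if __name__ == "__main__":
    for uri, digest in find_empty_digests(SAMPLE):
        print("empty-input digest in Reference %r: %s" % (uri, digest))
```

Run over signatures produced after a library upgrade, a hit means the transform chain handed the digester no bytes, so the reference protects nothing in the document.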
