Hi Colm

First, thank you for the time you're putting into this. It is really
appreciated.

I created 2 unit tests.
One for generating the signature and one for validation.
Both tests fail on 4.0.2 but are successful on 3.0.4.

The validation unit test uses a signature that is created with Santuario
3.0.4.

I hope these unit tests help.

If you need more information or other unit tests please let me know.

kind regards,

Micha Wensveen

Solution Architect

Visma Connect B.V.

Lange Kleiweg 6

2288 GK Rijswijk, The Netherlands

Mobile +31658872337

www.suresync.nl


This communication is intended for the person(s) named above only. It
contains information that is confidential and legally privileged. If
received in error, please delete this e-mail and notify the sender.



On Tue, 10 Sept 2024 at 03:25, Colm O hEigeartaigh <[email protected]>
wrote:

> Hi Micha,
>
> Can you modify the test case a bit so that verification fails with XMLSec
> 4.0.0 and submit it in the format of a unit test case to the project?
> That'll allow us to diagnose it better.
>
> I did a git bisect and it appears this massive commit is the problem:
>
> ccac0cb862a9e8b0632f017e9970906f2e1c6543 is the first bad commit
> commit ccac0cb862a9e8b0632f017e9970906f2e1c6543
> Author: David Matějček <[email protected]>
> Date:   Tue Aug 8 15:08:17 2023 +0200
>
>     New version, Java 11, System.Logger, AutoCloseable, XmlSignatureInput types (#192)
>
> Colm.
>
>
> On Wed, Sep 4, 2024 at 12:27 PM Micha Wensveen <[email protected]>
> wrote:
>
>> Hi,
>>
>> I created a small test project that generates a signature with an XPath
>> transformation.
>> I did some tests and found:
>> 1) The result of the transformation is the same when using Santuario
>> 3.0.4 and when using Santuario 4.0.2
>>    (based on the result of
>> org.apache.xml.security.signature.Reference.getContentsAfterTransformation)
>> 2) The digest in the signature created by Santuario 3.0.4 is different
>> than the digest created by Santuario 4.0.2
>> 3) When using a different XPath expression, Santuario 3.0.4 generates a
>> different digest (as expected because the result of the transformation is
>> different).
>>    But Santuario 4.0.2 generates the same digest as the first XPath
>> expression.
>>
>>  
>> <ds:DigestValue>47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=</ds:DigestValue>
>>
>> Enclosed also the results of the signature generation and the
>> contentsAfterGeneration and a hash of the contentAfterGeneration.
>>
>> Any help will be appreciated.
>>
>> kind regards,
>>
>> Micha Wensveen
>>
>> On Mon, 2 Sept 2024 at 12:52, Colm O hEigeartaigh <[email protected]>
>> wrote:
>>
>>> Hi,
>>>
>>> I don't see anything obvious as to why it doesn't work, maybe a bug.
>>> Can you create a testcase please that reproduces the problem?
>>>
>>> Colm.
>>>
>>> On Mon, Sep 2, 2024 at 7:49 AM Micha Wensveen <[email protected]>
>>> wrote:
>>> >
>>> > Good Morning,
>>> >
>>> > I hope somebody can help me.
>>> >
>>> > I upgraded my application from using xmlsec 3.0.4 to 4.0.2.
>>> > However when I validate a digital signature that has been created with
>>> > version 3.0.4 it fails validation with these log messages
>>> >
>>> > 2024-09-02 06:32:17,581 [main] WARN o.a.xml.security.signature.Reference - Verification failed for URI "myfile.xml"
>>> > 2024-09-02 06:32:17,582 [main] WARN o.a.xml.security.signature.Reference - Expected Digest: dsslKYCcuSb+MHq9e36/JbugIuP7LdkLlUqiScdqgXs=
>>> > 2024-09-02 06:32:17,582 [main] WARN o.a.xml.security.signature.Reference - Actual Digest: 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
>>> >
>>> > This only happens when using xpath transformation
>>> >
>>> > <ds:Reference Id="xmldsig-ref1" URI="myfile.xml">
>>> > <ds:Transforms>
>>> > <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
>>> > <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
>>> > <dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2" xmlns:xbrli="http://www.xbrl.org/2003/instance" Filter="intersect">xbrli:xbrl//*[@id!='' and not(starts-with(@id, 'kvk-i_DocumentAdoption'))]</dsig-xpath:XPath>
>>> > </ds:Transform>
>>> > </ds:Transforms>
>>> > <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>>> > <ds:DigestValue>dsslKYCcuSb+MHq9e36/JbugIuP7LdkLlUqiScdqgXs=</ds:DigestValue>
>>> > </ds:Reference>
>>> >
>>> > Is there a migration document to migrate to version 4?
>>> > Is there something that I need to change in my code?
>>> >
>>> > Any help will be appreciated.
>>> >
>>> >
>>> > kind regards,
>>> >
>>> >
>>> > Micha Wensveen
>>> >
>>>
>>

<<attachment: santario-unittest.zip>>
