DO NOT REPLY [Bug 40921] New: - XML contents modified and signature normally validated.

2006-11-07 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=40921

   Summary: XML contents modified and signature normally validated.
   Product: Security
   Version: unspecified
  Platform: Other
OS/Version: other
Status: NEW
  Severity: normal
  Priority: P2
 Component: Signature
AssignedTo: security-dev@xml.apache.org
ReportedBy: [EMAIL PROTECTED]


Hello

I am using the XML Signature API (javax.xml.crypto) in order to generate and
verify signatures in XML documents (enveloped type).

When verifying the signature, if I have changed some data, the signature is
invalidated (that's OK and correct). But if I have changed the content of the
tag by putting in a different certificate, the signature is normally validated.

I defined the  indicating that the whole document must be
signed (according to the W3C specifications).

Is there something wrong?

Here is my xml before sign:
===

 
- 
  2006 
  2 
  52A 
  15 
  2 
  3 
- 
- 
  1 
  1.0 
  2 
  
- 
  2 
  3.0 
  4 
  
- 
  3 
  5.0 
  6 
  
- 
  4 
  7.0 
  8 
  
  
 


Here is my xml after sign:
===


 
- 
  2006 
  2 
  52A 
  15 
  2 
  3 
- 
- 
  1 
  1.0 
  2 
  
- 
  2 
  3.0 
  4 
  
- 
  3 
  5.0 
  6 
  
- 
  4 
  7.0 
  8 
  
  
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    <Reference URI="">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <DigestValue>ltbvesKBO+VTvcovJyJ0VVkSaJM=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>
I0lQECSCl5ITnF8uK/uMDZO2dgo0eLWFz4GMrV6I+FZmN2TbCr6Nj4LF62I7s2DVVrXybEsJmn/i
00EPNyYflhQjbp2/EXFZ+pu8wu5mRtm2LmcRGXbJz6CBEkfOXzFdE8lmw3MPmDT/NsnM3KXavDJZ
Ah2xubknF/+Mjq7WDQE=
  </SignatureValue>
  <KeyInfo>
    <KeyValue>
      <RSAKeyValue>
        <Modulus>
unmSpz4AW43DBUeUtbGDxyEBOmKUiAM136ZrGOlJRzximnaFjABuQ7Ucix5Ru60DLlUH5Q3KHfDW
aimUe3ufnWUWSGkbNUGYtwdqv/54LvTvW3SMA0IuvfqUmdF+AJgHCWv0rEYizswKaeNgMak+/oWL
MBrOwE2+fhB6l87tBo8=
        </Modulus>
        <Exponent>AQAB</Exponent>
      </RSAKeyValue>
    </KeyValue>
    <X509Data>
      <X509Certificate>...</X509Certificate>
    </X509Data>
  </KeyInfo>
</Signature>
  

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug, or are watching the assignee.


DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

2006-11-07 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=40921

--- Additional Comments From [EMAIL PROTECTED]  2006-11-07 21:18 ---
An enveloped signature omits anything inside the Signature element apart from
SignedInfo. KeyInfo is not commonly signed. The only attack possible is against
broken software that doesn't understand that KeyInfo is advisory, not trusted
information.


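The comment above is the whole point of this thread: with an enveloped signature the Reference covers the document minus the Signature element, so KeyInfo is never part of what is signed, and a verifier that takes its verification key from KeyInfo is trusting the attacker to name the key. The following is an added example written for this page (it is neither the reporter's code nor part of the Apache XML Security project) that reproduces the situation with the same javax.xml.crypto API the report uses and shows the safe alternative. Everything in it is assumed for illustration: the class and selector names, the constructed sample document, RSA-SHA256 in place of the report's RSA-SHA1, and key pinning as the out-of-band trust source (validating the KeyInfo certificate against a trust anchor you control is the other acceptable policy; accepting a raw KeyValue is not).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

/* Hypothetical demo class; names below are the editor's, not the reporter's. */
public class KeyInfoTrustDemo {
    static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** Namespace-aware DOM parse with DTDs disabled, so the verifier cannot be fed entity tricks. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder()
                  .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Enveloped signature over the whole document (Reference URI=""), as in the report,
     *  with the signer's public key advertised in KeyInfo/KeyValue. */
    static void sign(Document doc, KeyPair kp) throws Exception {
        Reference ref = FAC.newReference("", FAC.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(FAC.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = FAC.newSignedInfo(
            FAC.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            FAC.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        KeyInfoFactory kif = FAC.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        FAC.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
    }

    /** Core validation of the single ds:Signature in the document under a key-selection policy. */
    static boolean verify(Document doc, KeySelector policy) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return false;   // refuse zero or several Signature elements
        DOMValidateContext ctx = new DOMValidateContext(policy, sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        return FAC.unmarshalXMLSignature(ctx).validate(ctx);
    }

    /** UNSAFE policy: use whatever public key the (unsigned) KeyInfo advertises. */
    static final KeySelector TRUST_KEYINFO = new KeySelector() {
        public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose,
                                        AlgorithmMethod method, XMLCryptoContext context)
                throws KeySelectorException {
            for (Object item : keyInfo.getContent()) {
                if (item instanceof KeyValue) {
                    try {
                        final PublicKey pk = ((KeyValue) item).getPublicKey();
                        return new KeySelectorResult() { public Key getKey() { return pk; } };
                    } catch (KeyException e) { throw new KeySelectorException(e); }
                }
            }
            throw new KeySelectorException("no KeyValue in KeyInfo");
        }
    };

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair signer = kpg.generateKeyPair();     // the legitimate signer
        KeyPair attacker = kpg.generateKeyPair();   // anyone who owns a key pair
        // SAFE policy: ignore KeyInfo and verify against the key trusted out of band.
        KeySelector pinned = KeySelector.singletonKeySelector(signer.getPublic());

        String original = "<Order><Qty>15</Qty></Order>";   // constructed sample document
        Document genuine = parse(original);
        sign(genuine, signer);
        System.out.println("genuine, key from KeyInfo: " + verify(genuine, TRUST_KEYINFO));
        System.out.println("genuine, pinned key:       " + verify(genuine, pinned));

        // The report's observation: KeyInfo lies outside the signed region, so rewriting it
        // (here: deleting it outright) does not disturb the digest or the signature value.
        Element ki = (Element) genuine.getElementsByTagNameNS(XMLSignature.XMLNS, "KeyInfo").item(0);
        ki.getParentNode().removeChild(ki);
        System.out.println("KeyInfo removed, pinned key: " + verify(genuine, pinned));

        // The real attack: tamper, re-sign with the attacker's key, advertise that key in KeyInfo.
        Document forged = parse(original.replace("15", "1500"));
        sign(forged, attacker);
        System.out.println("forged, key from KeyInfo:  " + verify(forged, TRUST_KEYINFO));
        System.out.println("forged, pinned key:        " + verify(forged, pinned));
    }
}
```

Compile and run with any JDK that ships the java.xml.crypto module (no third-party jars). The genuine document validates under both policies, and still validates under the pinned policy after its KeyInfo has been deleted, which is exactly what the reporter saw when swapping the certificate: the bytes of KeyInfo were never under the signature. The forged document, re-signed by the attacker, is accepted by TRUST_KEYINFO because the attacker supplied both the signature and the key it verifies against; only the pinned policy rejects it. The single-Signature check in verify is cheap hygiene: a verifier should decide which Signature element it is validating rather than letting the document decide.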