Re: [ebxmlms-develop] troubles with signed acks (still)

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi Gait,

> I would still strongly propose to pass the message to xmlsec as a string,
> simply to avoid issues with JAXM and dom4j. In fact, for received messages I
> believe it's the only way. both JAXM and Axis do 'something' that renders
> the received message different from the one passed to xmlsec. For
> verification, you must pass in the received data as is to have any chance of
> succesful verification. It's not a big deal to plug in a call to
> getContent() and rewrapping xml sec to support string based verification,
> and will solve at least that part of the problem.
> But even for outgoing messages, I'd still propose to first render the
> message and then pass it on to xmlsec for signing. If not, you need to be
> sure that whatever is passed to xmlsec is identical to what's sent out on
> the wire, otherwise the hash will mismatch and verification is bound to fail
> again.

        I ever think of this solution before and would take this as the
"last" resort. Again, ideally speaking, if JAXM, Axis or xmlsec does not
have those "nice" features in rendering XML representation, using JAXP
transformer (from SOAP to DOM) would be really a simple and natural one.
Now, if we switch to string, which is supposed to be a byte-by-byte faithful
representation, we have to do more tasks as follows.

        In verification, instead of manipulating the SOAP object (which is
a parsed representation of a message), the received message stream from HTTP
or persisted file stream has to be extracted (for SOAPPart bytes and
payload bytes) and fed into xmlsec.

        In signing, one is not going to sign the SOAP object but has to
sign what is anticipated to be serialized in the network stream.

        I ever did an experiment several days ago on the sample file and
X509 certificate that Peter Mayne sent us before. The sample file is
supposed to be generated by other XML security implementation. I copy
and modify the VerifySignature.java example bundled with xmlsec to verify
this sample file. The result is that the digest for URI="" and URI for
payload are successfully verified but the signature value fails!!!

        Sigh... I wonder which XML security implementation can be used
as a reference and I don't know if xmlsec is doing the right thing.

        So, the conclusion is that we may go for String feeding into
xmlsec to remove the "uncertainty" of JAXM or Axis. But it is not guaranteed
whether the result really works and is interoperable with other
implementations.

> just my EUR 0.02.

        Ha.... EUR 0.02 ~= HK 0.176, your suggestion is far more than
2 cents. :-)

Regards,
CY

----------------------------------------------------------------------------
Ng Chi Yuen, CY.       cy...@ce...       http://www.cecid.hku.hk/
Technology Officer,
Centre for E-Commerce Infrastructure Development,
The University of Hong Kong
----------------------------------------------------------------------------