From: Ng C. Y. <cy...@cs...> - 2003-07-15 06:33:49
Hi,
> I wrote a small standalone Java utility that does signature verification
> just like Hermes (with the Apache xmlsec classes), and it predictably
> verifies Hermes messages but not Tibco messages.
Digital signature has been a problem for a very long time, ever since
Hermes was developed. Some observations have also been discussed on this list
before. We, including Gait Boxman, have been working on this problem again
and tracing the xmlsec source code recently.
Up to now, what I can say is that Hermes should already have
followed the signing and verification mechanism as bundled in the xmlsec
examples. For signing, *given* xmlsec is correct, Hermes should produce a
correct and predictable message, since an EbxmlMessage is just serialized to
obtain the bytes, which are fed into xmlsec for signing.
For verification, the situation may be more complicated. The key
point of my finding is: when a message byte stream is received, it is parsed
to become an EbxmlMessage object. However, in this process, JAXM re-orders the
namespace declarations! That is to say, EbxmlMessage.writeTo() would give you
a message different from the received bytes. There is uncertainty whether
such re-ordering breaks the signature. We may have to feed the original
bytes into xmlsec. Given that xmlsec handles the namespaces correctly (whatever
the SOAP prefix), it should finally validate the message.
> How has Hermes performed in interoperability tests when it comes to
> digital signatures? What can we do to assist Tibco in sorting this out?
Digital signature has not yet undergone an interoperability test in
ebXML Asia. In order to figure out the problem, is it possible for Tibco to do
the signature step by step, so that the intermediate signing output can be
recorded? We are facing the problem of which DS implementation can be "trusted",
in the sense that it is proven to be correct. You may now have to trace, say,
the transformed output and then the canonicalized output manually, in order
to figure out the problem.
Regards,
CY
----------------------------------------------------------------------------
Ng Chi Yuen, CY. cy...@ce... http://www.cecid.hku.hk/
Technology Officer,
Centre for E-Commerce Infrastructure Development,
The University of Hong Kong
----------------------------------------------------------------------------
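An added illustration of the point raised in the mail above (example code, not from Hermes, Tibco or xmlsec): a parse/re-serialize round trip that only re-orders namespace declarations changes the raw bytes, but not the canonicalized form that XML Signature actually digests, whereas a different SOAP prefix does change the canonical form, because C14N preserves prefixes. It uses Python's `xml.etree.ElementTree.canonicalize` (C14N 2.0, not the C14N 1.0 / exclusive C14N profiles xmlsec implements, but the namespace-ordering and prefix rules shown here are the same), and the ebXML header namespace URI is a constructed placeholder.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
EB_NS = "urn:example:ebxml-msg-header"  # constructed placeholder, not the real ebMS URI


def envelope(soap_prefix, ns_decls):
    """Build a tiny ebXML-style envelope; ns_decls is the xmlns attribute text."""
    p = soap_prefix
    return (
        f"<{p}:Envelope {ns_decls}>"
        f'<{p}:Header><eb:MessageHeader eb:version="2.0">'
        f"<eb:From><eb:PartyId>sender</eb:PartyId></eb:From>"
        f"</eb:MessageHeader></{p}:Header><{p}:Body/></{p}:Envelope>"
    )


# Constructed samples: the bytes "on the wire", the same infoset after a
# round trip that re-ordered the xmlns declarations (the JAXM behaviour
# described in the mail), and the same message with another SOAP prefix.
ORIGINAL = envelope("SOAP-ENV", f'xmlns:SOAP-ENV="{SOAP_NS}" xmlns:eb="{EB_NS}"')
REORDERED = envelope("SOAP-ENV", f'xmlns:eb="{EB_NS}" xmlns:SOAP-ENV="{SOAP_NS}"')
REPREFIXED = envelope("soap", f'xmlns:soap="{SOAP_NS}" xmlns:eb="{EB_NS}"')


def raw_digest(xml_text):
    """Digest of the serialized bytes as received, with no canonicalization."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def c14n_digest(xml_text, rewrite_prefixes=False):
    """Digest of the canonical form, which is what a ds:Reference covers.

    rewrite_prefixes=True replaces prefixes with generated ones (n0, n1, ...);
    standard C14N 1.0 / exclusive C14N never do this, so it only shows what a
    prefix-insensitive canonicalization would have to do."""
    canon = canonicalize(xml_text, rewrite_prefixes=rewrite_prefixes)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def same_reference_digest(a, b, rewrite_prefixes=False):
    """True if a Reference digest computed over a would also verify over b."""
    return c14n_digest(a, rewrite_prefixes) == c14n_digest(b, rewrite_prefixes)


if __name__ == "__main__":
    print("raw bytes equal after re-ordering:", raw_digest(ORIGINAL) == raw_digest(REORDERED))
    print("C14N digest equal after re-ordering:", same_reference_digest(ORIGINAL, REORDERED))
    print("C14N digest equal with other prefix:", same_reference_digest(ORIGINAL, REPREFIXED))
```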