[Mono-bugs] [Bug 79483][Nor] New - SignedXml: Wrong digest value for XML containing CRLF

bugzilla-daemon at bugzilla.ximian.com
Sun Sep 24 12:44:33 EDT 2006


Please do not reply to this email. If you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by gert.driesen at pandora.be.

http://bugzilla.ximian.com/show_bug.cgi?id=79483

--- shadow/79483	2006-09-24 12:44:33.000000000 -0400
+++ shadow/79483.tmp.13823	2006-09-24 12:44:33.000000000 -0400
@@ -0,0 +1,87 @@
+Bug#: 79483
+Product: Mono: Class Libraries
+Version: 1.1
+OS: All
+OS Details: 
+Status: NEW   
+Resolution: 
+Severity: 
+Priority: Normal
+Component: System.Security
+AssignedTo: sebastien at ximian.com                            
+ReportedBy: gert.driesen at pandora.be               
+QAContact: mono-bugs at ximian.com
+TargetMilestone: ---
+URL: 
+Cc: 
+Summary: SignedXml: Wrong digest value for XML containing CRLF
+
+When the XML that needs to be signed contains CRLF's, then the digest 
+value is not correctly created.
+
+I've attached a (gzipped) tar containing all necessary files to reproduce 
+this issue.
+
+To run the repro you need:
+
+1. NAnt
+2. JDK (1.4.x or higher ?)
+
+In the repro, I create signed XML documents, verify these using Mono 
+(which succeeds) and then verify them using IAIK's XML Security Toolkit 
+(Java-based) which fails to verify the digest value.
+
+Running the same test on .NET for works fine; meaning, the signed XML 
+created by MS.NET validates using IAIK XSECT.
+
+====
+
+I also added two unit tests in the latest unit test patch that I attached 
+to bug #79454.
+
+The DigestValue unit test shows the XML Canonicalization appears to work 
+just fine. The hash created for the canonicalization output even matches 
+the one from MS (test #2).
+
+Calculating the hash twice seems to give a different result though (#4).
+
+But that does not appear to be the root cause of the issue after all:
+
+On MS.NET, the digest value calculated for the Reference appears to be 
+different from the digest value created for the canonicalization output.
+
+The MS results are valid though, as it verifies using IAIK XSECT and the 
+digest for ther Rference also validates ok with the XMLSEC online XML 
+Digital Signature Verifier (the signature itself does not, but this is 
+because I don't think it supports the X509Data element).
+
+===
+
+Note: 
+
+If you modify the SignXmlFile method to pass \n as linefeed to the 
+CreateSomeXml method, then the resulting signed XML documents will be 
+perfectly valid.
+
+===
+
+I'm sorry that my repro requires NAnt. If that is a problem, I'll try to 
+create a Makefile for it (but this is always a struggle for me).
+
+You actually don't need NAnt to create the signed XML documents. You only 
+need it to run the IAIK validation (unless you manually compile and the 
+small Java class that I use to validate the signature).
+
+To create the signed XML documents:
+
+1. Compile test.cs
+2. Run it with "sign" argument:
+
+mono test.exe sign
+
+To verify the signed XML documents using Mono:
+
+mono test.exe verify
+
+Verification using Mono does not help here, as it will always consider 
+it's own signature valid.
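
Review bot: The Note near the end (passing \n instead of CRLF to CreateSomeXml yields valid documents) ties the failure to the line endings, but the report never shows the mismatching DigestValue values or a minimal CRLF-containing document inline; all of that is only in the attached tar. Suggest pasting the smallest failing document together with the Reference DigestValue that Mono emits and the one MS.NET emits for the same input, so the mismatch can be checked without NAnt or a JDK. Since the closing paragraph says Mono always accepts its own signature, the report should also state explicitly that the pass/fail result comes from an independent verifier (IAIK XSECT). The "Severity:" field is left empty and the JDK requirement is marked uncertain ("1.4.x or higher ?"); both are worth filling in.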
