[Mono-bugs] [Bug 79483][Nor] New - SignedXml: Wrong digest value for XML containing CRLF

bugzilla-daemon at bugzilla.ximian.com
Sun Sep 24 12:44:33 EDT 2006

Please do not reply to this email. If you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by gert.driesen at pandora.be.


--- shadow/79483	2006-09-24 12:44:33.000000000 -0400
+++ shadow/79483.tmp.13823	2006-09-24 12:44:33.000000000 -0400
@@ -0,0 +1,87 @@
+Bug#: 79483
+Product: Mono: Class Libraries
+Version: 1.1
+OS: All
+OS Details: 
+Status: NEW   
+Priority: Normal
+Component: System.Security
+AssignedTo: sebastien at ximian.com                            
+ReportedBy: gert.driesen at pandora.be               
+QAContact: mono-bugs at ximian.com
+TargetMilestone: ---
+Summary: SignedXml: Wrong digest value for XML containing CRLF
+When the XML that needs to be signed contains CRLF's, then the digest 
+value is not correctly created.
+I've attached a (gzipped) tar containing all necessary files to reproduce 
+this issue.
+To run the repro you need:
+1. NAnt
+2. JDK (1.4.x or higher ?)
+In the repro, I create signed XML documents, verify these using Mono 
+(which succeeds) and then verify them using IAIK's XML Security Toolkit 
+(Java-based) which fails to verify the digest value.
+Running the same test on .NET for works fine; meaning, the signed XML 
+created by MS.NET validates using IAIK XSECT.
+I also added two unit tests in the latest unit test patch that I attached 
+to bug #79454.
+The DigestValue unit test shows the XML Canonicalization appears to work 
+just fine. The hash created for the canonicalization output even matches 
+the one from MS (test #2).
+Calculating the hash twice seems to give a different result though (#4).
+But that does not appear to be the root cause of the issue after all:
+On MS.NET, the digest value calculated for the Reference appears to be 
+different from the digest value created for the canonicalization output.
+The MS results are valid though, as it verifies using IAIK XSECT and the 
+digest for ther Rference also validates ok with the XMLSEC online XML 
+Digital Signature Verifier (the signature itself does not, but this is 
+because I don't think it supports the X509Data element).
+If you modify the SignXmlFile method to pass \n as linefeed to the 
+CreateSomeXml method, then the resulting signed XML documents will be 
+perfectly valid.
+I'm sorry that my repro requires NAnt. If that is a problem, I'll try to 
+create a Makefile for it (but this is always a struggle for me).
+You actually don't need NAnt to create the signed XML documents. You only 
+need it to run the IAIK validation (unless you manually compile and the 
+small Java class that I use to validate the signature).
+To create the signed XML documents:
+1. Compile test.cs
+2. Run it with "sign" argument:
+mono test.exe sign
+To verify the signed XML documents using Mono:
+mono test.exe verify
+Verification using Mono does not help here, as it will always consider 
+it's own signature valid.
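Review bot: the passage from "The DigestValue unit test shows" to "different from the digest value created for the canonicalization output" compares several digests without giving any of their values or saying what input each one is computed over, so the mismatch cannot be triaged from the description without unpacking the attachment. Suggest adding the Reference DigestValue produced by Mono and by MS.NET for the same CRLF input, and stating for each whether it was computed from the in-memory document or from the saved file, next to the "pass \n as linefeed" workaround. Since the report ends by noting that Mono "will always consider it's own signature valid", the unit tests mentioned for bug #79454 should assert against a fixed expected DigestValue rather than round-trip through Mono's own verification.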
