RE: <ds:Signature/> and <Signature/>

Thanks for the helpful tips.  The problem turned out to be how Apache's
xml-security lib handles the Reference element.  When signing the whole
document in Java, the Reference element is:
<ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#" URI="">
Whereas in C the element is: <Reference> 

When Java tries to process the C signature it expects the URI to be there.
If not, it will throw an exception.
There are two solutions I came across:

1. In Java, add an additional resolver, NullURIReferenceResolver, which points
to the data.
2. Make sure C signs the document with the reference element:
<Reference URI="">.

 After this I get the Java and C signatures interoperable.

Amrit.

-----Original Message-----
From: Bugbee, Larry [mailto:larry.bugbee@boeing.com] 
Sent: Wednesday, June 07, 2006 9:07 PM
To: Tom Gindin; Hothi_Amrit@emc.com
Cc: w3c-ietf-xmldsig@w3.org
Subject: RE: <ds:Signature/> and <Signature/>


ECDSA signatures, like DSA sigs, will be different each time, even when
the same key is used.  

Both use random numbers in the computation of r and s.  For some testing
it is desirable to stub the random number generator.

Larry


-----Original Message-----
From: Tom Gindin [mailto:tgindin@us.ibm.com] 
Sent: Tuesday, June 06, 2006 8:15 PM
To: Hothi_Amrit@emc.com
Cc: w3c-ietf-xmldsig@w3.org
Subject: Re: <ds:Signature/> and <Signature/>


        Amritpal:

        If you look inside the lower-level signature algorithms you'll
find that the signature value is expected to be identical between
multiple uses of the same key over the same base for RSA v1 signatures
(http://www.w3.org/2000/09/xmldsig#rsa-sha1 and the various
http://www.w3.org/2001/04/xmldsig-more/rsa-* algorithms) but not for DSA
(http://www.w3.org/2000/09/xmldsig#dsa-sha1) or RSA PSS (not used by
XMLDSIG).  I personally don't know about ECDSA.

                Tom Gindin





Hothi_Amrit@emc.com
Sent by: w3c-ietf-xmldsig-request@w3.org
05/31/2006 06:43 PM
 
        To:     <w3c-ietf-xmldsig@w3.org>
        cc: 
        Subject:        <ds:Signature/>   and <Signature/>



Hi,

 I am looking at signature interoperability between C, which is using
libxml2 (v 2.6.24), and Java using Apache's xml-security libs.  When I
sign the same document using the same key, the digests match, but the
signature values are different?

 Also the C lib is signing with the signature element <Signature
xmlns="http://www.w3.org/2000/09/xmldsig#"> whereas Java's signature
element is: <ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">. 

Thanks,
Amritpal.

Received on Wednesday, 14 June 2006 18:04:18 UTC
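
Added example (not part of the original thread, and not code from libxml2 or Apache xml-security): a small interoperability check for the two differences discussed above. It tells a Reference with no URI attribute apart from one with URI="", and shows that the ds: prefix versus the default namespace changes the canonical SignedInfo octets that get signed. The SignedInfo fragments, the placeholder digest and all function names are constructed for illustration, and Python's C14N 2.0 canonicalizer stands in for the C14N 1.0 used by XMLDSIG.

```python
import hashlib
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"


def signed_info(prefix, uri_attr):
    """Build a constructed, trimmed SignedInfo (a real one also carries
    CanonicalizationMethod, SignatureMethod and DigestMethod).
    prefix "" means the default-namespace style the C signer emitted."""
    p = f"{prefix}:" if prefix else ""
    decl = f"xmlns:{prefix}" if prefix else "xmlns"
    return (
        f'<{p}SignedInfo {decl}="{DSIG}"><{p}Reference{uri_attr}>'
        f"<{p}DigestValue>AAAA</{p}DigestValue>"  # placeholder digest
        f"</{p}Reference></{p}SignedInfo>"
    )


JAVA_STYLE = signed_info("ds", ' URI=""')   # <ds:Reference URI="">
C_ORIGINAL = signed_info("", "")            # <Reference>, no URI attribute
C_FIXED = signed_info("", ' URI=""')        # <Reference URI="">


def reference_uris(xml_text):
    """One entry per Reference: None when the URI attribute is absent,
    "" when it is present and empty (the whole document)."""
    root = ET.fromstring(xml_text)
    return [ref.get("URI") for ref in root.iter(f"{{{DSIG}}}Reference")]


def canonical_digest(xml_text):
    """SHA-256 over the canonical octets. ET.canonicalize implements C14N 2.0,
    used here as a stand-in; like C14N 1.0 it keeps the original prefixes."""
    return hashlib.sha256(ET.canonicalize(xml_text).encode("utf-8")).hexdigest()


def interop_report(xml_text):
    """Flag the references a verifier cannot resolve without an extra resolver."""
    missing = [i for i, uri in enumerate(reference_uris(xml_text)) if uri is None]
    return {"missing_uri": missing, "c14n_sha256": canonical_digest(xml_text)}


if __name__ == "__main__":
    for name, doc in [("java", JAVA_STYLE), ("c-original", C_ORIGINAL), ("c-fixed", C_FIXED)]:
        print(name, interop_report(doc))
```

Namespace-aware lookup finds the Reference in both prefix styles, while the canonical digests still differ between them, so matching signature values across the two signers should not be expected even with a deterministic algorithm.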