Stephen,

I had a quick look, and the reference is validating fine, but for some reason the SignedInfo is broken.

I then tried to compile your sample against axis 1.2 alpha, and it compiles, but I'm getting an AbstractMethodError when I run it. It looks like the XMLSignature is calling org.apache.axis.SOAPPart.createElementNS to create the signature element, so I'm assuming SOAPPart is an implementation of w3c.dom.document. And that *might* be where the problem is.

So I then went searching in Axis to see if there were any signature samples.

Have a look-see at:

http://cvs.apache.org/viewcvs.cgi/ws-axis/java/samples/security/SignedSOAPEnvelope.java?rev=1.17&view=markup

This actually serialises/de-serialises the SOAP message in order to get a document that it then signs. Without having gone any further, I wonder if there is something about the way SOAPPart implements dom.doc that is causing a problem.

Hope that helps!

Cheers,
        Berin

Stephen Chell (DSL AK) wrote:

Berin,

I've attached the following files:

signature1.xml - contains a signature that validates successfully
signature2.xml - contains a signature that does NOT validate
CreateSignature1.java - class that created signature1.xml
CreateSignature2.java - class that created signature2.xml
VerifySignature.java - used for verifying the signatures
(Set the SIG_TO_VALIDATE variable to 1 or 2 to specify which signature file
to verify)

Points to note:

1. Both CreateSignature1.java and CreateSignature2.java create an empty SOAP
envelope, and insert a simple enveloped signature.  The resulting content
being signed is identical in each case.  The only difference between the two
is that CreateSignature1.java uses the DOM api to create the soap envelope,
whereas CreateSignature2.java uses the SAAJ api.

2. The files generated by CreateSignature1.java and CreateSignature2.java
are identical except for the contents of the SignatureValue element.  The
DigestValue in each created signature is the same, as I would expect (since
the content being signed is the same).

3. It seems that each time I generate a signature, the generated
SignatureValue is different, even when the content being signed and the
DigestValue do not change.  For example, each time I run
CreateSignature1.java, the generated SignatureValue is different from last
time, even though the content and generated DigestValue remain the same.
Is this expected behaviour?  Seeing as the signature generated by
CreateSignature1.java verifies ok, I presume that this is not necessarily a
problem.

Thanks very much for your help.

Steve


-----Original Message-----
From: Berin Lautenbach [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 7 April 2004 11:03 p.m.
To: [EMAIL PROTECTED]
Subject: Re: Enveloped signature verification problem



Stephen,


How do you create the signature?

Can you put a copy of the signature to the list as a file? My mail client is chopping stuff all over the place when I try to cut and paste :<.

Cheers,
        Berin


Stephen Chell (DSL AK) wrote:



Apologies for this, but I've been bashing my head against a brick wall most of the day trying to solve this.

Can anyone tell me why the enveloped signature in the following XML document won't verify? When I call signature.checkSignatureValue(cert) it returns false. The problem seems to be related to the fact that I'm using SOAP, because I can create another simple enveloped signature without using SOAP and it verifies fine. Any help would be much appreciated.


Thanks in advance ...
Steve


<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>3G4kS4EIcy5CFXHrWOkD+1n++hc=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>WDLlcnjJXhIfX/RidflYQyWkZ7gxSSQCX3j3A0NddMG8XTMxu1KJkA==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate><!-- certificate data omitted -->
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</SOAP-ENV:Envelope>




<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header></SOAP-ENV:Header><SOAP-ENV:Body></SOAP-ENV:Body><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"></SignatureMethod>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>3G4kS4EIcy5CFXHrWOkD+1n++hc=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>I6WFUPgUpwnqodTqs5K6INen2nl7OXkKqf4OIGvDfnnwpByuAgf9yw==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate><!-- certificate data omitted --></X509Certificate>
</X509Data>
</KeyInfo>
</Signature></SOAP-ENV:Envelope>

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header></SOAP-ENV:Header><SOAP-ENV:Body></SOAP-ENV:Body><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"></SignatureMethod>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>3G4kS4EIcy5CFXHrWOkD+1n++hc=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>BztPI+ob825ZZdLMu4Jd2Z2xXeQOqb+wL0hOeHZvl30lYBFp769pIw==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate><!-- certificate data omitted --></X509Certificate>
</X509Data>
</KeyInfo>
</Signature></SOAP-ENV:Envelope>
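
Two observations from this thread can be reproduced with the JDK's built-in javax.xml.crypto.dsig API: a Reference digest that validates while the SignedInfo signature check fails, and a SignatureValue that changes between runs while the DigestValue stays the same. This is an added example, not code from the thread or from the Apache XML Security or Axis projects; the class and helper names and the throwaway DSA keys are constructed for illustration, and the envelope is parsed from a string rather than built through SAAJ.

```java
import java.io.StringReader;
import java.security.*;
import java.util.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class EnvelopedSigCheck {   // hypothetical class name
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");

    // Parse an empty SOAP envelope and add the enveloped dsa-sha1 signature used in the thread.
    static Element signedEnvelope(PrivateKey key) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // XML Signature processing needs a namespace-aware DOM
        Element env = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(
            "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"" + SOAP + "\"><SOAP-ENV:Header/><SOAP-ENV:Body/>"
            + "</SOAP-ENV:Envelope>"))).getDocumentElement();
        Reference ref = FAC.newReference("", FAC.newDigestMethod(DigestMethod.SHA1, null),
            Arrays.asList(FAC.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                FAC.newTransform(CanonicalizationMethod.INCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = FAC.newSignedInfo(
            FAC.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            FAC.newSignatureMethod(SignatureMethod.DSA_SHA1, null), Collections.singletonList(ref));
        FAC.newXMLSignature(si, null).sign(new DOMSignContext(key, env));
        return (Element) env.getLastChild();   // the Signature element appended by sign()
    }
    // Run the two halves of core validation separately: {Reference digest ok, SignedInfo signature ok}.
    static boolean[] check(Element sig, PublicKey key) throws Exception {
        DOMValidateContext ctx = new DOMValidateContext(key, sig);
        // JDK 17+ rejects SHA-1 algorithms under secure validation; disabled only to mirror the thread.
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.FALSE);
        XMLSignature xs = FAC.unmarshalXMLSignature(ctx);
        Reference ref = (Reference) xs.getSignedInfo().getReferences().get(0);
        return new boolean[] { ref.validate(ctx), xs.getSignatureValue().validate(ctx) };
    }
    static String text(Element sig, String tag) {
        return sig.getElementsByTagNameNS(XMLSignature.XMLNS, tag).item(0).getTextContent();
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(1024);   // constructed throwaway keys sized for dsa-sha1
        KeyPair signer = kpg.generateKeyPair(), other = kpg.generateKeyPair();
        Element a = signedEnvelope(signer.getPrivate()), b = signedEnvelope(signer.getPrivate());
        System.out.println("DigestValue equal:    " + text(a, "DigestValue").equals(text(b, "DigestValue")));
        System.out.println("SignatureValue equal: " + text(a, "SignatureValue").equals(text(b, "SignatureValue")));
        System.out.println("signer key [ref, sig]: " + Arrays.toString(check(a, signer.getPublic())));
        System.out.println("other key  [ref, sig]: " + Arrays.toString(check(a, other.getPublic())));
    }
}
```

DSA draws a fresh random value for every signature, so the two SignatureValue strings differ although both verify against the signer's key. With the unrelated key the Reference still validates and only the SignedInfo signature check fails, which is the split described at the top of the thread.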
