While I'm familiar with the XML Signature standard, I'm new to this particular implementation, so I hope someone else can help you out with the particulars. I'm still wrestling with getting it to build in my environment.
> -----Original Message-----
> From: def abc [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 02, 2005 10:25 AM
> To: security-dev@xml.apache.org
> Subject: RE: Verify signature: bad for enveloped, ok for enveloping and detached.
>
> --- Jesse Pelton <[EMAIL PROTECTED]> wrote:
> > You need to include the enveloped signature transformation specifically.
> > This serves to remove the signature element from the document before
> > signing and verification. This is required because the signature element
> > changes during signing; if the original signature element were part of
> > the signed content, the final signature would be invalid, because part of
> > the signed content (the signature) would be different. See
> > http://www.w3.org/TR/xmldsig-core/#sec-EnvelopedSignature and
> > http://www.w3.org/TR/xmldsig-core/#sec-Transforms.
>
> Yep. You're right.
> The transform is within the Reference element, isn't it? And I get a
> different signature value, because now the Transform element gets signed
> too, right?
>
> I've added the transform, but my signature still does not validate...
>
> I now have:
>
> <ds:SignedInfo>
>   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>   <ds:Reference URI="file:/G:/prog/xml-security-1_2_0/misc.xml">
>     <ds:Transforms>
>       <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>     </ds:Transforms>
>     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>     <ds:DigestValue>7uZSWomZ8W6sa3GI+e/XCygny2I=</ds:DigestValue>
>   </ds:Reference>
> </ds:SignedInfo>
>
> ******************
> This is how I sign it:
>
> XMLSignature signature;
>
> signature = new XMLSignature(input, inputURI.toString(),
>                              XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1);
>
> Transforms transforms = new Transforms(input);
> transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
>
> signature.addDocument(inputURI.toString(), transforms);
> signature.sign(prvkey);
>
> **************
> This is how I verify it:
>
> NodeList dsNodeList = doc.getElementsByTagName("ds:Signature");
> if (dsNodeList.getLength() == 0)
>     throw new IOException("No signature in file");
>
> Element dsElement = (Element) dsNodeList.item(0);
>
> XMLSignature signature = new XMLSignature(dsElement, outputURI.toString());
> return signature.checkSignatureValue(pubkey);
>
> -- Axelle.
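Added example, not code from this thread: a complete enveloped sign-and-verify round trip with the Apache XML Security (Santuario) API the poster uses, showing the standard same-document reference URI="" that the W3C spec pairs with the enveloped-signature transform, a namespace-aware lookup of ds:Signature, and tamper detection on verification. The class name, the sample <order> document, the generated key pair and the SHA-256 algorithm constants (from a current Santuario release) are assumptions of this example.

```java
import java.io.*;
import java.security.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.algorithms.MessageDigestAlgorithm;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.*;

public class EnvelopedSignatureDemo {
    static Document parse(byte[] bytes) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // ds: elements must resolve to the XML-DSig namespace
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(bytes));
    }
    static byte[] signEnveloped(byte[] xml, KeyPair kp) throws Exception {
        Document doc = parse(xml);
        XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256);
        doc.getDocumentElement().appendChild(sig.getElement()); // enveloped: signature sits inside the data
        Transforms t = new Transforms(doc);
        t.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        // URI="" is the same-document reference; the transform strips this very ds:Signature
        // before digesting, so the SignatureValue written by sign() never alters what was digested.
        sig.addDocument("", t, MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA256);
        sig.addKeyInfo(kp.getPublic());
        sig.sign(kp.getPrivate());
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        XMLUtils.outputDOM(doc, out);
        return out.toByteArray();
    }

    // Verify against a key the caller already trusts, never one taken from ds:KeyInfo.
    static boolean verify(byte[] signedXml, PublicKey trusted) throws Exception {
        NodeList nl = parse(signedXml).getElementsByTagNameNS(Constants.SignatureSpecNS,
                Constants._TAG_SIGNATURE); // namespace lookup, independent of the "ds:" prefix
        if (nl.getLength() != 1) throw new IllegalStateException("expected one ds:Signature");
        return new XMLSignature((Element) nl.item(0), "").checkSignatureValue(trusted);
    }
    public static void main(String[] args) throws Exception {
        Init.init(); // must precede any other Santuario call
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // constructed key pair for the demo
        byte[] signed = signEnveloped("<order><item>widget</item><qty>3</qty></order>".getBytes("UTF-8"), kp);
        System.out.println("intact:   " + verify(signed, kp.getPublic()));
        byte[] tampered = new String(signed, "UTF-8").replace("<qty>3<", "<qty>30<").getBytes("UTF-8");
        System.out.println("tampered: " + verify(tampered, kp.getPublic()));
    }
}
```

checkSignatureValue() both re-verifies the reference digest (through the enveloped-signature transform) and checks the RSA value, so the edited <qty> fails while the untouched document passes.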