Re: Verify signature: bad for enveloped, ok for enveloping and detached.

Wed, 02 Feb 2005 07:49:14 -0800

Close, but you are still creating a detached signature since the file: URI is over content that is external to the document containing the signature element. Change your Reference URI to "".

--Sean

def abc wrote:
--- Jesse Pelton <[EMAIL PROTECTED]> a écrit : 

You need to include the enveloped signature
transformation specifically.  This serves to remove
the signature element from the document before
signing and verification.  This is required because
the signature element changes during signing; if the
original signature element were part of the signed
content, the final signature would be invalid,
because part of the signed content (the signature)
would be different.  See


http://www.w3.org/TR/xmldsig-core/#sec-EnvelopedSignature

and
http://www.w3.org/TR/xmldsig-core/#sec-Transforms.


Yep. You're right. The transform is within the Reference element, isn't
it ? And I get a different signature value, because
now the Transform element gets signed too, right ?

I've added the transform, but my signature still does
not validate...

I now have:

<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="file:/G:/prog/xml-security-1_2_0/misc.xml">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>7uZSWomZ8W6sa3GI+e/XCygny2I=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>

******************
This is how I sign it:
XMLSignature signature;

signature = new XMLSignature(input,
inputURI.toString(),
XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1);

Transforms transforms = new Transforms(input);
transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
signature.addDocument(inputURI.toString(),
transforms);
signature.sign(prvkey);

**************
This is how I verify it:
NodeList dsNodeList =
doc.getElementsByTagName("ds:Signature");
if (dsNodeList.getLength() == 0)
        throw new IOException("No signature in file");
                
Element dsElement = (Element) dsNodeList.item(0);
                                
XMLSignature signature = new XMLSignature(dsElement,
outputURI.toString());
return signature.checkSignatureValue(pubkey);

-- Axelle.



Découvrez le nouveau Yahoo! Mail : 250 Mo d'espace de stockage pour vos mails ! Créez votre Yahoo! Mail sur http://fr.mail.yahoo.com/

Reply via email to