--- Sean Mullan <[EMAIL PROTECTED]> wrote:
> Close, but you are still creating a detached signature since the file:
> URI is over content that is external to the document containing the
> signature element. Change your Reference URI to "".
Okay, I understand the problem: the URI of my reference references the
initial document, whereas the signed document should reference itself.
However, what do you mean by 'change your Reference URI to ""'? I'm afraid
I haven't understood. I tried out this:

- signature.addDocument(outputURI.toString(), transforms);
  ==> this fails with several exceptions (see below)
- signature.addDocument("", transforms): is that what you're suggesting?
  ==> still does not verify okay...

regards,
Axelle.

****
    XMLSignature signature;
    signature = new XMLSignature(input, inputURI.toString(),
                                 XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1);

    Transforms transforms = new Transforms(input);
    transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);

    signature.addDocument(outputURI.toString(), transforms);
    signature.sign(prvkey);

    Element root = input.getDocumentElement();
    root.appendChild(signature.getElement());

    XMLUtils.outputDOM(input, output);
*****
java.lang.NullPointerException
    at org.apache.xml.security.signature.XMLSignatureInput.getNodeSet(Unknown Source)
    at org.apache.xml.security.signature.XMLSignatureInput.getNodeSet(Unknown Source)
    at org.apache.xml.security.transforms.implementations.TransformEnvelopedSignature.enginePerformTransform(Unknown Source)
    at org.apache.xml.security.transforms.TransformSpi.enginePerformTransform(Unknown Source)
    at org.apache.xml.security.transforms.Transform.performTransform(Unknown Source)
    at org.apache.xml.security.transforms.Transforms.performTransforms(Unknown Source)
    at org.apache.xml.security.signature.Reference.getContentsAfterTransformation(Unknown Source)
    at org.apache.xml.security.signature.Reference.dereferenceURIandPerformTransforms(Unknown Source)
    at org.apache.xml.security.signature.Reference.calculateDigest(Unknown Source)
    at org.apache.xml.security.signature.Reference.generateDigestValue(Unknown Source)
    at org.apache.xml.security.signature.Manifest.generateDigestValues(Unknown Source)
    at org.apache.xml.security.signature.XMLSignature.sign(Unknown Source)
    at mysamples.MyXMLSigner.doEnvelopedSignature(Unknown Source)

> --Sean
>
> def abc wrote:
> > --- Jesse Pelton <[EMAIL PROTECTED]> wrote:
> >
> >> You need to include the enveloped signature transformation specifically.
> >> This serves to remove the signature element from the document before
> >> signing and verification. This is required because the signature element
> >> changes during signing; if the original signature element were part of
> >> the signed content, the final signature would be invalid, because part of
> >> the signed content (the signature) would be different. See
> >> http://www.w3.org/TR/xmldsig-core/#sec-EnvelopedSignature
> >> and
> >> http://www.w3.org/TR/xmldsig-core/#sec-Transforms.
> >
> > Yep. You're right.
> > The transform is within the Reference element, isn't it? And I get a
> > different signature value, because now the Transform element gets signed
> > too, right?
> >
> > I've added the transform, but my signature still does not validate...
> > I now have:
> >
> > <ds:SignedInfo>
> >   <ds:CanonicalizationMethod
> >     Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> >   <ds:SignatureMethod
> >     Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> >   <ds:Reference URI="file:/G:/prog/xml-security-1_2_0/misc.xml">
> >     <ds:Transforms>
> >       <ds:Transform
> >         Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >     </ds:Transforms>
> >     <ds:DigestMethod
> >       Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >     <ds:DigestValue>7uZSWomZ8W6sa3GI+e/XCygny2I=</ds:DigestValue>
> >   </ds:Reference>
> > </ds:SignedInfo>
> >
> > ******************
> > This is how I sign it:
> >
> >     XMLSignature signature;
> >     signature = new XMLSignature(input, inputURI.toString(),
> >                                  XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1);
> >
> >     Transforms transforms = new Transforms(input);
> >     transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
> >
> >     signature.addDocument(inputURI.toString(), transforms);
> >     signature.sign(prvkey);
> >
> > **************
> > This is how I verify it:
> >
> >     NodeList dsNodeList = doc.getElementsByTagName("ds:Signature");
> >     if (dsNodeList.getLength() == 0)
> >         throw new IOException("No signature in file");
> >
> >     Element dsElement = (Element) dsNodeList.item(0);
> >
> >     XMLSignature signature = new XMLSignature(dsElement,
> >                                               outputURI.toString());
> >     return signature.checkSignatureValue(pubkey);
> >
> > -- Axelle.
> >
> > Discover the new Yahoo! Mail: 250 MB of storage space for your mails!
> > Create your Yahoo! Mail at http://fr.mail.yahoo.com/
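As an added, self-contained example (not code from the thread, and not the Apache XML Security project's own sample) of the enveloped-signature flow Sean is describing: the Reference URI is "" (the document that contains the Signature element, with the enveloped-signature transform stripping the signature itself), the ds:Signature element is appended to the tree before sign() so that the transform has something to remove, the document is parsed namespace-aware and the signature is looked up by namespace rather than by the literal "ds:" prefix, and verification uses a key the caller already trusts rather than whatever KeyInfo the document carries. It assumes a current Santuario release (the xmlsec artifact on the classpath, which is where the SHA-256 constants come from; the thread's 1.2.0-era constants are the SHA-1 ones), and the sample document, the freshly generated RSA key pair and the class and method names are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class EnvelopedSignatureExample {

    // Constructed sample document for this example; not from the thread.
    private static final String SAMPLE_XML =
        "<order id=\"42\"><item>widget</item><amount>10.00</amount></order>";

    static Document parse(byte[] xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Namespace awareness is required: ds:* elements live in the xmldsig namespace,
        // and XMLSignature(Element, ...) needs a namespace-aware DOM.
        dbf.setNamespaceAware(true);
        // Refuse DOCTYPE declarations so untrusted signed documents cannot trigger XXE.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    /** Signs the whole document in place with an enveloped signature (Reference URI=""). */
    static byte[] sign(Document doc, PrivateKey priv, PublicKey pub) throws Exception {
        XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256);

        // The Signature element must be in the tree BEFORE sign(): the enveloped-signature
        // transform removes it from the signed content, which only works if it is there.
        doc.getDocumentElement().appendChild(sig.getElement());

        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);

        // URI="" means "the document containing this Signature element"; the transforms
        // above then drop the Signature itself and canonicalize what is left.
        sig.addDocument("", transforms, Constants.ALGO_ID_DIGEST_SHA256);
        sig.addKeyInfo(pub);   // informational only; verifiers must not trust it blindly
        sig.sign(priv);

        ByteArrayOutputStream out = new ByteArrayOutputStream();
        XMLUtils.outputDOM(doc, out);
        return out.toByteArray();
    }

    /** Verifies the single enveloped signature in the document against a trusted key. */
    static boolean verify(byte[] signedXml, PublicKey trusted) throws Exception {
        Document doc = parse(signedXml);
        // Look up by namespace + local name, not by the literal "ds:Signature" qualified name,
        // so a different (or absent) prefix in the document still matches.
        NodeList sigs = doc.getElementsByTagNameNS(Constants.SignatureSpecNS,
                                                   Constants._TAG_SIGNATURE);
        if (sigs.getLength() != 1) {
            throw new IllegalStateException("expected exactly one ds:Signature, found "
                                            + sigs.getLength());
        }
        XMLSignature sig = new XMLSignature((Element) sigs.item(0), "");
        // Check against the key we already trust, never against the document's KeyInfo.
        return sig.checkSignatureValue(trusted);
    }

    public static void main(String[] args) throws Exception {
        Init.init();   // must run once before any XMLSignature use
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        byte[] signed = sign(parse(SAMPLE_XML.getBytes(StandardCharsets.UTF_8)),
                             kp.getPrivate(), kp.getPublic());
        System.out.println(new String(signed, StandardCharsets.UTF_8));
        System.out.println("verifies: " + verify(signed, kp.getPublic()));

        // Tamper with the signed content: the Reference digest no longer matches.
        byte[] tampered = new String(signed, StandardCharsets.UTF_8)
            .replace("widget", "gadget").getBytes(StandardCharsets.UTF_8);
        System.out.println("tampered verifies: " + verify(tampered, kp.getPublic()));
    }
}
```

Compared with the code in the thread, the two things that differ are the Reference URI ("" instead of a file: URI over the unsigned input or the not-yet-written output) and the point at which the Signature element is attached to the document (before sign(), not after). Running main() prints the signed document, then "verifies: true" and "tampered verifies: false".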