Pushya,

Couple of quick questions -

1. When you sign, do you then embed your signature back into the original document?

2. You cannot import *just* the signature into your new document and expect it to work. You have to copy the entire document as what has been signed is also in the original doc.

As an aside - the attached Signature file still fails both Ref and Sig checks for me.

Cheers,
        Berin

Pushyamitra Navare wrote:

Hi Berin,
Thanks for replying.

I feel that when the DOM document which holds the signature element
is changed, the signature becomes invalid.

I tested it like this -

--
Element e1 = sign(somedom);
Verify(e1);      // signature is verified.

Document doc = documentBuilder.newDocument();
// Now I import the signed Signature element into another document.
org.w3c.dom.Element e2 = (Element) doc.importNode((org.w3c.dom.Node) e1, true);

Verify(e2);      // verification fails now. :(
--

Is this normal? Should the two documents (w3c.dom.Document) on the sending and receiving sides be the same?
And shouldn't the verification result be the same for both e2 and e1?



Also, I have attached the whole document I am trying to verify.
While verifying, I isolate the Signature element from the parsed document and then just call Verify() on it.
Isn't that right?


Do reply,

thanks,
-Pushya.


On Thursday 21 Apr 2005 3:38 pm, Berin Lautenbach wrote:

Pushya,
Also the actual signature itself fails.  Are you "pretty printing" the
XML after the signature operation itself?  It almost reads like line
feeds have been added post signing.


I ran a Java program which serialises documents using 'stringWriter' and redirected its output to a file,
and attached the file.
Maybe using the stringWriter automatically adds the line feeds.


--

These are the code fragments I use,

// Verify method.
public boolean Verify(Element e) throws Exception
{
    // baseURI "": the Reference URI="" is resolved against e's owner document
    XMLSignature xmlSignature = new XMLSignature(e, "");
    KeyInfo ki = xmlSignature.getKeyInfo();
    // the certificate comes from the message's own KeyInfo, so a successful check
    // shows the message matches that certificate, not that the certificate is trusted
    X509Certificate cert = ki.getX509Certificate();
    cert.checkValidity();   // throws if the certificate is expired or not yet valid
    // verifies every Reference digest, then the SignatureValue with the certificate's key
    boolean result = xmlSignature.checkSignatureValue(cert);
    return result;
}



------------------------------------------------------------------------

<?xml version="1.0" encoding="UTF-8"?>
<lib:AuthnResponse xmlns:lib="urn:liberty:iff:2003-08" InResponseTo="R21322323232" IssueInstant="2005-04-22T04:25:33.084Z" MajorVersion="1" MinorVersion="2" ResponseID="P1641971398955428227"><samlp:Status 
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"><samlp:StatusCode Value="samlp:Success"/></samlp:Status><lib:ProviderID>www.IDP.com</lib:ProviderID><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="P9126123448599142335" 
IssueInstant="2005-04-22T04:25:32.944Z" Issuer="www.IDP.com" MajorVersion="1" MinorVersion="1"><lib:AuthenticationStatement AuthenticationInstant="2005-04-22T04:25:32.863Z" 
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName" 
NameQualifier="Blitz.co.in/NameQualifiers#">userName</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></lib:AuthenticationStatement></saml:Assertion><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Reference URI="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:DigestValue 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">9QV9N9WFOFC92LOoFy89NTFHr1k=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">CMZjDxA6J7LaSiTB0eV7jcAawEOQxGMJ/qX+zVRZNyPp73uqn5ZCPw==</ds:SignatureValue>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">[base64 certificate omitted]</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:DSAKeyValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:P xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
/X9TgR11EilS30qcLuzk5/YRt1I870QAwx4/gLZRJmlFXUAiUftZPY1Y+r/F9bow9subVWzXgTuA
HTRv8mZgt2uZUKWkn5/oBHsQIsJPu6nX/rfGG/g7V+fGqKYVDwT7g/bTxR7DAjVUE1oWkTL2dfOu
K2HXKu/yIgMZndFIAcc=
</ds:P>
<ds:Q 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">l2BQjxUjC8yykrmCouuEC/BYHPU=</ds:Q>
<ds:G xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
9+GghdabPd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6EwoFhO3
zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkImog9/hWuWfBpKL
Zl6Ae1UlZAFMO/7PSSo=
</ds:G>
<ds:Y xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
BYzBvi2HAaG5KYvlGbxabr9oeS5egJd/lkJost/NhBRt0mTowzA17+nTPiWZUpU2gArlNQFafb1r
CZQRcbknvHuLxxyRTekVl9m9xItygqQQz1PfcLQXSt8EJU8gzVRO+DcPN/+XK+GJBxRYmgwcaaLE
yJ8fjw998TrY7rrbwV4=
</ds:Y>
</ds:DSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature></lib:AuthnResponse>
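To make Berin's two points concrete, here is an example added to this thread (it is not code from the thread or from Apache XML Security itself). It uses that library's 1.x API as the Verify() above does, a throwaway DSA key instead of the attached certificate, and a constructed, trimmed-down AuthnResponse; the class name is made up. It signs with the same enveloped-signature Reference URI="" as the attached file and then tries each verification path discussed above: in place, the Signature element imported on its own, the document pretty-printed after signing, and the whole document serialised without reformatting.

```java
import java.io.*;
import java.security.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.w3c.dom.*;

public class EnvelopedSignatureDemo {
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // otherwise ds:Signature is not recognised as XMLDSig
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }
    static String serialize(Document doc, boolean indent) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.INDENT, indent ? "yes" : "no"); // "yes" = pretty printing
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }
    static boolean verify(Element sigEl) throws Exception { // same shape as the thread's Verify()
        XMLSignature sig = new XMLSignature(sigEl, ""); // URI="" resolves against sigEl's owner document
        return sig.checkSignatureValue(sig.getKeyInfo().getPublicKey());
    }
    static boolean verify(Document doc) throws Exception { // first ds:Signature anywhere in doc
        return verify((Element) doc.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature").item(0));
    }
    public static void main(String[] args) throws Exception {
        org.apache.xml.security.Init.init();
        KeyPair kp = KeyPairGenerator.getInstance("DSA").generateKeyPair(); // throwaway key
        Document doc = parse("<lib:AuthnResponse xmlns:lib=\"urn:liberty:iff:2003-08\">" // constructed sample
            + "<lib:ProviderID>www.IDP.com</lib:ProviderID></lib:AuthnResponse>");
        XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_DSA);
        doc.getDocumentElement().appendChild(sig.getElement()); // enveloped: Signature sits inside the data
        Transforms tr = new Transforms(doc);
        tr.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        tr.addTransform(Transforms.TRANSFORM_C14N_WITH_COMMENTS);
        sig.addDocument("", tr, "http://www.w3.org/2000/09/xmldsig#sha1"); // URI="" digests the whole owner document minus the Signature
        sig.addKeyInfo(kp.getPublic());
        sig.sign(kp.getPrivate());
        System.out.println("in place:         " + verify(sig.getElement())); // true
        Document other = parse("<other/>");
        other.getDocumentElement().appendChild(other.importNode(sig.getElement(), true));
        System.out.println("Signature alone:  " + verify(other)); // false: URI="" now digests <other/>
        System.out.println("pretty-printed:   " + verify(parse(serialize(doc, true)))); // false: whitespace added
        System.out.println("serialized as-is: " + verify(parse(serialize(doc, false)))); // true
    }
}
```

The last line is the working receiving-side path: ship the whole document unformatted, re-parse it namespace-aware, locate the Signature inside it and verify there.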
