----- Forwarded by Nicholas G Harlow/Santa Cruz/IBM on 12/15/2005 12:38 PM -----
Nicholas G Harlow
12/15/2005 12:33 PM
To: [EMAIL PROTECTED]
cc:
From: Nicholas G Harlow/Santa Cruz/[EMAIL PROTECTED]
Subject: DSig Question
Hello,
I am attempting to sign a particular element in the body of a SOAP message and add the signature to a Security element in the SOAP header. I seem to be generating a signature, but I can't verify it. Do you see anything wrong with this document? I would appreciate any feedback or suggestions you might be able to offer. Thanks very much.
<soapenv:Envelope xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Header><Security><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#utID">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>Dc81RV37e40+lIVZ8Ue4+DukIR0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>ad4cH+Vaj1ByrZBon+omI7jdI5pG6Yj1smCsXJJ1IhZ3RLdNeREvLQ==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:DSAKeyValue>
<ds:P>
/X9TgR11EilS30qcLuzk5/YRt1I870QAwx4/gLZRJmlFXUAiUftZPY1Y+r/F9bow9subVWzXgTuA
HTRv8mZgt2uZUKWkn5/oBHsQIsJPu6nX/rfGG/g7V+fGqKYVDwT7g/bTxR7DAjVUE1oWkTL2dfOu
K2HXKu/yIgMZndFIAcc=
</ds:P>
<ds:Q>l2BQjxUjC8yykrmCouuEC/BYHPU=</ds:Q>
<ds:G>
9+GghdabPd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6EwoFhO3
zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkImog9/hWuWfBpKL
Zl6Ae1UlZAFMO/7PSSo=
</ds:G>
<ds:Y>
Eln5/htZP51p7Y/Y1+zZOSSmoi2fQS0deniScan3990xy33RrPfF5odqEVmVYfTzFfKEz94aUXEY
qY2VGVRCKrAZThk1SwoOB+UyfNSVjoqa4fppIQpTalK/JeR7uxQUr0Aeop68nr2u49GijYiLyvL3
x04lGaZ8jUYZL3gZTNI=
</ds:Y>
</ds:DSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature></Security></soapenv:Header><soapenv:Body><wss:UsernameToken xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" ID="utID"><wss:Username>joe</wss:Username><wss:Password>foobar</wss:Password><wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2005-12-15T19:23:18Z</wsu:Created></wss:UsernameToken></soapenv:Body></soapenv:Envelope>
Also, I pasted the code I am using for creating and verifying the sig; there is clearly something amiss in one of these places.
// The two fragments below are made whole: imports added, each wrapped in a method,
// braces closed, library initialisation added. NamespaceConstants, XMLUtil (singular)
// and getResourceResolverSpi() are the poster's own helpers, not Apache XML Security
// classes; they are referenced exactly as in the original.
import java.io.InputStream;
import java.io.OutputStream;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPrivateKey;

import org.apache.xml.security.Init;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.content.KeyName;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.IdResolver;
import org.apache.xml.security.utils.XMLUtils;
import org.apache.xpath.XPathAPI;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class SoapDsig {
    static {
        Init.init(); // Apache XML Security must be initialised before any XMLSignature use
    }

    /** Sign the element registered under baseURI and hang the Signature under sigParent. */
    public static Element sign(Document msgDoc, Node msgRoot, Element sigParent, String baseURI,
                               PrivateKey signingKey, X509Certificate cert, String keyName,
                               OutputStream out) throws Exception {
        Constants.setSignatureSpecNSprefix(NamespaceConstants.NSPREFIX_SCHEMA_DS);
        Document sigDoc = msgDoc;
        XMLSignature sig;
        if (signingKey instanceof DSAPrivateKey) {
            sig = new XMLSignature(sigDoc, baseURI, XMLSignature.ALGO_ID_SIGNATURE_DSA);
        } else {
            // signing key must be an RSA key
            sig = new XMLSignature(sigDoc, baseURI, XMLSignature.ALGO_ID_SIGNATURE_RSA);
        }
        //System.out.println("Document:\n"+XMLUtil.getString(doc,true));
        if (sigParent != null) {
            sigParent.appendChild(sig.getElement());
        }
        Transforms transforms = new Transforms(sigDoc);
        //transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        if (baseURI != null) {
            // make msgRoot resolvable by Id, so the Reference URI "#<baseURI>" points at it
            final Node finalRoot = msgRoot;
            IdResolver.registerElementById((Element) msgRoot, baseURI);
            sig.addResourceResolver(getResourceResolverSpi(finalRoot));
            baseURI = "#" + baseURI;
        } else {
            baseURI = ""; // empty URI: the Reference covers the whole document
        }
        sig.addDocument(baseURI, transforms, Constants.ALGO_ID_DIGEST_SHA1);
        sig.addKeyInfo(cert);
        sig.addKeyInfo(cert.getPublicKey());
        if (keyName != null) {
            sig.getKeyInfo().add(new KeyName(sigDoc, keyName));
        }
        sig.sign(signingKey);
        //System.out.println("Signed Doc: "+XMLUtil.getString(doc, true));
        if (out != null) {
            XMLUtils.outputDOM(sigDoc, out);
        }
        return sig.getElement();
    }

    /** Locate the first ds:Signature in the parsed document and check it with the key it carries. */
    public static boolean verify(InputStream in, String baseURI) throws Exception {
        Document doc = XMLUtil.parse(in);
        //System.out.println("VERIFYING DOC: "+XMLUtil.getStringUnchanged(doc));
        Element nscontext = XMLUtils.createDSctx(doc, NamespaceConstants.NSPREFIX_SCHEMA_DS,
                                                 Constants.SignatureSpecNS);
        Element sigElement = (Element) XPathAPI.selectSingleNode(doc, "//ds:Signature[1]", nscontext);
        if (sigElement == null) {
            return false; // nothing to verify
        }
        //System.out.println("NSCONTEXT: "+XMLUtil.getStringUnchanged(nscontext));
        System.out.println("SIG ELEM: " + XMLUtil.getString(sigElement, true));
        XMLSignature signature = new XMLSignature(sigElement, baseURI);
        boolean isValid = false;
        KeyInfo keyInfo = signature.getKeyInfo();
        if (keyInfo != null) {
            // The certificate or key is taken from the message itself: checkSignatureValue()
            // shows the message is consistent with that key, not that the key is trusted.
            X509Certificate cert = keyInfo.getX509Certificate();
            if (cert != null) {
                // SignedInfo.verify() re-checks the Reference digests only;
                // checkSignatureValue() also checks SignatureValue over SignedInfo.
                System.out.println("Signed info verify: " + signature.getSignedInfo().verify());
                isValid = signature.checkSignatureValue(cert);
                System.out.println("Made it here, sig is valid: " + isValid);
            } else {
                PublicKey pubKey = keyInfo.getPublicKey();
                if (pubKey != null) {
                    isValid = signature.checkSignatureValue(pubKey);
                }
            }
        }
        return isValid;
    }
}
Nick
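The step that most often breaks a signature like the one above is the first one a verifier performs: resolving `URI="#utID"` to exactly one element and re-computing its digest after the declared transforms. The following is an added example, not the poster's code or Apache XML Security's, written in Python with lxml to make that step visible on a constructed envelope that mirrors the posted one (same token, same transform chain, a freshly computed DigestValue). It checks only the Reference digests; the DSA signature over SignedInfo is out of scope here and the SignatureValue is a placeholder. The set of attribute names accepted as IDs (`ID`, `Id`, `wsu:Id`) is an assumption of the example: real toolkits differ, and some only honour attributes typed as ID by a schema or DTD or registered explicitly, which is one way a reference that signed fine can fail to resolve at verification time.

```python
"""Resolve and re-digest ds:Reference URIs in a WS-Security style SOAP envelope.

Added example (not the poster's code). Covers Reference resolution and exc-c14n
digests only; SignatureValue is a placeholder and is not checked. Requires lxml.
"""
import base64
import hashlib

from lxml import etree

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SOAPENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"

# Assumption of this example: which attributes count as IDs. Real toolkits differ
# (some honour only wsu:Id, or only attributes typed ID by schema/DTD or registered
# explicitly); a verifier that does not know the attribute cannot resolve "#utID".
ID_ATTRS = ("ID", "Id", "{%s}Id" % WSU_NS)


def resolve_reference(root, uri):
    """Resolve a same-document URI '#id' to exactly one element, or raise ValueError.

    Exactly one: a second element carrying the same ID is the signature-wrapping
    setup, and a lenient resolver may digest the attacker-chosen copy.
    """
    if not uri.startswith("#"):
        raise ValueError("%s: only same-document references are handled" % uri)
    wanted = uri[1:]
    matches = [el for el in root.iter()
               if isinstance(el.tag, str) and any(el.get(a) == wanted for a in ID_ATTRS)]
    if len(matches) != 1:
        raise ValueError("%s: resolved to %d elements" % (uri, len(matches)))
    return matches[0]


def exc_c14n_sha1(elem):
    """Exclusive C14N without comments, then SHA-1, base64 as carried in DigestValue."""
    canon = etree.tostring(elem, method="c14n", exclusive=True, with_comments=False)
    return base64.b64encode(hashlib.sha1(canon).digest()).decode("ascii")


def check_references(envelope_bytes):
    """Return a list of problems for every ds:Reference found; [] means all digests match."""
    root = etree.fromstring(envelope_bytes)
    problems = []
    for ref in root.iter("{%s}Reference" % DS_NS):
        uri = ref.get("URI", "")
        transforms = [t.get("Algorithm") for t in ref.iter("{%s}Transform" % DS_NS)]
        if EXC_C14N not in transforms or any(t not in (ENVELOPED, EXC_C14N) for t in transforms):
            problems.append("%s: unsupported transform chain %r" % (uri, transforms))
            continue
        try:
            target = resolve_reference(root, uri)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        # enveloped-signature removes the enclosing Signature from the digested subtree;
        # it is a no-op for a Body token that does not contain the Signature.
        if ENVELOPED in transforms and target.find(".//{%s}Signature" % DS_NS) is not None:
            problems.append("%s: enveloped-signature over a Signature-bearing subtree not implemented" % uri)
            continue
        expected = (ref.findtext("{%s}DigestValue" % DS_NS) or "").strip()
        if exc_c14n_sha1(target) != expected:
            problems.append("%s: digest mismatch" % uri)
    return problems


def build_envelope(id_attr="ID", duplicate_token=False):
    """Constructed sample mirroring the posted message, with a freshly computed DigestValue.

    id_attr names the attribute carrying the token's ID; duplicate_token plants a second
    element with the same ID in the Header to exercise the ambiguity check.
    """
    token = ('<wss:UsernameToken xmlns:wss="%s" xmlns:wsu="%s" %s="utID">'
             '<wss:Username>joe</wss:Username><wss:Password>foobar</wss:Password>'
             '<wsu:Created>2005-12-15T19:23:18Z</wsu:Created></wss:UsernameToken>'
             ) % (WSSE_NS, WSU_NS, id_attr)
    # Exclusive c14n renders only visibly used namespaces, so the stand-alone token
    # digests the same as the token inside the envelope, where soapenv/xsd/xsi are in scope.
    digest = exc_c14n_sha1(etree.fromstring(token))
    signature = (
        '<ds:Signature xmlns:ds="%s"><ds:SignedInfo>'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
        '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>'
        '<ds:Reference URI="#utID"><ds:Transforms>'
        '<ds:Transform Algorithm="%s"/><ds:Transform Algorithm="%s"/></ds:Transforms>'
        '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
        '<ds:DigestValue>%s</ds:DigestValue></ds:Reference></ds:SignedInfo>'
        '<ds:SignatureValue>UExBQ0VIT0xERVI=</ds:SignatureValue>'  # placeholder, not a DSA signature
        '</ds:Signature>') % (DS_NS, ENVELOPED, EXC_C14N, digest)
    wrapper = '<Wrapper>%s</Wrapper>' % token if duplicate_token else ''
    envelope = ('<soapenv:Envelope xmlns:soapenv="%s" xmlns:xsd="http://www.w3.org/2001/XMLSchema" '
                'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
                '<soapenv:Header><wsse:Security xmlns:wsse="%s">%s</wsse:Security>%s</soapenv:Header>'
                '<soapenv:Body>%s</soapenv:Body></soapenv:Envelope>'
                ) % (SOAPENV_NS, WSSE_NS, signature, wrapper, token)
    return envelope.encode("utf-8")


if __name__ == "__main__":
    for label, env in (("ok", build_envelope()),
                       ("unknown id attribute", build_envelope(id_attr="myid")),
                       ("duplicate id", build_envelope(duplicate_token=True))):
        print(label, "->", check_references(env) or "all reference digests match")
```

Two things the toy makes concrete. First, the digest computed over the stand-alone token equals the one computed inside the envelope only because the transform is exclusive c14n; inclusive c14n would also render the envelope's own namespace declarations on the token, so the same bytes would digest differently depending on context. Second, the resolver insists on exactly one match for `#utID` and refuses an ambiguous document rather than picking the first hit; a verifier that does not know the ID attribute, or that resolves it loosely, fails in the two opposite ways shown by the `myid` and `duplicate_token` cases.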