Thank you, Raul.

I've tried in v1.3.0 and v1.4.0, both complain the same way.

Attached is:
 (1) VerifySignature.java taken from
     xml-security-bin-1.3.0 zip, in directory
     src_samples/org/apache/xml/security/samples/signature
     I added ability to specify signature file to verify on the
     command line
 (2) sig1.xml (verifies correctly)
 (3) Word-plugin-signature.xml (does not verify due to hash failures
     on Objects "#idsigInvalidImage" and "#idsigValidImage")
 (4) Output from Aleksey's xmlsec1 command-line tool trying to verify
     Word-plugin-signature.xml and getting the correct hash where
     Apache-XMLSec does not. (Word-plugin-signature_xmlsec1output.txt)

Cheers,

JLC


On Mon, Feb 26, 2007 at 04:33:18PM +0000, Raul Benito wrote:
> 
>    Hi Jean-Luc,
>    I will try to take a look to the issue, but can you send us the
>    document and the code you are using?
>    And thanks for telling.
>    Regards,
>    Raul,
> 
>    On 2/26/07, Jean-Luc Cooke <[EMAIL PROTECTED]> wrote:
> 
>      To help things along,
>      Here's the output from Aleksey's tool.  Notice how it verifies
>      "#idsigInvalidImage" and "#idsigValidImage" but ApacheXMLSec
>      cannot.
>      The overall signature status fails with Aleksey's tool, but that's
>      not
>      what I'm focusing on.
>      Is the fact that ApacheXMLSec cannot verify idsigInvalidImage and
>      idsigValidImage a bug?
>      JLC
>      On Mon, Feb 26, 2007 at 09:54:15AM -0500, Jean-Luc Cooke wrote:
>      > Sorry to ping here.
>      >
>      > Can anyone point me in the direction of "Is this a bug with
>      Apache XMLSec?"
>      >
>      > I'd really expect the evil empire of Microsoft and Apache to
>      interoperate.
>      >
>      > JLC
>      >
>      > On Wed, Feb 21, 2007 at 02:37:47PM -0500, Jean-Luc Cooke wrote:
>      > > Hello team,
>      > >
>      > > I tried to verify the following XML file (not a root'd web
>      cert, sorry):
>      > >
>      [2]https://216.191.58.251/apache-xmlsec-help/Word-plugin-signature.xml
>      > >
>      > > Using the
>      org.apache.xml.security.samples.signature.VerifySignature class
>      that is found in src_samples directory and got this:
>      > >
>      > > java -cp .:../libs/xmlsec-1.3.0.jar:../libs/xalan.jar:../libs/commons-logging.jar
>      org.apache.xml.security.samples.signature.VerifySignature Word-plugin-signature.xml
>      > > Try to verify file: Word-plugin-signature.xml
>      > > Could find a X509Data element in the KeyInfo
>      > > Feb 21, 2007 2:20:17 PM
>      org.apache.xml.security.signature.Reference verify
>      > > INFO: Verification successful for URI "#idPackageObject"
>      > > Feb 21, 2007 2:20:17 PM
>      org.apache.xml.security.signature.Reference verify
>      > > INFO: Verification successful for URI "#idOfficeObject"
>      > > Feb 21, 2007 2:20:17 PM
>      org.apache.xml.security.signature.Reference verify
>      > > WARNING: Verification failed for URI "#idsigInvalidImage"
>      > > Feb 21, 2007 2:20:17 PM
>      org.apache.xml.security.signature.Reference verify
>      > > WARNING: Verification failed for URI "#idsigValidImage"
>      > > The XML signature in file
>      file:/home/jlcooke/crypt_map/sc_data/sc/xmlsec/2007-02-21/Word-plugin-signature.xml is invalid !!!!! (bad)
>      > > Object=
>      > >
>      > > It is clear the two Objects "#idsigInvalidImage"
>      "#idsigValidImage" are failing.
>      > >
>      > > I have two questions:
>      > >  1) How can I pragmatically find out why the signature failed
>      verification?
>      > >     From what I can see the only way is to look at the log4j
>      output.
>      > >  2) Passing the XML file above into Aleksey's xmlsec1 app it
>      passes.  What's
>      > >     different?
>      > >
>      > > Thanks
>      > >
>      > > JLC
> 
>    --
>    [3]http://r-bg.com
> 
> References
> 
>    1. mailto:[EMAIL PROTECTED]
>    2. https://216.191.58.251/apache-xmlsec-help/Word-plugin-signature.xml
>    3. http://r-bg.com/

Attachment: Word-plugin-signature.xml
Description: application/xml

Attachment: sig1.xml
Description: application/xml

/*
 * Copyright  1999-2004 The Apache Software Foundation.
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 */
package org.apache.xml.security.samples.signature;



import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;

import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.samples.utils.resolver.OfflineResolver;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.XMLUtils;
import org.apache.xpath.XPathAPI;
import org.w3c.dom.Element;


/**
 *
 *
 *
 *
 * @author $Author: blautenb $
 *
 */
public class VerifySignature {

   /**
    * Method main
    *
    * @param unused
    */
//   public static void main(String unused[]) {
   public static void main(String arg[]) {

      // JLC's change: the signature file to verify is given on the command line
      if (arg.length < 1) {
         System.err.println("Usage: VerifySignature <signature-file.xml>");
         System.exit(1);
      }

      boolean schemaValidate = false;
      final String signatureSchemaFile = "data/xmldsig-core-schema.xsd";
//      String signatureFileName = "data/ie/baltimore/merlin-examples/merlin-xmldsig-fifteen/signature-enveloping-rsa.xml";
      String signatureFileName = arg[0];

      if (schemaValidate) {
         System.out.println("We do schema-validation");
      }

      javax.xml.parsers.DocumentBuilderFactory dbf =
         javax.xml.parsers.DocumentBuilderFactory.newInstance();

      if (schemaValidate) {
         dbf.setAttribute("http://apache.org/xml/features/validation/schema",
                          Boolean.TRUE);
         dbf.setAttribute(
            "http://apache.org/xml/features/dom/defer-node-expansion",
            Boolean.TRUE);
         dbf.setValidating(true);
         dbf.setAttribute("http://xml.org/sax/features/validation",
                          Boolean.TRUE);
      }

      dbf.setNamespaceAware(true);
      dbf.setAttribute("http://xml.org/sax/features/namespaces", Boolean.TRUE);

      if (schemaValidate) {
         dbf.setAttribute(
            "http://apache.org/xml/properties/schema/external-schemaLocation",
            Constants.SignatureSpecNS + " " + signatureSchemaFile);
      }

      try {

         // File f = new File("signature.xml");
         File f = new File(signatureFileName);

         System.out.println("Try to verify " + f.toURL().toString());

         javax.xml.parsers.DocumentBuilder db = dbf.newDocumentBuilder();

         db.setErrorHandler(new org.apache.xml.security.utils
            .IgnoreAllErrorHandler());

         if (schemaValidate) {
            db.setEntityResolver(new org.xml.sax.EntityResolver() {

               public org.xml.sax.InputSource resolveEntity(
                       String publicId, String systemId)
                          throws org.xml.sax.SAXException {

                  if (systemId.endsWith("xmldsig-core-schema.xsd")) {
                     try {
                        return new org.xml.sax.InputSource(
                           new FileInputStream(signatureSchemaFile));
                     } catch (FileNotFoundException ex) {
                        throw new org.xml.sax.SAXException(ex);
                     }
                  } else {
                     return null;
                  }
               }
            });
         }

         org.w3c.dom.Document doc = db.parse(new java.io.FileInputStream(f));
         Element nscontext = XMLUtils.createDSctx(doc, "ds",
                                                  Constants.SignatureSpecNS);
         Element sigElement = (Element) XPathAPI.selectSingleNode(doc,
                                 "//ds:Signature[1]", nscontext);
         XMLSignature signature = new XMLSignature(sigElement,
                                                   f.toURL().toString());

         signature.addResourceResolver(new OfflineResolver());

         // XMLUtils.outputDOMc14nWithComments(signature.getElement(), System.out);
         KeyInfo ki = signature.getKeyInfo();

         if (ki != null) {
            if (ki.containsX509Data()) {
               System.out
                  .println("Could find a X509Data element in the KeyInfo");
            }

            X509Certificate cert = signature.getKeyInfo().getX509Certificate();

            if (cert != null) {
               /*
               System.out.println(
                  "I try to verify the signature using the X509 Certificate: "
                  + cert);
               */
               System.out.println("The XML signature in file "
                                  + f.toURL().toString() + " is "
                                  + (signature.checkSignatureValue(cert)
                                     ? "valid (good)"
                                     : "invalid !!!!! (bad)"));
               // JLC's addition: dump the raw bytes of the first ds:Object child
               System.out.println("Object=" + new String(
                  signature.getBytesFromChildElement("Object",
                     "http://www.w3.org/2000/09/xmldsig#")));
            } else {
               System.out.println("Did not find a Certificate");

               PublicKey pk = signature.getKeyInfo().getPublicKey();

               if (pk != null) {
                  /*
                  System.out.println(
                     "I try to verify the signature using the public key: "
                     + pk);
                  */
                  System.out.println("The XML signature in file "
                                     + f.toURL().toString() + " is "
                                     + (signature.checkSignatureValue(pk)
                                        ? "valid (good)"
                                        : "invalid !!!!! (bad)"));
               } else {
                  System.out.println(
                     "Did not find a public key, so I can't check the signature");
               }
            }
         } else {
            System.out.println("Did not find a KeyInfo");
         }
      } catch (Exception ex) {
         ex.printStackTrace();
      }
   }

   static {
      org.apache.xml.security.Init.init();
   }
}
= VERIFICATION CONTEXT
== Status: invalid
== flags: 0x00000001
== flags2: 0x00000000
== Id: "idPackageSignature"
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: rsa
==== keyType: 0x00000001
==== keyUsage: 0x00000002
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
=== Transform: membuf-transform (href=NULL)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Key:
== KEY
=== method: RSAKeyValue
=== key type: Public
=== key usage: -1
=== rsa key: size = 1024
== SignedInfo References List:
=== list size: 4
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: "#idPackageObject"
== Type: "http://www.w3.org/2000/09/xmldsig#Object"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: 
=== uri xpointer expr: #idPackageObject
=== Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: "#idOfficeObject"
== Type: "http://www.w3.org/2000/09/xmldsig#Object"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: 
=== uri xpointer expr: #idOfficeObject
=== Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: "#idsigInvalidImage"
== Type: "http://www.w3.org/2000/09/xmldsig#Object"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: 
=== uri xpointer expr: #idsigInvalidImage
=== Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: "#idsigValidImage"
== Type: "http://www.w3.org/2000/09/xmldsig#Object"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: 
=== uri xpointer expr: #idsigValidImage
=== Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== Manifest References List:
=== list size: 0
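JLC's first question (finding out in code which Reference failed, instead of reading the log4j output) asks for the same per-Reference status that the xmlsec1 dump above prints; the class below is an added example, not JLC's code and not part of the xmlsec samples, written against the Apache XMLSec 1.3/1.4 API. It assumes that SignedInfo.getVerificationResult, Reference.getDigestValue and Reference.getReferencedBytes are available in those releases, and ReferenceReport is a hypothetical class name.

```java
import java.io.File;
import java.security.MessageDigest;

import org.apache.xml.security.Init;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Base64;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/** Hypothetical helper: prints stored vs. recomputed digest for every ds:Reference. */
public class ReferenceReport {

    static { Init.init(); }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("Usage: ReferenceReport <signature-file.xml>");
            System.exit(1);
        }
        File f = new File(args[0]);
        javax.xml.parsers.DocumentBuilderFactory dbf =
            javax.xml.parsers.DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(f);
        Element sigElement = (Element) doc.getElementsByTagNameNS(
            Constants.SignatureSpecNS, "Signature").item(0);
        XMLSignature signature = new XMLSignature(sigElement, f.toURI().toString());

        SignedInfo si = signature.getSignedInfo();
        for (int i = 0; i < si.getLength(); i++) {
            Reference ref = si.item(i);
            // getVerificationResult() runs verifyReferences() on first use, so every
            // Reference is dereferenced, transformed and digested, independent of
            // whether the SignatureValue itself checks out.
            boolean ok = si.getVerificationResult(i);
            String jce = ref.getMessageDigestAlgorithm().getJCEAlgorithmString();
            byte[] stored = ref.getDigestValue();               // from <ds:DigestValue>
            byte[] computed = MessageDigest.getInstance(jce)
                                  .digest(ref.getReferencedBytes()); // post-transform octets
            System.out.println((ok ? "OK   " : "FAIL ") + ref.getURI()
                + "  stored=" + Base64.encode(stored)
                + "  computed=" + Base64.encode(computed));
        }
    }
}
```

For a failing Reference, dumping ref.getReferencedBytes() to a file and comparing it with what xmlsec1 canonicalizes for the same URI is the quickest way to see whether the two libraries disagree on dereferencing or on canonicalization.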
