Hi Jean, I could not reproduce your reference validation failures ... when I validate the signature, all of the references pass (but the signature fails which is ok). Here is the log output:
[VerifySignature] Try to verify file:/home/mullan/tmp/Word-plugin-signature.xml
[VerifySignature] Could find a X509Data element in the KeyInfo
[VerifySignature] Feb 27, 2007 2:28:56 PM org.apache.xml.security.signature.Reference verify
[VerifySignature] INFO: Verification successful for URI "#idPackageObject"
[VerifySignature] Feb 27, 2007 2:28:56 PM org.apache.xml.security.signature.Reference verify
[VerifySignature] INFO: Verification successful for URI "#idOfficeObject"
[VerifySignature] Feb 27, 2007 2:28:56 PM org.apache.xml.security.signature.Reference verify
[VerifySignature] INFO: Verification successful for URI "#idsigInvalidImage"
[VerifySignature] Feb 27, 2007 2:28:56 PM org.apache.xml.security.signature.Reference verify
[VerifySignature] INFO: Verification successful for URI "#idsigValidImage"
[VerifySignature] The XML signature in file file:/home/mullan/tmp/Word-plugin-signature.xml is invalid !!!!! (bad)

What JDK version are you using?

--Sean

Jean-Luc Cooke wrote:
> Thank you, Raul.
>
> I've tried in v1.3.0 and v1.4.0, both complain the same way.
>
> Attached is:
> (1) VerifySignature.java taken from xml-security-bin-1.3.0 zip, in directory
>     src_samples/org/apache/xml/security/samples/signature
>     I added the ability to specify the signature file to verify on the
>     command line
> (2) sig1.xml (verifies correctly)
> (3) Word-plugin-signature.xml (does not verify due to hash failures
>     on Objects "#idsigInvalidImage" and "#idsigValidImage")
> (4) Output from Aleksey's xmlsec1 command-line tool trying to verify
>     Word-plugin-signature.xml and getting the correct hash where
>     Apache-XMLSec does not. (Word-plugin-signature_xmlsec1output.txt)
>
> Cheers,
>
> JLC
>
>
> On Mon, Feb 26, 2007 at 04:33:18PM +0000, Raul Benito wrote:
>> Hi Jean-Luc,
>> I will try to take a look at the issue, but can you send us the
>> document and the code you are using?
>> And thanks for telling.
>> Regards,
>> Raul,
>>
>> On 2/26/07, Jean-Luc Cooke <[EMAIL PROTECTED]> wrote:
>>
>> To help things along,
>> Here's the output from Aleksey's tool. Notice how it verifies
>> "#idsigInvalidImage" and "#idsigValidImage" but ApacheXMLSec cannot.
>> The overall signature status fails with Aleksey's tool, but that's not
>> what I'm focusing on.
>> Is the fact that ApacheXMLSec cannot verify idsigInvalidImage and
>> idsigValidImage a bug?
>> JLC
>> On Mon, Feb 26, 2007 at 09:54:15AM -0500, Jean-Luc Cooke wrote:
>> > Sorry to ping here.
>> >
>> > Can anyone point me in the direction of "Is this a bug with Apache XMLSec?"
>> >
>> > I'd really expect the evil empire of Microsoft and Apache to interoperate.
>> >
>> > JLC
>> >
>> > On Wed, Feb 21, 2007 at 02:37:47PM -0500, Jean-Luc Cooke wrote:
>> > > Hello team,
>> > >
>> > > I tried to verify the following XML file (not a root'd web cert, sorry):
>> > >
>> > > [2]https://216.191.58.251/apache-xmlsec-help/Word-plugin-signature.xml
>> > >
>> > > Using the org.apache.xml.security.samples.signature.VerifySignature class
>> > > that is found in the src_samples directory and got this:
>> > >
>> > > java -cp .:../libs/xmlsec-1.3.0.jar:../libs/xalan.jar:../libs/commons-logging.jar org.apache.xml.security.samples.signature.VerifySignature Word-plugin-signature.xml
>> > > Try to verify file: Word-plugin-signature.xml
>> > > Could find a X509Data element in the KeyInfo
>> > > Feb 21, 2007 2:20:17 PM org.apache.xml.security.signature.Reference verify
>> > > INFO: Verification successful for URI "#idPackageObject"
>> > > Feb 21, 2007 2:20:17 PM org.apache.xml.security.signature.Reference verify
>> > > INFO: Verification successful for URI "#idOfficeObject"
>> > > Feb 21, 2007 2:20:17 PM org.apache.xml.security.signature.Reference verify
>> > > WARNING: Verification failed for URI "#idsigInvalidImage"
>> > > Feb 21, 2007 2:20:17 PM org.apache.xml.security.signature.Reference verify
>> > > WARNING: Verification failed for URI "#idsigValidImage"
>> > > The XML signature in file file:/home/jlcooke/crypt_map/sc_data/sc/xmlsec/2007-02-21/Word-plugin-signature.xml is invalid !!!!! (bad)
>> > > Object=
>> > >
>> > > It is clear the two Objects "#idsigInvalidImage" "#idsigValidImage" are failing.
>> > >
>> > > I have two questions:
>> > > 1) How can I pragmatically find out why the signature failed verification?
>> > >    From what I can see the only way is to look at the log4j output.
>> > > 2) Passing the XML file above into Aleksey's xmlsec1 app it passes. What's
>> > >    different?
>> > >
>> > > Thanks
>> > >
>> > > JLC
>>
>> --
>> [3]http://r-bg.com
>>
>> References
>>
>> 1. mailto:[EMAIL PROTECTED]
>> 2. https://216.191.58.251/apache-xmlsec-help/Word-plugin-signature.xml
>> 3. http://r-bg.com/
>>
>> ------------------------------------------------------------------------
>>
>> /*
>>  * Copyright 1999-2004 The Apache Software Foundation.
>>  *
>>  * Licensed under the Apache License, Version 2.0 (the "License");
>>  * you may not use this file except in compliance with the License.
>>  * You may obtain a copy of the License at
>>  *
>>  *      http://www.apache.org/licenses/LICENSE-2.0
>>  *
>>  * Unless required by applicable law or agreed to in writing, software
>>  * distributed under the License is distributed on an "AS IS" BASIS,
>>  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>>  * See the License for the specific language governing permissions and
>>  * limitations under the License.
>>  *
>>  */
>> package org.apache.xml.security.samples.signature;
>>
>> import java.io.File;
>> import java.io.FileInputStream;
>> import java.io.FileNotFoundException;
>> import java.security.PublicKey;
>> import java.security.cert.X509Certificate;
>>
>> import org.apache.xml.security.keys.KeyInfo;
>> import org.apache.xml.security.samples.utils.resolver.OfflineResolver;
>> import org.apache.xml.security.signature.XMLSignature;
>> import org.apache.xml.security.utils.Constants;
>> import org.apache.xml.security.utils.XMLUtils;
>> import org.apache.xpath.XPathAPI;
>> import org.w3c.dom.Element;
>>
>> /**
>>  * Verifies the first ds:Signature found in an XML file.
>>  *
>>  * @author $Author: blautenb $
>>  */
>> public class VerifySignature {
>>
>>    /**
>>     * Method main
>>     *
>>     * @param arg arg[0] is the signature file to verify
>>     */
>>    // public static void main(String unused[]) {
>>    public static void main(String arg[]) {
>>
>>       if (arg.length < 1) {
>>          System.err.println("Usage: VerifySignature <signature-file>");
>>          System.exit(1);
>>       }
>>
>>       boolean schemaValidate = false;
>>       final String signatureSchemaFile = "data/xmldsig-core-schema.xsd";
>>       // String signatureFileName = "data/ie/baltimore/merlin-examples/merlin-xmldsig-fifteen/signature-enveloping-rsa.xml";
>>       String signatureFileName = arg[0];
>>
>>       if (schemaValidate) {
>>          System.out.println("We do schema-validation");
>>       }
>>
>>       javax.xml.parsers.DocumentBuilderFactory dbf =
>>          javax.xml.parsers.DocumentBuilderFactory.newInstance();
>>
>>       if (schemaValidate) {
>>          dbf.setAttribute("http://apache.org/xml/features/validation/schema",
>>                           Boolean.TRUE);
>>          dbf.setAttribute(
>>             "http://apache.org/xml/features/dom/defer-node-expansion",
>>             Boolean.TRUE);
>>          dbf.setValidating(true);
>>          dbf.setAttribute("http://xml.org/sax/features/validation",
>>                           Boolean.TRUE);
>>       }
>>
>>       dbf.setNamespaceAware(true);
>>       dbf.setAttribute("http://xml.org/sax/features/namespaces", Boolean.TRUE);
>>
>>       if (schemaValidate) {
>>          dbf.setAttribute(
>>             "http://apache.org/xml/properties/schema/external-schemaLocation",
>>             Constants.SignatureSpecNS + " " + signatureSchemaFile);
>>       }
>>
>>       try {
>>          // File f = new File("signature.xml");
>>          File f = new File(signatureFileName);
>>
>>          System.out.println("Try to verify " + f.toURL().toString());
>>
>>          javax.xml.parsers.DocumentBuilder db = dbf.newDocumentBuilder();
>>
>>          db.setErrorHandler(
>>             new org.apache.xml.security.utils.IgnoreAllErrorHandler());
>>
>>          if (schemaValidate) {
>>             // serve the XMLDSig schema from the local file instead of the network
>>             db.setEntityResolver(new org.xml.sax.EntityResolver() {
>>
>>                public org.xml.sax.InputSource resolveEntity(
>>                       String publicId, String systemId)
>>                          throws org.xml.sax.SAXException {
>>
>>                   if (systemId.endsWith("xmldsig-core-schema.xsd")) {
>>                      try {
>>                         return new org.xml.sax.InputSource(
>>                            new FileInputStream(signatureSchemaFile));
>>                      } catch (FileNotFoundException ex) {
>>                         throw new org.xml.sax.SAXException(ex);
>>                      }
>>                   } else {
>>                      return null;
>>                   }
>>                }
>>             });
>>          }
>>
>>          org.w3c.dom.Document doc = db.parse(new java.io.FileInputStream(f));
>>          Element nscontext = XMLUtils.createDSctx(doc, "ds",
>>                                                   Constants.SignatureSpecNS);
>>          Element sigElement = (Element) XPathAPI.selectSingleNode(doc,
>>                                  "//ds:Signature[1]", nscontext);
>>          XMLSignature signature = new XMLSignature(sigElement,
>>                                                    f.toURL().toString());
>>
>>          // resolve Reference URIs from the local test data, never from the network
>>          signature.addResourceResolver(new OfflineResolver());
>>
>>          // XMLUtils.outputDOMc14nWithComments(signature.getElement(), System.out);
>>          KeyInfo ki = signature.getKeyInfo();
>>
>>          if (ki != null) {
>>             if (ki.containsX509Data()) {
>>                System.out.println("Could find a X509Data element in the KeyInfo");
>>             }
>>
>>             X509Certificate cert = signature.getKeyInfo().getX509Certificate();
>>
>>             if (cert != null) {
>>                /*
>>                System.out.println(
>>                   "I try to verify the signature using the X509 Certificate: "
>>                   + cert);
>>                */
>>                System.out.println("The XML signature in file "
>>                                   + f.toURL().toString() + " is "
>>                                   + (signature.checkSignatureValue(cert)
>>                                      ? "valid (good)"
>>                                      : "invalid !!!!! (bad)"));
>>                System.out.println("Object=" + (new String(
>>                   signature.getBytesFromChildElement("Object",
>>                      "http://www.w3.org/2000/09/xmldsig#"))));
>>             } else {
>>                System.out.println("Did not find a Certificate");
>>
>>                PublicKey pk = signature.getKeyInfo().getPublicKey();
>>
>>                if (pk != null) {
>>                   /*
>>                   System.out.println(
>>                      "I try to verify the signature using the public key: "
>>                      + pk);
>>                   */
>>                   System.out.println("The XML signature in file "
>>                                      + f.toURL().toString() + " is "
>>                                      + (signature.checkSignatureValue(pk)
>>                                         ? "valid (good)"
>>                                         : "invalid !!!!! (bad)"));
>>                } else {
>>                   System.out.println(
>>                      "Did not find a public key, so I can't check the signature");
>>                }
>>             }
>>          } else {
>>             System.out.println("Did not find a KeyInfo");
>>          }
>>       } catch (Exception ex) {
>>          ex.printStackTrace();
>>       }
>>    }
>>
>>    static {
>>       org.apache.xml.security.Init.init();
>>    }
>> }
>>
>> ------------------------------------------------------------------------
>>
>> = VERIFICATION CONTEXT
>> == Status: invalid
>> == flags: 0x00000001
>> == flags2: 0x00000000
>> == Id: "idPackageSignature"
>> == Key Info Read Ctx:
>> = KEY INFO READ CONTEXT
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled key data: all
>> == RetrievalMethod level (cur/max): 0/1
>> == TRANSFORMS CTX (status=0)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> == EncryptedKey level (cur/max): 0/1
>> === KeyReq:
>> ==== keyId: rsa
>> ==== keyType: 0x00000001
>> ==== keyUsage: 0x00000002
>> ==== keyBitsSize: 0
>> === list size: 0
>> == Key Info Write Ctx:
>> = KEY INFO WRITE CONTEXT
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled key data: all
>> == RetrievalMethod level (cur/max): 0/1
>> == TRANSFORMS CTX (status=0)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> == EncryptedKey level (cur/max): 0/1
>> === KeyReq:
>> ==== keyId: NULL
>> ==== keyType: 0x00000001
>> ==== keyUsage: 0xffffffff
>> ==== keyBitsSize: 0
>> === list size: 0
>> == Signature Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>> === Transform: membuf-transform (href=NULL)
>> == Signature Method:
>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>> == Signature Key:
>> == KEY
>> === method: RSAKeyValue
>> === key type: Public
>> === key usage: -1
>> === rsa key: size = 1024
>> == SignedInfo References List:
>> === list size: 4
>> = REFERENCE VERIFICATION CONTEXT
>> == Status: succeeded
>> == URI: "#idPackageObject"
>> == Type: "http://www.w3.org/2000/09/xmldsig#Object"
>> == Reference Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri:
>> === uri xpointer expr: #idPackageObject
>> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> === Transform: membuf-transform (href=NULL)
>> == Digest Method:
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> = REFERENCE VERIFICATION CONTEXT
>> == Status: succeeded
>> == URI: "#idOfficeObject"
>> == Type: "http://www.w3.org/2000/09/xmldsig#Object"
>> == Reference Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri:
>> === uri xpointer expr: #idOfficeObject
>> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> === Transform: membuf-transform (href=NULL)
>> == Digest Method:
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> = REFERENCE VERIFICATION CONTEXT
>> == Status: succeeded
>> == URI: "#idsigInvalidImage"
>> == Type: "http://www.w3.org/2000/09/xmldsig#Object"
>> == Reference Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri:
>> === uri xpointer expr: #idsigInvalidImage
>> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> === Transform: membuf-transform (href=NULL)
>> == Digest Method:
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> = REFERENCE VERIFICATION CONTEXT
>> == Status: succeeded
>> == URI: "#idsigValidImage"
>> == Type: "http://www.w3.org/2000/09/xmldsig#Object"
>> == Reference Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri:
>> === uri xpointer expr: #idsigValidImage
>> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> === Transform: membuf-transform (href=NULL)
>> == Digest Method:
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> == Manifest References List:
>> === list size: 0
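Added example, not part of this thread and not code from the Apache XMLSec samples: question 1 in the thread (how to find out programmatically which reference failed, instead of reading log4j output) can be answered with the JDK's own XML Signature API, javax.xml.crypto.dsig (JSR 105, in the JDK since version 6; the Base64 class used for printing digests needs JDK 8). The class name ReferenceReport, the FirstCertKeySelector helper and the command-line usage are assumptions of this example. The program takes one argument, the signature file, reports core validity and the SignatureValue check separately, and for every ds:Reference prints whether its digest matched; for a mismatch it prints the DigestValue the document claims next to the digest the validator computed over the transformed content, which is the detail the thread could only get from the log.

```java
import java.io.File;
import java.security.Key;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.xml.XMLConstants;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/** Per-reference validation report for the first ds:Signature in a file (example code). */
public class ReferenceReport {

    /** Hypothetical helper: uses the public key of the first X509Certificate in ds:KeyInfo. */
    static final class FirstCertKeySelector extends KeySelector {
        public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose,
                                        AlgorithmMethod method, XMLCryptoContext ctx)
                throws KeySelectorException {
            if (keyInfo == null) throw new KeySelectorException("no KeyInfo in signature");
            for (Object item : keyInfo.getContent()) {
                if (!(item instanceof X509Data)) continue;
                for (Object c : ((X509Data) item).getContent()) {
                    if (c instanceof X509Certificate) {
                        final Key k = ((X509Certificate) c).getPublicKey();
                        return new KeySelectorResult() { public Key getKey() { return k; } };
                    }
                }
            }
            throw new KeySelectorException("no X509Certificate in KeyInfo");
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: ReferenceReport <signature.xml>");
            System.exit(2);
        }
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // untrusted input: refuse DOCTYPE so no entity expansion or external entities happen
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new File(args[0]));

        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) throw new Exception("no ds:Signature element found");

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(new FirstCertKeySelector(), sigs.item(0));
        // secure validation: rejects XSLT transforms, weak keys/algorithms and
        // excessive reference or transform chains (JDK 7+; see usage note below)
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);

        // core validation = every reference digest matches AND SignatureValue verifies
        boolean core = sig.validate(ctx);
        System.out.println("core validity     : " + core);
        System.out.println("SignatureValue ok : " + sig.getSignatureValue().validate(ctx));

        for (Object o : sig.getSignedInfo().getReferences()) {
            Reference ref = (Reference) o;
            boolean ok = ref.validate(ctx);   // digest check only, result is cached
            System.out.println("reference " + ref.getURI() + " : " + (ok ? "ok" : "FAILED"));
            if (!ok) {
                // validate() stores the digest it computed over the transformed content
                System.out.println("   expected: "
                    + Base64.getEncoder().encodeToString(ref.getDigestValue()));
                System.out.println("   computed: "
                    + Base64.getEncoder().encodeToString(ref.getCalculatedDigestValue()));
            }
        }
    }
}
```

Run it as `java ReferenceReport Word-plugin-signature.xml` (assumed invocation). Two points on the design: the decision to accept a document must rest on the single `core` result, since a run like Sean's, where every reference passes but the SignatureValue check fails, is still an invalid signature and the per-reference lines are only there to explain why; and with secure validation enabled, JDK 17 and later also reject SHA-1-based algorithms, so an rsa-sha1 signature such as the one in this thread will fail with an exception naming the disallowed algorithm rather than with a digest mismatch, which is the correct outcome for production but has to be kept in mind when using the tool for interop diagnosis. The Apache XMLSec 1.x API discussed in the thread exposes the same per-reference results without the log: after `checkSignatureValue`, `signature.getSignedInfo()` (a `Manifest`) offers `getLength()`, `item(i)` and `getVerificationResult(i)`.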