Hello, I'm trying to verify an XML signature I generated, and the Reference.verify() method finds that digests don't match on a reference. That reference is for an XML element inside a ds:Object inside the XML signature (see the reference with URI = #XAdESSignedProperties in the signature at the end of the message).
When I debug, placing a breakpoint in /Reference.dereferenceURIandPerformTransforms(OutputStream os)/, I can see that a call to /input.toString()/ gives exactly the same result when generating the signature and when generating it. Here's what I get:

XMLSignatureInput/Element/<?xml version="1.0" encoding="UTF-16"?> <SignedProperties xmlns="http://uri.etsi.org/01903/v1.1.1#" Id="XAdESSignedProperties"><SignedSignatureProperties><SigningTime>2007-06-27T19:37:41.033+02:00</SigningTime><SigningCertificate><Cert><CertDigest><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>fr3QDtOni3g5c/1+W3sJMJmyFhk=</DigestValue></CertDigest><IssuerSerial><ds:X509IssuerName xmlns:ds="http://www.w3.org/2000/09/xmldsig#">CN="CA ROOT SNR,OU=Centre Organisationnel Integration & Technologies,O=AQL,ST=Bretagne,C=FR"</ds:X509IssuerName><ds:X509SerialNumber xmlns:ds="http://www.w3.org/2000/09/xmldsig#">1</ds:X509SerialNumber></IssuerSerial></Cert></SigningCertificate><SignaturePolicyIdentifier><SignaturePolicyImplied/></SignaturePolicyIdentifier></SignedSignatureProperties></SignedProperties> exclude null comments:true/#XAdESSignedProperties

Now, if instead of this I do a /new String(output.getBytes(),"UTF-8")/ in the method /Reference.calculateDigest()/, I get different results at signing time and at verifying time. I get one more xmlns attribute on my node at verifying time.
Here is what I get when signing:

<SignedProperties xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="XAdESSignedProperties"><SignedSignatureProperties><SigningTime>2007-06-27T19:33:14.236+02:00</SigningTime><SigningCertificate><Cert><CertDigest><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>fr3QDtOni3g5c/1+W3sJMJmyFhk=</DigestValue></CertDigest><IssuerSerial><ds:X509IssuerName>CN="CA ROOT SNR,OU=Centre Organisationnel Integration & Technologies,O=AQL,ST=Bretagne,C=FR"</ds:X509IssuerName><ds:X509SerialNumber>1</ds:X509SerialNumber></IssuerSerial></Cert></SigningCertificate><SignaturePolicyIdentifier><SignaturePolicyImplied></SignaturePolicyImplied></SignaturePolicyIdentifier></SignedSignatureProperties></SignedProperties>

And when verifying:

<SignedProperties xmlns="http://uri.etsi.org/01903/v1.1.1#" *xmlns:ds="http://www.w3.org/2000/09/xmldsig#"* Id="XAdESSignedProperties"><SignedSignatureProperties><SigningTime>2007-06-27T19:33:14.236+02:00</SigningTime><SigningCertificate><Cert><CertDigest><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>fr3QDtOni3g5c/1+W3sJMJmyFhk=</DigestValue></CertDigest><IssuerSerial><ds:X509IssuerName>CN="CA ROOT SNR,OU=Centre Organisationnel Integration & Technologies,O=AQL,ST=Bretagne,C=FR"</ds:X509IssuerName><ds:X509SerialNumber>1</ds:X509SerialNumber></IssuerSerial></Cert></SigningCertificate><SignaturePolicyIdentifier><SignaturePolicyImplied></SignaturePolicyImplied></SignaturePolicyIdentifier></SignedSignatureProperties></SignedProperties>

When creating my signedProperties element I don't actually specify an xmlns attribute on it. The "http://uri.etsi.org/01903/v1.1.1" namespace is specified on a parent element (ds:Object actually). So I can't understand why I get different results from the very same XML node at signing and at verifying time. Could this be a Canonicalizer issue? I'm using xml security version 1.4.1 with a 1.4.2 jvm.
Here is the actual whole XML signature produced; you can notice that the SignedProperties element does not bear an xmlns attribute here:

<?xml version="1.0" encoding="UTF-8"?>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"> </ds:CanonicalizationMethod>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"> </ds:SignatureMethod>
    <ds:Reference>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"> </ds:DigestMethod>
      <ds:DigestValue> rZm5EgUWy102podIvAM1DkMF3/w= </ds:DigestValue>
    </ds:Reference>
    <ds:Reference Type="http://uri.etsi.org/01903/v1.1.1#SignedPropertiesType" URI="#XAdESSignedProperties">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"> </ds:DigestMethod>
      <ds:DigestValue> mjMlNm577UuZX1apT7MRor31bao= </ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>
R/2JhSIJ1ZUtoQGqSSnFTVNKsLMDt2booroMrvFvhSVM9YnWjk0id+bOubdDH14zA28+egtxEFwy
9jpQlyisLqFwMkimVUPu+YZNZU72dH5rnvb74GRuX6/FItBQavV5QmR5+L4B5Udd7aVyjpsK8tb/
VZtZGS/ZKTjVqJn8Xoc=
  </ds:SignatureValue>
  <ds:KeyInfo>
    <ds:X509Data>
      <ds:X509Certificate>
MIICfzCCAeigAwIBAgIBATANBgkqhkiG9w0BAQUFADBiMWAwXgYDVQQDDFdDQSBST09UIFNOUixP
VT1DZW50cmUgT3JnYW5pc2F0aW9ubmVsIEludGVncmF0aW9uICYgVGVjaG5vbG9naWVzLE89QVFM
LFNUPUJyZXRhZ25lLEM9RlIwHhcNMDcwNjE4MTIzNjMwWhcNMjcwNjEzMTIzNjMwWjBiMWAwXgYD
VQQDDFdDQSBST09UIFNOUixPVT1DZW50cmUgT3JnYW5pc2F0aW9ubmVsIEludGVncmF0aW9uICYg
VGVjaG5vbG9naWVzLE89QVFMLFNUPUJyZXRhZ25lLEM9RlIwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBANQTYN6X5VFZl892o9f+5DvtP8eJqH2SLz3ytrDqcTv/NDyeHaqdy+waKg9r/TdFZAWX
1HwgDTdbGli6QSUPJbe7X51uununP0kjmXI/l263LaqoJPbpK1/9SLYn6whbA+bibaF9h/M8qQ5c
WCbQcT/ese//2RK4LnhQkkYzf7J9AgMBAAGjRTBDMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0P
AQH/BAQDAgGGMB0GA1UdDgQWBBSgpt2JA7dwEXT603g8RdB7P1PrPjANBgkqhkiG9w0BAQUFAAOB
gQBD0RiCW05Zc01YAFMrAahhTLh1ru9yXSTPl9TJX5xqfx+lRFlXHrU+SY1Ae12WWVI5lMMfoMa+
G7k8rpBk/Sux1LGxBzYZvwzKawPsesuYQVb+ji5zLzGrep4hYykeuLeJdNVZxBqf3cRThzW0Csk0
a4iGMsnsLb1wOBRbeDAMIA==
      </ds:X509Certificate>
    </ds:X509Data>
    <ds:KeyValue>
      <ds:RSAKeyValue>
        <ds:Modulus>
1BNg3pflUVmXz3aj1/7kO+0/x4mofZIvPfK2sOpxO/80PJ4dqp3L7BoqD2v9N0VkBZfUfCANN1sa
WLpBJQ8lt7tfnW66e6c/SSOZcj+Xbrctqqgk9ukrX/1ItifrCFsD5uJtoX2H8zypDlxYJtBxP96x
7//ZErgueFCSRjN/sn0=
        </ds:Modulus>
        <ds:Exponent>AQAB</ds:Exponent>
      </ds:RSAKeyValue>
    </ds:KeyValue>
  </ds:KeyInfo>
  <ds:Object xmlns="http://uri.etsi.org/01903/v1.1.1#">
    <QualifyingProperties Target="#Signature">
      <SignedProperties Id="XAdESSignedProperties">
        <SignedSignatureProperties>
          <SigningTime> 2007-06-27T19:37:41.033+02:00 </SigningTime>
          <SigningCertificate>
            <Cert>
              <CertDigest>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"> </DigestMethod>
                <DigestValue> fr3QDtOni3g5c/1+W3sJMJmyFhk= </DigestValue>
              </CertDigest>
              <IssuerSerial>
                <ds:X509IssuerName> CN="CA ROOT SNR,OU=Centre Organisationnel Integration & Technologies,O=AQL,ST=Bretagne,C=FR" </ds:X509IssuerName>
                <ds:X509SerialNumber> 1 </ds:X509SerialNumber>
              </IssuerSerial>
            </Cert>
          </SigningCertificate>
          <SignaturePolicyIdentifier>
            <SignaturePolicyImplied></SignaturePolicyImplied>
          </SignaturePolicyIdentifier>
        </SignedSignatureProperties>
      </SignedProperties>
    </QualifyingProperties>
  </ds:Object>
</ds:Signature>

--
Frederic JEAN
Silicomp-AQL
1 rue de la Châtaigneraie - CS 51766
35517 Cesson Sévigné
Tel. (switchboard): 02 99 12 50 00 - Fax: 02 99 63 70 40
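As an added illustration (not from the original post, and not Apache XML Security code), the Python script below parses a trimmed, constructed copy of the signature above, recovers which namespace declarations the SignedProperties element makes itself and which it inherits from ds:Object, and renders its start tag both ways. Canonical XML 1.0, the inclusive algorithm named in this SignedInfo, renders every in-scope namespace declaration on the apex element of a subtree, inherited ones included, so the digested bytes (and hence the SHA-1 in DigestValue) depend on the element's ancestry even when the element itself is unchanged; exclusive C14N renders only the declarations the subtree visibly uses.

```python
import base64
import hashlib
import io
import xml.etree.ElementTree as ET

# Constructed, trimmed copy of the signature in the post: the default namespace
# is declared on ds:Object, while SignedProperties itself declares nothing.
SIGNATURE = b"""<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature">
<ds:Object xmlns="http://uri.etsi.org/01903/v1.1.1#"><QualifyingProperties Target="#Signature">
<SignedProperties Id="XAdESSignedProperties"><SignedSignatureProperties>
<SigningTime>2007-06-27T19:37:41.033+02:00</SigningTime>
</SignedSignatureProperties></SignedProperties></QualifyingProperties></ds:Object></ds:Signature>"""

def namespace_scopes(xml_bytes):
    """Map each element Id to (locally declared, in-scope) namespace dicts.
    iterparse emits 'start-ns' just before the 'start' of the declaring element,
    so pending declarations belong to the next element that starts."""
    pending, stack, scopes = {}, [{}], {}
    for event, payload in ET.iterparse(io.BytesIO(xml_bytes), events=("start-ns", "start", "end")):
        if event == "start-ns":
            prefix, uri = payload
            pending[prefix] = uri  # '' is the default namespace
        elif event == "start":
            local, pending = pending, {}
            stack.append({**stack[-1], **local})  # inherit the parent's scope
            if payload.get("Id"):
                scopes[payload.get("Id")] = (local, stack[-1])
        else:
            stack.pop()
    return scopes

def apex_start_tag(local_name, attrs, namespaces):
    """Render a start tag the way Canonical XML 1.0 renders the apex of a
    subtree: namespace declarations first, sorted by prefix ('' = default
    namespace, which sorts first), then attributes sorted by name."""
    parts = [local_name]
    for prefix in sorted(namespaces):
        parts.append(f'xmlns{":" + prefix if prefix else ""}="{namespaces[prefix]}"')
    parts += [f'{k}="{v}"' for k, v in sorted(attrs.items())]
    return "<" + " ".join(parts) + ">"

def sha1_b64(text):
    """Base64 SHA-1 of the rendered bytes, the form carried in ds:DigestValue."""
    return base64.b64encode(hashlib.sha1(text.encode("utf-8")).digest()).decode()

if __name__ == "__main__":
    local, in_scope = namespace_scopes(SIGNATURE)["XAdESSignedProperties"]
    for label, ns in (("own declarations", local), ("with inherited", in_scope)):
        tag = apex_start_tag("SignedProperties", {"Id": "XAdESSignedProperties"}, ns)
        print(f"{label:17} {sha1_b64(tag)}  {tag}")
```

Running it prints two different digests for the same element, which is the symptom seen in Reference.verify(); a signature whose reference must survive re-parsing either has to be computed over the element in its final position or use a transform (exclusive C14N) that does not pull in inherited declarations.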